OPNsense Forum

English Forums => General Discussion => Topic started by: opnsenseuser on November 09, 2018, 12:09:34 pm

Title: GeoIP Problem!
Post by: opnsenseuser on November 09, 2018, 12:09:34 pm
First, I created the alias. Then I selected the countries or continents that I want to block.
In the last step, I selected the alias as the source in the firewall rule of the WAN interface. I then confirmed this, waited 10 minutes and tried.

How can it be that I can still load, for example, the Angola homepage?

I then additionally entered the alias as destination in the WAN firewall rules too, but it does not work either.

Does this work only with IDS/IPS, or am I doing something wrong?

Screenshots of the settings: see appendix!

best regards
rené
Title: Re: GeoIP Problem!
Post by: mimugmail on November 09, 2018, 12:44:54 pm
You have to increase max table size in Firewall : Settings : Advanced
Title: Re: GeoIP Problem!
Post by: opnsenseuser on November 09, 2018, 01:33:17 pm
Thanks for your reply.

I increased the Firewall Maximum Table Entries to "500000" and applied the changes.
I still use the alias on source and destination WAN rules.

No difference: http://www.governo.gov.ao/ still works!


Title: Re: GeoIP Problem!
Post by: mimugmail on November 09, 2018, 01:42:30 pm
Make it 1.5 million .. if it's still not working it's Layer 8 :)
Title: Re: GeoIP Problem!
Post by: opnsenseuser on November 09, 2018, 01:58:47 pm
Make it 1.5 million .. if it's still not working it's Layer 8 :)

https://en.wikipedia.org/wiki/Layer_8 ;-)

http://www.angolatelecom.ao/ -> still works
http://www.governo.gov.ao/ -> still works
http://www.angop.ao/ -> still works

If I understand the firewall rules correctly, does "source" mean the traffic that comes into the firewall and "destination" everything that goes out of the firewall? Right?

So if I want to block pages from Angola, I would have to enter the alias under Destination. Right?

After having amused myself about layer 8, I cannot really say what I'm doing wrong now.
Perhaps choose the LAN interface for the blocking rule and not the WAN interface?
How can I check whether the GeoIP blocking works?

By the way, I'm using a transparent Squid proxy with certificate, if this is important to know!


Title: Re: GeoIP Problem!
Post by: mimugmail on November 09, 2018, 03:13:38 pm
If you want to block traffic TO Angola, you have to add the rule in the LAN tab, and it's destination.
When using Squid as a transparent proxy it SHOULD be on the WAN tab and destination, but I'm unsure, I never did that in transparent mode.
Title: Re: GeoIP Problem!
Post by: opnsenseuser on November 09, 2018, 04:19:15 pm
Unfortunately, I have to tell you that I've tried everything you said, but without success. No matter which countries are blocked, whether via dest/source on the LAN interface or via dest/source on the WAN interface. It has to be somehow related to the transparent proxy, but I do not know yet.

Who knows how to configure it?
Title: Re: GeoIP Problem!
Post by: mimugmail on November 09, 2018, 04:27:14 pm
I'm afraid it won't work with a transparent proxy.

The only solution is to make a "no rdr" rule in NAT for your country so it's not routed via the proxy, and then you have to put the rule in the LAN tab.

Touching NAT rules on a transparent proxy needs NAT state clearing!
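The two pieces of advice in this thread (raise the maximum table entries, and add a "no rdr" exception so the GeoIP destination is not rewritten to the transparent proxy before the LAN block rule sees it) are easier to reason about with a small model of the pf pipeline. The following Python script is an added example written for this page; it is not OPNsense code and not from any of the posters. It simulates the two stages pf applies to a LAN packet: translation (rdr to 127.0.0.1:3128, which pf runs before filtering, so filter rules see the translated destination) and then the LAN filter rule "block to <GeoIP alias>". The prefixes, LAN network and proxy port are constructed for the demo and are not real Angolan allocations or a real OPNsense setup; the table-size model (an alias larger than the limit loads as empty) is a simplification of what "Firewall Maximum Table Entries" does.

```python
"""Model of why a GeoIP block rule on LAN does not match behind a transparent
proxy, and what a 'no rdr' exception plus a large enough table limit changes.
Added example for this thread; not OPNsense code. All addresses are constructed."""
import ipaddress
from dataclasses import dataclass, replace

# Constructed contents of the GeoIP alias (documentation ranges, not real
# Angolan allocations).
GEOIP_ALIAS = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
LAN_NET = ipaddress.ip_network("192.168.1.0/24")      # assumed LAN
PROXY_ADDR = ipaddress.ip_address("127.0.0.1")        # transparent Squid on the firewall
PROXY_PORT = 3128                                     # assumed Squid port


@dataclass(frozen=True)
class Packet:
    iface: str                      # interface the packet arrives on: "lan" or "wan"
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def load_table(entries, max_table_entries):
    """Simplified 'Firewall Maximum Table Entries': if the alias holds more
    entries than the limit, the table does not load and the rule that
    references it matches nothing."""
    return list(entries) if len(entries) <= max_table_entries else []


def in_table(addr, table):
    return any(addr in net for net in table)


def translate(pkt, no_rdr_tables):
    """Translation stage. pf applies rdr before the filter rules, so the filter
    sees the rewritten destination (127.0.0.1:3128), not the real web server.
    A 'no rdr' rule for a table leaves matching packets untranslated."""
    if pkt.iface == "lan" and pkt.src in LAN_NET and pkt.dport == 80:
        if any(in_table(pkt.dst, t) for t in no_rdr_tables):
            return pkt                                  # no rdr: real destination kept
        return replace(pkt, dst=PROXY_ADDR, dport=PROXY_PORT)
    return pkt


def filter_lan(pkt, block_table):
    """Filter stage: LAN rule 'block ... to <GeoIP alias>', then default pass."""
    if pkt.iface == "lan" and in_table(pkt.dst, block_table):
        return "block"
    return "pass"


def evaluate(pkt, *, max_table_entries=2, no_rdr=False):
    """Run one packet through translation and filtering; returns 'block' or 'pass'."""
    table = load_table(GEOIP_ALIAS, max_table_entries)
    exceptions = [table] if no_rdr else []
    return filter_lan(translate(pkt, exceptions), table)


def demo():
    client = ipaddress.ip_address("192.168.1.50")      # constructed LAN client
    web = ipaddress.ip_address("203.0.113.10")         # constructed address inside the alias
    pkt = Packet("lan", client, web, 80)
    return {
        "table limit too small": evaluate(pkt, max_table_entries=1, no_rdr=True),
        "rdr first (transparent proxy)": evaluate(pkt),
        "no rdr for alias + LAN rule": evaluate(pkt, no_rdr=True),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32s} -> {verdict}")
```

Running it shows the three situations from the thread: with the table limit below the alias size the rule matches nothing; with the default rdr in place the LAN rule only ever sees 127.0.0.1:3128 and passes the packet; only with the "no rdr" exception for the alias does the LAN destination rule see the real address and block it. It also explains why the WAN rules did nothing: the connection to the remote site is opened by Squid itself on the firewall, not forwarded from the LAN client.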
Title: Re: GeoIP Problem!
Post by: gex on December 01, 2018, 06:48:43 pm
Try what I posted in https://forum.opnsense.org/index.php?topic=10458.new;topicseen#new as a workaround.