OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Amanaki on December 06, 2018, 04:10:32 pm

Title: Floating Rules for GeoIP Country Blocking Not Working
Post by: Amanaki on December 06, 2018, 04:10:32 pm
Hi all,

Have been tinkering with blocking known attack source countries but cannot seem to get this working as expected.

I read that the IDS method was essentially replaced with the alias method and have followed the guides I have found on this forum to try it out with no luck.

I have enclosed screenshots of my alias and firewall rules to help with identifying where I might be going wrong.

Any ideas?

Thanks,
Manaki
Title: Re: Floating Rules for GeoIP Country Blocking Not Working
Post by: franco on December 07, 2018, 07:48:09 am
Have you increased your Firewall Maximum Table Entries? Firewall: Settings: Advanced, set to 1000000 or more.


Cheers,
Franco
Title: Re: Floating Rules for GeoIP Country Blocking Not Working
Post by: Julien on December 07, 2018, 09:07:37 am
Curiosity: how are you trying to block those countries?
If you are gonna use firewall rules on the WAN, make sure your firewall has enough resources.
I’ve tried it before and my firewall CPU was overloaded, which caused VoIP phone issues.
Title: Re: Floating Rules for GeoIP Country Blocking Not Working
Post by: Amanaki on December 08, 2018, 11:53:34 pm
Hey Franco,

Thanks for that clarification. Seems it is working but as pointed out by Julien, there is an issue with memory. I have only 4GB/8GB allocated to my installation.

I know in the alias I provided, I have quite a few countries selected for blocking. Truth is, I only really care about blocking aggressive attack countries like 'CN', 'RU'.

Is there any other way to do it that is not so memory intensive?

Thanks,
Naki