OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: spetrillo on August 10, 2021, 04:38:55 pm

Title: GeoIP Block Not Working?
Post by: spetrillo on August 10, 2021, 04:38:55 pm
I have set up my firewall for GeoIP blocking based on MaxMind. I just noticed that an IP from China showed up in my IDS alert log. It was dropped but I did not expect to see this since I have blocked China via GeoIP. Does this mean MaxMind is only as good as its IP tables?
Title: Re: GeoIP Block Not Working?
Post by: errored out on August 11, 2021, 07:39:53 pm
Where are you using GeoIP? Did you configure it with aliases and firewall rules, or through the IPS? There was documentation at one point instructing to configure it with the IPS. This is outdated and the new recommended method is through using aliases and firewall rules.
Title: Re: GeoIP Block Not Working?
Post by: tiermutter on August 11, 2021, 07:55:21 pm
Maybe this issue is caused by table overflow due to spikes in GeoIP lists.
Franco mentioned this here: https://forum.opnsense.org/index.php?topic=24324.0
Had a similar issue; setting max table entries to 4 million solved this issue for me.
Title: Re: GeoIP Block Not Working?
Post by: spetrillo on August 11, 2021, 08:00:58 pm
> Where are you using GeoIP? Did you configure it with aliases and firewall rules, or through the IPS? There was documentation at one point instructing to configure it with the IPS. This is outdated and the new recommended method is through using aliases and firewall rules.

I have it configured with an alias and a firewall rule...easy peasy setup!
Title: Re: GeoIP Block Not Working?
Post by: spetrillo on August 11, 2021, 08:03:33 pm
> Maybe this issue is caused by table overflow due to spikes in GeoIP lists.
> Franco mentioned this here: https://forum.opnsense.org/index.php?topic=24324.0
> Had a similar issue; setting max table entries to 4 million solved this issue for me.

I am going to up it to 2000000 and see how it operates...thanks for this!
Title: Re: GeoIP Block Not Working?
Post by: franco on August 11, 2021, 08:43:08 pm
We will be adding a counter in a 21.7.x release so you can see the table entry usage and if the tables are full...


Cheers,
Franco
Title: Re: GeoIP Block Not Working?
Post by: tiermutter on August 11, 2021, 08:47:10 pm
> We will be adding a counter in a 21.7.x release so you can see the table entry usage and if the tables are full...

Very nice! I was wondering as I can't find such information in the GUI :)
Title: Re: GeoIP Block Not Working?
Post by: franco on August 11, 2021, 08:49:49 pm
Unfortunately it needs to be calculated across all tables, but the script proposed does it nicely, see

https://github.com/opnsense/core/pull/5142


Cheers,
Franco
Title: Re: GeoIP Block Not Working?
Post by: errored out on August 12, 2021, 12:15:19 am
Franco, if the tables are manually configured for a high record value, say 2,000,000, and the total actual records being used is 400,000, would this cause any issues?

Memory is being allocated for a larger table but not used, Configuration file is XXXXX, etc.
Title: Re: GeoIP Block Not Working?
Post by: franco on August 12, 2021, 11:04:34 am
Not a problem. I don't think the headroom is wired when it is not being used.


Cheers,
Franco
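
Added example, not part of the thread and not the script from the linked pull request: one way to check the table overflow discussed above is to sum the entries of every pf table and compare the total with the `table-entries` hard limit. The sample text is constructed, the alias name `GeoIP_Block` is hypothetical, the 80% warning threshold is an arbitrary assumption, and the parsing assumes the usual `pfctl -sm` and `pfctl -vvsT` output layout.

```shell
#!/bin/sh
# Added example: compare total pf table usage with the table-entries limit.
# On the firewall, feed it live data instead of the samples:
#   pf_table_report "$(pfctl -sm)" "$(pfctl -vvsT)"

# Constructed sample of `pfctl -sm` output.
SAMPLE_LIMITS='states        hard limit   404000
src-nodes     hard limit   404000
frags         hard limit     5000
table-entries hard limit  1000000'

# Constructed sample of `pfctl -vvsT` output (GeoIP_Block is a hypothetical alias).
SAMPLE_TABLES='--a-r-- GeoIP_Block
    Addresses:   612480
    References:  [ Anchors: 0  Rules: 2 ]
--a-r-- bogons
    Addresses:   1372
    References:  [ Anchors: 0  Rules: 1 ]
--a-r-- bogonsv6
    Addresses:   131250
    References:  [ Anchors: 0  Rules: 1 ]'

# Print the table-entries hard limit found in `pfctl -sm` text.
pf_table_limit() {
    printf '%s\n' "$1" | awk '$1 == "table-entries" { print $NF }'
}

# Sum the "Addresses:" counters over every table in `pfctl -vvsT` text.
pf_table_total() {
    printf '%s\n' "$1" | awk '$1 == "Addresses:" { n += $2 } END { print n + 0 }'
}

# Print "used limit percent status"; status is WARN at or above $3 percent (default 80).
pf_table_report() {
    limit=$(pf_table_limit "$1")
    used=$(pf_table_total "$2")
    warn_pct=${3:-80}
    if [ -z "$limit" ] || [ "$limit" -eq 0 ]; then
        echo "error: no table-entries limit found" >&2
        return 2
    fi
    pct=$((used * 100 / limit))
    if [ "$pct" -ge "$warn_pct" ]; then status=WARN; else status=OK; fi
    echo "$used $limit $pct $status"
}

pf_table_report "$SAMPLE_LIMITS" "$SAMPLE_TABLES"
```

The total has to cover all tables because the limit is shared, so a GeoIP alias can fail to load even when it is well under the limit on its own.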