23.7 Legacy Series / Geoblocking Outbound Traffic
« on: January 02, 2024, 05:47:48 am »
Hi, all~
Short version: I believe I have inbound geoblocking working, but for some reason outbound geoblocking is not working (also, I'm a bit of a noob and could very easily be missing something obvious - any help appreciated).
Quite a while back I followed the MaxMind steps here:
https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html
Those prior steps appear to still be working, as under "Firewall > Aliases > GeoIP settings" I see:
Quote
Last updated: 2023-12-29T15:11:22
Total number of ranges: 746480
I then created an alias specific to IPs for the US and Canada that I creatively called "Geo_US_Canada". That one shows:
Quote
Last updated: 2024-01-01 18:42:50
Loaded#: 198300
From there I created a floating inbound rule blocking any IPs not in that alias, with the following settings:
Quote
Action: Block
Quick: Checked
Interface: WAN
Direction: In
TCP/IP Version: IPv4+IPv6
Protocol: Any
Source / Invert: Checked
Source: Geo_US_Canada
Destination: Any
Destination port range: Any
Description: Block inbound unless from US or Canada
This one seems to be working as expected, because if I uncheck the "Invert" option and then Apply, I'm immediately no longer able to access my internal web server from an external IP within the US (iPhone on cellular).
However, a very similar floating outbound rule doesn't appear to be working. That one is set up like:
Quote
Action: Block
Quick: Checked
Interface: [currently all four interfaces are selected]
Direction: Out
TCP/IP Version: IPv4+IPv6
Protocol: Any
Source / Invert: Checked
Source: Geo_US_Canada
Destination: Any
Destination port range: Any
Description: Block outbound unless to US or Canada
The way I've been testing to see if this rule works goes like this:
- Head over to https://ipinfo.io/countries/ru
- Grab an IP from their "Important Routers in Russia" list - e.g., 178.176.152.240
- Head over to Firewall > Diagnostics > Aliases > Geo_US_Canada
- Hit the "Update bogons" button and the "refresh" icon for good measure
- Search for "178.176" and verify that there are no matches found within the alias
- Head over to a device on my network that allows ICMP/traceroute out (happens to be an Asus AP that points to the firewall for DNS, etc.)
- Initiate Pings/traceroutes to 178.176.152.240
- See it get passed through the firewall via the "let out anything from firewall host itself (force gw)" rule
- Try accessing http://government.ru/ as a second test, page loads, logs show passed traffic via the same rule
So yeah, that's where I am. Any thoughts on what I might be missing?
Thanks,
- Nathan
P.S. For whatever it's worth, 178.176.0.0/14 is included in the GeoLite2-Country-Blocks-IPv4.csv file, and if I create an alias for IP ranges in Russia, it is listed there... and I suppose I could create a single giant alias for all countries except the US and Canada and build my rule that way, but https://docs.opnsense.org/manual/aliases.html#geoip explicitly advises against that.
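As an added illustration (not the poster's configuration and not OPNsense code), the small Python model below evaluates the two inverted-match variants from the post against the test packet to 178.176.152.240: the posted rule (Source / Invert on Geo_US_Canada) and the alternative of inverting the Destination instead. The CSV rows, geoname ids, and the LAN and WAN source addresses are constructed; the WAN case is included because on the outbound path pf filters after NAT, so the rule sees the translated source.

```python
import csv
import io
import ipaddress

# Constructed rows in the GeoLite2-Country-Blocks-IPv4.csv column layout
# (network, geoname_id, registered_country_geoname_id). The US/CA prefixes
# and geoname ids are sample values for this example, not real data.
SAMPLE_CSV = """network,geoname_id,registered_country_geoname_id
203.0.113.0/24,6252001,6252001
198.51.100.0/24,6251999,6251999
178.176.0.0/14,2017370,2017370
"""
GEONAME_US_CANADA = {"6252001", "6251999"}  # assumed ids for US and Canada


def load_alias(csv_text, wanted_ids):
    """Build the equivalent of a GeoIP alias: all networks whose geoname_id is wanted."""
    return [ipaddress.ip_network(row["network"])
            for row in csv.DictReader(io.StringIO(csv_text))
            if row["geoname_id"] in wanted_ids]


def in_alias(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def rule_matches(rule, src, dst, alias):
    """Evaluate Source/Invert and Destination/Invert as the post describes the rule fields."""
    src_ok = True
    if rule.get("src_alias"):
        hit = in_alias(src, alias)
        src_ok = (not hit) if rule.get("src_invert") else hit
    dst_ok = True
    if rule.get("dst_alias"):
        hit = in_alias(dst, alias)
        dst_ok = (not hit) if rule.get("dst_invert") else hit
    return src_ok and dst_ok


ALIAS = load_alias(SAMPLE_CSV, GEONAME_US_CANADA)
OUTBOUND_SRC_INVERT = {"src_alias": "Geo_US_Canada", "src_invert": True}  # the posted rule
OUTBOUND_DST_INVERT = {"dst_alias": "Geo_US_Canada", "dst_invert": True}  # destination variant
TEST_DST = "178.176.152.240"                        # the Russian address used in the post
LAN_SRC, WAN_SRC = "192.168.1.10", "203.0.113.25"   # constructed: pre-NAT and post-NAT source

if __name__ == "__main__":
    for src in (LAN_SRC, WAN_SRC):
        print(src, "src-invert:", rule_matches(OUTBOUND_SRC_INVERT, src, TEST_DST, ALIAS),
              "dst-invert:", rule_matches(OUTBOUND_DST_INVERT, src, TEST_DST, ALIAS))
```

With the post-NAT WAN source the source-inverted rule does not match at all, while the destination-inverted rule matches regardless of which source address the filter sees.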