[18.7.8] GeoIP alias not working

[Taomyn]

I've created an alias for one country, Luxembourg, and created a WAN rule that blocks any access not from the alias (source inverted) to a specific TCP port, yet it still blocks my Luxembourg IPs


I have run a test on a blocked IP

Code Select Expand


root@bart:~ # /usr/local/bin/geoiplookup 193.91.40.197
GeoIP Country Edition: LU, Luxembourg




And as you can see it returns the correct country - I also see other non-LU IPs being blocked so the alias seems to be broken. I have rebooted the firewall as well.


Why is my IP being blocked by the firewall? Is there another test I can try to see why it doesn't think my IP is from Luxembourg?

[Taomyn]

Ok, so I found the problem - seems the alias GUI is not making some things obvious so it simply broke the rule.


I changed it from:



to:



And now it works.


When I remember how to do it, I will log a bug report.

[gex]

Hi,

I have a similar problem.
I want to catch traffic to Austria, but it's not working. I added screenshots.

Code Select Expand


root@fw01:~ # /usr/local/bin/geoipupdate.sh
Fetching GeoIP.dat and GeoIPv6.dat...
/usr/local/share/GeoIP/GeoIPupdate.NQMYd6/GeoI100% of  694 kB 4658 kBps 00m00s
/usr/local/share/GeoIP/GeoIPupdate.DLAu70/GeoI100% of 1180 kB 5075 kBps 00m01s
root@fw01:~ # /usr/local/bin/geoiplookup 194.232.104.139
GeoIP Country Edition: AT, Austria


command line is also working, so I don't know why I don't get a catch on the rule, I tried it in Floating, LAN and WAN

Regards

Gregor

[opnsenseuser]

Hi,

I have a similar problem.
I want to catch traffic to Austria, but it's not working. I added screenshots.

Code Select Expand


root@fw01:~ # /usr/local/bin/geoipupdate.sh
Fetching GeoIP.dat and GeoIPv6.dat...
/usr/local/share/GeoIP/GeoIPupdate.NQMYd6/GeoI100% of  694 kB 4658 kBps 00m00s
/usr/local/share/GeoIP/GeoIPupdate.DLAu70/GeoI100% of 1180 kB 5075 kBps 00m01s
root@fw01:~ # /usr/local/bin/geoiplookup 194.232.104.139
GeoIP Country Edition: AT, Austria


command line is also working, so I don't know why I don't get a catch on the rule, I tried it in Floating, LAN and WAN

Regards

Gregor

have the same problem. since I use a transparent proxy, it should lie on the transparent proxy. but then I did not try the solution further. do you use a transparent proxy? If so, give it a try with the mimugmail solution. If it still does not work, then the problem is apparently not the proxy

https://forum.opnsense.org/index.php?topic=10192.msg46733#msg46733

[gex]

under Firewall: Diagnostics: pfTables the table is also empty - look like it gets not loaded

[gex]

Code Select Expand


root@fw01:/var/db/aliastables # /usr/local/opnsense/scripts/filter/update_tables.py
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/filter/update_tables.py", line 122, in <module>
    alias_content = alias.resolve()
  File "/usr/local/opnsense/scripts/filter/lib/alias.py", line 236, in resolve
    for address in address_parser(item):
  File "/usr/local/opnsense/scripts/filter/lib/alias.py", line 171, in _fetch_geo
    for proto in self._proto.split(','):
AttributeError: 'NoneType' object has no attribute 'split'


[gex]

I fix the update issue but still not working:

Code Select Expand


root@fw01:/var/db/aliastables # /usr/local/opnsense/scripts/filter/update_tables.py
root@fw01:/var/db/aliastables # cat /var/db/aliastables/IPv4_at.*
34fafd09432a71cc46e9fd6fc94b5ab3root@fw01:/var/db/aliastables #


[gex]

my personal workaround, till I get help:

Code Select Expand


cp /usr/local/share/GeoIP/alias/AT-IPv4 /var/db/aliastables/IPv4_at.self.txt
cp /usr/local/share/GeoIP/alias/AT-IPv4 /var/db/aliastables/IPv4_at.txt
/usr/local/opnsense/scripts/filter/update_tables.py


[lewi3069]

under Firewall: Diagnostics: pfTables the table is also empty - look like it gets not loaded

I also have this issue. I am using US IPv4 as my constraint and the table is empty in pfTables.