GeoIP Block Not Working?

Started by spetrillo, August 10, 2021, 04:38:55 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
August 10, 2021, 04:38:55 PM
I have setup my firewall for GeoIP blocking based on Maxmind. I just noticed that an IP from China showed up in my IDS alert log. It was dropped but I did not expect to see this since I have blocked China via GeoIP. Does this mean Maxmind is only as good as its IP tables?
August 11, 2021, 07:39:53 PM #1
Where are you using geoip, did you configure it with aliases and firewall rules, or through the IPS?  There was documentation at one point instructing to configure with the IPS.  This is outdated and the new recommended method is through using aliases and firewall rules.
August 11, 2021, 07:55:21 PM #2
Maybe this issue is caused by table overflow due to spikes in GeoIP lists.
Franco mentioned this here: https://forum.opnsense.org/index.php?topic=24324.0
Had a similar issue; setting max table entries to 4 million solved this issue for me.
i am not an expert... just trying to help...
August 11, 2021, 08:00:58 PM #3
Quote from: errored out on August 11, 2021, 07:39:53 PM
Where are you using geoip, did you configure it with aliases and firewall rules, or through the IPS?  There was documentation at one point instructing to configure with the IPS.  This is outdated and the new recommended method is through using aliases and firewall rules.

I have it configured with an alias and a firewall rule...easy peasy setup!
August 11, 2021, 08:03:33 PM #4
Quote from: tiermutter on August 11, 2021, 07:55:21 PM
Maybe this issue is caused by table overflow due to spikes in GeoIP lists.
Franco mentioned this here: https://forum.opnsense.org/index.php?topic=24324.0
Had a similar issue; setting max table entries to 4 million solved this issue for me.

I am going to up it to 2000000 and see how it operates...thanks for this!
August 11, 2021, 08:43:08 PM #5
We will be adding a counter in a 21.7.x release so you can see the table entry usage and if the tables are full...


Cheers,
Franco
August 11, 2021, 08:47:10 PM #6
Quote from: franco on August 11, 2021, 08:43:08 PM
We will be adding a counter in a 21.7.x release so you can see the table entry usage and if the tables are full...

Very nice! I was wondering as I cant find such information in GUI :)
i am not an expert... just trying to help...
August 11, 2021, 08:49:49 PM #7
Unfortunately it needs to be calculated across all tables, but the script proposed does it nicely, see

https://github.com/opnsense/core/pull/5142


Cheers,
Franco
August 12, 2021, 12:15:19 AM #8
Franco, if the tables are manually configured for a high record value, say 2,000,000 and the total actual records are being used is 400,000, would this cause any issues?

Memory is being allocated for a larger table but not used, Configuration file is XXXXX, etc.
August 12, 2021, 11:04:34 AM #9
Not a problem. I don't think the headroom is wired when it is not being used.


Cheers,
Franco
Print
Go Up Pages1
User actions