Author Topic: GeoIP Block Not Working? (Read 3808 times)

spetrillo · « **on:** August 10, 2021, 04:38:55 pm »

I have setup my firewall for GeoIP blocking based on Maxmind. I just noticed that an IP from China showed up in my IDS alert log. It was dropped but I did not expect to see this since I have blocked China via GeoIP. Does this mean Maxmind is only as good as its IP tables?

errored out · « **Reply #1 on:** August 11, 2021, 07:39:53 pm »

Where are you using geoip, did you configure it with aliases and firewall rules, or through the IPS? There was documentation at one point instructing to configure with the IPS. This is outdated and the new recommended method is through using aliases and firewall rules.

tiermutter · « **Reply #2 on:** August 11, 2021, 07:55:21 pm »

Maybe this issue is caused by table overflow due to spikes in GeoIP lists.
Franco mentioned this here: https://forum.opnsense.org/index.php?topic=24324.0
Had a similar issue; setting max table entries to 4 million solved this issue for me.

spetrillo · « **Reply #3 on:** August 11, 2021, 08:00:58 pm »

Quote from: errored out on August 11, 2021, 07:39:53 pm

Where are you using geoip, did you configure it with aliases and firewall rules, or through the IPS? There was documentation at one point instructing to configure with the IPS. This is outdated and the new recommended method is through using aliases and firewall rules.

I have it configured with an alias and a firewall rule...easy peasy setup!

spetrillo · « **Reply #4 on:** August 11, 2021, 08:03:33 pm »

Quote from: tiermutter on August 11, 2021, 07:55:21 pm

Maybe this issue is caused by table overflow due to spikes in GeoIP lists.
Franco mentioned this here: https://forum.opnsense.org/index.php?topic=24324.0
Had a similar issue; setting max table entries to 4 million solved this issue for me.

I am going to up it to 2000000 and see how it operates...thanks for this!

franco · « **Reply #5 on:** August 11, 2021, 08:43:08 pm »

We will be adding a counter in a 21.7.x release so you can see the table entry usage and if the tables are full...

Cheers,
Franco

tiermutter · « **Reply #6 on:** August 11, 2021, 08:47:10 pm »

Quote from: franco on August 11, 2021, 08:43:08 pm

We will be adding a counter in a 21.7.x release so you can see the table entry usage and if the tables are full...

Very nice! I was wondering as I cant find such information in GUI

franco · « **Reply #7 on:** August 11, 2021, 08:49:49 pm »

Unfortunately it needs to be calculated across all tables, but the script proposed does it nicely, see

https://github.com/opnsense/core/pull/5142

Cheers,
Franco

errored out · « **Reply #8 on:** August 12, 2021, 12:15:19 am »

Franco, if the tables are manually configured for a high record value, say 2,000,000 and the total actual records are being used is 400,000, would this cause any issues?

Memory is being allocated for a larger table but not used, Configuration file is XXXXX, etc.

franco · « **Reply #9 on:** August 12, 2021, 11:04:34 am »

Not a problem. I don't think the headroom is wired when it is not being used.

Cheers,
Franco

Author Topic: GeoIP Block Not Working? (Read 3808 times)

spetrillo

GeoIP Block Not Working?

errored out

Re: GeoIP Block Not Working?

tiermutter

Re: GeoIP Block Not Working?

spetrillo

Re: GeoIP Block Not Working?

spetrillo

Re: GeoIP Block Not Working?

franco

Re: GeoIP Block Not Working?

tiermutter

Re: GeoIP Block Not Working?

franco

Re: GeoIP Block Not Working?

errored out

Re: GeoIP Block Not Working?

franco

Re: GeoIP Block Not Working?