Geo IP Alias and Firewall block not working all the time

[Plaidy]

OPNsense is a stateful firewall. You have to block/allow on LAN. Don't ALLOW ANYTHING on WAN.

I am really not following here. I know it is a stateful firewall and as far as I know the rule is only allowing sessions INITIATED from the outside TO my WAN address which is then forwarded to the appropriate place on my LAN by OPNsense after the request is received.

[chemlud]

.

[Plaidy]

OMG.

Dude, I don't know if that response is necessary. This is an INBOUND rule we are talking about. I want to allow some inbound traffic and deny others.

Edit: As I understand it, all that WAN designation does is tell OPNsense to APPLY this rule to packets coming in to the first interface they would hit from the outside: The WAN interface.

Of those packets coming into the OUTSIDE (read: WAN) interface NOT initiated from inside my network, apply the rule that only IP subnets listed as being from DE or the US may proceed to be evaluated by the next rule in the list. If they are not listed as DE or US they will be denied.

If this is not correct, could you please tell me where the break in logic is? This has nothing to do with stateful sessions at this point. I am trying to block/allow HTTP/HTTPS traffic to my reverse proxy that sits inside my home LAN BEHIND the OPNsense box and its WAN interface and that traffic/those requests are initiated from the OUTSIDE of the OPNsense box.

Edit: Glad I started quoting all your responses for the sake of posterity

I see now that you were mistaken this whole time and thought I was trying to block ALL traffic inbound and block outbound LAN traffic to everywhere but the US and DE. That would be a very bizarre thing to do and definitely not what I was trying to accomplish. Thanks for trying to give me a lesson on networking and stateful packet inspection though heh.

[Taomyn]

I don't know if this is the exact same issue I am having, but I'm seeing mail traffic hitting my mail server which should be blocked by my GeoIP alias i.e. anything not in the alias should be blocked.

When I check the IP using a general IP Location website I confirm that it's from a "blocked" country but when I check the Maxmind GeoLite2 files the subnet is not present. Checking the full database at Maxmind confirms the same, that the GeoLite2 data is simply missing the subnet so it doesn't get blocked.


Has anyone been able to replace Maxmind with anything else? I can see that IP2Location has my example subnet listed so it would block it, but I have no idea if we can use their data instead.

[Plaidy]

...i.e. anything not in the alias should be blocked. ...

...when I check the Maxmind GeoLite2 files the subnet is not present. ...

The way you explained it, it sounds like it's working as expected. That you have an Alias with only say USA IPs in it and then an inverse source rule that if the source is not a USA IP address it is blocked. That IP from say Mexico would not be in the list for the USA in the maxmind db or your rule set. You may have meant something else but that is what I understood.

[Taomyn]

The way you explained it, it sounds like it's working as expected. That you have an Alias with only say USA IPs in it and then an inverse source rule that if the source is not a USA IP address it is blocked. That IP from say Mexico would not be in the list for the USA in the maxmind db or your rule set. You may have meant something else but that is what I understood.

No I think I wrote it correct, I have an alias list with the US plus some EU countries so "US, CA, UK, DE, BE, FR" and as you say the rule is inversed on the source, so when an IP from RU or CN comes in it should be blocked - but it doesn't always. My server continues to receive the occasional hit from RU and other countries not on the list and when I check the IPs they're not under their respective country, so to me it's like they get included regardless.

[Taomyn]

I've been staring at the rule I use for this and I'm at that point where I'm not understanding what I am doing - overthinking the whole thing and giving me a headache.


So to step back, what's the best rule to use to block all inbound external traffic that is not in my alias of allowed countries, and on which firewall interface is the rule located? I.e. a working example please 


As an alternative to blocking, something else I've been unable to achieve is a rule that instead redirects the traffic to a specific device in my DMZ.

[erje]

@Plaidy; Did you get it to work?

ps Thanks for your detailed posts and for quoting chemlud.

[Plaidy]

@Plaidy; Did you get it to work?

ps Thanks for your detailed posts and for quoting chemlud.

Sorry for not replying here. I guess I don't have notifications setup when people reply to posts here. I did get it to work, or rather I gathered enough information be satisfied I guess. Still no actual explanation as to why some addresses can get through. Are you having issues?