GeoIP - unable to create alias < Invalid argument. [geographic_blocks] >

Started by BISI Sysadmin, November 17, 2020, 11:06:16 PM

I have attached a screen shot of the captioned error message, generated when I attempt to create an alias as part of setting up GeoIP blocking.

By way of background, GeoIP was working on this firewall, and then we started getting lockouts on our mail server.  Investigation revealed the geographic blocking was no longer working.   See this discussion for some of the things I have tried.
https://forum.opnsense.org/index.php?topic=18411.0

I have several times removed all parts of the configuration for the geoIP function (including removing contents of directories in the filesystem) and attempted to re-create it, using various forms of the name for the Alias.  I have numerous other opnsense firewalls with working geo-blocking configurations, and the same configuration on this particular box does not work.

The firewall is updated to OPNsense 20.7.4-amd64 (it stopped working before this update).  I have working instances of GeoBlocking on the same code level, on both identical and completely different hardware.

Where to go with troubleshooting?  I'd like to make this fixable, rather than just configure another box and drop it in, but we have email accounts exposed to slow-moving brute force password attacks, which generate lockout for some of our users, so it's not something we can live with for very long.

Thanks in advance for any help!
d.

PS - here's my recipe for creating a geo-blocking rule.  It's in wikimedia format, so readability might be an issue (monospace font helps).

===GeoIP===
new procedure for OPNSense v20.1x
[[https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html must sign up at Maxmind]]
:TL;DR
:have set up an account that all clients can use. Details, if you need to do it again to provide completely separate credentials for a client, are below.
: paste this URL in the entry box for ''Firewall:Aliases:GeoIP Settings''
::https://download.maxmind.com/etc/etc/etc/

:Credentials
   userID:
password:
     name:       

'''License Key'''
Your new license key ''YadaYadaYada'' has been created.
This license key is stored in hashed format for security purposes.

It may take up to five minutes for this new key to be activated.

This will be the only time this key is displayed to you in full.
Please copy the key to a safe location for your future reference.

Account/User ID:
     License key:
====set up alias====
Firewall -> aliases
   + button at bottom of alias list
     Enabled <X>
     Name    [GeoBlocking1]
     Type    [GeoIP] [ IPv4 | IPv6 | IPv4+IPv6 ] 
     Content [pick your countries to accept/block] <-- start at bottom of list and work upwards
     statistics <X>  (or not - you decide)
     Description [block incoming connections by geographic region]

====set up WAN Rule====
Firewall -> Rules -> WAN
<pre>
Action                        [Block]
Disabled                      < > Disable this rule
Quick                         <X> Apply the action immediately on match.
Interface                     [WAN]
Direction                     [in]
TCP/IP Version                [IPv4]
Protocol                      [any]
Source / Invert               < >
Source                        [Geographic_blocks] (from aliases)
Source                        [Advanced]  (not used)
Destination / Invert          < >
Destination                   [WAN address]
Destination port range from:  [any]    to:  [any]
Log                           <X> Log packets that are handled by this rule
Category                      [GeoBlock1 ]
Description                   [REMEMBER TO TURN OFF LOGGING]
Advanced features
Source OS                     [Any]
No XMLRPC Sync                < >
Schedule                      [none]
Gateway                       [default]
Advanced Options              [Show/Hide]  (not used)
</pre>
'''Position rule at top of ruleset'''

Did you try upping the limit under firewall-->settings-->advanced-->Firewall Maximum Table Entries to something like 99999999999?

I initially had geoIP working and then in a subsequent update it stopped and I had to go edit that entry. Not sure why, if that is the fix, that it would only be needed on one box but worth a check anyway.

Thanks for the idea, but upping this, and for good measure, the Maximum Table Entries had no effect.

kind regards
chemlud
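Added example, not code from the thread or from OPNsense: since raising Firewall Maximum Table Entries is offered above as a possible cause, this script shows how to check pf's table-entries hard limit against what the existing tables already hold before adding a large GeoIP alias. It parses text in the shape of `pfctl -sm` (memory limits) and `pfctl -vvsT` (table listing); the two samples embedded here are constructed, and the table names and address counts are made up. Whether the limit is actually what produced the "Invalid argument" error in this thread is not confirmed by the posts.

```python
"""Capacity check for pf tables before adding a GeoIP alias.

Added example (not from the thread). Input text is in the shape of
`pfctl -sm` and `pfctl -vvsT` output; on a real box you would feed it
the output of those commands instead of the constructed samples.
"""
import re

# Constructed sample in the shape of `pfctl -sm` (values made up).
SAMPLE_LIMITS = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
"""

# Constructed sample in the shape of `pfctl -vvsT` (names/counts made up).
SAMPLE_TABLES = """\
--a-r-\tbogons
\tAddresses:   1234
\tCleared:     Tue Nov 17 20:00:00 2020
--a-r-\tGeoBlocking1
\tAddresses:   150000
\tCleared:     Tue Nov 17 20:00:00 2020
-pa-r-\tsshlockout
\tAddresses:   3
\tCleared:     Tue Nov 17 20:00:00 2020
"""


def parse_limits(text):
    """Return {limit-name: hard-limit} from `pfctl -sm`-style text."""
    limits = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+hard limit\s+(\d+)", line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def parse_table_sizes(text):
    """Return {table-name: address-count} from `pfctl -vvsT`-style text.

    A table starts with a flags line ("--a-r-<TAB>name"); the indented
    lines that follow belong to it, and "Addresses:" carries the size.
    """
    sizes = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            parts = line.split(None, 1)
            current = parts[1].strip() if len(parts) == 2 else None
            if current is not None:
                sizes[current] = 0
        else:
            m = re.match(r"\s*Addresses:\s+(\d+)", line)
            if m and current is not None:
                sizes[current] = int(m.group(1))
    return sizes


def capacity_report(limits, sizes, new_table_entries):
    """Say whether a new table of `new_table_entries` addresses fits
    under the table-entries hard limit given current usage."""
    limit = limits["table-entries"]
    used = sum(sizes.values())
    free = limit - used
    return {
        "limit": limit,
        "used": used,
        "free": free,
        "fits": free >= new_table_entries,
    }


if __name__ == "__main__":
    limits = parse_limits(SAMPLE_LIMITS)
    sizes = parse_table_sizes(SAMPLE_TABLES)
    # 60000 is a made-up size for a hypothetical new GeoIP alias.
    print(capacity_report(limits, sizes, 60000))
```

When the report says the alias does not fit, raising the limit under Firewall -> Settings -> Advanced (as suggested above) or trimming the country list are the two levers; when it fits comfortably, the table limit is not the explanation and the alias name or leftover state is a better place to look.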

So, I am now able to create the alias -- I think there is some table somewhere holding on to the names I was using.  I have therefore started using a naming convention that increments the Alias name to ensure it is unique.

I re-read the earlier post I referenced in my question and tried again the idea of using source/invert. Of course that immediately stopped my access to the WAN port of the firewall. (It works!) Fortunately the IPSec tunnel was unaffected. Unfortunately, the dropped packets were still not being logged (not showing up in Firewall -> Log Files -> Live View, nor in Plain View).

The next step was to create an alias containing only the regions I want to allow, creating the blocking firewall rule, incoming on WAN, and ensure the Source/Invert flag is set, remove the problematic rule, and test.

I am now seeing the usual storm of packets being blocked by the Geo-blocking rule, and unsetting / setting the "Log packets that are handled by this rule" has the desired effect of not showing (or showing) the activity in the firewall log.

So, not problem solved, but a "duct-tape" workaround.   If there is any way to elevate this to the development people, please let me know. 

I know the rule was NOT being evaluated until I set the source/invert flag, because the logs on the mail server showed that IP addresses that should have been blocked were getting through. Even after my inadvertent successful test to block packets from myself, logging did not work until I created a new rule with the source/invert flag set.