Topic: GeoIP and Maxmind (Read 1585 times)
spetrillo (Hero Member, Posts: 721, Karma: 8)
GeoIP and Maxmind « on: May 01, 2024, 08:20:03 pm »
Hello all,
I am using GeoIP with Maxmind, but wanted to set up an inbound and an outbound rule, so that nothing comes in or goes out to any country that I am blocking with Maxmind. My rules are in the attachment. Do I have this right or should I be specifying the WAN port?
Thanks,
Steve
Patrick M. Hausen (Hero Member, Posts: 6848, Karma: 575)
Re: GeoIP and Maxmind « Reply #1 on: May 01, 2024, 08:22:27 pm »
Don't you have a "deny all" rule on WAN, anyway?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
spetrillo
Re: GeoIP and Maxmind « Reply #2 on: May 01, 2024, 08:26:51 pm »
It looks like I do, so then is GeoIP only used outbound from my environment? I thought it also blocks me from anything hitting me from the blocked countries.
Patrick M. Hausen
Re: GeoIP and Maxmind « Reply #3 on: May 01, 2024, 09:20:46 pm »
How can anything hit you if "deny all" is already in place?
Inbound GeoIP is useful if you have publicly accessible services. You can then use GeoIP in those rules.
But "more deny than deny all" is simply not possible. The packets are dropped. End of story.
spetrillo
Re: GeoIP and Maxmind « Reply #4 on: May 01, 2024, 10:12:30 pm »
I have publicly accessible websites, so I figured I would use Maxmind to limit where I get hits from.
Do I only need the inbound rule or can I use both the inbound and outbound rule?
Patrick M. Hausen
Re: GeoIP and Maxmind « Reply #5 on: May 01, 2024, 10:19:16 pm »
Yes, sure.
So outbound GeoIP restrictions go on LAN - or any other internal interface, direction "in", then e.g. a destination invert and an alias that contains all the countries you want to block. Or without the invert an alias containing the countries you want to allow.
For inbound it depends if you have a firewall rule on WAN or a NAT port forward for these publicly accessible web services. Anyway the restriction goes on that rule, interface WAN, direction "in" again.
You hardly ever need "out" rules in OPNsense. The direction from a bird's-eye view is decided by the placement of the rule on a particular interface. Anything "from the Internet inbound" is WAN and "in". Anything "to the Internet outbound" is LAN (and OPT1, OPT2, ... if applicable) and "in".
spetrillo
Re: GeoIP and Maxmind « Reply #6 on: May 01, 2024, 11:03:46 pm »
Ok so this is how I have my rules set up...
My whitelist of IPs is first. Then I block all countries I do not want to see knocking on my door. Then I allow access to my websites. I think this is the right order. The whitelist is first bc there are IPs that I want to allow but are in countries I do not want to allow.
Patrick M. Hausen
Re: GeoIP and Maxmind « Reply #7 on: May 01, 2024, 11:22:51 pm »
Looks good. For a test put your own country in that block list and try to access via mobile phone or similar ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
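The rule order from Reply #6 (whitelist, then country block, then allow websites) on WAN, direction "in", modelled as an added example that is not part of the original thread or OPNsense's own code. It assumes first-match ("quick") evaluation with a default deny; the alias names and addresses (documentation ranges standing in for GeoIP data) are constructed.

```python
import ipaddress

# Constructed aliases (documentation address ranges, not real GeoIP data).
ALIASES = {
    "whitelist": ["198.51.100.25/32"],         # trusted host inside a blocked country
    "blocked_countries": ["198.51.100.0/24"],  # stand-in for a MaxMind country alias
    "any": ["0.0.0.0/0"],
}

def in_alias(ip, alias):
    """True if ip falls inside any network of the named alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[alias])

def evaluate(rules, src_ip, dst_port):
    """Return (action, description) of the first matching rule, else default deny."""
    for action, src_alias, ports, descr in rules:
        if in_alias(src_ip, src_alias) and (ports is None or dst_port in ports):
            return action, descr
    return "block", "default deny"

WEB = {80, 443}

# Order from Reply #6: whitelist, then country block, then allow websites.
WAN_IN = [
    ("pass", "whitelist", WEB, "allow whitelist"),
    ("block", "blocked_countries", None, "GeoIP block"),
    ("pass", "any", WEB, "allow websites"),
]

# Same rules with the whitelist placed after the country block:
# the whitelisted host is caught by the block rule first.
WAN_IN_MISORDERED = [WAN_IN[1], WAN_IN[0], WAN_IN[2]]

if __name__ == "__main__":
    probes = [("198.51.100.25", 443), ("198.51.100.77", 443),
              ("203.0.113.10", 443), ("203.0.113.10", 22)]
    for name, rules in (("reply #6 order", WAN_IN), ("misordered", WAN_IN_MISORDERED)):
        print(name)
        for src, port in probes:
            print(f"  {src}:{port} ->", evaluate(rules, src, port))
```

Adding your own source address to the constructed `blocked_countries` alias and re-running mirrors the test suggested in Reply #7.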