Topic: [SOLVED] Intrusion Detection: User Defined GeoIP causing issues ... (Read 6527 times)
ThePOO (Newbie, Posts: 26, Karma: 3)
[SOLVED] Intrusion Detection: User Defined GeoIP causing issues ...
« on: January 07, 2018, 02:34:16 am »
17.7.11-amd64
Intel Celeron J1900 1.99GHz (4 cores)
---> What works well:
Intrusion Detection settings:
Enabled X
IPS mode X
Promiscuous mode x
Enable syslog
Pattern matcher Hyperscan
Interfaces WAN LAN
Home networks 192.168.0.0/16
default packet size
Rotate log Daily
Save logs 7
Log package payload
Intrusion Detection Rulesets enabled and configured to DROP:
abuse.ch/Dyre SSL IPBL
abuse.ch/Feodo Tracker
abuse.ch/SSL Fingerprint Blacklist
abuse.ch/SSL IP Blacklist
ET open/botcc
ET open/botcc.portgrouped
ET open/compromised
ET open/drop
ET open/dshield
ET open/emerging-dos
ET open/emerging-exploit
ET open/emerging-malware
ET open/emerging-scan
---> Adding this causes a HUGE problem:
User Defined:
Enabled X
SSL/Fingerprint
GeoIP/Country United States (not)
GeoIP/Direction Both
Action Drop
Description
------------------------------------------------
I live in the United States and the intent is that only traffic from and to the United States be allowed on either the WAN or LAN interfaces.
Once the GeoIP item is enabled I lose control of the router. I'm unable to use the Web UI to access the router. I'm unable to access the router with SSH. No traffic is flowing in any direction on any interface.
The only thing I can do is connect a local keyboard and monitor and log in that way ... It then becomes apparent the only thing I can do is reset to defaults and import my configuration ---- without the GeoIP User Defined item!!!! Then I'm back in business. Something about that User Defined GeoIP item hates me <frown> ...
Any thoughts on what I'm doing wrong?
« Last Edit: January 08, 2018, 08:02:56 am by franco »
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: Intrusion Detection: User Defined GeoIP causing issues ...
« Reply #1 on: January 07, 2018, 06:05:42 am »
If you have a LAN with private IPs you will get dropped since they are not in the US.
Please don't use IPS for GeoIP. There is a Firewall Alias Type where you can easily select the countries you want.
Then go to your WAN rules and drop SRC GEOALIAS to WANADDRESS and go to LAN rules and set LANNET to GEOALIAS drop.
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
ThePOO (Newbie, Posts: 26, Karma: 3)
Re: Intrusion Detection: User Defined GeoIP causing issues ...
« Reply #2 on: January 07, 2018, 07:56:01 am »
Oh yeah, I now see where I was blowing my foot off with trying to use that blocking technique ... duh, silly me.
Before trying that I actually tried to use the Geo alias and I could not get the rules for LAN and WAN set up properly to drop traffic.
Can you share a screenshot of your LAN and WAN settings? For some reason I'm just not getting them right ...
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: Intrusion Detection: User Defined GeoIP causing issues ...
« Reply #3 on: January 07, 2018, 09:23:36 am »
Better you post a Screenshot and I tell you where to add
ThePOO (Newbie, Posts: 26, Karma: 3)
Re: Intrusion Detection: User Defined GeoIP causing issues ...
« Reply #4 on: January 07, 2018, 10:13:46 am »
Here we go ...
ThePOO (Newbie, Posts: 26, Karma: 3)
Re: Intrusion Detection: User Defined GeoIP causing issues ...
« Reply #5 on: January 07, 2018, 10:44:22 am »
I had surgery two days ago ... gotta sleep for a while. Check back a little later. Thanks in advance.
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: Intrusion Detection: User Defined GeoIP causing issues ...
« Reply #6 on: January 07, 2018, 01:20:15 pm »
Rules are correct. What's in your alias?
ThePOO (Newbie, Posts: 26, Karma: 3)
Re: Intrusion Detection: User Defined GeoIP causing issues ...
« Reply #7 on: January 07, 2018, 02:16:55 pm »
The only countries unchecked are United States and Canada ...
I thought about only checking United States and Canada, then check the "Destination/Invert" on my two rules, if that works. Make them inverse rules, if that is a correct use?
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: Intrusion Detection: User Defined GeoIP causing issues ...
« Reply #8 on: January 07, 2018, 02:47:58 pm »
Only check US and Canada, then inverse in the rule. Better for your memory
ThePOO (Newbie, Posts: 26, Karma: 3)
Re: Intrusion Detection: User Defined GeoIP causing issues ...
« Reply #9 on: January 07, 2018, 03:15:32 pm »
Well now! The inverse rules work perfectly. Thank you for your gentle assistance, much appreciated.
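Added example (not part of the thread and not OPNsense code): a small Python model of why the "United States (not)" IPS rule described in Reply #1 cut off LAN management traffic, next to the per-interface alias rules from Reply #1 and their inverted form from Reply #8. The geo table, the WAN and router addresses, the alias contents and the reading of "Both" as "both endpoints must match" are assumptions made for illustration.

```python
import ipaddress

# Constructed geo table using documentation ranges; real data comes from a GeoIP database.
GEO = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
}
LAN_NET = ipaddress.ip_network("192.168.0.0/16")  # "Home networks" from the first post
WAN_ADDR = "198.51.100.10"                        # hypothetical WAN address
ROUTER_LAN = "192.168.1.1"                        # hypothetical router LAN address

def country(ip):
    """Country code for ip, or None when no record exists (private ranges have none)."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in net), None)

def ips_rule_drops(src, dst):
    """IPS rule from the first post: country 'United States (not)', direction Both, Drop.
    Assumption: 'Both' needs both endpoints to match; None counts as 'not US'."""
    return country(src) != "US" and country(dst) != "US"

def alias_match(ip, alias, invert=False):
    """Firewall alias test; invert=True models the rule's Invert checkbox."""
    return (country(ip) in alias) != invert

def firewall_drops(iface, src, dst, alias, invert=False):
    """Per-interface rules from Reply #1: WAN drops alias -> WAN address,
    LAN drops LAN net -> alias."""
    if iface == "WAN":
        return dst == WAN_ADDR and alias_match(src, alias, invert)
    if iface == "LAN":
        return ipaddress.ip_address(src) in LAN_NET and alias_match(dst, alias, invert)
    return False

def demo():
    blocked, allowed = {"DE"}, {"US", "CA"}  # constructed alias contents
    return {
        "ips_lan_to_router": ips_rule_drops("192.168.1.50", ROUTER_LAN),
        "fw_wan_from_de": firewall_drops("WAN", "203.0.113.7", WAN_ADDR, blocked),
        "fw_lan_to_us": firewall_drops("LAN", "192.168.1.50", "198.51.100.20", blocked),
        "fw_lan_to_router": firewall_drops("LAN", "192.168.1.50", ROUTER_LAN, blocked),
        "fw_inverted_lan_to_router": firewall_drops("LAN", "192.168.1.50", ROUTER_LAN, allowed, True),
    }

if __name__ == "__main__":
    for name, dropped in demo().items():
        print(f"{name}: {'drop' if dropped else 'pass'}")
```

The last entry shows that an inverted alias also matches destinations with no country record, such as the router's own LAN address, which is the same effect that broke the IPS rule. On a firewall that evaluates rules in order, a pass rule for LAN-local destinations placed above the inverted drop rule avoids that.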