GeoIP Problem!

Started by opnsenseuser, November 09, 2018, 12:09:34 PM

November 09, 2018, 12:09:34 PM Last Edit: November 09, 2018, 12:16:11 PM by noname12123
First, I created the alias. Then I selected the countries or continents that I want to block.
In the last step, I selected the alias as the source in the firewall rule of the WAN interface. I then confirmed this, waited 10 minutes and tried it.

How can it be that I can still load, for example, the Angola homepage?

I then additionally entered the alias as destination in the WAN firewall rules too, but it does not work either.

Does this work only with IDS / IPS or am I doing something wrong?

For screenshots of the settings, see the attachment!

best regards
rené
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

You have to increase max table size in Firewall : Settings : Advanced

Thanks for your reply.

I increased the Firewall Maximum Table Entries to "500000" and applied the changes.
I still use the alias on the source and destination WAN rules.

No difference, http://www.governo.gov.ao/ still works!



Make it 1,5 Mio .. if it's still not working it's Layer 8 :)

November 09, 2018, 01:58:47 PM #4 Last Edit: November 09, 2018, 02:06:50 PM by noname12123
Quote from: mimugmail on November 09, 2018, 01:42:30 PM
Make it 1,5 Mio .. if it's still not working it's Layer 8 :)

https://en.wikipedia.org/wiki/Layer_8 ;-)

http://www.angolatelecom.ao/ -> still works
http://www.governo.gov.ao/ -> still works
http://www.angop.ao/ -> still works

If I understand the firewall rules correctly, "source" means the traffic that comes into the firewall and "destination" everything that goes out of the firewall, right?

So if I want to block pages from Angola I would have to enter the alias under Destination, right?

After having amused myself about Layer 8, I can't really say what I'm doing wrong now.
Perhaps choose the LAN interface for the blocking rule and not the WAN interface?
How can I check whether the GeoIP blocking works?

By the way, I'm using a transparent Squid proxy with a certificate, if this is important to know!



If you want to block traffic TO Angola, you have to add the rule in the LAN tab and it's destination.
When using Squid as transparent it SHOULD be on the WAN tab and destination, but I'm unsure, I never did that in transparent mode.

Unfortunately, I have to tell you that I've tried everything you said, but without success. No matter which countries are blocked, or whether they are blocked via dest / source on the LAN interface or via dest / source on the WAN interface. It has to be somehow related to the transparent proxy, but I do not know yet.

Who knows how to configure it?

I'm afraid it won't work with transparent proxy.

Only solution is to make a no rdr rule in NAT for your country so it's not routed via proxy and then you have to put the rule in LAN tab.

Touching NAT rules on transparent proxy needs nat state clearing!
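
An added illustration, not part of the thread and not OPNsense code: a small Python model of why the LAN block rule never matches behind a transparent proxy and what the "no rdr" exception changes. It relies on pf applying redirects before filter rules; the alias contents (a documentation range), the proxy ports 3128/3129 and all function names are assumptions made for the example.

```python
import ipaddress

# Constructed sample data: a documentation range stands in for the GeoIP alias.
GEOIP_ALIAS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed transparent-proxy redirects: original port -> local Squid listener.
REDIRECTS = {80: ("127.0.0.1", 3128), 443: ("127.0.0.1", 3129)}


def in_alias(addr):
    """True if addr falls inside any network of the (sample) alias."""
    return any(addr in net for net in GEOIP_ALIAS)


def translate(dst, dport, no_rdr_for_alias):
    """NAT stage. pf applies redirects before the filter rules run."""
    if no_rdr_for_alias and in_alias(dst):
        return dst, dport  # "no rdr" exception: packet keeps its destination
    if dport in REDIRECTS:
        proxy_ip, proxy_port = REDIRECTS[dport]
        return ipaddress.ip_address(proxy_ip), proxy_port
    return dst, dport


def lan_filter(dst):
    """Filter stage on LAN: block if destination is in the alias, else pass."""
    return "block" if in_alias(dst) else "pass"


def lan_verdict(dst, dport, no_rdr_for_alias=False):
    """Return (verdict, destination seen by the filter, port seen by the filter)."""
    seen_dst, seen_port = translate(ipaddress.ip_address(dst), dport, no_rdr_for_alias)
    return lan_filter(seen_dst), str(seen_dst), seen_port


if __name__ == "__main__":
    for label, flag in (("redirect only", False), ("with no-rdr exception", True)):
        print(label, lan_verdict("203.0.113.10", 80, flag))
```

With the redirect alone the filter only ever sees the proxy's loopback address, so the alias cannot match; with the exception in place the original destination reaches the LAN rule and is blocked.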

December 01, 2018, 06:48:43 PM #8 Last Edit: December 02, 2018, 12:53:51 AM by gex