Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
19.7 Legacy Series
»
[Solved] 19.7.3: GeoIP based firewall rules on the secondary HA partner broken
« previous
next »
Print
Pages: [
1
]
Author
Topic: [Solved] 19.7.3: GeoIP based firewall rules on the secondary HA partner broken (Read 3537 times)
rainerle
Full Member
Posts: 151
Karma: 9
[Solved] 19.7.3: GeoIP based firewall rules on the secondary HA partner broken
«
on:
September 04, 2019, 06:41:51 pm »
Hi,
as suggested I open a separate thread for above mentioned problem.
During a HA take over services on the BACKUP HA partner are not available since the GeoIP based firewall rules block them.
Running the following scripts on the CLI
/usr/local/opnsense/scripts/filter/download_geoip.py
/usr/local/etc/rc.filter_synchronize
/usr/local/etc/rc.filter_configure
The GeoIP DB files under /usr/local/share/GeoIP/alias are updated but the rules still allow no access to the service.
Adjusting the rules by changing from GeoIP to any restores access to the service. So I am sure it is related to the GeoIP based rule.
Thanks
Rainer
«
Last Edit: September 06, 2019, 12:13:21 am by rainerle
»
Logged
mimugmail
Hero Member
Posts: 6767
Karma: 494
Re: 19.7.3: GeoIP based firewall rules on the secondary HA partner are not working
«
Reply #1 on:
September 04, 2019, 10:08:14 pm »
I try to reproduce tomorrow, just to sum up: I have a HA CARP setup, only allow connections incoming from GER, when FO occurs I can't connect from GER, correct?
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
rainerle
Full Member
Posts: 151
Karma: 9
Re: 19.7.3: GeoIP based firewall rules on the secondary HA partner are not working
«
Reply #2 on:
September 04, 2019, 10:53:25 pm »
Yes. Just as an example ICMP ping allowed from Hosts in Germany. Sync the Firewall rules using XMLRPC sync. Then failover to the BACKUP HA system. Ping to CARP Virtual IP and Host IP does not get a reply.
I do not even get a PING reply on the BACKUP HA system before the failover.
Logged
Kingrat
Newbie
Posts: 9
Karma: 3
Re: 19.7.3: GeoIP based firewall rules on the secondary HA partner are not working
«
Reply #3 on:
September 05, 2019, 02:51:52 am »
What about the alias tables under /var/db/aliastables? Are you being blocked because your address is or is not in one of those (because it is not updating?) There was just a commit to address geo ip alias tables not updating (no expiration set in config)
If your alias tables in there are not actually updating try opnsense-patch ae5692b which includes setting a default expiration of 1 day.
Logged
mimugmail
Hero Member
Posts: 6767
Karma: 494
Re: 19.7.3: GeoIP based firewall rules on the secondary HA partner are not working
«
Reply #4 on:
September 05, 2019, 12:46:30 pm »
Firewall : Diagnostics : pfTables
You alias is filled with content on both? On a fresh system I was missing the GeoIP folder .. so there seems something wrong.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
mimugmail
Hero Member
Posts: 6767
Karma: 494
Re: 19.7.3: GeoIP based firewall rules on the secondary HA partner are not working
«
Reply #5 on:
September 05, 2019, 01:43:16 pm »
Is your alias named like your country? I had this issue, just apply this patch:
https://github.com/opnsense/core/commit/3ef14d17e3b4f4ed38cbe8a9a3861ca5914ee59e
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
rainerle
Full Member
Posts: 151
Karma: 9
Re: 19.7.3: GeoIP based firewall rules on the secondary HA partner are not working
«
Reply #6 on:
September 05, 2019, 01:44:34 pm »
I checked Firewall : Diagnostics : pfTables for the GeoIP aliases - there are IP networks in those aliases.
After running
/usr/local/opnsense/scripts/filter/download_geoip.py
the files under
/usr/local/share/GeoIP/alias
are updated and contain entries. So that seems to work.
Looking at /var/db/aliastables:
root@opnsense02:/var/db/aliastables # ls -lart GeoIP_D*
-rw-r----- 1 root wheel 0 Jun 11 10:11 GeoIP_D_A_CH_RO.self.txt
-rw-r----- 1 root wheel 32 Jun 11 10:11 GeoIP_D_A_CH_RO.md5.txt
-rw-r----- 1 root wheel 0 Jun 11 10:11 GeoIP_D_A_CH_RO.txt
-rw-r----- 1 root wheel 411223 Jul 30 02:51 GeoIP_D.self.txt
-rw-r----- 1 root wheel 32 Jul 30 02:51 GeoIP_D.md5.txt
-rw-r----- 1 root wheel 411222 Jul 30 02:51 GeoIP_D.txt
-rw-r----- 1 root wheel 636862 Jul 30 02:51 GeoIP_D_A_CH_plus.self.txt
-rw-r----- 1 root wheel 32 Jul 30 02:51 GeoIP_D_A_CH_plus.md5.txt
-rw-r----- 1 root wheel 636861 Jul 30 02:51 GeoIP_D_A_CH_plus.txt
root@opnsense02:/var/db/aliastables #
These entries seem outdated and one is even empty...
After applying patch ae5692b and running
/usr/local/etc/rc.filter_configure
the files in /var/db/aliastables are updated and now the GeoIP aliases work...
Cool!
Thanks for mentioning the patch!
Do I need to schedule /usr/local/opnsense/scripts/filter/download_geoip.py in System : Settings : Cron by myself? Or is it run somehow else periodically?
Logged
mimugmail
Hero Member
Posts: 6767
Karma: 494
Re: 19.7.3: GeoIP based firewall rules on the secondary HA partner are not working
«
Reply #7 on:
September 05, 2019, 02:05:58 pm »
Quote from: rainerle on September 05, 2019, 01:44:34 pm
Thanks for mentioning the patch!
Ad wrote it after I tried to reproduce and pinged via IRC
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
19.7 Legacy Series
»
[Solved] 19.7.3: GeoIP based firewall rules on the secondary HA partner broken