GEOIP stopt working

[marjohn56]

Definitely  working here. Rules updated from Maxmind a couple of hours after I corrected my spelling mistake, yes it was me who did the doc, and the rules are working. Just turned on the logging of the inverted, same as dcol, and sure enough log entries started to appear. I normally have it turned off.

Just to confirm, the string should look like this, this is for the non-commercial users:

https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENCE_KEY&suffix=zip

It took an hour or so after I changed it for it to update, not sure exactly how it works out the time to poll but its once a day,

You should see the last updated date, which is the file date and the number of entries, at least on mine is 433499 if it has successfully connected and downloaded the data.

[agrumpyhermit]

chemlud, creating a new alias did the trick. Thank you!

[marjohn56]

Here's a way of forcing a download and seeing what is happening.

Go into the shell. Bold chars are what you must enter

root@gateway:~ # cd /usr/local/opnsense/scripts/filter/lib
root@gateway:/usr/local/opnsense/scripts/filter/lib # python3

You will now be seeing the Python interpreter.

>>> from geoip import download_geolite
>>> download_geolite()

Wait a few seconds and if you have got the correct url and licence you should see something like this:

{'address_count': 433499, 'file_count': 499, 'timestamp': '2020-01-06T23:45:56', 'locations_filename': 'GeoLite2-Country-Locations-en.csv', 'address_sources': {'IPv4': 'GeoLite2-Country-Blocks-IPv4.csv', 'IPv6': 'GeoLite2-Country-Blocks-IPv6.csv'}}

Hit Ctrl-d to exit the Python interpreter.

This will download the data, and extract the lists to the /usr/local/share/GeoIP/alias folder and prove  that your url is correct. If you run this at anytime it will update the files and you can prove this by looking at the changed date/time on the files in that folder. Note that the free Geolite files are only updated weekly, and according to the Maxmind website this happens on a Tuesday.

[agrumpyhermit]

When I try to delete the old alias it says cannot delete... in use by filter.rule.67/source. I've gone through all my rules in the gui thoroughly and can't find anywhere I missed changing to the new alias. I tried resetting states and reloading pf. It let me disable it but won't let me delete it. Can someone tell me how to figure out what filter.rule.67 is so I can fix this?

[gpb]

Here's a way of forcing a download and seeing what is happening.

Thanks very much!  I never did get it working yesterday, applied the hotfix just now and manually verified it's correct.  Cheers.

[Taomyn]

Here's a way of forcing a download and seeing what is happening.

Thank-you very much for this, works a treat. Checked before and after applying the hotfix and looks fine.

[dcol]

Tried recreating rule and alias, still no log entries for GeoIP.
Tried the shell command above and everything is correct. Just not seeing any blocks in the logs. Not sure if it is working or not.

Is there any other way to test this?

[chemlud]

Enter into your browser

yandex.ru

or

opnsense.org

What happenz?

[dcol]

@chemlud It works. Also tried China sites using WebSitePulse and they all work.

So that means the GeoIP is not functioning for me.

[chemlud]

I would delete the Alias, reboot and establish a fresh Alias. Still not blocking? Did you upgrade to 19.7.9_1? (dunno what got fixed by the latest update though...)

[dcol]

Started working after I changed the floating rule to block both directions. Seems most of the blocking was done by IDS already

[chemlud]

I have two floating rules on all interfaces, one with GeoIP as SOURCE, one with DESTINATION. But I checked now, only the one with SOURCE does fire, if I try to access yandex.ru in the browser. My expectation was that even the traffic from the LAN client (GeoIP as DESTINATION) would be blocked...

[dcol]

I found a real disadvantage in using the invert GeoIP floating rule.
For example. I have a GeoIP rule which blocks every country except US and Canada for my Email ports (except 25). Doing this, any local IP's will not be in the Maxmind list so it will be blocked as well.

I am using a floating rule because I have multiple email servers and wanted the same GeoIP blocking for all of them.

So I either have to make a rule which allows all the local ports to pass before the GeoIP rule, or not use invert and have an enormous list in GeoIP.

Floating rules can be tricky to use due to the multiple interfaces and dual direction capabilities.

Any recommendations for the best approach here?

[mayo]

One question about Geoip: do I have to subscribe also if I don’t use aliases? Thank you!

[marjohn56]

If you are not using  GeoIP rules in the firewall then the answer is no.