Geo IP Alias and Firewall block not working all the time

Started by Plaidy, November 10, 2020, 02:01:14 PM

I recently set up OPNsense on an E3-1240L v3 with 8GB of DDR3 ECC Unbuffered memory. With my aliases and rules I am running about 3GB RAM used at any particular time. I made an alias for geoip and added the US and DE to it. I then made a firewall rule with a source invert allowing only traffic from these two countries to my network. I have tested that the block is working by connecting to a handful of other countries over VPN and attempting to access my network. The problem is I am seeing some hits in Fail2Ban from a few IPs that are from countries that are not supposed to be allowed such as CN and GB. The system with Fail2Ban sits behind the OPNsense box within my LAN so it should never see the hits if OPNsense is doing its job. I grep'd the maxmind csv files and the IP blocks the single IPs are coming from are reported correctly in line with their whois information.

Does anyone know why I would be getting some IPs through the firewall that should be blocked by the geo IP alias set?

I attached a compilation screenshot showing the traffic to my internal device, the lookup of the IP via whois and then matching it to maxmind. Then it shows how I have the geoip set configured in Aliases and the Firewall block. Any suggestions would be welcome.

Do any devs monitor these forums? Seems like this should be knowledge held by someone.

.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

I wasn't quite sure how to look in the actual GeoIP Alias in OPNsense. The closest I could figure out was to grep the country code of the subnet from the csvs that OPNsense is using as a source. I mean, mostly it's all working as expected, meaning that it must be populating. I just get a few one off strange cases as shown in the screenshot once in a while.

Ok so I just checked and the 180.160.0.0/12 subnet is NOT in the whitelist_by_country alias as would be expected since I am using it for a source invert block rule.

Also, thank you for the way to see the individual entries in an alias. I was looking for that a few days ago with no success.

Edit: Since this person deleted EVERY single response even ones with helpful information, the way to see these subnets in the alias is by going to Firewall --> Diagnostics --> pfTables.

No. Those are the 4 subnets that show up when I typed 180.160 in the search bar above right. None of them are the subnet in question.

It seems you edited this post, so to quote the new message:

Quote from: chemlud on November 18, 2020, 03:16:11 PM
But as it is not in your list, it should be blocked...

You're right it should have been blocked but it wasn't.

Quote from: chemlud on November 18, 2020, 02:26:25 PM
Nobody is perfect... or maybe China Telecom pays for not being included? Who knows...
...
This Geoblocking thing has nothing to do with OPNsense developers, better to complain there... ;-)

In response to the issue being taken up with the block list provider: That would make sense if the subnet was not shown correctly as belonging to a country outside DE/US. But it is shown in the providers subnet list csv as belonging to a country outside my GeoIP selection AND OPNsense is not showing the subnet as being included in the geoIP countries I have selected.

...but OPNsense was still allowing that subnet through the firewall for some reason. Or more accurately, an IP in a subnet that OPNsense should have known to block based on my firewall rule.

I put the effort in to verify that what you outlined above was not the scenario in this case and went to pains to show that in my first screenshot collection. This IS the fault of OPNsense.


Quote from: chemlud on November 18, 2020, 02:26:25 PM
...and although CN is on my GeoBlock Alias, this 180.163.220.0/24 is not in the Alias. Nobody is perfect... or maybe China Telecom pays for not being included? Who knows...

In fact, your example here is the same exact scenario as mine. The maxmind list shows the subnet you listed as being part of china:

$ grep -r "^180.160." ./*
./GeoLite2-Country-Blocks-IPv4.csv:180.160.0.0/12,1814991,1814991,,0,0
---------------------
./GeoLite2-Country-Locations-en.csv:1814991,en,AS,Asia,CN,China,0

---->  180.160.0.0/12 = 180.160.0.0 - 180.175.255.255
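A grep on a literal octet prefix such as `^180.160.` only finds rows whose text starts that way; it does not tell you which CIDR block an address like 180.163.220.3 actually falls into, nor whether that block would end up inside a US/DE alias. The following script is an added example for this thread, not OPNsense code or anything from MaxMind: it joins the two GeoLite2 CSV files the way the grep above does by hand, resolves an IP by longest-prefix match, and models a block rule with an inverted source alias. The column names follow the GeoLite2-Country CSV layout, the 180.160.0.0/12 to CN pair is the one quoted above, and the TEST-NET ranges and their country assignments are constructed for the example. Falling back to `registered_country_geoname_id` when `geoname_id` is empty is an assumption about how a consumer should treat such rows.

```python
import csv
import io
import ipaddress

# Constructed sample data in the GeoLite2-Country CSV layout. The 180.160.0.0/12 -> CN
# row is the one quoted in the thread; the TEST-NET ranges and their country
# assignments are invented for this example and are not real geolocation data.
BLOCKS_CSV = """\
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
180.160.0.0/12,1814991,1814991,,0,0
192.0.2.0/24,6252001,6252001,,0,0
198.51.100.0/24,2921044,2921044,,0,0
203.0.113.0/24,2635167,2635167,,0,0
203.0.113.128/25,,2635167,,0,0
"""

LOCATIONS_CSV = """\
geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
1814991,en,AS,Asia,CN,China,0
6252001,en,NA,North America,US,United States,0
2921044,en,EU,Europe,DE,Germany,1
2635167,en,EU,Europe,GB,United Kingdom,0
"""


def load_country_table(blocks_text, locations_text):
    """Join the blocks file to the locations file and return a list of
    (network, country_iso_code) tuples. Rows with an empty geoname_id fall
    back to registered_country_geoname_id (assumption made for this example)."""
    iso_by_geoname = {
        row["geoname_id"]: row["country_iso_code"]
        for row in csv.DictReader(io.StringIO(locations_text))
    }
    table = []
    for row in csv.DictReader(io.StringIO(blocks_text)):
        gid = row["geoname_id"] or row["registered_country_geoname_id"]
        iso = iso_by_geoname.get(gid)
        if iso:
            table.append((ipaddress.ip_network(row["network"]), iso))
    return table


def country_for_ip(ip, table):
    """Longest-prefix match of an address against the loaded blocks.
    Returns the ISO code, or None when no block covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iso in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iso)
    return best[1] if best else None


def build_alias(table, countries):
    """Networks a GeoIP alias for the given country codes should contain;
    compare this list with what the pfTables diagnostics page shows."""
    return [net for net, iso in table if iso in countries]


def check_invert_rule(ip, table, countries):
    """Model a block rule whose source is the inverted alias: anything not
    inside the alias, including addresses the database does not cover, is blocked."""
    alias = build_alias(table, countries)
    addr = ipaddress.ip_address(ip)
    in_alias = any(addr in net for net in alias)
    return {
        "ip": ip,
        "country": country_for_ip(ip, table),
        "in_alias": in_alias,
        "verdict": "pass" if in_alias else "block",
    }


if __name__ == "__main__":
    table = load_country_table(BLOCKS_CSV, LOCATIONS_CSV)
    for ip in ("180.163.220.3", "192.0.2.10", "198.51.100.5", "203.0.113.200", "100.64.0.1"):
        print(check_invert_rule(ip, table, {"US", "DE"}))
```

Run against the real GeoLite2-Country-Blocks-IPv4.csv and GeoLite2-Country-Locations-en.csv, the same functions show exactly which CIDR an address resolves to and whether that CIDR belongs in the whitelist alias, which is the comparison to make against the pfTables view of the loaded alias when a supposedly blocked address shows up behind the firewall.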

November 18, 2020, 03:35:14 PM #10 Last Edit: November 18, 2020, 04:25:37 PM by chemlud

Quote from: chemlud on November 18, 2020, 03:35:14 PM
Actually the 180.163.220.3 is blocked here with my geoblock including CN. Did you check what is all included in the INVERT logics of your firewall rule?

My firewall rule only has a source invert block to my WAN IP address with the geoIP Alias that has DE, US included.

November 18, 2020, 03:44:11 PM #12 Last Edit: November 18, 2020, 04:25:47 PM by chemlud

Quote from: chemlud on November 18, 2020, 03:44:11 PM
Ehm, the rule on WAN makes no sense, as you should not allow ANYTHING from WAN. You need to have the rule on LAN with DESTINATION to your whitelist and INVERT...

And you will be surprised that most of your interwebs won't work with only hosts from US and DE allowed (and by the way malware offenders from the US are more likely than not...)

Maybe I am not understanding the logic but I don't think I have it set up that way. As I understand it, the screenshot below illustrates that ONLY DE, US IPs are allowed into my network and the rule is applied to packets hitting my WAN interface.

To address your edit regarding malware coming from the US: That's fine. I have other aliases that are updated periodically based on probe/attack traffic I see from places such as Digital Ocean and Linode. I specifically want to know why OPNsense is not doing its job here in these admittedly small number of cases.

...And my network connectivity is not hampered in any way by this rule. It is an inbound rule AFAIK.

November 18, 2020, 04:12:56 PM #14 Last Edit: November 18, 2020, 04:26:00 PM by chemlud