
Author Topic: GeoBlock Whitelisting by LAN IP  (Read 284 times)


Offline EWBtCiaST

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
GeoBlock Whitelisting by LAN IP
« on: December 01, 2017, 06:29:38 pm »
I'm currently using pfBlockerNG to geoblock several countries. I have one device on my LAN that I want whitelisted from the geoblock. Is this possible?

I've tried adding a whitelisting rule to the IPv4 rules. I've also tried adding floating and LAN rules to the top of the firewall lists allowing the specific LAN device as the source to ANY.

What am I doing wrong?

Offline V3lcr0

  • Full Member
  • ***
  • Posts: 190
  • Karma: +7/-0
Re: GeoBlock Whitelisting by LAN IP
« Reply #1 on: December 02, 2017, 11:40:12 am »
I don't believe you can whitelist geoblocking in pfBlocker...I suspect you blocked everything? In my experience geo blocking is all or nothing...

Offline EWBtCiaST

Re: GeoBlock Whitelisting by LAN IP
« Reply #2 on: December 02, 2017, 01:41:16 pm »
I'm not blocking everything, but I am blocking the usual suspect countries. I was hoping to exclude one specific device on my LAN from geoblocking. I looked for a few hours yesterday and couldn't figure it out.

Offline RonpfS

  • Hero Member
  • *****
  • Posts: 684
  • Karma: +96/-2
Re: GeoBlock Whitelisting by LAN IP
« Reply #3 on: December 02, 2017, 02:57:32 pm »
What about creating FW Rules to allow that device outbound before the GeoIP FW Block rules?
Or use Advanced Outbound FW Rules Settings, Custom Source/Invert/Alias name for IP of the LAN device.
« Last Edit: December 02, 2017, 03:14:16 pm by RonpfS »
2.3.5-RELEASE (amd64)
Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
pfBlockerNG 2.1.2_1/Dev, suricata 4.0.1

Offline EWBtCiaST

Re: GeoBlock Whitelisting by LAN IP
« Reply #4 on: December 02, 2017, 03:31:29 pm »
The geo blocking rules are in the floating section of the firewall. I did add a floating rule to the top of the floating section with the source as the LAN IP I need unblocked. But that was still being blocked even though it was above the geo blocking rules. Is there any other way to do it?

Offline RonpfS

Re: GeoBlock Whitelisting by LAN IP
« Reply #5 on: December 02, 2017, 03:39:55 pm »
Did you select Quick [ x ] Apply the action immediately on match?
« Last Edit: December 02, 2017, 03:51:47 pm by RonpfS »

Offline EWBtCiaST

Re: GeoBlock Whitelisting by LAN IP
« Reply #6 on: December 02, 2017, 04:13:28 pm »
Yes I did. But I don't think I selected “inverted.” Would that make a difference?

Offline RonpfS

Re: GeoBlock Whitelisting by LAN IP
« Reply #7 on: December 02, 2017, 04:25:45 pm »
Quote: "Yes I did. But I don't think I selected “inverted.” Would that make a difference?"
If you created a FW rule to allow the LAN device, then you have to select Quick and no invert for Source.

For your GeoIP block alias table, there you could just create an FW Alias IP for the LAN device, then select Custom source, Invert; that should block inbound LAN except the LAN device.


Offline EWBtCiaST

Re: GeoBlock Whitelisting by LAN IP
« Reply #8 on: December 02, 2017, 08:10:44 pm »
Attached is the floating rule I have at the top of the list. When I add this rule, the traffic is still blocked, but the blocked alert changes my interface from the LAN to Opt1.

Offline RonpfS

Re: GeoBlock Whitelisting by LAN IP
« Reply #9 on: December 02, 2017, 08:16:18 pm »
What did you select for Interface for that rule? It should be applied on LAN if the device resides on that network.

Offline EWBtCiaST

Re: GeoBlock Whitelisting by LAN IP
« Reply #10 on: December 02, 2017, 08:19:43 pm »
The only interface selected is the LAN.

Offline RonpfS

Re: GeoBlock Whitelisting by LAN IP
« Reply #11 on: December 02, 2017, 08:25:59 pm »
What is the interface / direction of the alerts?

The FW rule will allow the LAN IP to initiate outbound traffic and associated return traffic.
It will still block incoming connections not initiated by the LAN IP.

Offline EWBtCiaST

Re: GeoBlock Whitelisting by LAN IP
« Reply #12 on: December 02, 2017, 08:57:33 pm »
I'm trying to visit a website from that .15 device on my LAN. PFBlocker is geoblocking it even though the rule is above the geo rules in the floating section.

Offline RonpfS

Re: GeoBlock Whitelisting by LAN IP
« Reply #13 on: December 02, 2017, 09:17:27 pm »
Beats me. You applied the changes to the FW Rules?
Enable logging on the rule and see what's happening in Firewall logs.
Also check the LAN rules.
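
Added example, not part of the thread and not pfSense or pfBlockerNG code: a simplified Python model of how pf evaluates the kind of rules discussed above (last matching rule wins unless a rule is Quick, and a forwarded packet is filtered on both the ingress and the egress interface). The 192.168.1.0/24 LAN subnet, the 203.0.113.0/24 "GeoIP" network, and the assumption that the GeoIP block rules apply on both LAN and OPT1 are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DEVICE = "192.168.1.15"   # constructed address for the ".15 device"
GEO = "203.0.113.0/24"    # constructed stand-in for a geoblocked network

@dataclass
class Rule:
    action: str            # "pass" or "block"
    iface: str             # interface the rule is bound to
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    quick: bool = False
    label: str = ""

def evaluate(rules, iface, src, dst):
    """Last matching rule wins; a matching quick rule ends evaluation at once."""
    verdict = ("pass", "no rule matched")   # pf's implicit default
    for r in rules:
        if r.iface != iface:
            continue
        if ip_address(src) not in ip_network(r.src):
            continue
        if ip_address(dst) not in ip_network(r.dst):
            continue
        verdict = (r.action, r.label)
        if r.quick:
            break
    return verdict

def forward(rules, src, dst, ingress="LAN", egress="OPT1"):
    """A forwarded packet must pass inbound on ingress AND outbound on egress.
    NAT is not modelled: on a NATed interface, outbound rules see the
    translated source address, not the LAN address."""
    for iface in (ingress, egress):
        action, label = evaluate(rules, iface, src, dst)
        if action == "block":
            return ("block", iface, label)
    return ("pass", None, None)

def ruleset(quick, exempt_ifaces):
    """Exemption rule(s) placed above GeoIP block rules on LAN and OPT1."""
    exempt = [Rule("pass", i, src=DEVICE, quick=quick, label="exempt")
              for i in exempt_ifaces]
    geo = [Rule("block", i, dst=GEO, quick=True, label="geoblock")
           for i in ("LAN", "OPT1")]
    return exempt + geo

if __name__ == "__main__":
    for quick, ifaces in ((False, ("LAN",)), (True, ("LAN",)), (True, ("LAN", "OPT1"))):
        print(quick, ifaces, forward(ruleset(quick, ifaces), DEVICE, "203.0.113.7"))
```

In this model, a Quick exemption bound only to LAN moves the block from LAN to OPT1, which is the same shape as the alert change described in Reply #8; enabling logging on the rules, as suggested in Reply #13, is how to confirm which rule and interface actually produce the block on a real firewall.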