opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

GeoIP Alias list only works when inverted #2715

Closed mimugmail closed 5 years ago

mimugmail commented 5 years ago

When I select all countries besides my home and set a block rule it doesn't match, or better, it leaves out this rule and jumps to the next. If I select my home and invert the source it works. I also tested just a couple of countries to see if there's a limit, but 3 in one alias doesn't work either.

Can anyone reproduce this (latest stable)?

For reference: https://www.reddit.com/r/OPNsenseFirewall/comments/9eyh2q/geoip_via_alias_not_working/

AdSchellevis commented 5 years ago

This sounds odd, sounds more like a source / destination swap. To check if the geo ip’s work, you can easily check the contents of the geoip table to see if your range is in there.

Maybe we should add a simple tool at some point in time to check if an alias contains a given address, that would ease troubleshooting in my opinion. (I don’t think that’s already in the ui).

mimugmail commented 5 years ago

I was just able to reproduce.

I created a new Alias, marked all countries besides Germany. Set a Firewall rule on WAN with Source as the new Alias and looked at the live view. Now when I do a ping from Netherlands I see the packet dropped, but from the Default drop rule, and not the one I inserted. If I do a reverse and set a label I can see the drop with my own marker.

AdSchellevis commented 5 years ago

Please check the content of the alias, geoips are the same as other types. Just a list of addresses where it matches on. All but a single country will require a large table by the way (defaults are not large enough to load all pools in the world except one country). Usually it's not a very good idea to match all countries except one, a reverse approach (!DE) is quicker and consumes less memory.

If it couldn’t load your alias, there’s likely a log entry somewhere from pf.

marjohn56 commented 5 years ago

Not sure what's happening then as I've just checked mine and all is fine. I have most of the world blocked and a test with Tunnelbear shows that mine is working fine. Only thing I have to do is increase the size of the Firewall Max Table entries.
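The two troubleshooting steps suggested in this thread (check whether an alias table actually contains a given address, and check whether the table even fits under the configured Firewall Maximum Table Entries) can be modelled offline. The script below is an added example and is not code from the OPNsense project or from any commenter. It parses a table dump in the one-prefix-per-line shape that `pfctl -t <name> -T show` prints, tests an address for membership, and models the failure mode described in the thread: a table larger than the limit is not loaded, so a rule that references it never matches and traffic falls through to the default deny. The prefixes, the rule list and the `first_matching_rule` model are constructed for illustration; the limit values are placeholders, not OPNsense defaults.

```python
"""Offline helper modelling pf alias-table checks (added example, not OPNsense code)."""
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
# A rule is (label, networks the alias resolved to, source-inverted flag).
Rule = Tuple[str, List[Network], bool]

# Constructed sample dump in the shape of `pfctl -t geoip_example -T show`.
# These prefixes are made up for the example and are not a real GeoIP feed.
SAMPLE_TABLE_DUMP = """\
   1.0.0.0/24
   1.0.4.0/22
   2.16.10.0/24
   31.172.80.0/21
   185.0.0.0/16
"""


def parse_table_dump(text: str) -> List[Network]:
    """Parse one prefix per line, ignoring blanks and '#' comments."""
    networks: List[Network] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # strict=False tolerates host bits being set, as pf does on load.
        networks.append(ipaddress.ip_network(line, strict=False))
    return networks


def alias_contains(networks: List[Network], addr: str) -> Optional[Network]:
    """Return the first prefix containing addr, or None (the check
    AdSchellevis suggests adding to the UI; `pfctl -t NAME -T test ADDR`
    does the same on a live box)."""
    ip = ipaddress.ip_address(addr)
    for net in networks:
        if ip.version == net.version and ip in net:
            return net
    return None


def table_fits(networks: List[Network], table_entries_limit: int) -> bool:
    """True if the table can be loaded under the pf 'table-entries' limit."""
    return len(networks) <= table_entries_limit


def first_matching_rule(rules: List[Rule], src: str, table_entries_limit: int) -> str:
    """Walk the rules in order and return the label of the first match.

    Assumption modelled from the thread: a table over the limit is not
    loaded, so its rule cannot match and the packet reaches the default deny.
    """
    for label, networks, inverted in rules:
        if not table_fits(networks, table_entries_limit):
            continue  # table failed to load: rule silently never matches
        hit = alias_contains(networks, src) is not None
        if hit != inverted:  # plain rule needs a hit, inverted rule needs a miss
            return label
    return "default deny"


if __name__ == "__main__":
    nets = parse_table_dump(SAMPLE_TABLE_DUMP)
    print("entries:", len(nets))
    print("1.0.4.7 in table:", alias_contains(nets, "1.0.4.7"))
    print("8.8.8.8 in table:", alias_contains(nets, "8.8.8.8"))
    block_all_but_home: List[Rule] = [("block_geoip", nets, False)]
    # Limit too small: the rule never matches and the default deny fires.
    print(first_matching_rule(block_all_but_home, "1.0.4.7", table_entries_limit=3))
    # Limit raised: the custom label shows up, as after the reboot in the thread.
    print(first_matching_rule(block_all_but_home, "1.0.4.7", table_entries_limit=1000))
```

On a real OPNsense box the equivalents are `pfctl -t <table> -T show | wc -l` for the entry count, `pfctl -sm` for the active `table-entries` limit, and `pfctl -t <table> -T test <address>` for the membership check; a raised limit should take effect after a filter reload, which is exactly the point that was unclear in the thread.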

mimugmail commented 5 years ago

I had a look at max table syslogs but don't get them. I'll raise them and try to reproduce.

Thanks Martin :)

AdSchellevis commented 5 years ago

If the error is missing, we might need to look at that. Last time I had a similar issue there was something in the log if I remember correctly.

mimugmail commented 5 years ago

Yes, this was with URL table, that's why I thought it's not related to the max limit.

mimugmail commented 5 years ago

Does raising the state table require a reboot? I finally found the time to reproduce, raised the value to 20 million and only after a reboot did the rules match.

AdSchellevis commented 5 years ago

It shouldn’t, a filter reload should be enough.

mimugmail commented 5 years ago

I'm closing it since raising the value is the solution. Perhaps GeoIP and URL Table aliases work differently, because I had in mind that with URL Table there was a warning when the table is larger than the configured value.