opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Can't block Yandex urls using BGP ASN #6953

Closed ruslanbay closed 1 year ago

ruslanbay commented 1 year ago

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

To Reproduce

Steps to reproduce the behavior:

  1. Go to Firewall: Aliases
  2. Create a new alias:
     - Name: Yandex
     - Type: BGP ASN, IPv4+IPv6
     - Content: 13238 44534 210560
  3. Click Save
  4. Click Apply
  5. Go to Firewall: Rules: LAN
  6. Create a new rule:
     - Action: Block
     - Quick: checked
     - Interface: LAN
     - Direction: IN
     - TCP/IP Version: IPv4+IPv6
     - Protocol: Any
     - Source: Any
     - Destination: Yandex (the alias we created on step 4)
  7. Click Save
  8. Click Apply
  9. Navigate to https://ya.ru or https://passport.yandex.ru/

Expected behavior

Web pages are not available

Actual behavior

The web page is accessible even though the IP address belongs to ASN13238.

I have the same exact rule for several other ASNs, but for some reason the rule doesn't work for Yandex.

https://host.io/ya.ru https://ipinfo.io/213.180.204.24 https://ipinfo.io/77.88.55.242 https://ipinfo.io/2a02:6b8::24


Environment

OPNsense 23.7.6

AdSchellevis commented 1 year ago

Same comment as the other ticket: to fetch ASNs, the firewall needs to be able to fetch a remote file. Often these issues relate to DNS and/or misconfigured IPv6 routing. The log files help debug your issues in these cases.

ruslanbay commented 1 year ago

The thing is, I have several rules for different ASNs and they all work except the rule for Yandex

ruslanbay commented 1 year ago

It seems like ASNs have been fetched:

Date                 Severity  Process   Line
2023-10-20T15:09:30  Notice    firewall  dowloaded ASN list (1114566 entries)
2023-10-19T14:34:34  Notice    firewall  dowloaded ASN list (1114803 entries)

AdSchellevis commented 1 year ago

Does the alias contain anything for Yandex? If not, I can easily try the same on my end as well.

ruslanbay commented 1 year ago

Thank you Ad, I appreciate that level of support. The alias only contains three ASNs: 13238, 44534 and 210560. They are all related to Yandex.

AdSchellevis commented 1 year ago

https://passport.yandex.ru/ resolves to 213.180.204.24 at my end, which doesn't seem to match the provided ASNs


our (ipv4) source is https://thyme.apnic.net/current/data-raw-table

ruslanbay commented 1 year ago

> our (ipv4) source is https://thyme.apnic.net/current/data-raw-table

Thanks, it seems like there are some IP addresses missing in this list.

cat "data-raw-table.txt" | Select-String 13238
90.156.181.0/24 13238

Is it possible to use offline packages as an ASN/GeoIP database? I can see some MaxMind packages for FreeBSD: https://freebsd.pkgs.org/13/freebsd-amd64/libmaxminddb-1.7.1_1.pkg.html https://freebsd.pkgs.org/13/freebsd-amd64/p5-MaxMind-DB-Reader-1.000014.pkg.html https://freebsd.pkgs.org/13/freebsd-amd64/p5-MaxMind-DB-Reader-XS-1.000009.pkg.html

AdSchellevis commented 1 year ago

This is likely the entry you're looking for, not sure why it moved to 208398

213.180.192.0/19        208398

Other packages are not supported on our end, but you can always create your own list and fetch it from there.
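
The check this thread converges on, as an added example that is not part of the original discussion or of OPNsense's code: look up which origin ASN a prefix table in the `prefix ASN` layout quoted above assigns to an address, and whether an ASN-based alias would therefore cover it. It assumes the alias expands to every prefix whose origin ASN is listed in the alias; the function names and the 192.0.2.x rows are constructed for illustration.

```python
import ipaddress

# Rows in the "prefix<whitespace>origin ASN" layout quoted in the thread.
# The first two rows are the ones quoted above; the 192.0.2.x rows are
# constructed (documentation prefix, private-use ASNs) to show overlap.
SAMPLE_TABLE = """\
90.156.181.0/24\t13238
213.180.192.0/19\t208398
192.0.2.0/24\t64512
192.0.2.128/25\t64513
"""

ALIAS_ASNS = {13238, 44534, 210560}  # alias content from the report


def parse_table(text):
    """Return [(network, asn)], skipping malformed rows."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue
        routes.append((net, int(parts[1])))
    return routes


def origin_asn(routes, address):
    """Longest-prefix match: (network, asn) for the address, or None."""
    ip = ipaddress.ip_address(address)
    hits = [(n, a) for n, a in routes if n.version == ip.version and ip in n]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)


def alias_covers(routes, alias_asns, address):
    """True if a prefix originated by one of the alias ASNs contains the address."""
    ip = ipaddress.ip_address(address)
    return any(a in alias_asns and n.version == ip.version and ip in n
               for n, a in routes)


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for addr in ("213.180.204.24", "90.156.181.10", "77.88.55.242"):
        print(addr, origin_asn(table, addr), alias_covers(table, ALIAS_ASNS, addr))
```

Run against a full copy of the table, an address that reports an unexpected origin ASN or `None` explains why a block rule built on the alias never matches it.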