Reply
New Member
Posts: 29
Registered: ‎07-31-2017
Kudos: 18
Solutions: 1

Geo IP Filtering Question

Running 5.7.12.

 

Quick question. If I set the United States in geo ip filtering and set that to allow, does that block all other countries?

 

Thanks <3

 
Highlighted
New Member
Posts: 35
Registered: ‎11-21-2014
Kudos: 7
Solutions: 1

Re: Geo IP Filtering Question

I'd like to know the answer to this too.  If I allow a country, does it block all of the others?  I'd like to just allow Canada or USA etc and have it block all the other countries.  Makes more sense to me than doing it via blocking.

New Member
Posts: 56
Registered: ‎02-13-2016
Kudos: 41

Re: Geo IP Filtering Question

+1

New Member
Posts: 21
Registered: ‎08-21-2013
Kudos: 6
Solutions: 2

Re: Geo IP Filtering Question

I'd like to know this as well. In my testing it does not look that way. I set an allow rule for the USA and then waited for provisioning to finish. I was still able to access foreign sites... Maybe I am testing it incorrectly.
New Member
Posts: 8
Registered: ‎03-06-2017
Kudos: 2

Re: Geo IP Filtering Question

+1
Unifi Guru
Ubiquiti Employee
Posts: 132
Registered: ‎02-13-2018
Kudos: 30
Solutions: 24

Re: Geo IP Filtering Question

When you set accept US this is what is provisioned in the USG:

geoip {
    action accept-only
    country-list US
    lan-list eth1
    traffic-direction both
    wan-list eth0

This implies that only traffic from the US is accepted in and out of my USG. 

 

If you want to view what is provisoned in your USG you can SSH into it and type show configuration and parse through it or go into configure mode and type show geoip.

New Member
Posts: 8
Registered: ‎03-06-2017
Kudos: 2

Re: Geo IP Filtering Question

Maybe in theory. 

If you apply the rules to block The USA, you still access USA links.

If you apply the rules to allow ONLY the USA, you can still access foreign links.

 

I've found no way to prove that this function actually works, its a placebo at the moment.

Unifi Guru
New Member
Posts: 37
Registered: ‎11-25-2015
Kudos: 3

Re: Geo IP Filtering Question

Still no answer on this from unifi?

Ubiquiti Employee
Posts: 132
Registered: ‎02-13-2018
Kudos: 30
Solutions: 24

Re: Geo IP Filtering Question

This feature only works for offloaded traffic at this point. If you have selected smart queues, or IDS/IPS then it will negate the function of geo-IP blocking. 

 

Another note to keep in mind is the presence of POPs in a CDN. @masterdarken, when you visit these foreign links, are you positive that the domain you are resolving is an IP that is included in a block of IPs that a country is using?

 

Keep in mind that geo-IP filtering does have the beta tag on it still, and is in active development. 

New Member
Posts: 8
Registered: ‎03-06-2017
Kudos: 2

Re: Geo IP Filtering Question

Thank you for clarification AdamD.

 

I'm confident my links are resolved foreign, as i'm using a specific site over seas designed for testing this specific feature

 

However, i was not aware that IDS/IPS negated the effects of geo-ip blocking, and i do have these enabled.

 

I will re-test with your advice and report back results.

Unifi Guru
Ubiquiti Employee
Posts: 132
Registered: ‎02-13-2018
Kudos: 30
Solutions: 24

Re: Geo IP Filtering Question

@masterdarken I appreciate it. Are you able to give me specifics on that site for testing and any other methods that you are testing with? I would also like do some testing of my own on this one to get back with some feedback for all of you on here. 

Reply