Emerging Member
Posts: 44
Registered: ‎07-31-2017
Kudos: 25
Solutions: 1

Geo IP Filtering Question

Running 5.7.12.

Quick question. If I set the United States in geo ip filtering and set that to allow, does that block all other countries?

Thanks <3

 
New Member
Posts: 37
Registered: ‎11-21-2014
Kudos: 8
Solutions: 1

Re: Geo IP Filtering Question

I'd like to know the answer to this too.  If I allow a country, does it block all of the others?  I'd like to just allow Canada or USA etc and have it block all the other countries.  Makes more sense to me than doing it via blocking.

New Member
Posts: 59
Registered: ‎02-13-2016
Kudos: 42

Re: Geo IP Filtering Question

+1

New Member
Posts: 21
Registered: ‎08-21-2013
Kudos: 6
Solutions: 2

Re: Geo IP Filtering Question

I'd like to know this as well. In my testing it does not look that way. I set an allow rule for the USA and then waited for provisioning to finish. I was still able to access foreign sites... Maybe I am testing it incorrectly.

New Member
Posts: 9
Registered: ‎03-06-2017
Kudos: 2

Re: Geo IP Filtering Question

+1

Unifi Guru
Ubiquiti Employee
Posts: 579
Registered: ‎02-13-2018
Kudos: 190
Solutions: 84

Re: Geo IP Filtering Question

When you set accept US this is what is provisioned in the USG:

geoip {
    action accept-only
    country-list US
    lan-list eth1
    traffic-direction both
    wan-list eth0
}

This implies that only traffic from the US is accepted in and out of my USG.

If you want to view what is provisioned in your USG you can SSH into it and type "show configuration" and parse through it, or go into configure mode and type "show geoip".

Adam Dipple | UniFi Support Team
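The accept-only versus block semantics described above, as an added example (not Ubiquiti code and not from this thread): a small evaluator that reads the quoted geoip section (closing brace added) or bare `show geoip` output and decides the verdict for a peer's country. `BLOCK_LIST`, `CONSTRUCTED_GEO` and the documentation-range addresses are constructed stand-ins; a real run needs a proper GeoIP lookup.

```python
"""Evaluate a USG geoip policy against a peer's country (added example, not Ubiquiti
code; ACCEPT_US is the quoted accept-only block, BLOCK_LIST and CONSTRUCTED_GEO are made up)."""

ACCEPT_US = """
geoip {
    action accept-only
    country-list US
    lan-list eth1
    traffic-direction both
    wan-list eth0
}
"""

BLOCK_LIST = """\
ubnt@usg# show geoip
 action block
 country-list CN,HK,KP,KR,SC
 lan-list eth1,eth2
 traffic-direction both
 wan-list eth0
"""

# Constructed IP-to-country table; a real run needs a proper GeoIP lookup.
CONSTRUCTED_GEO = {"111.230.41.189": "CN", "198.51.100.7": "US"}
GEOIP_KEYS = ("action", "country-list", "lan-list", "traffic-direction", "wan-list")

def parse_geoip(text):
    """Read geoip keys from braced `show configuration` or bare `show geoip` output."""
    cfg = {}
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(" ")
        if key in GEOIP_KEYS:  # ignores the prompt, braces and other noise
            cfg[key] = value.split(",") if key.endswith("-list") else value
    if "action" not in cfg or "country-list" not in cfg:
        raise ValueError("geoip section incomplete")
    return cfg

def verdict(cfg, country):
    """accept-only passes only listed countries; block drops only listed ones."""
    listed = country.upper() in cfg["country-list"]
    if cfg["action"] == "accept-only":
        return "accept" if listed else "block"
    if cfg["action"] == "block":
        return "block" if listed else "accept"
    raise ValueError(f"unknown geoip action {cfg['action']!r}")

def verdict_for_ip(cfg, ip, geo=CONSTRUCTED_GEO):
    """The country the resolved address (e.g. a CDN POP) is registered to decides, not
    the site's domain. Unknown addresses map to 'ZZ' (an assumption, not USG behaviour)."""
    return verdict(cfg, geo.get(ip, "ZZ"))
```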
New Member
Posts: 9
Registered: ‎03-06-2017
Kudos: 2

Re: Geo IP Filtering Question

Maybe in theory.

If you apply the rules to block the USA, you still access USA links.

If you apply the rules to allow ONLY the USA, you can still access foreign links.

I've found no way to prove that this function actually works; it's a placebo at the moment.

Unifi Guru
New Member
Posts: 43
Registered: ‎11-25-2015
Kudos: 3

Re: Geo IP Filtering Question

Still no answer on this from unifi?

Ubiquiti Employee
Posts: 579
Registered: ‎02-13-2018
Kudos: 190
Solutions: 84

Re: Geo IP Filtering Question

This feature only works for offloaded traffic at this point. If you have selected smart queues, or IDS/IPS then it will negate the function of geo-IP blocking. 

 

Another note to keep in mind is the presence of POPs in a CDN. @masterdarken, when you visit these foreign links, are you positive that the domain you are resolving is an IP that is included in a block of IPs that a country is using?

 

Keep in mind that geo-IP filtering does have the beta tag on it still, and is in active development. 

Adam Dipple | UniFi Support Team
New Member
Posts: 9
Registered: ‎03-06-2017
Kudos: 2

Re: Geo IP Filtering Question

Thank you for the clarification AdamD.

I'm confident my links are resolved foreign, as I'm using a specific site overseas designed for testing this specific feature.

However, I was not aware that IDS/IPS negated the effects of geo-IP blocking, and I do have these enabled.

I will re-test with your advice and report back results.

Unifi Guru
Ubiquiti Employee
Posts: 579
Registered: ‎02-13-2018
Kudos: 190
Solutions: 84

Re: Geo IP Filtering Question

@masterdarken I appreciate it. Are you able to give me specifics on that site for testing and any other methods that you are testing with? I would also like to do some testing of my own on this one to get back with some feedback for all of you on here.

Adam Dipple | UniFi Support Team
New Member
Posts: 9
Registered: ‎03-06-2017
Kudos: 2

Re: Geo IP Filtering Question

AdamD,

Seems your advice was spot on - thanks again.

With IDS/IPS in a disabled state it works as intended. Care to elaborate on why both can't be used at the same time?

I tested using a few specific apps, WeChat being one of them, and others under development. WeChat triggers the IPS just by accessing its login server, calling WeChat servers out as hosting a Network Trojan. I've confirmed this is a false positive. If that was a real threat, and IPS was blocking the attack, great news, but is it worth mentioning that false positives can be a real drain on resources of the router.

WeChat's traffic passes through China servers. If I block China, the WeChat app fails to work. I can allow China, and the app works.

The other apps in development didn't throw any alerts on IPS, but were allowed and blocked as specified, for the U.K. and South America.

Overwatch: only allowing USA/China is not enough, and will still block you from connecting to an Overwatch game server. This only means that Overwatch servers are located other than in the USA, or their IPs are registered to other countries. I haven't figured this one out yet, so in the meantime I've turned off Geo-IP filtering and left IPS on. I would eventually like to use both at once.

 

Unifi Guru
Ubiquiti Employee
Posts: 579
Registered: ‎02-13-2018
Kudos: 190
Solutions: 84

Re: Geo IP Filtering Question

@masterdarken Geo-IP not working with non-offloaded traffic is just the development cycle that the feature is in right now. We fully intend on getting this functional alongside IDS/IPS and other features that negate hardware offload. 

Adam Dipple | UniFi Support Team
New Member
Posts: 16
Registered: ‎10-24-2017
Kudos: 5

Re: Geo IP Filtering Question

After setting up geoip filtering for a few countries, I noticed that I was still getting traffic from them. My current configuration is:

ubnt@usg# show geoip
 action block
 country-list CN,HK,KP,KR,SC
 lan-list eth1,eth2
 traffic-direction both
 wan-list eth0
[edit]

IDS/IPS is disabled.

USG ver. 4.4.28.5118795

It would seem that I should not receive traffic on my LAN from 111.230.41.189 (Beijing, CN) but alas I am.

Any thoughts?

Emerging Member
Posts: 96
Registered: ‎02-04-2016
Kudos: 12
Solutions: 3

Re: Geo IP Filtering Question

On IPS, you get logged connection attempts, e.g.

Sep 14 12:37:59 f09fc21119d5 kernel: ALIEN BLOCK: IN=eth0 OUT= MAC=f0:9f:c2:11:19:d5:0c:86:10:29:cc:c2:08:00 src=176.119.7.18 DST=(Removed IP)  LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=30738 PROTO=TCP SPT=59997 DPT=63021 WINDOW=1024 RES=0x00 SYN URGP=0

Why doesn't this happen (or an option) to log attempts in GeoIP?

UniFi Security Gateway 3P
2 x UniFi Switch 24 POE-250W
UniFi AP-LR, UniFi AP-AC-LR
Ubiquiti Cloud Key
Ubiquiti Edgerouter X SFP
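The kernel LOG line quoted above is the iptables key=value format, so it can be turned into structured records for a SIEM or for the per-source triage a GeoIP log would also need. Added example, not from this thread or Ubiquiti: `SAMPLE_LOG` is constructed from that format with documentation-range addresses, not a real capture.

```python
"""Parse USG kernel LOG lines (the IPS 'ALIEN BLOCK' format) and summarise inbound
connection attempts per source. Added example; SAMPLE_LOG is constructed, not a capture."""
import re
from collections import Counter

SAMPLE_LOG = """\
Sep 14 12:37:59 f09fc21119d5 kernel: ALIEN BLOCK: IN=eth0 OUT= MAC=f0:9f:c2:11:19:d5:0c:86:10:29:cc:c2:08:00 SRC=176.119.7.18 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=30738 PROTO=TCP SPT=59997 DPT=63021 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 14 12:38:04 f09fc21119d5 kernel: ALIEN BLOCK: IN=eth0 OUT= MAC=f0:9f:c2:11:19:d5:0c:86:10:29:cc:c2:08:00 SRC=176.119.7.18 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=30739 PROTO=TCP SPT=59998 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 14 12:38:09 f09fc21119d5 kernel: ALIEN BLOCK: IN=eth0 OUT= MAC=f0:9f:c2:11:19:d5:0c:86:10:29:cc:c2:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=UDP SPT=53 DPT=33434
"""

# syslog timestamp, host, "kernel:", the rule's --log-prefix text, then key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?): (?P<fields>.*)$")

def parse_log_line(line):
    """Return a dict of the line's fields, or None if it is not a kernel LOG line.
    Bare tokens (SYN, ACK, DF ...) carry no '=' and are collected under 'flags'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "prefix": m["prefix"], "flags": []}
    for tok in m["fields"].split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val  # OUT= gives an empty string: the packet was for the router itself
        else:
            rec["flags"].append(tok)
    return rec

def summarize(text):
    """Count inbound connection attempts per (SRC, PROTO, DPT): pure TCP SYNs
    (no ACK) and any UDP datagram seen on a WAN-facing interface."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if not rec or not rec.get("IN"):
            continue
        syn_only = "SYN" in rec["flags"] and "ACK" not in rec["flags"]
        if rec.get("PROTO") == "UDP" or syn_only:
            counts[(rec["SRC"], rec["PROTO"], rec.get("DPT"))] += 1
    return counts
```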
Established Member
Posts: 1,213
Registered: ‎01-29-2015
Kudos: 156
Solutions: 47

Re: Geo IP Filtering Question

> IDS/IPS is disabled.
> USG ver. 4.4.28.5118795
> It would seem that I should not receive traffic on my LAN from 111.230.41.189 (Beijing, CN) but alas I am.
> Any thoughts?

Smart Queues off?

How are you testing this? I'm curious.

New Member
Posts: 16
Registered: ‎10-24-2017
Kudos: 5

Re: Geo IP Filtering Question

Smart Queues is OFF.

The USG forwards port 80 traffic to an HTTP server on the LAN. The access attempts show up on that server's log.
