GeoIP is not working after upgrade to 142


I’ve installed the new version available and enabled the GeoIP block. All countries have been selected to be blocked except for Italy.

Today I’ve discovered from Log-FW port thatlot of trafics come from countries supposed to be blocked…
where is the issue?

Did you re-validate your firewall rules?


as this was a complete re-installation from scratch…I had to re-create the rules…

Just to clarify. Do you see communication ( in and out ) with these countries or packets from these only?
In latter case, this is normal. The GeoIP filter on your side cannot influence the sender.

Hi Bernhard

where can i see traffic (in/out) from the countries?

I’m quite new on IPF…and I need to learn…



Hello Vincenzo,

did you get it to work ?
I blocked all countries, and it had no impact on web site access.
I must be missing a switch somewhere…



as mentioned at

To block incoming connections by country, you don’t need to set up a firewall
rule anymore since there is a new page in the web interface now.

It is calles “GeoIP block” and is accessable via “Firewall→GeoIP block”. To
block incoming connections via that page (of course it is possible to set
up a firewall group and block them via a firewall rule, as you did before),
check “Enable GeoIP based blocking” and save this setting by clicking at the
“Save” button.

The GeoIP block feature only applies to inbound connections. You cannot block
outgoing connections with it, please do so by creating firewall rules.

Thanks, and best regards,
Peter Müller

1 Like


no, it is not working…

As far I’ve understood from previous posts, the geoIP is not working anymore as the company associated to maintain the free database of IPs, is not willing to keep it free.

IPfire is working to a different and own solution, but I don’t know if and when this will be available.

@administrators: correct me if I understood differently…




GeoIP continues to work, however, the database underneath will become more and
more inaccurate as we are not capable of shipping the current version from MaxMind
any more.

We are working on libloc as a drop-in replacement, but there are still some
things to be done.

Thanks, and best regards,
Peter Müller


I created a simple firewall rule:

Then rebooted,
and I can still go on
and the connection monitor clearly show that I’m exchanging data with china…

I will debug some more on another day…

This seem consistent with the rule you wrote.
IMHO you should write two rules.
Rule #1 : from green to red GeoIP: CN deny
Rule #2 : from red GeoIP: CN to green deny

Hello Mr. Pike

Your suggestion works, the rules below blocks china sites:


FYI, the baidu page still works, the IP seems to be in the US (based on the connection monitor),
but pretty much whatever I click does not work anymore.
I will try to confirm this using the shell tools, it’s really hard to see new events in the logs from the web page.


due to various reasons, we are no longer able to update the GeoIP database
by MaxMind (please refer to On retiring the Maxmind GeoIP database for
further information). A replacement, called libloc, is under active
development and will hopefully be ready soon.

In the meantime, the GeoIP database will become more and more inaccurate,
which is why some IP addresses might be located in a different country meanwhile;
I have not looked at Baidu in particular (they might be using a CDN in western
countries indeed).

By the way: If you do not have any port-forwarding rules in place, incoming
connections will always be dropped, no matter what the source IP address is. :wink:

Thanks, and best regards,
Peter Müller

Hello Peter,

Thanks for the info,

My main goal at the moment is to prevent web redirect to fraudulent pages from unthrusworthy country.

If I click on a link that brings me there, I want the router to block it.


@mpayette don’t forget that rule order can make a lot of difference for the obtained behaviour instead of the desired.
If you have any other rule configured into firewall (more they are, more are to be considered) the performance in processing packets can change quite dramatically.