No more access to ipfire - Core 150 | Location-Filter

Hello everyone,

I have spent 2h of my life troubleshooting today and fortunately I was not the only one with this problem.
I have divided my network into 4 segments (RED; GREEN 10.10.1.0; DMZ: 10.10.2.0; BLUE: 10.10.3.0) and in the last weeks and today extremely I could neither ping the IP of the ipFire router nor reach the WebGUI from my computer. All the time I assumed that my computer was crazy but today it was extreme because in the middle of my work (home office) I noticed that I couldn’t reach websites anymore. Also the WebGUI was not reachable and also no SSH to the router.
I was about to set up my ipfire again and almost despaired at this thought.

But then I found like-minded people in the ipFire forum who suspected the new location database and after renaming the file „/var/ipfire/firewall/locationblock_old“ and running firewallctrl I could access my system again. The option Location-Filter now has an internal error when called.

What can I do to make the Location-Filter work again and filter only on the red interface? I have a VM with Nextcloud (DMZ) in operation and therefore only access from Germany should be possible.

Thanks a lot for your help.

2 Likes

Same here.

In the morning I could suddenly no longer access the internet and ipfire on green, not even with https or ssh. So I had to use the console cable and manually tune iptables with iptables -A CUSTOMINPUT -i green0 -j ACCEPT to get to the web interface and disable Location Block.

After a reboot everything worked again. To double check I enabled Location Block again with the same behaviour, so for now I keep Location Block off.

Same here! DHCP is running so the network seems fine at first glance, but everything else is unresponsive.

I was able to restore a disk image from last weekend (with core 150 already installed prior to backup).
Edit: The restored machine failed after 30 minutes as well.

Unfortunately I have to leave for work, but I will test your suggestions later, thanks in advance!

I renamed the file /var/ipfire/firewall/locationblock back to the original and disabled the location filter afterwards.

I hope there will be an update in the near future because I was already desperate what was going on in the last days / weeks.

This is the same topic as this here:

Same here.

Fresh install, only configured the LocationFilter addon, and I can't surf the internet. I checked all countries except Spain and IPFire blocks all my communication.

I could only edit the /var/ipfire/firewall/locationblock file, change “on” to “off” and restart the firewall with /etc/init.d/firewall restart; then everything goes back to normal. I changed it by connecting a monitor and keyboard.

Is there a problem with Location Block?

3 Likes

It's not the Location Block code itself, it is an error in the database. Networks like 192.168.x.x are detected as “EU” because there is a wrong announcement that 192.168.0.0/15 is assigned to the RIPE.

At the moment you should not block the country “EU”.

1 Like

Ok Arne. I imagined. This GeoIP is a double-edged sword.

The box is already unchecked and for now it works.

Thank you so much for your speed.

Greetings.

Same here,
After the update to 150 I do not have any access to the system.
Best regards Richard

Unchecking EU and applying firewall rule did NOT work for the majority of the firewalls I maintain (even though connections show up as EU when GeoIP disabled).

Same here. EU did not work for me either.

But I ask myself, why does the Location Filter (GeoIP) work on my internal network and not only on the red interface from where I could be threatened?

Which countries or regions do I have to deactivate if I use 192.168.x.x/24 (FritzBox before ipfire) and 10.10.1.0/24 in the internal network?

192.168.0.0/16 is (false!) defined as EU.

And 10.10.1.0 this is also a private address range.

Can you somehow see which address ranges are stored in the DB and which group of countries they are assigned to?

locate lookup <IP> gives you the information.

Actually, the command is, location lookup <ip> but …

[root@ipfire ~]# location lookup 192.168.0.0
Nothing found for 192.168.0.0

1 Like

[root@router ~]# location lookup 10.10.0.0
Network : 8.0.0.0/5
Country : European Union

[root@router ~]# location lookup 192.168.0.0
Network : 192.168.0.0/15
Country : European Union

———————

What does the 10 IP address range have to do with EU?
Neither 192.168.0.0/24 nor 10.0.0.0/8 is used on the Internet; both are reserved for private networks.
It would also make sense to me that the location filter should only work on the red interface.

There are some false entries in the location database.
This was stated in another thread here in the community.
To circumvent this just do not block EU.
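
Why a 10.x or 192.168.x address ends up under the "EU" rule, as an added example that is not part of the original thread: the sketch below checks database entries for overlap with the RFC 1918 private ranges. The two EU entries are taken from the lookup output above; the third entry, the function names and the longest-prefix lookup semantics are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges that a country rule should never match.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the two entries from the lookup output in the thread,
# plus one hypothetical unaffected entry (documentation range, placeholder code).
SAMPLE_DB = [
    ("8.0.0.0/5", "EU"),
    ("192.168.0.0/15", "EU"),
    ("203.0.113.0/24", "XX"),
]


def find_private_overlaps(entries):
    """Return (db_network, country, private_network) for each database
    entry that covers or intersects an RFC 1918 range."""
    hits = []
    for cidr, country in entries:
        net = ipaddress.ip_network(cidr, strict=False)
        for priv in PRIVATE_NETS:
            if net.overlaps(priv):
                hits.append((str(net), country, str(priv)))
    return hits


def lookup(entries, addr):
    """Longest-prefix match of addr against entries (assumed semantics)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for cidr, country in entries:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country)
    return (str(best[0]), best[1]) if best else None


if __name__ == "__main__":
    for db_net, country, priv in find_private_overlaps(SAMPLE_DB):
        print(f"{db_net} ({country}) overlaps private range {priv}")
    # A GREEN host from the first post's addressing plan.
    print(lookup(SAMPLE_DB, "10.10.1.1"))
```

An 8.0.0.0/5 entry spans 8.0.0.0 through 15.255.255.255, so it contains all of 10.0.0.0/8; a country rule built from it matches internal hosts unless the rule is limited to the red interface or private ranges are excluded first.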

@roberto many thanks, you saved my day!!!
by the way only turning off EU did not work for my ipfire,
had to turn off location filter to regain access to web interface and internet.

Same here, no internet this morning. I will check turning off the location filter.

P. S: I’ve never blocked EU but it also doesn’t work. My Ranges are 192.168.30.0/24 on red and 192.168.20.0/24 on green.

Without Geoblock all works well.