Anyone using geoip-filtering?

skooogis

Hello!

I have thought about using geoip-filtering for incoming requests.

The best way, I believe, is to "allow" specific ranges and block the rest, rather than block all and allow specific.

In my case, I would want to simply only allow incoming connections from IPs within the same country; no need to go further than that.

I have spent numerous hours on Google but still don't know which path to take, or if there are alternatives that might be better or more suitable depending on the setup environment.


So I currently run Emby and other services on a Win2019 server, with IIS as reverse proxy.

Now using a Fortigate 60D which has no active license, which limits the available functions.

One way to go is to replace the Fortigate with a pfSense, OPNsense or Unifi UDM Pro.

If anyone here is using this feature on any of these, could you tell me whether it works badly/well?

Another way to go could be to use the IP-filtering feature in IIS, but I have not really found a good way to implement this. I have not found a DB that's free or well updated, and if it is updated, how to update it on IIS without hours of manual work.

I also believe it would be better to filter this at firewall level, rather than letting the server itself manage this feature, for obvious reasons.

So if you are using any geographical filtering, I would love to hear about what you are using, and how it works.

Best regards

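The allow-one-country, deny-everything-else design asked about above, as an added example that is not from this thread or from any of the products mentioned. It loads a constructed CSV in the usual "network,country" layout (the ranges are documentation prefixes, not a real GeoIP database), builds the allowed ranges for one country code, and then evaluates constructed IIS-style log lines against them. The default is deny: an address not found in any allowed range, or one that does not parse at all, is rejected.

```python
import csv
import io
import ipaddress

# Constructed sample in the column layout of a typical "network,country" CSV
# export. Not a real GeoIP database: the prefixes are reserved example ranges.
GEOIP_CSV = """network,country_iso_code
192.0.2.0/24,SE
198.51.100.0/24,SE
203.0.113.0/24,US
2001:db8::/32,SE
"""

# Constructed IIS-style (W3C) log lines, trimmed to:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """2023-05-01 10:00:01 192.0.2.45 GET /emby/System/Info 200
2023-05-01 10:00:02 203.0.113.9 GET /emby/System/Info 200
2023-05-01 10:00:03 2001:db8:1::7 GET /web/index.html 200
2023-05-01 10:00:04 198.18.0.5 POST /emby/Users/AuthenticateByName 401
2023-05-01 10:00:05 not-an-ip GET / 400
"""


def load_country_networks(csv_text, country):
    """Return the ip_network objects the CSV assigns to `country` (ISO code)."""
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["country_iso_code"].upper() == country.upper():
            # strict=False tolerates host bits set in sloppy exports
            nets.append(ipaddress.ip_network(row["network"], strict=False))
    return nets


def is_allowed(ip_str, allowed_nets):
    """Default-deny decision: True only if the address lies in an allowed range.

    Addresses that do not parse, or that appear in no allowed range (including
    addresses the database simply does not know about), are denied.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    # `ip in net` is False when the address family differs, so mixing
    # IPv4 and IPv6 ranges in one list is safe.
    return any(ip in net for net in allowed_nets)


def evaluate_log(log_text, allowed_nets):
    """Return a list of (client_ip, "allow"|"deny") for each log line."""
    decisions = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or truncated lines
        client_ip = fields[2]
        verdict = "allow" if is_allowed(client_ip, allowed_nets) else "deny"
        decisions.append((client_ip, verdict))
    return decisions


if __name__ == "__main__":
    allowed = load_country_networks(GEOIP_CSV, "SE")
    for client_ip, verdict in evaluate_log(SAMPLE_LOG, allowed):
        print(f"{client_ip:>16}  {verdict}")
```

The linear scan in `is_allowed` is fine for a test but not for a 70,000-row national list; a production filter keeps the ranges sorted and binary-searches them, which is what firewall geo objects and the MaxMind readers do internally. The more important property is the one shown in the last two log lines: anything unknown falls into the deny branch rather than being waved through.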

rbjtech
4 hours ago, skooogis said:


It depends on your use-case, but I geo-filter on the actual firewall rule for Emby to only allow incoming connections from the UK, for example. Any half decent firewall will have geo filtering built in and you can apply it per rule, group or globally etc. Globally, I would suggest just blacklisting 'known' risky countries.

Remember, VPNs allow you to connect from anywhere these days - so while geo-blocking will help stop nuisance traffic - it won't stop anybody who knows what they are doing ... ;)

Bagul

Hey!

In my memory, with pfSense you have the pfBlocker-NG package that allows you to do this; maybe they have implemented it directly now.

OPNsense allows you to do this with MaxMind IP directly in the settings, as I remember.

I prefer to use a firewall detached from my server to do this, but for other means:

With nginx it is possible with MaxMind IP.

If you are on Windows, forget Traefik with Docker.

Personally I use Caddy, and you have a plugin that allows you to do that: Caddy geoip plugin

skooogis
3 hours ago, rbjtech said:

I believe the Fortigate 60D is a half decent firewall, but without a license you cannot update the DB etc. So even if I was able to use it, it would not really do the job it's supposed to.
How have you implemented that in your firewall? Have you added a 70 000 row CSV into that ruleset? Otherwise it has to be a built-in feature to be able to update that IP DB once in a while, and to my knowledge I have not really found that many that support it, yet.

Me personally, I would not have a problem with VPN, but my father, who can barely start the TV, you get it ;)
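On the question just raised, how to get a large country list into a ruleset without hours of manual work: the following is an added example, not from this thread or from Microsoft, that converts a "network,country" CSV (constructed here, with reserved example prefixes) into the IIS `ipSecurity` fragment that goes under `<system.webServer><security>` in web.config. `allowUnlisted="false"` is what turns the list into an allow-list with everything else denied; the `ipAddress`, `subnetMask` and `allowed` attributes are the documented ones for `ipSecurity/add`. IPv6 rows are skipped, since the subnet-mask form used here is an IPv4 one.

```python
import csv
import io
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample CSV; the prefixes are reserved documentation ranges.
GEOIP_CSV = """network,country_iso_code
192.0.2.0/24,SE
198.51.100.0/25,SE
203.0.113.0/24,US
2001:db8::/32,SE
"""


def country_ipv4_networks(csv_text, country):
    """Yield the IPv4 ip_network objects the CSV assigns to `country`."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["country_iso_code"].upper() != country.upper():
            continue
        net = ipaddress.ip_network(row["network"], strict=False)
        if net.version == 4:
            yield net


def build_ipsecurity_xml(csv_text, country):
    """Return the <security><ipSecurity> fragment as a string.

    allowUnlisted="false" makes IIS deny every client not matched by an
    <add ... allowed="true"/> entry, i.e. allow one country, block the rest.
    """
    security = ET.Element("security")
    ipsec = ET.SubElement(security, "ipSecurity", allowUnlisted="false")
    for net in country_ipv4_networks(csv_text, country):
        ET.SubElement(
            ipsec,
            "add",
            ipAddress=str(net.network_address),
            subnetMask=str(net.netmask),   # e.g. /25 -> 255.255.255.128
            allowed="true",
        )
    return ET.tostring(security, encoding="unicode")


def count_entries(xml_text):
    """Number of <add> rules in a generated fragment (handy for sanity checks)."""
    return len(ET.fromstring(xml_text).findall("./ipSecurity/add"))


if __name__ == "__main__":
    fragment = build_ipsecurity_xml(GEOIP_CSV, "SE")
    print(fragment)
    print(count_entries(fragment), "allow entries generated")
```

Regenerating the fragment on a schedule from a fresh CSV is the "update" step; the resulting file is a plain text replacement of the section, so it can be dropped in by whatever deployment script already manages web.config. The count check matters in practice: a download that silently returns zero rows would otherwise produce a configuration that denies everyone.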

skooogis
3 hours ago, Bagul said:

You are right about pfSense using MaxMind, and OPNsense as well. The difference might be that OPNsense has built-in support, and pfSense by plugin, but that doesn't really matter too much.

As you said as well, I'd prefer to implement it with separate hardware and not leave this to be terminated at server level.

I have also seen that Ubiquiti supports this on the UDM Pro and UDM Pro SE, but I need to get more information about that, like what DB they use, and if they even update it at all etc. The only thing that really makes me look that way is that I have one AP from them now, and we are building a house which will then need at least 1 more AP, and it would be nicely integrated. Now controlling the AP via phone app, it would instead be managed centrally from the UDM in that case.

If I go pfSense/OPNsense and buy more APs, I would need to manually manage them one by one or buy just a Cloud Key (another piece of hardware) to manage them centrally. So it's not that I'm just looking for a way to GEO-IP filter, I'm also trying to plan how and what the network shall be in the house.

rbjtech

Have a look at Sophos XG - it's free for personal use and does everything you are likely to need incl. geo-filtering. Ubiquiti routers (incl. UDM Pro) had a very poor firewall, or did when I bought one when they first came out - I returned mine as it was frankly embarrassing for a 'Pro' product - so unless it's substantially improved, I would stick to your dedicated f/w idea. Ubiquiti switches and APs are fantastic (I use those too) - you don't need to buy a Cloud Key, just run the Controller service on existing other hardware (it's Java based).

skooogis
31 minutes ago, rbjtech said:

I will have a look at Sophos, appreciate your answers and help. Thank you ☺️

skooogis
24 minutes ago, crusher11 said:

I have mine set up through CloudFlare. Super simple process. 

I used that a couple of years ago, but as I remember it you could only use that feature if you had set your A-record as proxied, and you could only proxy one site (free).

Not that I run so many services externally, but I need to access at least two.

skooogis

Nice to hear, most likely I will go this path. Just, how does it work, do you think? I know that MaxMind's free DB is OK, not great.

Spaceboy

I don't have any complaints. It just runs in the background. As others have pointed out, it's not a panacea, just another tool in the box.