Port forwarding & GeoIP blocking

Hello everyone,

I'm relatively new to the OpenWrt community, having installed it about two weeks ago. I've quickly become a big enthusiast due to the extensive customization options it offers.

My home network setup is as follows: My ISP's router provides internet to a ZyXEL NBG7815 (Armor G5) running the latest stable version of OpenWrt. This router handles most tasks, except for DNS and DNS adblocking, which are managed by a Pi-hole on a Raspberry Pi.

The network also includes a media server (Unraid). For remote access to Plex on this server, I need to open a specific port. I've been exploring the idea of GeoIP blocking to enhance security. Specifically, I'm considering blocking all IP addresses from outside my home country to minimize the risk of unauthorized access to this port.

I've installed banIP, but I'm uncertain if its Geo blocking feature is the best approach. It essentially blocks all countries except mine. I'm wondering if this might be too restrictive or if there's a more convenient method, like using firewall rules, to block foreign IPs from accessing my port (sounds more dirty than intended...).

Any guidance or clarification on how to best integrate these elements for security and functionality would be greatly appreciated. Thank you in advance for your help, and apologies if the solution seems obvious – I'm still trying to understand how everything works together.

Thanks!

The free GeoIP DB is a pretty dull tool; I wouldn't use it, but would implement a whitelist for your country.

AFAIK, banIP is for outgoing connections only.

3 Likes

Nope, see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for details.

3 Likes

The thing is, it does not actually do this... it will block sets of IP addresses, and it will typically create such lists based on some heuristics to restrict them to specific countries. That generally works somewhat, but since IP address distribution does not naturally map nicely to country borders, it will always be imprecise. Worse, you need to put trust in whoever actually compiles the list you use to block these countries (however, that is similar to ad blocking, where this approach typically does seem to work well enough).

1 Like

I do this exact thing, just letting in the local country only, on OpenWrt v23.
Info from this page: https://openwrt.org/docs/guide-user/advanced/ipset_extras

Though, now that I look again, it may change to a package called resolveip.

This is what I did last time, and it is still working.

Run this in SSH:

# Fetch the two helper scripts from the OpenWrt wiki into one file
URL="https://openwrt.org/_export/code/docs/guide-user/advanced"
cat << EOF > hotplug-ipset.sh
$(wget -U "" -O - "${URL}/hotplug_extras?codeblock=0")
$(wget -U "" -O - "${URL}/ipset_extras?codeblock=0")
EOF
# Source the combined script so its functions (e.g. "ipset setup") are installed
. ./hotplug-ipset.sh

Add your country code; this shows mine, "au":

# Define an ipset section in /etc/config/dhcp; "au" is IPv4, "au6" is IPv6
uci -q delete dhcp.example
uci set dhcp.example="ipset"
uci add_list dhcp.example.name="au"
uci add_list dhcp.example.name="au6"
uci add_list dhcp.example.geoip="au"
uci commit dhcp
# Build/populate the sets from the country list
ipset setup

This will add an ipset for you to use on your port forward:
under Firewall - Port Forwards > Edit > Advanced Settings > Use ipset
under Firewall - Traffic Rules > Edit > Advanced Settings > Use ipset
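As an added example (not from this thread or the OpenWrt wiki scripts above), the following POSIX sh snippet does two things a practitioner wants before trusting a country allowlist on a port forward: it checks whether a given source address actually falls inside the list's CIDR prefixes (so you can confirm your own mobile or ISP address matches before locking yourself out, which also applies to the narrower per-ISP ranges suggested later in the thread), and it prints the uci commands that would turn the same list into a firewall4 ipset attached to a Plex-style redirect. The three prefixes are a constructed sample, not a real country list; the option names firewall ipset "loadfile"/"match" and redirect "ipset", the LAN address 192.168.1.10 and the list path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the forum post or the OpenWrt wiki.
# Constructed sample allowlist, one IPv4 CIDR per line (RFC 5737 test ranges,
# NOT a real country list).
ALLOWLIST="203.0.113.0/24
198.51.100.128/25
192.0.2.0/27"

# Convert a dotted-quad address to a 32-bit integer with shell arithmetic only.
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when address $1 lies inside CIDR prefix $2, else 1.
cidr_contains() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    # Network mask of the top $bits bits; a /0 must yield an all-zero mask.
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Print "yes" if $1 matches any prefix in ALLOWLIST, otherwise "no".
# Use this to confirm the address you connect from is really on the list.
in_allowlist() {
    for prefix in $ALLOWLIST; do
        if cidr_contains "$1" "$prefix"; then
            echo yes
            return 0
        fi
    done
    echo no
    return 1
}

# Print the uci commands that load a CIDR list file into a firewall4 ipset
# and restrict a Plex port forward (32400) to sources in that set.
# Printed rather than executed so it runs anywhere; on the router pipe into sh.
# Assumed: option names from firewall4, LAN host 192.168.1.10, list file path.
emit_uci() {
    setname=$1   # e.g. au
    listfile=$2  # file on the router holding one CIDR per line
    cat <<EOF
uci -q delete firewall.${setname}
uci set firewall.${setname}=ipset
uci set firewall.${setname}.name='${setname}'
uci set firewall.${setname}.family='ipv4'
uci set firewall.${setname}.match='src_net'
uci set firewall.${setname}.loadfile='${listfile}'
uci -q delete firewall.plex
uci set firewall.plex=redirect
uci set firewall.plex.name='Plex-${setname}-only'
uci set firewall.plex.src='wan'
uci set firewall.plex.src_dport='32400'
uci set firewall.plex.dest='lan'
uci set firewall.plex.dest_ip='192.168.1.10'
uci set firewall.plex.dest_port='32400'
uci set firewall.plex.target='DNAT'
uci set firewall.plex.ipset='${setname}'
uci commit firewall
/etc/init.d/firewall restart
EOF
}

# Usage: in_allowlist 203.0.113.77 ; emit_uci au /etc/au.list
```

Replace ALLOWLIST with the real list you intend to load (the same file you pass to emit_uci) and run in_allowlist against the address your phone or laptop currently has on the WAN side; if it answers "no", the forward will reject you too. The check handles plain dotted quads only and does not parse octets with leading zeros.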

I would set up WireGuard to secure the connection. Relying on blocking a number of IPs is a bit of security by obscurity. It is too easily circumvented.

Yes, but for me it's just my mail server.
It has its own protections on top,
but 99% of the random attacks are not from my country,
and if targeted well, I'm the biggest risk:
the poor human in the mix :slight_smile:

Just had a look; there are 6 attacks just on the SMTP side:
US, UK, UK, UAE, UK & Lithuania,
so none from here (AU). Can't block SMTP though :frowning:

I should point out I do use OpenVPN for PC-related stuff (file sharing),
but it's my mobile phone that gets email, and I just don't need a VPN on that.

You really do not know where the attacks originated from; all you know is that the IP addresses of the incoming packets were, according to your lists, not in AU. That might well be good enough for your purpose (and I believe it is), but please do not confuse "not on the AU list" with "not originating from AU". In theory triangulation, that is, measuring the RTT of an IP address from multiple well-known probing locations inside of AU, would work much better, but that still leaves things like a user in the "outback" connected via a geostationary satellite link as a corner case... I guess AU, due to it being its own continent surrounded by water and relatively far away from other places, would be genuinely well suited for triangulation, compared to e.g. central Europe.

Location in this case is not relevant.
To bypass this one obstacle they just need a return IP
registered as being in Australia ("on the geolocation list as AU"),
but for the random bots out there looking for an opportunistic weakness
it has eliminated a huge % of them, I'd guess above 95%.
If you have small IoT-type devices, like say a security camera,
these constant attempts can almost cause a DoS;
this also lowers the likelihood of this.
VoIP is also prone to this:
just the resources needed to process the denials could upset audio in a VoIP call.
It's just another tool to add another layer.

1 Like

If you know which ISPs you'll be connecting from, you can always allow only the public IP ranges registered to them.
That should be a lot less than the whole of AU.

If you're paranoid enough, install fail2ban too.

I do wish it was that easy, but it's the mobile phone networks.
I did try this, but there were always changing IP subnets
and the sharing arrangements over the multiple carriers.

It is; the public part is pretty much static, but it could consist of multiple segments.

I've been doing it with my mobile provider for several years, no issues whatsoever.

But yes, you need to find them all, and it could take a while if they're not cooperating.

Well, here you can be with provider A but in a country town
where they only have a cell tower by provider B;
then they have a sharing arrangement,
and when you consider the mobile providers are also the home internet providers,
you would cover 80% of the country's IPs anyway.

this assumes there's a 1:1 ratio between subscribers and public IPs, which I doubt...

most cell phone carriers use CGNAT, and could, at least in theory, put all their subscribers behind one IP.

True, and they do use IPv6 as well.
I could not map it, but I do have AAAA set up.
Oh, I did have; I must have removed it at the last ISP change. It's not there now.

As I said "That might well be good enough for your purpose (and I believe it is)" you are clearly aware of the approximate nature of this measure and fully understand it. My comment is more intended for casual readers of this thread so they are aware of the challenges this approach still has. :wink:

1 Like