Sophos SG430 Geo Blocking Country Blocking exceptions for single Users or MAC addresses

Hello,

we have activated the country blocking for different countries (in and out). Now some people need to connect via IPsec VPN to our SG from those countries. We can just create exceptions from country blocking for source IP addresses, but the people do not have fixed IP addresses in their home or hotel locations in the blocked countries, so in my eyes the only way would be to create an exception for the whole country with source = Any and service = IPsec. Or is there a better way to do it granularly for only these specific people, e.g. for their MAC addresses?

Thanks.

  • If the clients are set up in your definitions, you can create the exception per host under the Exceptions tab for whichever services they need to access.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Thanks for your answer Amodin.

    What exactly do you mean with "If the clients are set up in your definitions"? I could create a host object for the specific client, but with its DNS name it could not be resolved, because it does not get an IP from the Sophos because it is blocked.

  • But your clients have MAC addresses which don't change.  You should be able to disable your country blocking temporarily, have the clients connect and create the host definitions via the DHCP Pool (because it contains the MAC addresses they connect with) then add the exceptions for the hosts.  Or, you can have them send you screenshots of their MAC address, and you can build them manually (more tedious work).

    When you create your exceptions in Country Blocking Exceptions, don't select any countries and just add the host object exceptions and also enable your Country Blocking rules as you normally would do under Country Blocking.

  • Thanks!!!!! Creating a static host object from DHCP I didn't try. I just tried to add the client's MAC to a MAC list in the firewall tab, but couldn't add this MAC list in the country blocking exceptions, and tried adding a new FW rule for this MAC list, but that didn't work. As soon as the user is online next time, I will contact him and try the static object from DHCP. Thanks again.

  • If users come from the internet, you (and your Firewall) can't see the MAC address.

    The only option I have used until now is dynamic DNS entries. Users (or their notebooks) can have a DynDNS hostname from everywhere, and you can create an exception for this DNS host.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Hi Dirk.

    "can't see the MAC address"

    When looking into the firewall logs, I could see the "From MAC" - or wasn't that the MAC of the client PC?

    DynDNS might work for users in private locations but won't for hotels. And: some of those people are using LTE, and for that, as far as I know, you can't use DynDNS.

  • This is the MAC of the next routing hop. (Please try to compare this MAC with your client device.)


    Dirk

  • Ah OK, thanks for the hint, I will compare it next time the user is there... Seems that there is no general solution for such a problem.

    By the way: the user was in Belgrade, Serbia. But when we tried with a general exception (from any IP in Serbia for any service) it didn't work. When we selected all European countries for this test exception, it worked... It seemed that Sophos didn't correctly assign the source IP to Serbia.

  • That's on the ISP, not Sophos.  Geo information comes from the source.
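The three mechanics the thread turns on (a country-plus-service exception with source = Any, a per-host exception for a DynDNS host object that must be resolved at decision time, and a source address that the GeoIP database files under the wrong country) can be modelled in a few dozen lines. The script below is an added example written for this page, not Sophos code, and it does not reproduce the UTM's real rule engine. The GeoIP prefix table, the addresses, the host name `laptop.example.invalid`, the injected resolver and the assumption that an address with no country is simply not blocked are all constructed so it runs offline.

```python
"""Constructed model of country blocking with exceptions (added example, not
Sophos code). GeoIP prefixes, addresses, the DynDNS name and the resolver are
made up so the script runs offline; the UTM's real rule engine and its
handling of addresses with no country are not reproduced here."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Service = Tuple[str, Optional[int]]          # (protocol, destination port)
# IPsec as a service: IKE, NAT-T and ESP (ESP has no port).
IPSEC: FrozenSet[Service] = frozenset({("udp", 500), ("udp", 4500), ("esp", None)})

# Constructed GeoIP table (prefix -> ISO 3166 code). 192.0.2.0/24 is registered
# to HU on purpose: it stands for the Belgrade user's prefix that the database
# did not place in RS.
GEOIP: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("198.51.100.0/24"): "RS",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "HU",
}


def country_of(ip: str) -> Optional[str]:
    """Longest-prefix match; None when no listed prefix contains the address."""
    addr = ipaddress.ip_address(ip)
    hits = [net for net in GEOIP if addr in net]
    return GEOIP[max(hits, key=lambda n: n.prefixlen)] if hits else None


@dataclass(frozen=True)
class Exception_:
    """One exception: countries, source host objects (IP literals or DNS
    names) and services. An empty set means 'any'."""
    countries: FrozenSet[str] = frozenset()
    sources: FrozenSet[str] = frozenset()
    services: FrozenSet[Service] = frozenset()


@dataclass
class CountryBlock:
    blocked: FrozenSet[str]
    exceptions: List[Exception_] = field(default_factory=list)
    # DNS host objects are resolved at decision time. The resolver is injected
    # so the example needs no network; socket.gethostbyname would be the live one.
    resolve: Callable[[str], Optional[str]] = lambda name: None

    def _source_matches(self, src: str, obj: str) -> bool:
        try:
            return ipaddress.ip_address(obj) == ipaddress.ip_address(src)
        except ValueError:                       # not an IP literal: DNS host object
            return self.resolve(obj) == src

    def decide(self, src: str, service: Service) -> Tuple[str, str]:
        """Return ('allow' | 'block', reason). Assumption: an address with no
        country is not blocked, since country blocking has nothing to match."""
        cc = country_of(src)
        if cc not in self.blocked:
            return "allow", f"{src} is {cc}, not a blocked country"
        for ex in self.exceptions:
            if ex.countries and cc not in ex.countries:
                continue
            if ex.sources and not any(self._source_matches(src, o) for o in ex.sources):
                continue
            if ex.services and service not in ex.services:
                continue
            return "allow", f"{src} is {cc} but matches exception {ex}"
        return "block", f"{src} is {cc}, blocked"


def build_policy(dns: Dict[str, str],
                 ipsec_countries: FrozenSet[str] = frozenset({"RS"})) -> CountryBlock:
    """Policy from the thread: block RS and HU, with an any-source IPsec
    exception for ipsec_countries and a per-host exception for one DynDNS
    name (constructed) that is resolved through the dns dict."""
    return CountryBlock(
        blocked=frozenset({"RS", "HU"}),
        exceptions=[
            Exception_(countries=ipsec_countries, services=IPSEC),
            Exception_(sources=frozenset({"laptop.example.invalid"})),
        ],
        resolve=dns.get,
    )


if __name__ == "__main__":
    dns = {"laptop.example.invalid": "198.51.100.77"}   # constructed DynDNS record
    pol = build_policy(dns)
    for src, svc in [("198.51.100.10", ("udp", 500)),   # RS, IPsec: allowed
                     ("198.51.100.10", ("tcp", 443)),   # RS, HTTPS: blocked
                     ("198.51.100.77", ("tcp", 443)),   # DynDNS host: allowed
                     ("192.0.2.5", ("udp", 500))]:      # Belgrade user seen as HU: blocked
        print(pol.decide(src, svc))
    dns["laptop.example.invalid"] = "198.51.100.78"     # DynDNS update moves the exception
    print(pol.decide("198.51.100.78", ("tcp", 443)))
    print(build_policy(dns, frozenset({"RS", "HU"})).decide("192.0.2.5", ("udp", 500)))
```

The last two calls are the two observations from the thread: once the DynDNS record changes, the old address is blocked again and the new one is allowed without touching the policy, and the 192.0.2.5 user only gets through when the exception also covers the country the database actually returns for that prefix, which is why a "Serbia only" exception failed while "all European countries" worked.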