pfBlockerNG + GeoIP and the unintended consequences

For anyone using pfBlockerNG with GeoIP enabled, there are a couple of hidden gotchas if you like streaming services!

During this COVID-19 crisis I was able to work from home remotely. During this time I noticed that every hour, at 1 minute past the hour, various streaming services would lose connectivity for approximately 60 seconds. It was very annoying and embarrassing; my co-workers began to set their clocks by my drop-outs in meetings.

So after ruling out the usual DHCP issues on my WAN, ISP issues, low-level hardware issues etc., I remembered that some weeks before this COVID-19 malarkey I had installed pfBlockerNG using instructions from one of my favourite YouTube channels, Lawrence Systems. There are no such things as coincidences.

So, investigating various options and double-checking configurations, I noticed an unassuming check box at the bottom of the pfBlockerNG IP configuration page (the kill-states option).

Thinking about this a little, what it means is that every hour, on the hour, any current IP states in the firewall whose addresses fall within a blocked range are forcibly cleared. This includes established states. It was about then that the penny dropped: if the streaming services I was using sat in a GeoIP-blocked group, every hour on the hour any established connection would be closed and forced to renegotiate. Sigh. This is how I had configured my GeoIP settings.

What you can't see here is that within Oceania I'd unblocked my own country, Australia, from these rules. What made me twig to this being the problem is that some of the streaming services I use were not being interrupted; after a little digging, all of these used a CDN (mainly Cloudflare) and were coming from IP ranges that were not being blocked. Whereas services like Foxtel Go, Microsoft Teams and even ssh connections to my virtual server in Japan were dropping with frightening regularity.
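To predict which live sessions the hourly kill-states pass described above would clear, the following added example (not part of the original post or of pfBlockerNG) parses `pfctl -s states` output and flags every state whose destination falls inside a blocked range. The state lines and the blocked CIDRs are constructed TEST-NET samples standing in for real GeoIP lists.

```python
import ipaddress
import re

# Constructed sample of `pfctl -s states` output in pfSense style
# (interface, proto, src, optional NAT'd src, ->, dst, state). The
# addresses are documentation/TEST-NET ranges, not real service IPs.
SAMPLE_STATES = """\
igb1 tcp 203.0.113.50:51234 (192.168.1.10:51234) -> 198.51.100.7:443   ESTABLISHED:ESTABLISHED
igb1 tcp 203.0.113.50:51240 (192.168.1.10:51240) -> 192.0.2.9:22       ESTABLISHED:ESTABLISHED
igb1 udp 203.0.113.50:40000 (192.168.1.10:40000) -> 198.51.100.20:3478 MULTIPLE:MULTIPLE
igb1 tcp 203.0.113.50:51250 (192.168.1.10:51250) -> 198.51.100.200:443 ESTABLISHED:ESTABLISHED
"""

# Constructed stand-in for a GeoIP deny alias (e.g. a continent list).
# Real lists come from pfBlockerNG's MaxMind download, not from here.
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/25")]

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)(?:\s+\((?P<nat>[^)]*)\))?"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<state>\S+)"
)

def split_host(endpoint):
    """Strip the :port suffix (and IPv6 brackets) from an 'addr:port' token."""
    host = endpoint.rsplit(":", 1)[0]
    return ipaddress.ip_address(host.strip("[]"))

def states_at_risk(states_text, blocked, established_only=False):
    """Return (proto, dst, state) for every state whose destination is in a
    blocked range; these are the states a kill-states pass would clear.
    established_only=True narrows the view to long-lived sessions."""
    hits = []
    for line in states_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # skip headers or unparseable lines
        if established_only and not m["state"].startswith("ESTABLISHED"):
            continue
        dst = split_host(m["dst"])
        if any(dst in net for net in blocked):
            hits.append((m["proto"], str(dst), m["state"]))
    return hits

if __name__ == "__main__":
    for proto, dst, state in states_at_risk(SAMPLE_STATES, BLOCKED_RANGES):
        print(f"would be killed on the hour: {proto} -> {dst} ({state})")
```

On a live pfSense box the same function can be fed `pfctl -s states` output and the contents of the relevant pfBlockerNG alias table; the one destination outside the blocked ranges here plays the role of the CDN-hosted services that kept working.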

To stop this from happening, all I needed to do was leave the kill-states option unchecked, and away it went again. I could also have taken the longer route of identifying the IP ranges for the streaming services I wanted to allow, and may investigate this further. YMMV.