Technical Tip: Recognize anycast address in Geo-IP blocking
Description
This article describes how to recognize anycast address in Geo-IP blocking.
Solution
An anycast IP can be advertised from multiple locations, and each router selects a path to it based on latency, distance, cost, number of hops, and similar metrics.
This technique is widely used by providers to route users to the closest server.
Since the IP is hosted in multiple geographic locations, there is no way to assign one single location to that IP.
This version introduces an option to bypass anycast IP ranges in Geo-IP blocking.
ISDB contains a list of confirmed anycast IP ranges that can be used for this purpose.
When the source or destination address is set to a Geo-IP object, the 'geoip-anycast' option can be enabled.
When enabled, IPs whose anycast flag is set to 1 in geoip_db are bypassed in country matching and blocking.
This feature can only be configured from the CLI.
See the following example.
To enable the 'geoip-anycast' setting in a policy:
# config firewall policy
    edit 1
        set name "policyid-1"
        set uuid dfcaec9c-e925-51e8-cf3e-fed9a1d42a1c
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "test-geoip-CA_1"
        set action accept
        set schedule "always"
        set service "ALL"
        set geoip-anycast enable
        set logtraffic all
        set nat enable
    next
end
To check the 'geoip-anycast' option for an IP address:
# diag geoip ip2country 1.0.0.1
1.0.0.1 <----- Australia, is anycast IP.
The output shows that 1.0.0.1 is geolocated to Australia but is flagged as an anycast IP, so with 'geoip-anycast' enabled it is not matched by a country-based Geo-IP address object.
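To make the bypass rule concrete, here is an added Python model of the matching logic described above; it is not FortiOS code, the geoip_db contents are constructed, and only the 1.0.0.1 entry mirrors the diag output shown on this page.

```python
import ipaddress

# Constructed stand-in for the geoip_db / ISDB data (not real data):
# (prefix, country, anycast flag as stored in geoip_db)
GEOIP_DB = [
    ("1.0.0.0/24", "AU", 1),       # anycast prefix geolocated to Australia (matches the diag output)
    ("198.51.100.0/24", "AU", 0),  # ordinary unicast prefix in Australia (RFC 5737 documentation range)
    ("203.0.113.0/24", "CA", 0),   # ordinary unicast prefix in Canada (RFC 5737 documentation range)
]


def ip2country(ip):
    """Return (country, anycast_flag) for ip, or (None, 0) when the DB has no entry."""
    addr = ipaddress.ip_address(ip)
    for prefix, country, anycast in GEOIP_DB:
        if addr in ipaddress.ip_network(prefix):
            return country, anycast
    return None, 0


def geoip_match(ip, country, geoip_anycast_enabled):
    """Model of Geo-IP address-object matching.

    With geoip-anycast enabled, an IP whose anycast flag is 1 never matches a
    country object, so it is bypassed in country matching and blocking.
    """
    db_country, anycast = ip2country(ip)
    if geoip_anycast_enabled and anycast == 1:
        return False
    return db_country == country


def policy_verdict(ip, blocked_country, geoip_anycast_enabled):
    """Model a deny policy whose dstaddr is a Geo-IP object for blocked_country."""
    if geoip_match(ip, blocked_country, geoip_anycast_enabled):
        return "deny"
    return "not matched"


if __name__ == "__main__":
    # Compare a country block on AU with geoip-anycast disabled versus enabled.
    for ip in ("1.0.0.1", "198.51.100.7", "203.0.113.9"):
        print(ip, ip2country(ip),
              "disable:", policy_verdict(ip, "AU", False),
              "enable:", policy_verdict(ip, "AU", True))
```

With the option enabled, the anycast address 1.0.0.1 falls out of the AU match while the unicast Australian address is still blocked.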