pangolin_mirror/docs-v2
1
0
Fork 0
mirror of https://github.com/fosrl/docs-v2.git synced 2026-02-07 21:46:42 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
docs-v2/manage/asnblocking.mdx
Thomas Wilde 0ec73abcf3 Add ASN blocking documentation and configuration guides 
- Add manage/asnblocking.mdx documentation page covering ASN-based access control
  - Explains benefits of blocking by Autonomous System Number
  - Documents common ASNs (cloud providers, ISPs, VPN services, CDNs)
  - Provides configuration patterns for VPN/proxy blocking, datacenter filtering
  - Includes manual ASN entry support and ASN lookup resources

- Add self-host/advanced/enable-asnblocking.mdx setup guide
  - Documents GeoLite2-ASN database installation steps
  - Includes config.yml parameter (maxmind_asn_db_path)
  - Mirrors enable-geoblocking.mdx structure for consistency

- Update docs.json navigation
  - Add asnblocking to Access Control group (after geoblocking)
  - Add enable-asnblocking to Advanced Configuration section

- Update self-host/community-guides/geolite2automation.mdx
  - Add GeoLite2-ASN to GEOIPUPDATE_EDITION_IDS
  - Add maxmind_asn_path configuration example
  - Update text to reference both geoblocking and ASN blocking features
2025-12-22 10:11:50 -05:00

115 lines
4.7 KiB
Plaintext
Raw Permalink Blame History

---
title: "ASN Blocking"
description: "Configure ASN blocking to restrict access based on Autonomous System Numbers"
---
<Note>
ASN blocking is available in Pangolin community! Protect your resources by blocking or allowing specific networks and service providers.
</Note>
## Benefits of ASN Blocking
ASN blocking provides several important security and operational advantages:
### Security Benefits
- **Block Malicious Networks**: Prevent access from autonomous systems known for hosting malicious activity, botnets, or spam operations
- **Control Cloud Provider Access**: Restrict or allow access from specific cloud providers (AWS, Azure, GCP, etc.)
- **Block VPN/Proxy Services**: Deny access from commercial VPN and proxy service providers to prevent anonymous access
- **Datacenter Filtering**: Block traffic from datacenter networks while allowing residential ISPs
- **Compliance Requirements**: Meet regulatory requirements that restrict access from certain network types or providers
## Implementing ASN Blocking with Bypass Rules
ASN blocking in Pangolin is implemented using [bypass rules](/manage/access-control/rules) with ASN-based matching. You can create rules that either allow or deny access based on the visitor's Autonomous System Number.
<Frame caption="Screenshot of ASN rules from the Pangolin Dashboard.">
<img src="/images/asn_rules.png" alt="Pangolin Dashboard"/>
</Frame>
### Setting Up ASN Blocking Rules
1. Navigate to your target resource and select the **Rules** tab
2. Create a new rule and select **ASN** as the match type
3. Choose an ASN from the dropdown of common providers, or manually enter a specific ASN number
4. Choose your rule action:
- **Allow**: Bypass authentication for users from specific ASNs
- **Deny**: Block all access from specific ASNs
- **Pass to Auth**: Let users from specific ASNs proceed to authentication
### Common ASNs
The dropdown includes many commonly-used ASNs such as:
- **Cloud Providers**: Amazon (AS16509), Google Cloud (AS15169), Microsoft Azure (AS8075), DigitalOcean (AS14061)
- **Major ISPs**: Comcast (AS7922), AT&T (AS7018), Verizon (AS701), Deutsche Telekom (AS3320)
- **VPN/Proxy Services**: NordVPN (various), ExpressVPN (various), Mullvad (AS42831)
- **CDN Providers**: Cloudflare (AS13335), Fastly (AS54113), Akamai (various)
If the ASN you need isn't in the dropdown, you can manually enter the ASN number (e.g., AS12345 or just 12345).
### Common ASN Blocking Patterns
#### Block VPN and Proxy Services
Create deny rules for known VPN and proxy ASNs to prevent anonymous access:
1. Create **Deny** rules for each VPN/proxy provider ASN
2. Select ASNs from the dropdown or enter them manually
3. Set appropriate priorities
#### Block Datacenter Traffic
Block access from datacenter and hosting provider ASNs while allowing residential users:
1. Create **Deny** rules for major cloud and hosting provider ASNs
2. Include providers like AWS, GCP, Azure, DigitalOcean, etc.
3. This helps ensure only real users from residential ISPs can access your resources
#### Allow Only Specific Networks
Create a default deny rule and explicitly allow only approved ASNs:
1. Create a **Deny** rule matching all traffic with priority 100
2. Create **Allow** rules for specific approved ASNs with higher priority (e.g., 10, 20, 30)
#### Regional ISP Control
Allow access only from specific country ISPs while blocking others:
1. **Combine with Country Rules**: Use ASN rules to specify which ISPs are allowed
2. Create **Allow** rules for major residential ISPs in your target countries
3. Block datacenter and VPN ASNs that might circumvent country restrictions
### Best Practices
<Warning>
ASN blocking affects all users from that network. Be careful when blocking large ISPs or cloud providers, as legitimate users or your own infrastructure may be affected.
</Warning>
### Finding ASN Numbers
If you need to find the ASN for a specific network or provider:
1. Use online tools like [bgp.he.net](https://bgp.he.net/) or [ipinfo.io](https://ipinfo.io/)
2. Search by company name, IP address, or ASN number
3. Enter the ASN in the rule configuration (with or without the "AS" prefix)
### Rule Priority Example
```
Priority 1: Allow - ASN: AS7922 (Comcast)
Priority 2: Allow - ASN: AS7018 (AT&T)
Priority 3: Deny - ASN: AS13335 (Cloudflare - VPN)
Priority 4: Deny - ASN: AS16509 (Amazon - Datacenter)
```
This configuration allows access from residential users on Comcast and AT&T while blocking Cloudflare's VPN service and Amazon datacenters.
### Advanced Patterns
#### Block Bot Networks
Identify and block ASNs associated with automated bot traffic:
1. Monitor your access logs for suspicious ASNs
2. Create **Deny** rules for ASNs showing bot-like behavior
3. Regularly review and update your blocklist
Reference in New Issue View Git Blame Copy Permalink