Firewall: Bulk Pasting List of IP or IP Networks & Geolocation Blocking

I’d want this implemented at a higher level than having to list a zillion IP blocks.

In the Content Blocking settings, allow blocking by country, i.e., just as one can now block by topic under Web Blocking, set up a similar scheme that allows blocking of IP addresses by the country those IP addresses are assigned to. For example, by clicking boxes, one can block all connections to & from a specific country. So if I want to block all connections to & from Russia, I just have to check one box. Peplink can then manage what blocks belong to what countries behind the scenes. There is no reason I should have to know that info.

1 Like

Hi all,

We need some discussion on this. Anyway, we consider adding this feature in v6.4 in our initial plan.

Thank you.

1 Like

After some more thorough thinking I came to this conclusion:

These days, IPv4 space moves fast across countries; netblocks are being traded every minute due to the high demand, and geolocation blocking will cost extra money, as the only reliable and regularly updated databases like MaxMind’s GeoIP charge for their more accurate databases.
Furthermore, every hit from an IP would need to be looked up through external means (IC2?), due to the size of these databases, which makes it impossible to simply load them into memory/flash due to the limited size of the memory/flash.
You could minimize that traffic by assigning a firewall entry upon the netblock assigned to the ip connecting.

Thus, based on the above stated, I think this feature will be a no go, as the requirements needed for this feature to be operational, would have a huge impact on the performance of the devices.

I think you are overstating the difficulty of this.

For example, if I go to a service like CIPB (https://www.countryipblocks.net/) and generate a web.config file to block every block assigned to the US, UK, Japan, & China, which combined have a little over 60% of all IPv4 addresses, it’s only 13MB as a text file (< 700KB zipped), which implies the entire planet’s block list is less than double that size as a web.config text formatted block file (<1.4MB zipped). We can quibble about the details of this crude assessment of storage requirements, but even if it’s off by an order of magnitude, clearly the local storage requirements of the IP block list, especially if compressed, should not be an issue.

Keeping the data set of what IP block belongs to what country is a temporal granularity issue. If I were the product manager, I’d suggest providing some automatic free periodic IP block update that Peplink strives to keep less than 90 days out of date (like CIPB does), and either sell a premium subscription with near real time updated database access (like CIPB does) or cut a revenue sharing deal with someone like CIPB to allow the unit to directly access their services. Real time database access, particularly if the results are locally cached, should be no more onerous than DNS lookups. (Alternatively, the “most up to date” IP block data could be treated much like anti-virus signatures are, and simply have the unit update its IP-country list once per day. Again, the entire planet’s database, compressed, is less than a few MB.)

A lot of people like myself would find this feature useful.

3 Likes

While the geolocation blocking and the dynamic black/greylisting is one of the uses of the bulk importing of the IPs, there are other uses for the feature. Please do not let the complexity of automating blacklisting and locking detract from the effort to implement the ability to import firewall rules in bulk. We are spending hours configuring the routers with the list of about 60 VOIP servers for each client deployment (so far tens, but it is about to turn into hundreds) using PEP gear…

Sets of profiles managed via IC2 seems to make perfect sense. A bit like the security groups one would find at amazon…

We define it once, even maybe keep it automatically updated with URL links to lists of known threats.

1 Like

This is another situation where CSV import and export would be very handy!
Much easier to copy and paste rows in Excel rather than creating a new rule for every single rule in the GUI.

1 Like

I agree with others on this topic. My 580’s should be able to do country blocking at the very least and specific ports would be good as well. My mail server gets hit all the time from .ua, .ru, etc… that we have no business with. It’s unfortunate that an expensive router like this can’t have this option.

We never use it for VPN nor bought it intending to. Our core value is HA, DNS, Multi-WAN and Firewall. In today’s world Firewall is even more important than ever. Unfortunately the firewall is one of its weakest links. You can’t even make groups or add multiple non-sequential ports in one rule.

I cannot believe country blocking is not implemented. It would seem simple to add. I’ve looked at the feature set of v7 and it seems more and more geared to VPN. Which is fine as long as you bring the Firewall up to similar quality. We love the 580 and support is excellent but long term this is a growing problem. Maybe we should use drop in mode with something else?

1 Like

Agreed. +1

1 Like

Agreed +1

I like the idea of groups of filters and port forwarding rules being configurable in IC2 and then pushed down to groups of devices. That would be smart, and allow for easy import of a CSV of rules / ports too.

1 Like

I don’t even want to paste a list of IPs any longer.

I do want to paste a list of RBL list urls, and set their update frequency.

For now I have created a sub2rbl modified script for padavan firmware on Asus routers that is scheduled to re-import ipset based block lists every 6 hours.

Peplink: start acting fast, we are coming at a point of replacing Peplink routers running firmware 7.0.1 with different hardware to get the firewall features we need in 2017.

2 Likes
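The bulk-import step discussed in this thread, as an added example that is not the poster's sub2rbl script and not a Peplink feature: it validates a pasted list of IPs and networks, rejects entries that overlap internal ranges, collapses the rest, and builds `ipset restore` input that replaces the live set in a single swap. The set name `blocklist`, the protected ranges and the sample list are assumptions.

```python
import ipaddress

# Constructed sample of a pasted block list (documentation ranges only).
SAMPLE_PASTE = """
192.0.2.0/25
192.0.2.128/25   ; adjacent to the line above, the two merge into one /24
198.51.100.7
198.51.100.7
203.0.113.5/24   # host bits set, normalised to 203.0.113.0/24
not-an-address
10.1.2.3
"""

# Assumption: ranges a block list must never touch (LAN, loopback, link-local).
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def parse_block_list(text):
    """Return (collapsed IPv4 networks, rejected entries) from pasted text."""
    nets, rejected = [], []
    for raw in text.splitlines():
        # Drop '#' and ';' comments, then surrounding whitespace.
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        # IPv4-only set; anything overlapping a protected range (0.0.0.0/0 too) is refused.
        if net.version != 4 or any(net.overlaps(p) for p in PROTECTED):
            rejected.append(entry)
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), rejected

def ipset_restore_script(nets, set_name="blocklist", maxelem=262144):
    """Build input for `ipset -exist restore` that replaces set_name in one swap."""
    tmp = set_name + "-new"
    opts = f"hash:net family inet maxelem {maxelem}"
    lines = [f"create {set_name} {opts}", f"create {tmp} {opts}", f"flush {tmp}"]
    lines += [f"add {tmp} {net}" for net in nets]
    lines += [f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(ipset_restore_script(parse_block_list(SAMPLE_PASTE)[0]), end="")
```

Because the new entries are loaded into a temporary set and swapped in, a firewall rule matching on the set never sees it half-filled during a scheduled refresh.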

Yes, adding RBL list URLs! That is the only workable solution these days. I can’t keep up with the IPs to block… These lists are made for that.

I would like to see this in IC2 also.

Hi Guys,

I might have a feature request I want to add to this post.
I think it would also come in handy if there is a possibility to push a single or multiple firewall rule(s) to all the objects in the InControl2 group.

Something like a “Bulk Firewall Rule Configurator”.

This can save my customers a lot of time and effort to set up identical firewall rules on multiple sites. Is there anyone else who thinks this might be a nice addition to the InControl2 features?

4 Likes

+1

My company has over 40 Peplink 380s and the limitations with rules management are a huge weak point. Below is a list of improvements we would like to see.

  1. Ability to add multiple IP addresses or a range to a single rule (firewall or outbound policy)
  2. Ability to add multiple ports to a single rule.
  3. Ability to block IPs by country in content blocking.
  4. Ability to block IPs via RBL list or similar in content blocking.
  5. Ability to copy a firewall or outbound policy rule.

Another nice to have would be to make the rules object based but that’s for another discussion.

2 Likes

I realize this post is old. Was there any follow up on this feature request? I just received a Peplink router and this feature would be really useful, both for the firewall rules and the content blocking feature.

Any response would be helpful. Alternately, I’m going to create a work around. Let me know if anyone is interested in collaborating. Thanks.

2 Likes

+1 for blacklisting countries in a Balance 305!

1 Like

+1 Agreed, please bring this feature.

1 Like

+1 For Geoblocking here

1 Like

In relation to a previous post

And the replies of both @sitloongs and @Jonathan_Pitts

I’m bringing the conversation back into this thread.

We have created within InControl2 regional blocking rules with logging turned on.

InControl2 Ver 2.8.4 Firewall Rules



Though what should we be seeing within the Web Admin of devices? There appears to be nothing around the regional/geo-blocking.

Peplink FusionHub, Firmware 8.1.0b04 build 4916 - Remote Web Admin

Peplink Balance Two, Firmware 8.1.0b04 build 4919 - Remote Web Admin

And as we have logging turned on, where are the event logs within InControl2?

Peplink FusionHub, InControl2 Ver 2.8.4 Event Logs

Peplink Balance Two, InControl2 Ver 2.8.4 Event Logs

Also for those who do not or can not use InControl2, what options are there for doing this?

Happy to Help,
Marcus :slight_smile:

2 Likes