I’d want this implemented at a higher level than having to list a zillion IP blocks.
In the Content Blocking settings, allow blocking by country. I.e., just as one can now block by topic under Web Blocking, set up a similar scheme that allows blocking of IP addresses by the country those IP addresses are assigned to. For example, by clicking boxes one can block all connections to & from a specific country. So if I want to block all connections to & from Russia, I just have to check one box. Peplink can then manage which blocks belong to which countries behind the scenes. There is no reason I should have to know that info.
After some more thorough thinking I came to this conclusion:
These days, IPv4 space moves fast across countries: netblocks are being traded every minute due to the high demand, and geolocation blocking will cost extra money, as the only reliable and regularly updated databases, like MaxMind's GeoIP, charge for their more accurate databases.
Furthermore, every hit from an IP would need to be looked up through external means (IC2?), because the size of these databases makes it impossible to simply load them into memory/flash given the limited size of the memory/flash.
You could minimize that traffic by assigning a firewall entry for the netblock of the connecting IP.
Thus, based on the above, I think this feature will be a no-go, as the requirements for this feature to be operational would have a huge impact on the performance of the devices.
I think you are overstating the difficulty of this.
For example, if I go to a service like CIPB (https://www.countryipblocks.net/) and generate a web.config file to block every block assigned to the US, UK, Japan, & China, which combined have a little over 60% of all IPv4 addresses, it’s only 13MB as a text file (< 700KB zipped), which implies the entire planet’s block list is less than double that size as a web.config text formatted block file (<1.4MB zipped). We can quibble about the details of this crude assessment of storage requirements, but even if it’s off by an order of magnitude, clearly the local storage requirements of the IP block list, especially if compressed, should not be an issue.
Keeping the data set of which IP block belongs to which country is a temporal granularity issue. If I were the product manager, I'd suggest providing some automatic free periodic IP block update that Peplink strives to keep less than 90 days out of date (like CIPB does), and either sell a premium subscription with near-real-time updated database access (like CIPB does) or cut a revenue-sharing deal with someone like CIPB to allow the unit to directly access their services. Real-time database access, particularly if the results are locally cached, should be no more onerous than DNS lookups. (Alternatively, the "most up to date" IP block data could be treated much like anti-virus signatures are, and simply have the unit update its IP-country list once per day. Again, the entire planet's database, compressed, is less than a few MB.)
A lot of people like myself would find this feature useful.
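The two posts above argue about whether a per-country block list can live on the device and be consulted per connection without a round trip. The following is an added example, not code from Peplink or from anyone in this thread, showing how small such an index is in practice: a sorted-range table over country-to-CIDR data gives an O(log n) country lookup, and the checked countries can be collapsed into one address set and emitted as firewall rules. The country list here is constructed from documentation/private ranges and is not real allocation data; the `ipset`/`iptables` output is an assumed stand-in for whatever rule format the router's firewall actually takes.

```python
"""Country-based IP blocking from a CIDR list (added example, not Peplink code).

The SAMPLE_COUNTRY_BLOCKS table is constructed for illustration from
RFC 5737 documentation ranges and RFC 1918 private space; it does not
reflect real allocations. A real deployment would refresh it from a
regularly updated geolocation feed.
"""
import bisect
import ipaddress

# Constructed sample: ISO country code -> CIDR netblocks (IPv4 only).
SAMPLE_COUNTRY_BLOCKS = {
    "RU": ["192.0.2.0/24", "198.51.100.0/25"],
    "UA": ["198.51.100.128/25"],
    "US": ["203.0.113.0/24", "10.0.0.0/8"],
}


class CountryIndex:
    """Sorted, non-overlapping range table: lookup is a single bisect.

    Three parallel lists of ints/strings cost a few tens of bytes per
    netblock, so a few hundred thousand blocks fit comfortably in RAM.
    """

    def __init__(self, country_blocks):
        entries = []
        for cc, cidrs in country_blocks.items():
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=True)
                entries.append((int(net.network_address), int(net.broadcast_address), cc))
        entries.sort()
        # Geolocation feeds are expected to be disjoint; a nested or
        # overlapping block would make the bisect answer ambiguous, so
        # refuse the data rather than silently misattribute addresses.
        for prev, cur in zip(entries, entries[1:]):
            if cur[0] <= prev[1]:
                raise ValueError(f"overlapping netblocks: {prev} and {cur}")
        self._starts = [e[0] for e in entries]
        self._ends = [e[1] for e in entries]
        self._cc = [e[2] for e in entries]

    def __len__(self):
        return len(self._starts)

    def lookup(self, ip):
        """Return the country code for ip, or None if no block covers it."""
        n = int(ipaddress.ip_address(ip))
        i = bisect.bisect_right(self._starts, n) - 1
        if i >= 0 and n <= self._ends[i]:
            return self._cc[i]
        return None


def block_rules(country_blocks, countries, set_name="geoblock"):
    """Emit ipset/iptables lines (assumed rule format) blocking the given countries.

    Adjacent blocks across the selected countries are collapsed first, so the
    address set is as small as the data allows. IPv4 only: collapse_addresses
    refuses to mix address families.
    """
    nets = [ipaddress.ip_network(c, strict=True) for cc in countries for c in country_blocks[cc]]
    collapsed = sorted(ipaddress.collapse_addresses(nets), key=lambda n: int(n.network_address))
    lines = [f"ipset create {set_name} hash:net -exist"]
    lines += [f"ipset add {set_name} {n} -exist" for n in collapsed]
    lines += [
        # Block inbound, transit and outbound traffic to the selected countries.
        f"iptables -I INPUT -m set --match-set {set_name} src -j DROP",
        f"iptables -I FORWARD -m set --match-set {set_name} src -j DROP",
        f"iptables -I OUTPUT -m set --match-set {set_name} dst -j DROP",
    ]
    return lines


if __name__ == "__main__":
    idx = CountryIndex(SAMPLE_COUNTRY_BLOCKS)
    for ip in ("192.0.2.77", "198.51.100.200", "10.1.2.3", "8.8.8.8"):
        print(ip, "->", idx.lookup(ip))
    print("\n".join(block_rules(SAMPLE_COUNTRY_BLOCKS, ["RU", "UA"])))
```

Feeding the real table into `CountryIndex` is the part that needs the periodic update the posts discuss; the lookup and rule generation do not change when the data does.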
While the geolocation blocking and the dynamic black/greylisting is one of the uses of the bulk importing of the IPs, there are other uses for the feature. Please do not let the complexity of automating blacklisting and locking detract from the effort to implement the ability to import firewall rules in bulk. We are spending hours configuring the routers with the list of about 60 VOIP servers for each client deployment (so far tens, but it is about to turn into hundreds) using PEP gear…
I agree with others on this topic. My 580s should be able to do country blocking at the very least, and specific ports would be good as well. My mail server gets hit all the time from .ua, .ru, etc. that we have no business with. It's unfortunate that an expensive router like this can't have this option.
We never use it for VPN nor bought it intending to. Our core value is HA, DNS, Multi-WAN and Firewall. In today's world the firewall is even more important than ever. Unfortunately the firewall is one of its weakest links. You can't even make groups or add multiple non-sequential ports in one rule.
I cannot believe country blocking is not implemented. It would seem simple to add. I’ve looked at the feature set of v7 and it seems more and more geared to VPN. Which is fine as long as you bring the Firewall up to similar quality. We love the 580 and support is excellent but long term this is a growing problem. Maybe we should use drop in mode with something else?
I like the idea of groups of filters and port forwarding rules being configurable in IC2 and then pushed down to groups of devices. That would be smart, and allow for easy import of a CSV of rules / ports too.
I might have a feature request I want to add to this post.
I think it would also come in handy if there is a possibility to push a single or multiple firewall rule(s) to all the objects in the InControl2 group.
Something like a “Bulk Firewall Rule Configurator”.
This can save my customers a lot of time and effort in setting up identical firewall rules on multiple sites. Is there anyone else who thinks this might be a nice addition to the InControl2 features?