How to configure a country-based firewall rule

Using InControl version 2.8.2 and above, it is now possible to configure and deploy country-based firewall rules to Peplink routers running firmware 8.0.1 and above.

This feature can be used to block traffic from a specific country.

In the correct InControl2 organization in Group Level select Network settings > Firewall Rules .


Enable firewall rule management by InControl2

Before agreeing that the firewall rules will be governed by InControl2, make sure to plan carefully whether to clear or preserve firewall rules of devices that receive no firewall rules from IC2 upon policy removal. .

Create a new Rule Set and add an inbound firewall rule by clicking the add rule button.
Select Region as Source and select the county of choice and other required options and save the firewall rule.

Configure the required options for the Firewall Rule Set and save this ruleset.

Log on to the local router web admin console to check that the new firewall rule has been pushed to the local router.


For more information about firewall rules management using InControl2 (including importing existing firewall rules configured on the local device) read the following article https://forum.peplink.com/t/firewall-rule-management-in-incontrol2/

6 Likes

Hi Erik,

i’am a little bit confused about that function. Because when i block a specific ip in and out, it works for me well. But when i’am blocking a country, it will not work for me.

And the function to block ip’s from a specific country is really cool!

So what can i do? or what can be my failure?

Hi Dieter,

Can you post some screenshots of you configuration? Or, if you prefer not to share this information you can contact your Peplink partner or raise a ticket with Peplnk support.

Hi Erik,

thank’s for the quick respond.

Here are my config’s. I tried several Countrys and only one per entry. The one wich only includes the IP from NL (Netherland or other IP’s) still works.

Is there a way to block country’s on the SURF SOHO without incontrol? I know you can do it with a pi-hole. Maybe a billable feature?

Thanks in advance.

1 Like

@happysurfer

Country’s list of IP address is too dynamic that need to update from IC2 time to time. Any reason why you are not using IC2 ?

1 Like

I am a home user and do not require it at this time.

@happysurfer

The rules only need to push from IC2 for 1 time will do.

1 Like

I have followed these instructions and can’t seem to get it to work correctly. I have SSH port forwards setup on my device, then also configured access runs for allowing only certain IP addresses into those port forwards. The SSH port forwards work well and the blocks seem to work (allows are the 1st 2 lines with IP addresses listed). However, there are some more port forwards I have that are over port 80. I would like to limit those to only incoming US traffic. I have configured the following setup, pictured with this post. I have this pushed to my devices, but I can still connect to the units when I run my NordVPN software while selecting an overseas server. I check my IP address and it is showing that my IP should look like an overseas IP. I can still however connect to the devices using the port 80 forward. This clearly should be dropped based on the picture and the access rules I have setup. Please help me get this figured out.

@Erik_deBie any thoughts to the above?

@WaterFarmer, you want to block TCP 80 (out of US’s IP) from WAN to Peplink device or from WAN to LAN?

1 Like

I would like to block any outside the US IP from coming in the Wan to the Lan devices. But shouldn’t my rules above allowing all US traffic then the default being to drop all traffic stop all outside traffic coming from outside of the US and dropping that traffic?

I would suggest you guys look into this issue. I had my data usage go up to over 25MB a day from units that would usually use around 1MB a day when using the allow US rule above. It was allowing other outside IP addresses, even from outside the US to connect to my SSH devices. I even had a deny all SSH rule prior to the allow for the US traffic. Something is seriously wrong, I just removed the allow the US traffic rule and the traffic from outside countries trying to connect to my SSH devices has stopped again. Just thought I would pass this on, it looked like a great feature but clearly was not working and caused further issues on my devices.

i seem to have locked myself out of Balance20 web admin after enabling country block. inControl also now sees device as offline… but internet is still up and working.

I added incoming block rules for Russia, Iran, Iraz, Ukraine, China, North/South Korea, Thailand and Vietnam.

Any ideas?

Hi @sitloongs. Just a note: That’s really quite limiting to have to use IC2 in order to take advantage of country blocking.

@WaterFarmer

In your SSH devices, do you have the logs for the IP list that try to connect the devices before ? If yes, can you please open a ticket and share the IP list ? This will help support team to verify whether those IP is in US country.

Beside that, do you enable event logging for the inbound firewall rules created ? Suppose if you enable event logging, you should able to check the logs for all the incoming connection.

1 Like

@stego

Suppose firewall rules have no way to block the IC2 connection. Would you open a ticket for support team to check ?

1 Like

@Rick-DC

This is well noted and because the country IP is too dynamic that need to update from time to time and the feature currently only available via IC2.

1 Like

Thanks @sitloongs

I have an existing ticket already open for another issue with regards to Bonjour Forwarding.

I mentioned this latest issue in the ticket log in hopes they can troubleshoot further.

Hi @sitloongs. Understood completely. My only point is this is a powerful feature but if it can’t be used … :confused:

1 Like