IP Geo Blocking not working on Balance 20x

Hi everyone

I need some help w/ the Geo-IP blocking feature. Either it's not working properly or I didn't set it up correctly.

I have a Peplink Balance 20X with a Windows Server 2016 behind it. This runs my company’s various software databases and programs for remote use. Since my operations are US based only, I do not need or want people who are international to be able to access it. So I blocked IPs from all other countries via the InControl portal.

Problem is, hackers from other countries (namely Russia) are still able to see my server and are attempting to log in to it. I can see this in the Event Viewer on Windows Server, which gives me the IP address of the person who attempted to log in, albeit unsuccessfully since they can't guess the user/password and I have 2FA…

So why are they still able to see the server even with their country’s IP addresses supposedly blocked with the traffic policies I have in place on the router?

I may file a support ticket on this as well but wanted to document it here. Please see pics below…


Can you post what the firewall rule looks like as it is inside the Balance 20X?
This shows what you set up via IC2, but I don’t know if this has been downloaded to your 20X.

Hi Jonathan,

I just checked and there are 10 pages of rules in the firewall.


Well, I may have figured it out myself. I didn't notice the “default” rule at the bottom before, and when I clicked the ? info button, it says “If an inbound IP session does not match any of the rules listed, the Default rule will be applied.”

My default rule was set to allow.

I have since changed it to deny.

I will keep an eye on the server Event Viewer and see if the hacking attempts have stopped…

I might still file a ticket with Peplink to get their feedback; it looks like it should have blocked it.


I did indeed file a support ticket right after making this thread. They have since looked into it and escalated it to the right department.


Sounds good, keep us updated.

Please update this thread when this problem is resolved. My 20X exhibits the same problem.

A firewall rule, inbound or outbound, with a smaller set of regions will work as expected. The name of each country/region will be explicitly written in the ‘Source’ column. However, when too many regions populate the list, something breaks and the value in the ‘Source’ column reads ‘Unknown.’ When this happens, the rule does not function, despite what is displayed in InControl2. I do not know the exact number of regions at which this happens.

It seems more regions are blocked than are allowed, so perhaps it would be better to set the ‘Action’ of the Default rule to 🚫. Then, make ✅ rules for regions from which access is permitted. Allow few rather than block many.

-Steve
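
The failure mode discussed above (a country rule whose ‘Source’ reads ‘Unknown’ falling through to the Default rule), as an added example that is not part of the original thread and not Peplink's code. It is a simplified first-match model; the rule names, the `None` marker for an unresolved source and the country codes are assumptions made for illustration.

```python
# Added illustration: a simplified model of first-match inbound rule
# evaluation. Assumption: this is not Peplink's implementation.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    countries: Optional[FrozenSet[str]]   # None models a Source of 'Unknown'


def evaluate(rules: List[Rule], default_action: str, country: str) -> Tuple[str, str]:
    """Return (action, name of the rule that decided) for one inbound session."""
    for rule in rules:
        if rule.countries is None:
            continue                      # unresolved source: rule never matches
        if country in rule.countries:
            return rule.action, rule.name
    return default_action, "Default"      # nothing matched: Default rule applies


def audit(rules: List[Rule], default_action: str) -> List[str]:
    """Flag settings that let a non-functioning rule fail open."""
    findings = [f"rule '{r.name}' has an unresolved source and matches nothing"
                for r in rules if r.countries is None]
    if default_action == "allow":
        findings.append("Default is allow: traffic no rule matches is admitted")
    return findings


# Constructed rule sets (hypothetical names, ISO country codes).
BLOCK_MANY_BROKEN = [Rule("block-all-but-US", "deny", None)]
BLOCK_FEW = [Rule("block-RU-CN", "deny", frozenset({"RU", "CN"}))]
ALLOW_FEW = [Rule("allow-US", "allow", frozenset({"US"}))]
ALLOW_FEW_BROKEN = [Rule("allow-US", "allow", None)]

if __name__ == "__main__":
    cases = [("block many, rule broken, default allow", BLOCK_MANY_BROKEN, "allow"),
             ("block few, default allow", BLOCK_FEW, "allow"),
             ("allow few, default deny", ALLOW_FEW, "deny"),
             ("allow few, rule broken, default deny", ALLOW_FEW_BROKEN, "deny")]
    for label, rules, default in cases:
        print(label)
        for country in ("US", "RU"):
            print("  ", country, "->", evaluate(rules, default, country))
        for finding in audit(rules, default):
            print("   finding:", finding)
```

With a deny-by-default policy, a broken allow rule locks out legitimate users, which is noticed quickly; with allow-by-default, a broken block rule admits everyone and nothing signals it.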

I just connected my B20x to IC2 and added 2 country blocks, Russia and China. I enabled logging so will see if anything comes up.

Some will argue that country blocks won’t stop professional hackers, since they will most likely conduct their attacks from different hop locations globally using VPNs.

Also, IoT devices that phone home (e.g. China?) may not work properly… I'd argue at worst they’re not sending telemetry to their mothership, so it can't all be bad.

The inbound firewall rules only apply to the following types of traffic:

  • Inbound drop-in WAN traffic where the WAN is in drop-in mode
  • Inbound traffic that is defined in Port Forwarding
  • Inbound traffic that is defined in Inbound NAT Mappings

In my case, country blocks won’t apply since none of the above applies to me yet. I will be port forwarding to a helium hotspot miner in the future so I’ll be revisiting this then.