GEO-IP blocks internal LAN IPs

hardstyler
hardstyler Posts: 4  Freshman Member
First Comment First Anniversary
edited April 2021 in Security

Hi all!

Never solved this bad programmed feature: geo ip blocking is great but since the day introduced Zyxel never solved an important issue:

internal LAN IPs (lan1, lan2, dmz) are also checked for the country of origin, so now writing and this is an example:

190.168.x.x = Venezuela

194.166.x.x = Austria

191.168.x.x = Brazil

195.168.x.x = Slovakia

They are common IPs in use in SOHO ambients.

If you use the IPs in the example and set correctly the rules in the firewall as in this video: https://www.youtube.com/watch?v=uMv05II9VYs (and there is no other solution), firewall blocks all traffic!!!!

the video explains only one policy for the firewall section (any to any except Zywall), but there is another rule to set of course that is any to Zywall. But this doesn't change nothing cause if you use IPs on your lan that are the same countries they correspond, you obtain no traffic and also kicked off by the firewall interface.

You could tell me: change IPs on the lan side!!! Is not possible, cause IP blocks change and when they change, and you cannot expect it, you will be kicked by the firewall anyway till you change another time lan IPs.

Comments

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,391  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @hardstyler,

    In the security policy rule, you can assign a specific zone in “From” and “To” to limit the source/destination IP coming from/to a certain “zone”.

    In the following example, create a address object with Venezuela.

    Modify the IP address as 190.168.1.1 which belongs to Venezuela.

    Create a security policy rule to block traffic from Venezuela to ZyWALL.

    From: WAN, To: ZyWALL, Source: All Venezuela, action: deny

    From one PC 190.168.1.2 in LAN1, it is still able to access the web GUI 190.168.1.1 successfully because the traffic if from zone “LAN1” and not “WAN”.

    Hence, it doesn’t hit the block_test rule.


  • hardstyler
    hardstyler Posts: 4  Freshman Member
    First Comment First Anniversary

    Solved, thank you!

Security Highlight