100H - block external IP address ... not all IPs are blocked!
Thanks for the fast answer.
So I'll use what you wrote above until a fix via firmware is available.
0 -
OK Melen, thanks for the info. I think I put it in Ideas so that the IP Reputation filter has an option to use only the External Block List.
I think the layout for the External Block List, where it is in the UI, is misleading when you enable it, at least to me.
0 -
Hi @SiegfriedH
After checking with our team, the external block list IP reputation does block the traffic from LAN to WAN and from WAN to LAN. It does not block only the traffic from WAN to ZyWALL.
Result from WAN to LAN:
Since this is the current spec design, we created an idea post for this. Our product team will monitor the idea post to evaluate it.
USG FLEX H - external block list also blocks traffic from WAN to ZyWALL — Zyxel Community
Zyxel Melen
0 -
So I have another problem, please see the screenshots:
See entry 334 - access forward, although the IP address is blocked via the external block list. I made a routing through the firewall to an internal web server.
When a policy control is made like in the screenshots, then a blocked IP address is routed through to the internal IP. I thought that an IP address blocked via the external block list is always blocked.
What can I do to block an IP address 100% although a routing to the internal web server is active?
Regards, Siegfried
0 -
Looks like the block list was only designed to block internal to external so there needs to be options like
block for:
internal to external (including General)
internal to internal
external (including General) to external (including General)
external (including General) to internal
external (including General) to zywall
So your only option to block as it is, is to make your own block list in an address object to add to the control policy for source.
0 -
So what should I do now to block all external IPs in the external block list, although there are 3 routings from external to the internal web server?
Is there an easy way to do so?
0 -
So you would need to add the IPs in the block list to USG address objects one by one, then make a control policy for WAN to LAN and WAN to ZyWALL with a source address group of all those IPs.
0 -
Hi @SiegfriedH
Your result is not an expected behavior, which is different from our test result (the same NAT rule, security policy, and the external block list).
Could you help query this IP (204.76.203.212) in Security Services > Reputation filter > IP Reputation tab? In here we can check if the device adds this signature.
If the result shows your signature, please check if the IP Reputation and External block list > IP reputation are enabled.
If both are enabled, please share your configuration file with us to check. You may share it by sending a message to me on the community.
Zyxel Melen
1 -
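Added example, not part of the thread and not Zyxel code: a small offline check that parses a block list file and reports which source IPs from "access forward" log entries are actually covered by it, which helps when comparing the list against log results like entry 334. The list format (one entry per line, `#` comments, single IP / CIDR / `a-b` range) and all sample data are assumptions constructed for illustration; only 204.76.203.212 comes from the thread.

```python
import ipaddress

# Constructed sample block list; format is an assumption (see lead-in).
SAMPLE_LIST = """\
# constructed sample entries
204.76.203.212
198.51.100.0/24
203.0.113.10-203.0.113.20
not-an-ip
"""

def parse_block_list(text):
    """Return (networks, rejected_lines) for a block list given as text."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            if "-" in entry:
                # Range entry: expand to the minimal set of CIDR networks.
                first, last = (ipaddress.ip_address(p.strip())
                               for p in entry.split("-", 1))
                networks.extend(ipaddress.summarize_address_range(first, last))
            else:
                networks.append(ipaddress.ip_network(entry, strict=False))
        except (ValueError, TypeError):
            # Malformed lines are reported so they can be fixed in the list.
            rejected.append(raw)
    return networks, rejected

def listed_but_forwarded(networks, forwarded_sources):
    """Source IPs seen in 'forward' log entries that the list covers."""
    hits = []
    for src in forwarded_sources:
        addr = ipaddress.ip_address(src)
        if any(addr.version == net.version and addr in net for net in networks):
            hits.append(src)
    return hits

if __name__ == "__main__":
    nets, bad = parse_block_list(SAMPLE_LIST)
    # Constructed stand-ins for source IPs copied from forwarded log entries.
    seen = ["204.76.203.212", "203.0.113.15", "203.0.113.21", "192.0.2.7"]
    print("rejected lines:", bad)
    print("listed but forwarded:", listed_but_forwarded(nets, seen))
```

Any address it reports is one the list should have covered, so it is the one to query in the IP Reputation tab or include when sharing the configuration with support.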
Hello Melen,
here are the results.
Where should I send my config file?
Results are not so good …
0 -
Hi @SiegfriedH
I have sent you a private message, please share your config file in the message. Thanks~
Zyxel Melen