Easiest way to geoblock country?

Mark Kaine

So I've been trying to look this up and there are many ways to do it, most seem messy and convoluted (blocking ip ranges etc)

 

but some say just to block a whole country by blocking just for example .cn or .ru etc...

 

That sounds great and i don't care if it blocks *all* of a country as long its blocking the majority of a country = )

 

So the question is how do I do this? Firewall?  Better in windows,  in router or both?

 

My router is simple enough if it has the possibility i guess, windows would maybe be more convenient,  but I'd need a good tutorial... 

 

ps: inbound or outbound doesn't matter, i want to block *all* connections,  simply. ~

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


blocking a top level domain does nothing, geographically.

 

it is simply a matter of blocking those IP ranges assigned to certain regions.


Just now, manikyath said:

blocking a top level domain does nothing, geographically.

 

it is simply a matter of blocking those IP ranges assigned to certain regions.

hmm i see, so all those reddit posts were full of it? Damn...

 

Do you know a good tutorial for doing the ip ranges and how to get them ? And windows or router? (its really confusing there's 2 options here, i would think router would be more thorough? )


6 minutes ago, manikyath said:

blocking a top level domain does nothing, geographically.

 

it is simply a matter of blocking those IP ranges assigned to certain regions.

Yeah but then anyone in said countries can use a VPN to access from another country..
Why even bother doing that ? Are you a North Korean official ? 😄

 

System : AMD R9 5900X / Gigabyte X570 AORUS PRO/ 2x16GB Corsair Vengeance 3600CL18 ASUS TUF Gaming AMD Radeon RX 7900 XTX OC Edition GPU/ Phanteks P600S case /  Eisbaer 280mm AIO (with 2xArctic P14 fans) / 2TB Crucial T500  NVme + 2TB WD SN850 NVme + 4TB Toshiba X300 HDD drives/ Corsair RM850x PSU/  Alienware AW3420DW 34" 120Hz 3440x1440p monitor / Logitech G915TKL keyboard (wireless) / Logitech G PRO X Superlight mouse / Audeze Maxwell headphones


2 minutes ago, Mark Kaine said:

hmm i see, so all those reddit posts were full of it? Damn...

 

Do you know a good tutorial for doing the ip ranges and how to get them ? And windows or router? (its really confusing there's 2 options here, i would think router would be more thorough? )

i'd say block it on the router.

 

as for which ranges, i'm sure there's a public list of who owns which ranges, the below seems a good start.

https://lite.ip2location.com/ip-address-ranges-by-country?lang=en_US
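Added example, not part of any post in this thread: per-country lists are usually published as first/last address pairs, while router firewalls generally want CIDR blocks. This sketch converts and merges such pairs and checks an address against the result; the `first_ip,last_ip` layout, the function names and the sample data (RFC 5737 documentation ranges, not real country allocations) are assumptions.

```python
import ipaddress

# Constructed sample in an assumed "first_ip,last_ip" layout.
# These are documentation ranges, not any country's real allocation.
SAMPLE_RANGES = """\
# first_ip,last_ip
192.0.2.0,192.0.2.255
198.51.100.16,198.51.100.79
198.51.100.80,198.51.100.127
203.0.113.5,203.0.113.5
"""


def ranges_to_cidrs(text):
    """Convert first/last address pairs into a minimal list of CIDR strings."""
    nets = {4: [], 6: []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            first, last = (ipaddress.ip_address(p.strip()) for p in line.split(","))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: cannot parse {line!r}") from exc
        if first.version != last.version or first > last:
            raise ValueError(f"line {lineno}: invalid range {line!r}")
        # A range that is not aligned to a power of two needs several CIDR blocks.
        nets[first.version].extend(ipaddress.summarize_address_range(first, last))
    merged = []
    for version in (4, 6):
        # collapse_addresses merges adjacent and overlapping blocks; it cannot
        # mix IPv4 and IPv6, so each family is collapsed separately.
        merged.extend(ipaddress.collapse_addresses(nets[version]))
    return [str(n) for n in merged]


def is_blocked(address, cidrs):
    """Return True if the address falls inside any block of the list."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    blocklist = ranges_to_cidrs(SAMPLE_RANGES)
    for cidr in blocklist:
        print(cidr)
    for probe in ("198.51.100.100", "198.51.100.15"):
        print(probe, "blocked" if is_blocked(probe, blocklist) else "allowed")
```

The two adjacent 198.51.100.x ranges come out as three blocks instead of five, which matters on routers that cap the number of firewall entries.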


Just now, PDifolco said:

Yeah but then anyone in said countries can use a VPN

i didn't understand this either,  why "top level" wouldn't work i just want to block everyone with a .** domain i dont really care where they are, because simply doing that would catch most anyways lol (and i do not expect a solution to work 100%... if it works 80% or so is good enough lol)


2 minutes ago, manikyath said:

i'd say block it on the router.

 

as for which ranges, i'm sure there's a public list of who owns which ranges, the below seems a good start.

https://lite.ip2location.com/ip-address-ranges-by-country?lang=en_US

ah, ok, i see thanks = )


Just now, PDifolco said:

Yeah but then anyone in said countries can use a VPN to access from another country..
Why even bother doing that ? Are you a North Korean official ? 😄

 

there's reasons to geoblock countries. yes there's ways around everything, but it severely limits options.

 

for a lot of customers i deal with, sign-ins from outside the EU are straight up denied. yes VPN's exist, but just one barrier is often enough for malicious entities to 'not bother'.


Just now, Mark Kaine said:

i didn't understand this either,  why "top level" wouldn't work i just want to block everyone with a .** domain i dont really care where they are, because simply doing that would catch most anyways lol (and i do not expect a solution to work 100%... if it works 80% or so is good enough lol)

because 99% of people dont have a domain.

 

blocking .cn essentially means you cant access aliexpress, but whatever guy is behind 1.124.x.y can still access you.


4 minutes ago, Mark Kaine said:

i didn't understand this either,  why "top level" wouldn't work i just want to block everyone with a .** domain i dont really care where they are, because simply doing that would catch most anyways lol (and i do not expect a solution to work 100%... if it works 80% or so is good enough lol)

That won't stop anything incoming, for a variety of reasons:

 

Your router/firewall isn't doing a reverse DNS search against every incoming IP address.

 

The vast majority of addresses don't have domain names assigned.

 

Top level domains don't necessarily have to match up with a server in the country it's assigned to.

 

You can manually assign *.tld to 127.0.0.1 in your firewall if you want, but that will only stop those domain names from resolving on devices looking to it for their first level DNS. It won't do anything for incoming wild traffic.

 

Some firewalls have country-based region blocking, but I think you have to run something like OPNSense or Sophos XG to get that. Regular consumer modem/firewall/router combo units usually don't give you that kind of detail.

I sold my soul for ProSupport.


12 minutes ago, manikyath said:

because 99% of people dont have a domain.

 

blocking .cn essentially means you cant access aliexpress, but whatever guy is behind 1.124.x.y can still access you.

oh... ok i think i get it...

 

lol, i do remember i did something similar once, but there i would just check the ip address + isp (which my router plainly told me) and do it one by one, which is of course messy and not really what i have in mind right now...

 

but either way this is tricky,  i mean putting in all those ip ranges manually... oof.

 

It would be nice if that was an inbuilt function of the router... but i dont think I'll be that lucky! 🙃

 

 

7 minutes ago, Needfuldoer said:

Some firewalls have country-based region blocking, but I think you have to run something like OPNSense or Sophos XG to get that. Regular consumer modem/firewall/router combo units usually don't give you that kind of detail.

yeah... it would be so simple in theory... or just download some list to load into your firewall...

 

well, ill look into it and now i know simply blocking .** won't work. ¯\_(ツ)_/¯ 


Geo Blocking is like......2007 security practice.

 

In the good old days if a IP address reversed to Amsterdam or S Korea you blocked it. Easy Peezy.

 

Nowadays the bad actors just VPN in, or lease piles of Azure machines in N America thanks to Microsoft's 750 free hour promotional discount for Russian hackers. Source Address means nothing anymore.


5 minutes ago, wseaton said:

Nowadays the bad actors just VPN

ofc you could block all vpn too! like the big American streaming services do?

 

but that's not the point for me really, i simply don't want to connect to a certain ip address range, ie countries ip addresses... if i could additionally block vpns, that would be nice, but is not a priority.

So if i see this right i need the "good old way" and block those ip ranges in my routers firewall?  

 


7 minutes ago, Androkiller said:

pfsense + pfblocker

right i need a ublock origin kinda thing just for countries instead of ads 🤔

 

 

ps: except i need this in my router or windows firewall,  its useless to me in a browser, unless it still works for the whole system,  outside a browser environment.

 

 

 


3 minutes ago, Mark Kaine said:

right i need a ublock origin kinda thing just for countries instead of ads 🤔

 

 

but pfblocker will do it for the whole network 😛

there are extensions where you can just add block list for the ip ranges i am sure ublock origin had the feature where you could add custom lists, not sure now as i switched to brave as my web browser

look at pfblocker doc as it shows the lists https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html#available-lists

this one will be of most interest for you probs https://www.iblocklist.com/lists.php?category=country

 

In brave you can add custom lists by default 


10 minutes ago, Androkiller said:

but pfblocker will do it for the whole network

yeah, that's what I need! so it changes the windows firewall,  or how does it work?

 

39 minutes ago, wseaton said:

Azure

Also blocked! (if i knew how... 🤣)

 

i know that would probably break a lot of websites etc, but at least temporarily that would be acceptable! 

 

 


I think a more important question here is... why are you trying to do this? What are you trying to gain via doing this? As others said above, geo-blocking does very little, and if its within windows firewall, it does virtually nothing. You would want to block bad actors at the firewall between your ISP and your LAN. Your smart TV or smart light switch is much more susceptible to vulnerabilities than windows (although Windows is also not exactly great).

 

The highest chance of getting pwned is via visiting a site with ads that are actually just malware injectors, or opening a malicious PDF or Office Word/Excel/etc file. Blocking "random" IP's isn't really going to do much to reduce your threat surface...

Rig: i7 13700k - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Assorted SATA SSD's for Photo Work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - XT45 X-Flow 420 + UT60 280 rads - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad

 

Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/ Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TreuNAS + many other VM’s

 

iPhone 14 Pro - 2018 MacBook Air


48 minutes ago, LIGISTX said:

I think a more important question here is... why

you're probably right... because obviously there are some misunderstandings ...

 

48 minutes ago, LIGISTX said:

Blocking "random" IP's isn't really going to do much ...

the thing is ... this worked in the past, but, i had to do it manually, for each "user"... and of course it only theoretically worked until they would change their ip address...

 

But this time, i want to block them *before* they connect to me (also i dont use the router that tells me the ip addresses from "connections" anymore, besides that would be way too tedious) , and as many as possible and not just individuals...  i think the ip range thing would work very well for this , it doesn't matter if it catches *everyone* if its just 50% that would be great! 

It might not work at all, because when i did this it was connecting through psn, now it's steam... but i think the same principle applies,  in the end steam is just a more laggy psn after all .

 

48 minutes ago, LIGISTX said:

more susceptible to vulnerabilities than windows

in my impression windows is *extremely* susceptible to network lag, hence i wish to avoid certain countries.  this isnt about a "security threat" at all (i didn't mention one : p)

 

So in theory... blocking isp/ip ranges would work,  right? 

its just a matter of putting it all in my router? 

 

ps: btw this is a 1:1 p2p connection but matchmaking is still obviously done through steam... i wouldn't do this in an mmo or something,  would only create issues probably,  but in my previous experience it works well enough for individuals and p2p connections. = )

 

 

 

 

 

 


7 hours ago, Mark Kaine said:

in my impression windows is *extremely* susceptible to network lag, hence i wish to avoid certain countries.  this isnt about a "security threat" at all (i didn't mention one : p)

 

So in theory... blocking isp/ip ranges would work,  right? 

its just a matter of putting it all in my router? 

 

ps: btw this is a 1:1 p2p connection but matchmaking is still obviously done through steam... i wouldn't do this in an mmo or something,  would only create issues probably,  but in my previous experience it works well enough for individuals and p2p connections. = )

This is for reducing lag in game? I doubt that it will have any effect on lag. I mean, does steam randomly try to route you through China when you are playing in USA? That seems not likely.


1 hour ago, Blue4130 said:

This is for reducing lag in game? I doubt that it will have any effect on lag. I mean, does steam randomly try to route you through China when you are playing in USA? That seems not likely.

i wouldn't say reducing,  i would say avoid. 

And this is yet another (small) misunderstanding perhaps,  this is a fighting game, which generally means peer-to-peer,  and yes,  indeed Steam "randomly" connects me to whatever region the next player is...

 

This is for the most part the games fault because it barely gives you any options... you can "theoretically" choose a region,  but since everyone can do that if you connect to USA that can just as well be a Japanese player, *in Japan* who just so choose "USA" for their region (for example) 

 

Additionally... you get bars to show the connection quality (which is what really would matter most, obviously)

 

BUT that's not reliable at all, it can easily drop from a 5 bar connection (good)  to 2 or 3 bars (bad)

 

Now, since i know this already since, uh, 15 years, and have like a lot of matches (in that game series) ie 10s of thousands (literally)  i *know* very well which countries will lag the most... so it's relatively easy to avoid by blocking certain ip addresses (it basically works 99% )

 

the only issue (so far) is i don't know the best or easiest way to do this (see my previous posts, i did it manually... a few years ago, it worked well, with the few people i "blocked" but realistically that's not really feasible, or ideal lol...)

 

so "ip ranges" it is i guess.

 

 

and just for clarification, i don't want to block a gazillion countries,  its more like 3 or 4... which i know have basically always a terrible connection.

 

So tldr,  its actually the games fault,  the netcode / matchmaking is just terrible,  its still fun *if* you get a player with a good connection...

 
