The Vigor router includes a Country Object feature that lets network administrators allow or block IP addresses belonging to specific countries.
This application note is based on the following DrayTek knowledge-base article: https://www.draytek.com/support/knowledge-base/5466.
The focus here is traffic flowing from internal LAN users to WAN destinations. Controlling inbound traffic by country is less reliable, because attackers commonly use proxies or VPNs to evade country-code identification.
In addition, new WAN IP address ranges are continually allocated to different countries, which makes keeping country records up to date an ongoing task.
The case study below shows how to allow LAN hosts to access UK websites only.
1. Create a Country Object. Go to the Objects Setting >> Country Object page, click an available index, give the profile a Name and select the Country.
Fig 1
To block all websites except those in the UK, we need two firewall rules: the first blocks all websites, and the second allows access to websites in the UK.
2. Create the rule that blocks all sites. Go to Firewall >> Filter Setup >> Default Data Filter Set and click an available rule to edit it.
a. Select “Any” for Source IP, Destination IP and Service Type
b. Select “Block if no further Match” for Action, so the router checks the remaining rules before blocking
Fig 2
3. Create another rule to allow access to UK websites. Go back to the Default Data Filter page and click an available rule that comes after the rule created in the previous step.
a. Click Edit next to Destination IP/Country and select the Country Object created in step 1
b. Select “Pass Immediately” for Action
Fig 3
4. Now create another rule to allow DNS traffic through
Fig 4
5. Now try to access a few websites to verify the firewall setting.
Fig 5
6. Note: the syslog is a useful tool for verifying the rules.
With the DNS rule from step 4 disabled, the syslog shows DNS traffic to 8.8.8.8 being blocked, which is why step 4 is included above.
Fig 6
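To make the rule ordering above concrete, here is an added Python model of how the three Default Data Filter rules are evaluated; it is not DrayTek firmware code. It assumes the page's semantics (“Block if no further Match” keeps checking later rules and blocks only if none match; “Pass Immediately” stops and allows), an implicit pass when no rule matches, and a constructed GeoIP table in place of the router's built-in country database.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed sample GeoIP table (not real allocations); the router uses
# its own country database for the Country Object lookup.
GEOIP = {"203.0.113.0/24": "GB", "198.51.100.0/24": "US", "8.8.8.8/32": "US"}

def country_of(ip: str) -> Optional[str]:
    """Map a destination IP to a country code using the sample table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None

@dataclass
class Rule:
    name: str
    action: str                           # "block_if_no_further_match" or "pass_immediately"
    dst_countries: Optional[set] = None   # None means "Any" destination
    service: Optional[str] = None         # None means "Any" service type

    def matches(self, dst_ip: str, svc: str) -> bool:
        if self.dst_countries is not None and country_of(dst_ip) not in self.dst_countries:
            return False
        return self.service is None or svc == self.service

def evaluate(rules: List[Rule], dst_ip: str, svc: str) -> Tuple[str, str]:
    """Walk the rules in index order for one LAN->WAN packet.
    Returns (verdict, deciding rule name)."""
    pending_block = None
    for r in rules:
        if not r.matches(dst_ip, svc):
            continue
        if r.action == "pass_immediately":
            return "pass", r.name          # stop here, packet allowed
        if r.action == "block_if_no_further_match":
            pending_block = r.name         # remember, but keep checking
    # Assumption: with no matching rule the router's default is pass.
    return ("block", pending_block) if pending_block else ("pass", "default")

# The case-study rules in index order; the block rule must come first.
BLOCK_ALL = Rule("block all", "block_if_no_further_match")
ALLOW_UK = Rule("allow UK", "pass_immediately", dst_countries={"GB"})
ALLOW_DNS = Rule("allow DNS", "pass_immediately", service="dns")

def with_dns_rule() -> List[Rule]:      # steps 2, 3 and 4
    return [BLOCK_ALL, ALLOW_UK, ALLOW_DNS]

def without_dns_rule() -> List[Rule]:   # steps 2 and 3 only (the step-6 syslog case)
    return [BLOCK_ALL, ALLOW_UK]
```

Running `evaluate(without_dns_rule(), "8.8.8.8", "dns")` reproduces the blocked DNS lookup seen in the syslog, while the same query against `with_dns_rule()` passes.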