Geoblocking is a pretty common practice in enterprise networking.
I block all inbound connections from China and Russia via GeoIP blocking in Opnsense and no one in my household has ever complained. Considering setting it up to block outgoing as well, but any Chinese device I'm suspicious of is already isolated from the WAN.
good to know this is an innate feature of opnsense
What's more suspicious than Alexa or our phones? The "bad guys" can do jack shit with our data but the "good guys" can fuck us up.
Well, just blocking incoming connections doesn't add much value. That is, unless you also block already established connections, but then it would be easier to say you're blocking outgoing traffic.
I do this; the only problematic thing is the NTP request from my Philips Hue bridge.
It’s a common feature in a lot of threat management software / firewall systems. Ubiquiti and pfSense both offer it off the top of my head. I’ve used both with no noticeable issues on smart / IOT devices.
If you aren't running a server/service, the best option is generally to unwrap a tinfoil layer.
Hilariously, posts like these also generally involve users running 'windows chocolate fireguard', and quite happy with that gaping inadequacy.. 🤣🤣🤣
Just put it on a separate network, with no internet connection. Use a server as a passthrough, so you have control. Stay away from anything cloud based. Pretty easy stuff honestly.
I hadn’t thought of your concept. Thank you. I’ll go research it now
I block a handful of countries I just have no business interacting with. In and out. Doesn’t cause any problems. But you know Microsoft and Amazon aren’t checking ID before letting anyone put a server in one of their DCs? TikTok is all hosted on US servers but that doesn’t mean there isn’t a back door or a copy job sending the data off shore. So I go the extra distance to block a huge list of domestic and safe country international domains that I don’t want traffic going to or from.
Pretty sure you can block all the Chinese IPs and still disclose information to China. Discord for example is a massive business which China had heavily invested in. Part of their constitution is Chinese owned companies must disclose information.
go for it. we block everything except for US.
They will just use IP addresses from friendly countries by means of VPN.
I don't bother with blocking individual countries. Sure I could just block the whole 210.0.0.0/6 but with ipv6 it becomes untenable and not to mention that once a bad actor successfully attacks someone in your home country, then they can use that machine as a springboard to attack you - and how can you discern the difference anymore?
Just need to do the best I can to ensure people don't get in the usual ways...
All you'll do is put a very small impediment in the path of the noobiest of script kiddies.
Absolutely anyone who is capable of working a web browser can easily use a VPN or compromised system to get around your IP address block.
I block the entire cn TLD (and the RU, PK, Top, biz, info, and IN TLDs) and haven't had any issues.
I also go a step further and block all IPs in those geolocations in my Router.
The inbound connections will revert to bots in your region.
Wouldn’t they just exploit VPN strategy to get around these possible blocks? I assume they also assume these things and establish workarounds.
Most just rent US servers these days.
I block all RU and CN ip addresses. No ill consequences.
Not much, I currently block all connections in/out of China and Russia. Most popular services have localized servers in your region.
It won't do much in the sense that most stuff will keep working but also in the sense that it won't protect you from hackers coming from those countries.
So yes, you can do it, but don't let that give you a false sense of security!
I use pfSense, which has GeoIP blocking. However, this is only going to be a threat if you have open ports; most if not all firewalls are default deny, so what I do is only allow North America and South America (family there).
I might suggest just looking at crowdsec.
Then you’d be left will only paper plates and plastic cups…
~~World~~ Wide Web - not so fast!
Is even blocking China going to work? If someone was nefarious and even halfway smart, wouldn't they go through a proxy in the US or somewhere else deemed safe?
I've done it with my Unifi Dream Machine. I haven't noticed any issues.
At the firewall level I do block outbound to suspect nations, and inbound from all foreign nations. No ill effects that I've noted, but I'm also pretty particular about not getting "smart" or "connected" devices with the weird name brands off Amazon.
If it's a folding picnic table, sure I'm good with FooJoy, but anything that connects to a computer or the network, I stick with reputable brands.
Pihole only does domain blocking. Let’s say spookydomain[.]cn resolves to 1.2.3.4. You could block spookydomain[.]cn through pihole but nothing would stop a computer from directly interacting via IP address or from the Chinese to buy spookydomain[.]org and evade the block. To do a true country block, you’d need to do it at the firewall and have up to date geoip data.
you don't do that already? i block the vast majority of the world by default on my udm pro se. It won't fix everything but it will at least thwart those looking for an easy hit.
I did that, with a few exceptions, and it still works fine.
I block most of the world from incoming connections.
Outbound is less restrictive.. But I still block a bunch of countries that are deemed high-risk.
China is def on both lists..
I have all countries blocked with allows before if it needs to get to my country based AWS/Azure routes.
Check out pfSense and pfBlockerNG. It's a geofence blocker to DENY all incoming requests from various IP subnets that you select on the public side. If you have any open ports (say for games or otherwise on your home network) this will really cut back on system load/login attempts. It can just drop the packets entirely, not even entertaining them.
You'd ideally want to use a VPN and not expose any other ports on the firewall. For example, never open an SSH port. If you do, use a keypair and make it a non-standard port. But having a VPN would prevent you from even needing to open SSH ports, as the VPN would essentially put you on the LAN. Most consumer routers will let you set up a VPN server for your LAN now.
But something like hosting a webserver at home, this (geoblocking) can really help with. In addition to using Cloudflare as your domain registrar for DDoS protection.
Here's a video on it:
https://www.youtube.com/watch?v=oNo77CMoxUM
If you have a consumer firewall you may or may not have access to doing this. (Geoblocking)
With pihole you could create lists of domains (say from certain countries) that you do not want to resolve for name resolution. But it would not stop those countries from attempting to access open ports on your network. I.e. ingress vs egress
By default your home firewall/router, if it is a consumer model, should not have any ports open.
Hope this helps!
I block almost all Eastern Europe, Russia, the stans, almost all of Africa, Indonesia, China, North Korea and more. No problem. Unifi router allows users to just block by clicking the map.
Note that GeoIP is unreliable so you may accidentally block some IPs that aren't Chinese. Even whois is not 100% reliable given how often IPv4 addresses are traded these days.
If some Chinese-made technology really phones home, it's more likely that they'd communicate with a US-based server that would then communicate to servers in China behind-the-scenes.
We block all traffic that isn't from NA and Europe in our company (for our hosted applications). We don't have users outside that so have no reason to accept connections.
It's just part of our general security strategy
You can do it easily, it's common practice. It's also pretty ineffective. You ever notice how VPNs advertise you can access content outside of your geo location? Surprise, China can do that too!
You could also go the extra step, and only have local automations in the home :) home assistant + choosing products well enables total local smarthome stuff. Although I don't have a robot vacuum.
All my services are self hosted too. Obviously there are limitations: I don't have fancy voice assistants like Alexa or the like. But on the flip side I don't have spies in the house (well, there are... the Android phones, and the Windows and Mac computers...)
I've had china geo-blocked for about 6 months now. No issues so far.
It doesn't matter a whole lot; either they are using some cloud computing platform that is US-based, or a VPN to bypass your restrictions.
Someone will always be scanning your network, looking for targets. Don't be surprised.
I have denied all then only white listed US, US outlying areas, and Canada. I don’t do business outside those. This is at the firewall/IP level. Blocking outgoing DNS would probably only affect maybe Alibaba. TikTok for instance runs domestic servers so you have to explicitly block Bytedance.
The number of random attacks per day from China, Russia, and Singapore is hundreds. That’s what firewalls are for.
This is only going to do so much. If a connection is truly malicious, it'll probably route through a domestic or EU IP (Azure, DigitalOcean, Linode, AWS, Hetzner, etc.)
That said, it would be interesting to monitor and see who all your devices are talking to.
It's a sophistry to geoblock China on security grounds and recommend and upvote that advice, but then recommend Chinese hardware like TP Link Omada as the bedrock hardware for your home network. Yet I see TP Link Deco and Omada recommended on here every day, and upvoted into positive numbers too.
How could you possibly trust that geoblocking on Chinese hardware even works on their hardware? They get firmware updates from servers hosted in the USA, which in turn get firmware images from China. Obviously TP Link servers in the U.S. don't block China. So how effective is geoblocking if you went ahead and bought your hardware from a Chinese controlled company to save $100?
Same goes for Chinese security cameras. Everyone talks about using VLANs to isolate them, so their being compromised will not "spread" to the rest of your network. But if a compromised Chinese camera has the ability to crack the "root" account on Linux, Android, and iOS, and the "Administrator" account on Windows if left on the same VLAN, then why would it have any difficulty at all cracking the "admin" account on your router, rendering VLAN separation useless? What makes the router OS so much more resistant to takeover from that compromised IoT device versus other OSes?
It's the logic gymnastics that "security experts" on here must do to justify geoblocking China, but then recommending (or upvoting) TP Link Deco and Omada to save $100, that's hard to take seriously. Are they a threat or not? If so, how can you allow the recommendation of China-owned company hardware to users with a straight face? Where is the precaution now?
What about smartphones? Smartphones all have GPS tracking, a camera, a microphone, and an Internet connection that's pretty much always on. They are the ultimate spying device that everyone carries voluntarily, even after experiencing events like talking about a certain product on the phone to your mother, and getting ads for that exact product as embedded ads hours later.
We might trust Alphabet and Apple not to sell our information to China and Russia directly, as they actually want to comply with Western laws. But isn't it also logical to believe that Alphabet and Apple sell personalized ad information to "reputable" buyers, who in turn sell it to a company that is a degree less reputable, who in turn sells it to another company that's two degrees less reputable, and so on, until it gets to a seller that doesn't discriminate against any buyers, or is a front for the Chinese and Russian government itself?
They might not even need to buy this information through layers of middle men. TikTok has over 100 Million users in the US, mostly as an App on smartphones. TikTok is a Chinese owned company, and are very much a target for a complete banning by the U.S. government, but not quite there yet for everyone else (maybe due to foreign lobbying efforts?). Even with all these warning signs, 100 Million US users do not care or take it seriously, and film you and your family on their App behind your geoblocking firewall.
What about hostile governments using services that are completely legal in the U.S. directly? The same intelligence agencies that recommend you geoblock Chinese inbound and outbound traffic have also warned that China and Russia use platforms like Facebook, X / Twitter, Instagram, and even Reddit as giant propaganda and misinformation machines to influence politics and thinking in the West. Even now, these foreign influences still propagate unchecked, with only token "moderation" attempts to combat it (and how do we know we can trust these moderators?). The EU is currently threatening to de-platform X because of lax moderation efforts, right now, in real time.
So go ahead and geoblock China and the rest of the evil countries if it makes you feel better. But it's as effective as trying to keep your kid from looking at porn by blocking his MAC Address on your home network. There are so many other ways for access that you do not control that your single act of defiance is essentially meaningless in the bigger picture. Your personal information has already been packaged and sold to every available buyer, because we were all asleep at the wheel at the dawn of Social Media and smartphones, and did not control that information at all. Anyone and Everyone with an App or cookies were tracking and packaging you. Only recently have smartphone OSes begun to lock down your personal information, but it's far too little a decade too late.
The toothpaste is out of the tube.
Did you analyze your traffic first? If you did, you probably wouldn't be asking this question.
Why not track how many network calls to and from IP addresses you can geolocate to China you actually see before doing anything? Geolocation using IP is far from perfect.
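Several comments in this thread come down to the same mechanic: the pihole-vs-firewall point (a true country block matches the remote IP against GeoIP prefix data, per direction, independent of DNS), the warning that GeoIP data is unreliable or stale, and the suggestion just above to count the China-geolocated flows you actually see before blocking anything. The following Python script is an added example that is not code from the thread or from any product mentioned in it (Opnsense, pfSense, pfBlockerNG, UniFi, Pi-hole). The prefix table, the log layout and every address in it are constructed sample data drawn from documentation ranges, and the blocked-country sets are assumptions for illustration; a real deployment would load a current GeoIP feed and its own firewall logs.

```python
import ipaddress
from collections import Counter

# Constructed GeoIP-style prefix table (sample data using documentation ranges,
# not real allocation records). A real deployment loads a current feed; the
# thread's warning about stale GeoIP data applies to whatever you load here.
GEOIP_PREFIXES = [
    ("203.0.113.0/24", "CN"),
    ("198.51.100.0/24", "RU"),
    ("192.0.2.0/24", "US"),
    ("2001:db8:1::/48", "CN"),
    ("2001:db8:2::/48", "US"),
]

# Address space that never needs a country lookup (RFC 1918 / ULA / link-local).
# Checked explicitly rather than via ipaddress.is_private, because Python also
# classifies the documentation ranges used above as "private".
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

# Assumed policy for illustration: drop inbound from these countries, drop
# outbound to these countries. Everything else is allowed.
BLOCKED_INBOUND = {"CN", "RU"}
BLOCKED_OUTBOUND = {"CN"}

# Constructed firewall log lines in a made-up "direction src dst dport" layout.
SAMPLE_LOG = """\
in 203.0.113.7 192.0.2.10 22
in 203.0.113.9 192.0.2.10 443
in 198.51.100.20 192.0.2.10 3389
in 192.0.2.77 192.0.2.10 22
in 10.0.0.5 192.0.2.10 80
in 233.252.0.7 192.0.2.10 22
in 2001:db8:1::9 2001:db8:2::1 22
out 192.0.2.10 203.0.113.40 123
out 192.0.2.10 2001:db8:1::5 443
out 192.0.2.10 2001:db8:2::5 443
"""


def build_table(entries):
    """Parse (cidr, country) pairs and order them longest-prefix-first so the
    first hit in lookup_country is the most specific one."""
    table = [(ipaddress.ip_network(cidr), cc) for cidr, cc in entries]
    table.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return table


def lookup_country(ip_str, table):
    """Map an address to a country code, 'LOCAL' for internal space, or
    'UNKNOWN' when no prefix matches (the GeoIP gap a policy must decide on)."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip.version == net.version and ip in net for net in LOCAL_NETS):
        return "LOCAL"
    for net, cc in table:
        if ip.version == net.version and ip in net:
            return cc
    return "UNKNOWN"


def decision(direction, country, block_unknown_inbound=False):
    """Apply the assumed geo policy to one flow. UNKNOWN is allowed inbound
    unless the caller opts into treating unmapped space as hostile."""
    if country == "LOCAL":
        return "allow"
    if direction == "in":
        if country in BLOCKED_INBOUND:
            return "drop"
        if country == "UNKNOWN" and block_unknown_inbound:
            return "drop"
        return "allow"
    return "drop" if country in BLOCKED_OUTBOUND else "allow"


def summarize(log_text, table, block_unknown_inbound=False):
    """Count flows per (direction, country) and how many flows each direction
    would drop under the policy: the 'measure before you block' step."""
    hits, drops = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        direction, src, dst, _dport = line.split()
        remote = src if direction == "in" else dst   # the non-local side of the flow
        cc = lookup_country(remote, table)
        hits[(direction, cc)] += 1
        if decision(direction, cc, block_unknown_inbound) == "drop":
            drops[direction] += 1
    return hits, drops


if __name__ == "__main__":
    geo = build_table(GEOIP_PREFIXES)
    hits, drops = summarize(SAMPLE_LOG, geo)
    for (direction, cc), n in sorted(hits.items()):
        print(f"{direction:3} {cc:8} {n}")
    print("would drop:", dict(drops))
```

Run against your own firewall export (after adapting the `line.split()` layout to its format), the per-country counts are the traffic analysis the last two comments ask for, and the `UNKNOWN` bucket shows how much of your traffic the GeoIP data cannot place at all; whether that bucket is allowed or dropped is a policy choice the script makes explicit rather than silently defaulting.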