Well, I've been battling an inbound country blocking exception for days and I just found this topic.
Synology support from Thailand needed to access my NAS over SSH, and HTTPS over port 5001. So, I built a DNAT with an auto FW rule to handle the SSH, and let my existing HTTPS/5001 web publishing rule handle the rest. I also built a country block exception for Taiwan from Synology's support IP addresses on destination ports 22 and 5001.
I can connect just fine from a US address, which is allowed by country blocking along with Canada - in other words, these countries are switched "off." All other countries are set to block traffic "from" them, including Taiwan.
But unfortunately, Synology support can't connect and the FW log stubbornly shows GEOIP blocks for the inbound traffic on both ports.
Upon reinspection, the DNAT and auto FW rule looked to be correctly constructed, and the country block exception, also.
I ran the source IPs through the MaxMind database and confirmed they were in the excepted country.
I've now disabled Country Blocking and I'm waiting for Synology support to try again. It occurs to me that I could also switch Taiwan to "off" in Country Blocking, and achieve the same result.
/sigh ....sure would like this to work as designed.
Edited to add: In fact, Synology was able to access my appliance five times overnight, after I disabled Country Blocking altogether. I've since re-enabled Country Blocking, but switched Taiwan to "off," and I'm waiting to see a connection attempt.
Timothy, please have a ticket submitted to Sophos Support. They won't fix it unless we complain when it doesn't work!
Cheers - Bob