Hi,
We have a single Country Object setup for the United Kingdom, and a firewall rule Wan -> Lan Source UK, Pass, next a block everything else.
In the syslog we are seeing the obvious Blocks:
[FILTER][Block][WAN->LAN/RT/VPN, 286:40:44 ][@S:R=2:4, 79.124.62.110:40414->192.168.54.29:11868][TCP][HLen=20, TLen=44, Flag=S, Seq=873819315, Ack=0, Win=1024]
But also PASS:
[FILTER][Pass][WAN->LAN/RT/VPN, 286:40:35 ][@S:R=2:3, 52.114.88.57:443->192.168.54.46:53436][TCP][HLen=20, TLen=373, Flag=AP, Seq=405853158, Ack=2578146627, Win=64948]
52.114.88.57 - is the USA, so why is it being let through?
Is it the Draytek country lookup not working correctly (they don't seem to have a Geo Check IP anywhere), or something else?
Simon.

gtpc_ltd wrote: 52.114.88.57 - is the USA, so why is it being let through?

It seems to depend on who you ask...

https://dnslytics.com/ip/52.114.88.57 says it's UK

[FILTER][Pass][WAN->LAN/RT/VPN, 289:29:42 ][@S:R=2:3, 84.17.55.133:65082->192.168.54.29:5060][UDP][HLen=20, TLen=381]
Poland?

gtpc_ltd wrote:
[FILTER][Pass][WAN->LAN/RT/VPN, 289:29:42 ][@S:R=2:3, 84.17.55.133:65082->192.168.54.29:5060][UDP][HLen=20, TLen=381]
Poland?

No, what you are seeing is a UK CDN service that is hosting content from a Polish site.

ISP DataCamp Limited
Usage Type Data Center/Web Hosting/Transit
Hostname(s) unn-84-17-55-133.cdn77.com
Domain Name datacamp.co.uk
Country Poland
City Warsaw, Mazowieckie

https://www.abuseipdb.com/check/84.17.55.133