Geoblock via Alias Not Working

[Psychic49]

As a test, I created an alias for Canada (also did the MaxMind setup beforehand) and created a WAN rule as seen below: WAN out, any source, destination Canada alias, IPv4+IPv6, Any protocol, Reject.

However, nothing is getting blocked. I've ran a few simple tests such as going to google.ca, but so far no results.

https://i.imgur.com/QTNeOOS.png

[mimugmail]

If you want to block connections to canada, add a rule in lan and source lan net, destination canada in direction IN.
Really, there are no real use cases for direction OUT

[Psychic49]

Can you please elaborate on this? I thought by default, incoming connections were blocked unless explicitly permitted. Therefore, wouldn't it make sense to instead block outbound traffic?

Also, creating an outbound block rule in the LAN vs the WAN, I don't understand how they are necessarily different. If I create an outbound block rule for 8.8.8.8 on the LAN, traffic will still have to pass through the WAN if they wanted to try to reach 8.8.8.8, so why wouldn't a simple WAN outbound block to 8.8.8.8 suffice?

I don't understand your proposed rule. If the source is LAN net and the destination is Canada, how can the direction ever be "IN"?

I apologize for my lack of understanding, this is my first deep-dive into firewalls.

[mimugmail]

You always create a rules close to the source direction inbound. Just Like the default accept rules on LAN. When you already accept there, too late to block outbound on WAN

[Psychic49]

But if you deny on the WAN, it shouldn't matter that it is accepted on the LAN because it won't make it out of the WAN.

I have noticed that the default LAN accept rules are inbound, and that is what I am trying to understand. Why are they "inbound"? Wouldn't you instead want to allow any OUTBOUND traffic, and keep the implicit deny for inbound traffic?

Unless "in" means "out" and "out" means "in", this doesn't make sense to me.

Please chime in if you think you can help my understanding.

[mimugmail]

You always create a rules close to the source direction inbound. Just Like the default accept rules on LAN. When you already accept there, too late to block outbound on WAN

This still stands ..

[Psychic49]

I banged my head on the wall for awhile, but I finally figured it out. IN and OUT do not mean what I thought they meant. Everything is relative to the firewall, NOT the interface.

Therefore, the correct rule to geo block canada...the reason the direction is "IN" is because the traffic is coming INTO the router from the LAN, it's not going out of the router to the LAN.

^^for anyone else who was struggling with IN vs OUT