SDF and HK downloads failed or disabled with Unifi Network Region Blocking

scorp508
Posts: 32
Joined: Sat Feb 04, 2023 8:50 pm

Post by scorp508 »

Just an FYI for any "future me" that needs to fix this. As of right now this is Unifi Network 9.5.21 with the upgraded zone based advanced firewall, so it may change in the future if Ubiquiti changes anything.

If you enable Region Blocking under the CyberSecure tab of Unifi Network and select Russian Federation as a region to block, then MakeMKV will be unable to perform its SDF/HK downloads.

The bottom of the CyberSecure page has a "Detection Exclusions" setting, and you'd think you can put your internal client IP into that setting to bypass the region blocking. You'd be wrong. :) Unifi confirmed for me the exclusion setting is only for the IDS/IPS features and does not bypass the region blocking feature.

I went this route to fix it.
  1. Do a network capture and identify the IP MakeMKV is attempting to contact for downloads. For Windows I use Microsoft Network Monitor as it easily shows what process initiated the network traffic. It still works on Windows 11.
  2. Create a firewall rule in the Internal -> External zone, allowing the internal client IP to use IPv4 TCP:443 to contact the external host IP.
  3. Create a firewall rule in the Internal -> External zone for region blocking and enable the same regions you have in CyberSecure settings.
  4. Confirm the Internal -> External region blocking rule is in the processing order after the client allow rule created before. Reorder the rule if needed. If you don't do this, then the block rule is applied before ever getting to the allow rule.
  5. Create a firewall rule in the External -> Internal zone for region blocking and enable the same regions you have in CyberSecure settings.
  6. Confirm the External -> Internal region blocking rule is in the processing order after the default "Allow Return Traffic" rule. Reorder the rule if needed. If you don't do this, then your client can send outbound, but the return traffic will fail, and you'll see the client sending retries.
  7. Completely disable region blocking under the CyberSecure tab to allow the FW rules to take over this task.
With the above in place, I still have the blocking I want for my network, but one client has a pinhole to do the downloads as needed. Any traffic from the region is still blocked unless it is part of a TCP conversation initiated by the internal client. You can leave the allow rule disabled if you'd like, and only enable it when you see MakeMKV needs to do a download.
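Added example (not from the original post or from Ubiquiti): a minimal first-match model of the two zone policies described in steps 2 to 6, with return-traffic tracking, to show why the rule order matters. The client and server IPs, the geo lookup and the rule names are constructed sample values.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional
# Constructed geo lookup: TEST-NET prefixes stand in for a blocked and an unblocked region.
GEO = {"203.0.113.": "RU", "198.51.100.": "US"}

def region_of(ip: str) -> str:
    return next((r for prefix, r in GEO.items() if ip.startswith(prefix)), "OTHER")

@dataclass
class Rule:
    name: str
    action: str                            # "allow" or "block"
    src: Optional[str] = None              # exact IP, None = any
    dst: Optional[str] = None
    dport: Optional[int] = None
    regions: FrozenSet[str] = frozenset()  # matches when either endpoint is in one of these regions
    return_traffic: bool = False           # matches only replies to a flow an allow rule recorded

    def matches(self, pkt: dict, flows: set) -> bool:
        if self.return_traffic:
            return (pkt["dst"], pkt["src"], pkt["sport"]) in flows
        return ((self.src is None or pkt["src"] == self.src)
                and (self.dst is None or pkt["dst"] == self.dst)
                and (self.dport is None or pkt["dport"] == self.dport)
                and (not self.regions or bool({region_of(pkt["src"]), region_of(pkt["dst"])} & self.regions)))

def evaluate(policy: list, pkt: dict, flows: set) -> str:
    """First matching rule wins, as in an ordered zone policy; with no match the packet is blocked."""
    for rule in policy:
        if rule.matches(pkt, flows):
            if rule.action == "allow" and not rule.return_traffic:
                flows.add((pkt["src"], pkt["dst"], pkt["dport"]))  # record the flow so replies can match
            return rule.action
    return "block"

CLIENT, SERVER = "192.168.1.50", "203.0.113.10"  # constructed: LAN client, download host in the blocked region
pinhole = Rule("makemkv-pinhole", "allow", src=CLIENT, dst=SERVER, dport=443)
block_ru_out = Rule("region-block-out", "block", regions=frozenset({"RU"}))
allow_return = Rule("allow-return-traffic", "allow", return_traffic=True)
block_ru_in = Rule("region-block-in", "block", regions=frozenset({"RU"}))

def simulate(internal_to_external: list, external_to_internal: list) -> dict:
    """Verdicts for the client's outbound TCP/443, the server's reply, and an unsolicited inbound packet."""
    flows: set = set()
    outbound = {"src": CLIENT, "dst": SERVER, "sport": 51000, "dport": 443}
    reply = {"src": SERVER, "dst": CLIENT, "sport": 443, "dport": 51000}
    unsolicited = {"src": SERVER, "dst": CLIENT, "sport": 40000, "dport": 22}
    return {"outbound": evaluate(internal_to_external, outbound, flows),
            "reply": evaluate(external_to_internal, reply, flows),
            "unsolicited": evaluate(external_to_internal, unsolicited, flows)}
```

Calling `simulate([pinhole, block_ru_out], [allow_return, block_ru_in])` gives the working setup; swapping either pair reproduces the failure modes from steps 4 and 6 (outbound blocked, or outbound allowed but the reply blocked), while the unsolicited inbound packet stays blocked in every ordering.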