Nuface Blog
OPNsense GeoIP Setup and Application Guide

Posted on 2025-11-10 (updated 2025-11-11) by Rico

🧠 1. What Is GeoIP?

In enterprise network security, it’s common to require:

“Block traffic from certain countries, or allow VPN access only from specific regions.”

The GeoIP feature in OPNsense makes this possible.
It uses IP geolocation data to create dynamic IP lists for each country or region,
allowing you to apply firewall rules based on geographic location.


⚙️ 2. How GeoIP Works

  • The firewall alias feature uses the MaxMind GeoLite2 Country database. (Zenarmor is a separate plugin that ships its own geolocation data for its own policies; it is not what the aliases described here consume.)
  • OPNsense downloads the GeoLite2-Country CSV archive from MaxMind (the zip contains the IPv4 and IPv6 block files plus a locations file that maps geoname IDs to country codes) and refreshes it on a schedule.
  • When you create a GeoIP alias, OPNsense expands the selected countries into a pf table holding all of their networks, and rebuilds that table after each database update.

💡 In simple terms:

Create a GeoIP alias like BLOCK_CN_RU,
and OPNsense will automatically pull all IP ranges for China and Russia —
then you can reference it directly in firewall rules.
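To make that expansion concrete, here is an added Python example (not OPNsense's own code) that reads two constructed fragments in the GeoLite2-Country CSV layout, expands a country selection into the network list a GeoIP alias would load into pf, and looks addresses up against it. The networks are RFC 5737/3849 documentation ranges, the geoname IDs are illustrative, and crediting a row with a blank geoname_id to its registered_country_geoname_id is an assumption of the example, not documented OPNsense behaviour.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed fragments in the GeoLite2-Country CSV layout (same column
# names as MaxMind's Locations-en and Blocks-IPv4/IPv6 files).  Networks are
# RFC 5737 / RFC 3849 documentation ranges, not real geolocation data.
LOCATIONS_CSV = """\
geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
1814991,en,AS,Asia,CN,China,0
2017370,en,EU,Europe,RU,Russia,0
1668284,en,AS,Asia,TW,Taiwan,0
1733045,en,AS,Asia,MY,Malaysia,0
"""

BLOCKS_CSV = """\
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
192.0.2.0/25,1814991,1814991,,0,0
192.0.2.128/26,1814991,1814991,,0,0
198.51.100.0/24,2017370,2017370,,0,0
198.51.100.192/26,,2017370,,1,0
203.0.113.0/25,1668284,1668284,,0,0
203.0.113.128/25,1733045,1733045,,0,0
2001:db8:1::/48,1668284,1668284,,0,0
"""


def load_locations(text):
    """Map geoname_id -> ISO country code, e.g. '1814991' -> 'CN'.

    Continent-only rows in the real file have an empty country_iso_code
    and are skipped.
    """
    return {row["geoname_id"]: row["country_iso_code"]
            for row in csv.DictReader(io.StringIO(text))
            if row["country_iso_code"]}


def alias_networks(blocks_text, locations, countries, families=(4, 6)):
    """Expand a GeoIP alias selection into the networks its pf table holds.

    countries: ISO codes ticked in the alias, e.g. {"CN", "RU"}.
    families:  address families to keep, mirroring the alias Proto setting.
    Rows with a blank geoname_id (anonymous-proxy / satellite ranges) are
    credited to registered_country_geoname_id here; that fallback is an
    assumption of this example, not documented OPNsense behaviour.
    """
    wanted = set(countries)
    nets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(blocks_text)):
        geoname = row["geoname_id"] or row["registered_country_geoname_id"]
        country = locations.get(geoname)
        if country not in wanted:
            continue
        net = ipaddress.ip_network(row["network"], strict=False)
        if net.version in families:
            nets[country].append(net)
    return dict(nets)


def country_of(ip, tables):
    """Longest-prefix match of one address against the expanded tables.

    Returns the ISO code, or None when no selected country covers ip, which
    is exactly the traffic a block rule built on the alias lets through.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for country, nets in tables.items():
        for net in nets:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (country, net)
    return best[0] if best else None


if __name__ == "__main__":
    locations = load_locations(LOCATIONS_CSV)
    block_cn_ru = alias_networks(BLOCKS_CSV, locations, {"CN", "RU"})
    for country, nets in sorted(block_cn_ru.items()):
        print(country, [str(n) for n in nets])
    for ip in ("192.0.2.130", "198.51.100.200", "203.0.113.5", "2001:db8:1::1"):
        print(ip, "->", country_of(ip, block_cn_ru))
```

To run it against a real extract, replace the two strings with the contents of GeoLite2-Country-Locations-en.csv and the two Blocks files. The per-country count is what you would expect to see from `pfctl -t ALIASNAME -T show | wc -l` on the firewall console once the alias has loaded; a large gap between the two usually means the table entry limit was hit or the alias was built for one address family only.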


🧩 3. Setup Steps

Step 1️⃣: Get Your MaxMind License Key

  1. Register a free account on MaxMind's website and note your Account ID.
  2. Generate a GeoLite2 License Key. MaxMind shows the key only once, so copy it immediately; both the Account ID and the key go into the download URL in the next step.

Step 2️⃣: Enable GeoIP in OPNsense

  1. Navigate to Firewall → Aliases → GeoIP settings
  2. Enter the download URL, substituting your own Account ID and License Key for the placeholders (the key is a credential: it is stored in the OPNsense configuration and will be present in configuration backups):
     https://AccountID:LicenseKey@download.maxmind.com/geoip/databases/GeoLite2-Country-CSV/download?suffix=zip
  3. Click Apply. OPNsense downloads and unpacks the database; the same tab then shows the download status (timestamp and address counts), so confirm those are populated before creating aliases.

Step 3️⃣: Create GeoIP Aliases

  1. Go to Firewall → Aliases → Add
  2. Choose type: GeoIP
  3. Set Proto to IPv4, IPv6, or both. A block alias built for IPv4 only leaves the same country's IPv6 ranges unfiltered on a dual-stack WAN.
  4. Select the countries you want to include (e.g., CN, RU, TW)
  5. Save and Apply. OPNsense builds the pf table from the current database and rebuilds it after every update.

🔒 4. Practical Use Cases

Example 1: Block Specific Countries

Alias Name: BLOCK_CN_RU
Type: GeoIP
Countries: China, Russia

Rule (on the WAN interface, direction in, placed above any pass rules for exposed services):

Action: Block
Source: BLOCK_CN_RU
Destination: any

→ Drops inbound traffic from those ranges before any pass rule can admit it. Order matters: OPNsense rules are first-match, so a block rule that sits below "pass any to port 443" never fires for port 443. On WAN the default policy is already deny, so this rule only changes behaviour for ports you have opened. Enable logging on the rule if you want the hits visible in Firewall → Log Files → Live View.


Example 2: Allow VPN Access by Country

Alias Name: VPN_ALLOWED
Countries: Taiwan, Malaysia, Thailand

Rule (WAN, direction in):

Action: Pass
Protocol: UDP (or whatever the VPN listens on)
Source: VPN_ALLOWED
Destination: WAN address
Destination port: the VPN service port (OpenVPN defaults to 1194, WireGuard to 51820)

→ Only clients whose addresses geolocate to the selected countries reach the VPN; everyone else falls through to the default deny. Keep this as the only pass rule for that port, and expect that a roaming user on a foreign mobile network or behind a commercial VPN service is locked out until their address falls in an allowed range.
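Rule order decides whether the two examples above do what they say. The following added Python snippet (example code, not OPNsense's) simulates first-match evaluation over constructed alias contents and made-up rule lists: it shows the GeoIP block rule being shadowed when it sits below a broad pass rule, the VPN pass rule falling through to default deny for everyone else, and the whitelist form built from a single block rule with an inverted source. The alias networks are documentation ranges and the VPN port 1194 is assumed.

```python
import ipaddress

# Constructed alias contents standing in for expanded GeoIP pf tables.
# RFC 5737 / RFC 3849 documentation ranges, not MaxMind data.
ALIASES = {
    "BLOCK_CN_RU": ["192.0.2.0/25", "192.0.2.128/26", "198.51.100.0/24"],
    "VPN_ALLOWED": ["203.0.113.0/25", "203.0.113.128/25", "2001:db8:1::/48"],
}


def in_alias(ip, alias_name):
    """True if ip falls inside any network of the named alias (pf table)."""
    addr = ipaddress.ip_address(ip)
    for cidr in ALIASES[alias_name]:
        net = ipaddress.ip_network(cidr)
        if net.version == addr.version and addr in net:
            return True
    return False


def first_match(rules, src_ip, dport):
    """Evaluate one interface's rule list the way OPNsense does by default.

    Rules are "quick": scanning top to bottom, the first rule whose source
    and destination port both match decides the verdict and later rules are
    never consulted.  No match falls through to the implicit default deny.
    Each rule is a dict with: action, src (alias name, or None for any),
    invert (match addresses NOT in src), port (int, or None for any).
    """
    for rule in rules:
        if rule.get("port") is not None and rule["port"] != dport:
            continue
        src = rule.get("src")
        hit = True if src is None else in_alias(src_ip, src)
        if rule.get("invert"):
            hit = not hit
        if hit:
            return rule["action"]
    return "block"  # implicit default deny on WAN


# Example 1 done right: the GeoIP block sits above the service pass rule.
BLOCK_FIRST = [
    {"action": "block", "src": "BLOCK_CN_RU"},
    {"action": "pass", "src": None, "port": 443},
]
# Same two rules in the wrong order: the broad pass rule shadows the block.
PASS_FIRST = list(reversed(BLOCK_FIRST))

# Example 2: only the GeoIP alias may reach the VPN port (1194 assumed);
# every other source falls through to default deny.
VPN_RULES = [{"action": "pass", "src": "VPN_ALLOWED", "port": 1194}]

# Whitelist mode without a "block everyone else" alias: one block rule with
# the source inverted ("not in VPN_ALLOWED") placed above the pass rules.
WHITELIST_RULES = [
    {"action": "block", "src": "VPN_ALLOWED", "invert": True},
    {"action": "pass", "src": None, "port": 443},
]


def verdicts():
    """Scenario -> verdict for the constructed addresses.

    192.0.2.130 is inside BLOCK_CN_RU, 203.0.113.5 and 2001:db8:1::1 are
    inside VPN_ALLOWED, and 192.0.2.250 is in neither alias.
    """
    return {
        "block_first_cn": first_match(BLOCK_FIRST, "192.0.2.130", 443),
        "block_first_other": first_match(BLOCK_FIRST, "192.0.2.250", 443),
        "pass_first_cn": first_match(PASS_FIRST, "192.0.2.130", 443),
        "vpn_tw": first_match(VPN_RULES, "203.0.113.5", 1194),
        "vpn_other": first_match(VPN_RULES, "192.0.2.250", 1194),
        "whitelist_tw_https": first_match(WHITELIST_RULES, "2001:db8:1::1", 443),
        "whitelist_other_https": first_match(WHITELIST_RULES, "192.0.2.250", 443),
    }


if __name__ == "__main__":
    for scenario, verdict in verdicts().items():
        print(f"{scenario:24} {verdict}")
```

The `pass_first_cn` case is the one to remember: the block alias is correct, the firewall loaded it, and it still does nothing for port 443 because the pass rule above it matched first. On a real OPNsense box, floating rules run before interface rules, so the same shadowing can come from a floating pass rule you forgot about.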


Example 3: Traffic Analysis

Create multiple aliases:

  • ASIA_COUNTRIES
  • EUROPE_COUNTRIES

Reference each one in its own pass or block rule with logging enabled and a descriptive label; Firewall → Log Files → Live View can then be filtered by that label to see traffic per region. Reporting → Insight (NetFlow-based) shows traffic by address and interface, which you can correlate against the same alias lists, but it does not group by alias on its own.


⚡ 5. Best Practices & Notes

Item                        Recommendation
Update frequency            Leave the automatic GeoIP update enabled. MaxMind publishes GeoLite2 updates every few days, and a stale database silently misclassifies reassigned ranges.
Performance                 Every selected country adds thousands of pf table entries. If an alias fails to load, raise "Firewall Maximum Table Entries" (System → Settings → Firewall) and budget RAM for the larger tables; "pfctl -t ALIASNAME -T show | wc -l" on the console shows what actually loaded.
Use cases                   Inbound filtering on WAN, outbound egress control, VPN access rules, and NAT port-forward rules.
Policy design               For whitelist mode, build an alias containing only the allowed countries (e.g. ALLOW_TW) and use it as an inverted source ("not ALLOW_TW") in a block rule above the pass rules, rather than assembling an alias of every other country.
Combine with threat feeds   GeoIP is coarse. Pair it with URL Table (IPs) aliases fed from reputation lists to catch known-bad addresses inside allowed countries.
Limits                      Geolocation is a heuristic: VPN exits, proxies, cloud hosts and mis-registered ranges defeat it. Treat GeoIP as attack-surface reduction, never as authentication.

✅ 6. Conclusion

GeoIP gives OPNsense a simple, automatically maintained way to filter traffic by location.

It allows you to:

  • Control access by country or region
  • Reduce external attack surfaces
  • Improve VPN and server security
  • Automate updates without manual effort

