How to configure MaxMind GeoIP to block countries in OPNsense. Including troubleshooting steps for what to do if OPNsense GeoIP blocking is not working.
GeoIP setup is in the OPNsense docs (link below) but sometimes it's useful to see a step by step guide with an example showing all the settings.
MaxMind GeoIP's Setup
https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html
If you're looking for an example of whitelisting in OPNsense, take a look at this guide
Whitelist countries in OPNsense using MaxMind GeoIP and firewall aliases
https://techlabs.blog/categories/opnsense/whitelist-countries-in-opnsense-using-maxmind-geoip-and-firewall-aliases
Sign up for a free MaxMind account
MaxMind
https://www.maxmind.com
Sign up for GeoLite2
https://dev.maxmind.com/geoip/geoip2/geolite2
Generate a license key
Account - Manage License Keys
Generate new license key
Give the new license key a description that identifies what it's being used for e.g. OPNsense
Will this key be used for GeoIP update - No
Copy the license key and save it in your password manager
You won't be able to show the key again after it has been created
Get the URL for GeoIP database updates
GeoIP2 / GeoLite2 - Download Files
GeoLite2 Country: CSV Format - Get Permalinks
Copy the database URL
# Database URL
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
Configure OPNsense to use GeoIP
Firewall - Aliases - GeoIP Settings
Enter Database URL
You'll need to replace YOUR_LICENSE_KEY
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
The GeoIP country list has updated successfully
Create firewall alias for blocked countries
Firewall - Aliases - Add
Name blocked_countries
Type GeoIP
Expand the list of countries for the region e.g. Asia
Select the countries you want to block e.g. China
e.g. China and Russia Blocked
Apply the changes
Create firewall rule to block countries
Firewall - Rules - WAN - Add
Action Block
Interface WAN
Direction In
TCP/IP Version IPv4
Protocol Any
Source blocked_countries
Give the rule a description
Leave the other settings as the defaults
Move the new firewall rule to the top of the list
Tick the rule you want to move, then click "Move selected rules before this rule"
Apply changes
OPNsense has now been configured to use GeoIP and the MaxMind country database will update every week.
Troubleshooting GeoIP not working in OPNsense
MaxMind GeoIP database has not updated
Notice that the last updated date hasn't changed. This means that the GeoIP update is not working and the country database hasn't been downloaded.
If GeoIP is not working, you should check the following:
1. When generating the MaxMind key, did you select this option
"Will this key be used for GeoIP update - No"
2. Check the download URL is correct by pasting it into a web browser - does the file download OK?
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
3. Check that you have the correct update URL. OPNsense needs the .zip download not the .tar.gz
Wrong download URL .tar.gz
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=tar.gz
Right download URL .zip
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
Error - In order to use GeoIP, you need to configure a source in the GeoIP settings tab
This error is most likely caused by having the wrong database URL.
The correct download URL is below. You will need to replace YOUR_LICENSE_KEY.
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
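The URL mistakes covered in the troubleshooting steps above (an edition other than Country, the .tar.gz suffix, an unreplaced license key placeholder) can be checked offline before the URL is pasted into OPNsense. This is an added example, not part of the original guide or of OPNsense; the function names `check_geoip_url` and `redact_key` and the sample key are made up for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Endpoint taken from the database URL shown in the guide.
HOST, PATH = "download.maxmind.com", "/app/geoip_download"

def check_geoip_url(url):
    """Return a list of problems with a MaxMind database URL ([] means OK)."""
    parts = urlsplit(url.strip())
    query = {k: v[0] for k, v in
             parse_qs(parts.query, keep_blank_values=True).items()}
    problems = []
    if (parts.scheme, parts.hostname, parts.path) != ("https", HOST, PATH):
        problems.append("endpoint: not the MaxMind download URL from the guide")
    edition = query.get("edition_id", "")
    if not edition.endswith("-Country-CSV"):
        # e.g. GeoLite2-ASN-CSV copied from the wrong permalink row
        problems.append(f"edition_id: {edition!r} is not a Country CSV edition")
    suffix = query.get("suffix", "")
    if suffix != "zip":
        problems.append(f"suffix: {suffix!r} given, OPNsense needs zip")
    if query.get("license_key", "") in ("", "YOUR_LICENSE_KEY"):
        problems.append("license_key: empty or still the placeholder")
    return problems

def redact_key(url):
    """Return the URL with the license key masked, for sharing in a support post."""
    parts = urlsplit(url.strip())
    query = parse_qs(parts.query, keep_blank_values=True)
    if "license_key" in query:
        query["license_key"] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))

if __name__ == "__main__":
    base = "https://download.maxmind.com/app/geoip_download"
    key = "EXAMPLEKEY123"  # constructed sample value, not a real key
    samples = [
        f"{base}?edition_id=GeoLite2-Country-CSV&license_key={key}&suffix=zip",
        f"{base}?edition_id=GeoLite2-ASN-CSV&license_key={key}&suffix=zip",
        f"{base}?edition_id=GeoLite2-Country-CSV&license_key={key}&suffix=tar.gz",
        f"{base}?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip",
    ]
    for url in samples:
        print(redact_key(url), "->", check_geoip_url(url) or "OK")
```

The check accepts both the GeoLite2-Country-CSV and GeoIP2-Country-CSV editions, and `redact_key` gives a copy of the URL that can be shared when asking for help without exposing the license key.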
Comments (10)
Guest - Joerg on Saturday, 05 March 2022 00:00
Hi - this is a really great cookbook and I was so happy to discover it. I did everything, generated the license file at maxmind, followed EXACTLY your screenshots but when I have entered the database url with my generated license at the GeoIP Tab in the URL Field it doesn't work. No Error Message - nothing. The last updated field remains empty and no message as you claimed "The GeoIP country list has updated successfully".
When I enter this URL, which I have entered in the URL Field in my Chrome Browser the files are downloaded completely correctly to the download folder. [link removed]
(I did not show my license key here ... )
I am using the brand new version of opnsense Version 22.1.2_1. Do you have any clue why this doesn't work? could it be the new version?
Thank You - Screenshots here [link removed]
TechLabs on Saturday, 05 March 2022 20:39
Hi Joerg, when you generated the license key, did you select the option "Will this key be used for GeoIP update - No"?
I have Maxmind GeoIP blocking working on OPNsense version 22.1.2_1, so I don't think that's the issue.
Also, the download URL you are using has ASN instead of Country.
Can you please try going through the steps for "Generate a license key" and "Get the URL for GeoIP database updates" again?
I hope that helps. Good luck!
Guest - Joerg on Sunday, 06 March 2022 13:13
Thanks mate for the quick reply, I really appreciate that.
Your hint regarding using ASN instead of Country in the URL did make things clearer. It is working now :-)
There is a little mistake in your cookbook - when you take a look at the page where you come to the point "Get the URL for GeoIP database update" - one can see on your screenshot that you recommend using "GeoLite2 ASN: CSV Format" instead of "GeoLite2 Country: CSV Format".
In the further course your URL is correct, but I was misled by the screenshot.
Thanks for your help and maybe you consider to change that screenshot in your cookbook.
Stay safe !!
TechLabs on Tuesday, 08 March 2022 19:37
Hi again, thank you for the feedback! I have updated the screenshots in the guide. Glad you were able to get it working
Guest - Kim on Thursday, 14 April 2022 20:35
Hi,
I've been using this method since late feb. 2022 - works wonders.
Do you know if it *just works* if I opt for the full GeoIP2-Country (ie. not the Lite-version)?
(ie. do I just need to update the download URL?)
TechLabs on Tuesday, 19 April 2022 20:15
Hi Kim, I haven't tried this with MaxMind GeoIP2 paid products, but I think you are correct. You will just need to update the database URL. Please reply back and let me know if it works? Thanks
Guest - Kim on Tuesday, 19 April 2022 20:36
Works fine with the 'regular' GeoIP2-Country db
https://download.maxmind.com/app/geoip_download?edition_id=GeoIP2-Country-CSV&license_key=&suffix=zip
Guest - Andre on Saturday, 01 October 2022 07:35
Hi, thanks for this post. I did everything as described and for testing, I enabled all countries for the block list, even the country where I live. But I'm still able to access the webserver I published over nginx... does this not work when nginx is used? I guess it should because the fw block rule is before the rules which allow nginx access....
Guest - Doc on Saturday, 15 October 2022 15:16
How would you just choose the country you want to allow, but block everything else?
The tip from the website is what I am trying to do.
Geo ip lists can be rather large, especially when using IPv6. When creating rules, always try to minimize the number of addresses needed in your selection. A selection of all countries in the world not being the Netherlands can usually be rewritten as only addresses from the Netherlands for example.
TechLabs on Monday, 06 February 2023 20:39
Hi, finally found time to finish writing this guide on Whitelisting in OPNsense. Hope you find it useful!
Whitelist countries in OPNsense using MaxMind GeoIP and firewall aliases
https://techlabs.blog/categories/opnsense/whitelist-countries-in-opnsense-using-maxmind-geoip-and-firewall-aliases