Set up MaxMind GeoIP Blocking in OPNsense
How to configure MaxMind GeoIP to block countries in OPNsense, including troubleshooting steps for what to do if OPNsense GeoIP blocking is not working.
GeoIP setup is covered in the OPNsense docs (link below), but sometimes it's useful to see a step-by-step guide with an example showing all the settings.
MaxMind GeoIP's Setup
https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html
Whitelist countries in OPNsense using MaxMind GeoIP and firewall aliases
https://techlabs.blog/categories/opnsense/whitelist-countries-in-opnsense-using-maxmind-geoip-and-firewall-aliases
Sign up for a free MaxMind account
MaxMind
https://www.maxmind.com
Signup for GeoLite2
https://dev.maxmind.com/geoip/geoip2/geolite2
Generate a license key
Account - Manage License Keys
Generate new license key
Give the new license key a description that identifies what it's being used for, e.g. OPNsense
Will this key be used for GeoIP update - No
Copy the license key and save it in your password manager
Get the URL for GeoIP database updates
GeoIP2 / GeoLite2 - Download Files
GeoLite2 Country: CSV Format - Get Permalinks
Copy the database URL
# Database URL
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
Configure OPNsense to use GeoIP
Firewall - Aliases - GeoIP Settings
Enter Database URL
You'll need to replace YOUR_LICENSE_KEY
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
Create firewall alias for blocked countries
Firewall - Aliases - Add
Name blocked_countries
Type GeoIP
Expand the list of countries for the region, e.g. Asia
Select the countries you want to block, e.g. China
e.g. China and Russia Blocked
Apply the changes
Create firewall rule to block countries
Firewall - Rules - WAN - Add
Action Block
Interface WAN
Direction In
TCP/IP Version IPv4
Protocol Any
Source blocked_countries
Give the rule a description
Leave the other settings as the defaults
Move the new firewall rule to the top of the list
Tick the rule you want to move, then click "Move selected rules before this rule"
Apply changes
Troubleshooting GeoIP not working in OPNsense
MaxMind GeoIP database has not updated
If the "last updated" date hasn't changed, the GeoIP update is not working and the country database hasn't been downloaded.
If GeoIP is not working, you should check the following:
1. When generating the MaxMind key, did you select the option "Will this key be used for GeoIP update - No"?
2. Check the download URL is correct by pasting it into a web browser - does the file download OK?
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
3. Check that you have the correct update URL. OPNsense needs the .zip download, not the .tar.gz.
Wrong download URL (.tar.gz):
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=tar.gz
Right download URL (.zip):
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
Error - In order to use GeoIP, you need to configure a source in the GeoIP settings tab
This error is most likely caused by having the wrong database URL.
The correct download URL is below; you will need to replace YOUR_LICENSE_KEY with your own key.
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
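The three URL mistakes covered above (placeholder license key, ASN edition instead of Country, suffix=tar.gz instead of suffix=zip) can be checked before the URL ever goes into the GeoIP settings tab. The script below is an added example, not code from the original guide, from OPNsense or from MaxMind. check_geoip_url validates the URL shape offline; fetch_and_inspect, when run by hand with a real key, downloads the archive and confirms it is a zip containing the Country blocks CSV. The function names, the sample key value and the use of curl and unzip are my own choices; the expected CSV file name inside the archive is the one MaxMind's Country CSV download normally carries.

```shell
#!/bin/sh
# Added example (not part of the original guide): sanity-check a MaxMind
# GeoIP download URL before pasting it into Firewall - Aliases - GeoIP Settings.
# Runs on any host with sh; fetch_and_inspect additionally needs curl and unzip.

# Returns 0 if the URL has the shape OPNsense expects, 1 otherwise (reason on stderr).
check_geoip_url() {
    url=$1
    case "$url" in
        'https://download.maxmind.com/app/geoip_download?'*) ;;
        *) echo "FAIL: not a download.maxmind.com geoip_download URL" >&2; return 1 ;;
    esac
    # Country edition, not ASN (the mistake reported in the comments).
    case "$url" in
        *edition_id=GeoLite2-Country-CSV*|*edition_id=GeoIP2-Country-CSV*) ;;
        *edition_id=*ASN*) echo "FAIL: edition_id is an ASN edition; use GeoLite2-Country-CSV" >&2; return 1 ;;
        *) echo "FAIL: edition_id is not a Country CSV edition" >&2; return 1 ;;
    esac
    # A real key, not the YOUR_LICENSE_KEY placeholder and not empty.
    case "$url" in
        *license_key=YOUR_LICENSE_KEY*|*'license_key=&'*|*license_key=)
            echo "FAIL: license_key is the placeholder or empty" >&2; return 1 ;;
        *license_key=*) ;;
        *) echo "FAIL: no license_key parameter" >&2; return 1 ;;
    esac
    # OPNsense wants the .zip download, not the .tar.gz.
    case "$url" in
        *suffix=zip|*'suffix=zip&'*) ;;
        *suffix=tar.gz*) echo "FAIL: OPNsense needs suffix=zip, not suffix=tar.gz" >&2; return 1 ;;
        *) echo "FAIL: suffix=zip is missing" >&2; return 1 ;;
    esac
    echo "OK: URL looks right for the OPNsense GeoIP settings"
    return 0
}

# Downloads the database (needs network access and a real key) and checks
# that the file really is a zip containing the Country blocks CSV.
# Call it by hand: fetch_and_inspect "<database URL>"
fetch_and_inspect() {
    url=$1
    check_geoip_url "$url" || return 1
    tmp=$(mktemp) || return 1
    code=$(curl -sS -L -o "$tmp" -w '%{http_code}' "$url") || { rm -f "$tmp"; return 1; }
    if [ "$code" != "200" ]; then
        echo "FAIL: HTTP $code from MaxMind (check the license key and edition)" >&2
        rm -f "$tmp"; return 1
    fi
    # A zip archive starts with the bytes "PK"; a gzip'd tar starts with 0x1f 0x8b.
    magic=$(od -An -c -N 2 "$tmp" | tr -d ' \n')
    if [ "$magic" != "PK" ]; then
        echo "FAIL: downloaded file is not a zip (magic: $magic)" >&2
        rm -f "$tmp"; return 1
    fi
    # The Country CSV archive carries GeoLite2-Country-Blocks-IPv4.csv
    # (GeoIP2-Country-Blocks-IPv4.csv for the paid edition).
    if unzip -l "$tmp" | grep -q 'Country-Blocks-IPv4.csv'; then
        echo "OK: $(wc -c < "$tmp") bytes, Country blocks CSV present"
    else
        echo "FAIL: archive does not contain a Country-Blocks-IPv4.csv" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
}

# Usage: sh geoip_url_check.sh "<database URL>"   (offline check only)
if [ "$#" -eq 1 ]; then
    check_geoip_url "$1"
fi
```

If check_geoip_url passes but the "last updated" date in OPNsense still does not change, fetch_and_inspect separates a bad key (non-200 response) from a wrong archive type (the magic bytes test), which is the same distinction troubleshooting steps 2 and 3 make by hand.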
Comments
Hi - this is a really great cookbook and I was so happy to discover it. I did everything, generated the license file at maxmind, followed EXACTLY your screenshots but when I have entered the database url with my generated license at the GeoIP Tab in the URL Field it doesn't work. No Error Message - nothing. The last updated field remains empty and no message as you claimed "The GeoIP country list has updated successfully".
When I enter this URL, which I have entered in the URL Field in my Chrome Browser, the files are downloaded completely correctly to the download folder. [link removed]
(I did not show my license key here ... )
I am using the brand new version of OPNsense, version 22.1.2_1. Do you have any clue why this doesn't work? Could it be the new version?
Thank You - Screenshots here [link removed]
Hi Joerg, when you generated the license key, did you select the option "Will this key be used for GeoIP update - No"?
I have MaxMind GeoIP blocking working on OPNsense version 22.1.2_1, so I don't think that's the issue.
Also, the download URL you are using has ASN instead of Country.
Can you please try going through the steps for "Generate a license key" and "Get the URL for GeoIP database updates" again?
I hope that helps. Good luck!
Thanks mate for the quick reply, I really appreciate that.
Your hint regarding using ASN instead of Country in the URL did make things clearer. It is working now :-)
There is a little mistake in your cookbook - when you take a look at the page where you come to the point "Get the URL for GeoIP database update" - one can see on your screenshot that you recommend using "GeoLite2 ASN: CSV Format" instead of "GeoLite2 Country: CSV Format".
In the further course your URL is correct, but I was misled by the screenshot.
Thanks for your help, and maybe you could consider changing that screenshot in your cookbook.
Stay safe !!
Hi again, thank you for the feedback! I have updated the screenshots in the guide. Glad you were able to get it working
Hi,
I've been using this method since late Feb. 2022 - works wonders.
Do you know if it *just works* if I opt for the full GeoIP2-Country (ie. not the Lite-version)?
(ie. do I just need to update the download URL?)
Hi Kim, I haven't tried this with MaxMind GeoIP2 paid products, but I think you are correct. You will just need to update the database URL. Please reply back and let me know if it works. Thanks
Works fine with the 'regular' GeoIP2-Country db
https://download.maxmind.com/app/geoip_download?edition_id=GeoIP2-Country-CSV&license_key=&suffix=zip
Hi, thanks for this post. I did everything as described and, for testing, I enabled all countries for the block list, even the country where I live. But I'm still able to access the webserver I published over nginx... does this not work when nginx is used? I guess it should, because the fw block rule is before the rules which allow nginx access....
How would you just choose the country you want to allow, but block everything else?
The tip from the website is what I am trying to do.
Geo ip lists can be rather large, especially when using IPv6. When creating rules, always try to minimize the number of addresses needed in your selection. A selection of all countries in the world not being the Netherlands can usually be rewritten as only addresses from the Netherlands for example.
Hi, finally found time to finish writing this guide on Whitelisting in OPNsense. Hope you find it useful!
Whitelist countries in OPNsense using MaxMind GeoIP and firewall aliases
https://techlabs.blog/categories/opnsense/whitelist-countries-in-opnsense-using-maxmind-geoip-and-firewall-aliases