Whitelist countries in OPNsense using MaxMind GeoIP and firewall aliases
How to set up whitelisting in OPNsense to allow a country list using MaxMind's free GeoIP database and firewall aliases
1. Get a MaxMind GeoIP license key
Sign up for a free MaxMind account
https://www.maxmind.com
Sign up for free GeoLite2 databases
https://www.maxmind.com/en/geolite2/signup
Generate a license key
Manage License Keys - Generate new license key
License key description: OPNsense
Will this key be used for GeoIP update: No
In this example, we are using the CSV GeoIP database, which cannot be updated with the GeoIP Update tool, so answer No here.
Copy the license key and save it in your password manager
Click Continue
2. Get URL for GeoIP database updates
GeoIP2 / GeoLite2 - Download Files
GeoLite2 Country: CSV Format - Get Permalinks
Copy the database URL
Database URL: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
3. Configure OPNsense firewall to use GeoIP
Firewall - Aliases - GeoIP Settings
URL: enter the MaxMind database URL:
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
You'll need to replace YOUR_LICENSE_KEY with the license key generated in step 1
Click Apply
4. Create firewall alias for whitelisted countries
Firewall - Aliases - Add
Name: whitelist_countries
Type: GeoIP
Click on the drop-down list of countries for a region, e.g. Europe
Select the countries you want to add to the whitelist
Save and Apply the changes
5. Create firewall alias for a specific country
Next, we will create a whitelist alias that allows only the UK
Firewall - Aliases - Add
Name: allow_uk
Type: GeoIP
Region: select UK
Save and Apply the changes
6. Example: Allow one specific country
In this example, we will edit the firewall NAT rules to only allow one country to access specific network ports used by our phone system. No client devices outside of the UK should be connecting to the phone system using these ports.
We will edit the firewall NAT rules for the phone system ports and set the source to the allow_uk alias we created in the previous step.
Firewall - NAT - Port forward
Edit the firewall rule: 3cx-server HTTPS
Source - Advanced: set Source to the allow_uk alias
Save and Apply changes
Repeat the steps to add the source whitelist to the other phone system firewall NAT rules
7. Example: Allow all whitelisted countries
In this example, we will apply the whitelist_countries firewall alias to the firewall NAT rules to restrict access to the web server.
Firewall - NAT - Port forward
Edit the web server firewall rules
Source: whitelist_countries
Repeat the steps for both the HTTP and HTTPS NAT rules
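To make the alias mechanism concrete, here is an added Python example (not OPNsense's or MaxMind's code) that does in code what steps 4 to 7 describe in the GUI: it joins the GeoLite2 Country Blocks CSV (network to geoname_id) with the Locations CSV (geoname_id to ISO country code), collects the networks for the chosen countries into an alias, and then evaluates a port-forward rule whose Source is that alias against a few source addresses. The CSV rows, prefixes and port numbers are constructed samples in the real column layout; the fallback to registered_country_geoname_id when geoname_id is empty, and the pass/block model of the rule, are this example's own choices.

```python
"""Build a GeoIP country whitelist alias from GeoLite2 Country CSV data and test source IPs.

Added example, not OPNsense's or MaxMind's code. The sample rows below are constructed
and use documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), not real
MaxMind data; only the column headers follow the GeoLite2 CSV layout.
"""
import csv
import io
import ipaddress

# Constructed sample of GeoLite2-Country-Locations-en.csv (real header layout, made-up rows).
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
2635167,en,EU,Europe,GB,United Kingdom,0
2921044,en,EU,Europe,DE,Germany,1
6252001,en,NA,North America,US,United States,0
"""

# Constructed sample of GeoLite2-Country-Blocks-IPv4.csv. The last row has an empty
# geoname_id and only a registered country, which does occur in the real data.
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
192.0.2.0/25,2635167,2635167,,0,0
192.0.2.128/25,2921044,2921044,,0,0
198.51.100.0/24,6252001,6252001,,0,0
203.0.113.0/24,,2635167,,0,0
"""


def load_country_codes(locations_csv: str) -> dict:
    """Map geoname_id -> ISO 3166 country code from the Locations CSV."""
    codes = {}
    for row in csv.DictReader(io.StringIO(locations_csv)):
        if row["country_iso_code"]:
            codes[row["geoname_id"]] = row["country_iso_code"]
    return codes


def build_alias(blocks_csv: str, codes: dict, countries) -> list:
    """Collect the networks belonging to the wanted countries, like a GeoIP alias table.

    Falls back to registered_country_geoname_id when geoname_id is empty (this example's
    choice, so that such blocks are not silently dropped from the whitelist).
    """
    wanted = {c.upper() for c in countries}
    nets = []
    for row in csv.DictReader(io.StringIO(blocks_csv)):
        geoname = row["geoname_id"] or row["registered_country_geoname_id"]
        if codes.get(geoname) in wanted:
            nets.append(ipaddress.ip_network(row["network"], strict=False))
    # Sort by address family first so IPv4 and IPv6 networks never get compared directly.
    return sorted(nets, key=lambda n: (n.version, n))


def is_allowed(src_ip: str, alias: list) -> bool:
    """True when the source address falls inside any network of the alias."""
    ip = ipaddress.ip_address(src_ip)
    # 'ip in net' is False when the address families differ, so an IPv6 client
    # never matches an IPv4-only alias.
    return any(ip in net for net in alias)


def nat_rule_decision(src_ip: str, dst_port: int, rule_ports, alias: list) -> str:
    """Model a port-forward rule whose Source is the GeoIP alias.

    Returns "pass" for a whitelisted source on a forwarded port, "block" for a source
    outside the alias on that port, and "no match" when the rule does not apply.
    """
    if dst_port not in rule_ports:
        return "no match"
    return "pass" if is_allowed(src_ip, alias) else "block"


if __name__ == "__main__":
    codes = load_country_codes(LOCATIONS_CSV)
    allow_uk = build_alias(BLOCKS_CSV, codes, ["GB"])
    whitelist_countries = build_alias(BLOCKS_CSV, codes, ["GB", "DE"])
    phone_ports = {5001, 5090}  # constructed sample ports for the phone system rule
    for src in ("192.0.2.10", "192.0.2.200", "198.51.100.1", "203.0.113.7", "2001:db8::1"):
        print(src, nat_rule_decision(src, 5001, phone_ports, allow_uk),
              nat_rule_decision(src, 443, {80, 443}, whitelist_countries))
```

The two aliases mirror allow_uk and whitelist_countries from steps 4 and 5; the last loop mirrors steps 6 and 7, where the phone-system rule only passes UK sources and the web-server rule passes any whitelisted country. A real alias table is far larger, but the matching logic is the same: a source address either falls inside one of the country's networks or the rule does not pass it.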