How to Use Geo Blocking Rules with Port Forwarding on OPNsense
Guide on how to configure GeoIP-based firewall rules alongside NAT port forwarding in OPNsense 25.7.
1. Introduction
When you expose any internal service (SSH, web app, remote desktop, or even a game server) through port forwarding, you inherently open a door into your network. One way to minimize risk is by restricting access based on geographic regions — for instance, allowing connections only from your home country or a set of trusted regions.
This post shows how to combine GeoIP filtering and port forwarding in OPNsense 25.7.6, using the built-in firewall aliases and the MaxMind GeoLite2 database.
2. Prerequisites
Before setting up Geo blocking, ensure:
- OPNsense is updated to the latest patch:
  System → Firmware → Updates → Check for updates
- You have a MaxMind account (required to access the GeoLite2 database).
- Port forwarding (NAT) is already configured for the target service (e.g., port 22 → internal server 192.168.10.10).
3. Setting Up MaxMind GeoIP
3.1 Why a MaxMind Account Is Required
Due to MaxMind’s recent data protection policy changes, anyone using their GeoLite2 database must have a personal account. By creating this account, you accept their data usage terms and gain access to the GeoLite2 downloads that OPNsense uses for GeoIP lookups.
It’s simple to set up — here’s how.
3.2 Create a MaxMind Account
- Visit www.maxmind.com.
- Create a free account using a valid email address. MaxMind will send a verification link to this address — make sure it’s accessible.
3.3 Generate a License Key
- After logging in, click on My License Key.
- Click Generate New Key.
- When prompted whether you use geoipupdate, select No.
- Save the generated License Key ID somewhere safe — you’ll need it for OPNsense.
You do not need to download any configuration files from MaxMind.
3.4 Construct the Download URL
Next, create the GeoLite2 download link that OPNsense will use.
Replace AccountID and LicenseKey in the example below with your actual details:
https://AccountID:LicenseKey@download.maxmind.com/geoip/databases/GeoLite2-Country-CSV/download?suffix=zip
You can test the link by pasting it into your browser — it should download a .zip file containing the GeoLite2 country data.
3.5 Configure GeoIP in OPNsense
- In OPNsense, go to Firewall → Aliases → GeoIP settings.
- Check Enable GeoIP.
- In the URL field, paste the custom link you created.
- Click Apply.
Once applied, OPNsense will download the database and store it locally. If this is your first time setting it up, continue by creating a GeoIP alias as described in the next section.
4. Creating a GeoIP Alias for Allowed Countries
Let’s say you only want SSH access from the United States and Canada.
- Go to Firewall → Aliases → Add.
- Configure as follows:
| Field | Value |
|---|---|
| Name | ALLOW_SSH_COUNTRIES |
| Type | GeoIP |
| Countries | United States, Canada |
| Description | Permitted countries for SSH access |
- Save and apply.
This alias dynamically includes all IP ranges associated with the selected countries.
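To see what such an alias actually resolves to, here is an added Python example (not part of the original post or of OPNsense) that reads the two CSV files shipped in the GeoLite2-Country zip from section 3.4, collapses the networks for the chosen countries the way the alias does, and checks whether a given client address would match; this doubles as an offline check before the VPN test in section 6. The CSV rows below are constructed from RFC 5737 documentation ranges with placeholder geoname_id values, not real MaxMind data.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the column layout of GeoLite2-Country-Locations-en.csv
# and GeoLite2-Country-Blocks-IPv4.csv. Networks are documentation ranges and the
# geoname_id values are placeholders, not real MaxMind data.
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
1001,en,NA,North America,US,United States,0
1002,en,NA,North America,CA,Canada,0
1003,en,EU,Europe,DE,Germany,1
"""
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
192.0.2.0/24,1001,1001,,0,0
198.51.100.0/25,1002,1002,,0,0
198.51.100.128/25,,1001,,0,0
203.0.113.0/24,1003,1003,,0,0
"""

def load_country_networks(locations_csv, blocks_csv):
    """Map ISO country code -> list of ip_network objects, as the GeoIP alias does."""
    iso_by_geoname = {
        row["geoname_id"]: row["country_iso_code"]
        for row in csv.DictReader(io.StringIO(locations_csv))
    }
    networks = {}
    for row in csv.DictReader(io.StringIO(blocks_csv)):
        # Fall back to registered_country when the block carries no location geoname_id.
        gid = row["geoname_id"] or row["registered_country_geoname_id"]
        iso = iso_by_geoname.get(gid)
        if iso:
            networks.setdefault(iso, []).append(ipaddress.ip_network(row["network"]))
    return networks

def alias_networks(networks, allowed):
    """Collapse the CIDRs of the selected countries into the alias contents."""
    selected = [n for iso in allowed for n in networks.get(iso, [])]
    return sorted(ipaddress.collapse_addresses(selected))

def would_match(alias, ip):
    """True if a client address falls inside the alias, i.e. the rule would pass it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias)

if __name__ == "__main__":
    nets = load_country_networks(LOCATIONS_CSV, BLOCKS_CSV)
    alias = alias_networks(nets, ["US", "CA"])
    print([str(n) for n in alias])
    print(would_match(alias, "198.51.100.200"), would_match(alias, "203.0.113.5"))
```

Point the two constants at the real CSV files from the downloaded zip to compute the alias for your own country selection.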
5. Creating the Port Forwarding Rule with Geo Blocking
Assume you have an internal SSH server on 192.168.10.10, port 22, and you want to forward WAN port 2222 to it while restricting access to specific countries using your GeoIP alias.
- Go to Firewall → NAT → Port Forward.
- Click Add to create a new rule.
- Configure as follows:
| Setting | Value |
|---|---|
| Interface | WAN |
| Protocol | TCP |
| Source | ALLOW_SSH_COUNTRIES (your GeoIP alias) |
| Destination Port Range | 2222 |
| Redirect Target IP | 192.168.10.10 |
| Redirect Target Port | 22 |
| Description | SSH Port Forward (GeoIP Restricted) |
- Check Add associated filter rule and click Save → Apply changes.
This method embeds the GeoIP alias directly in the NAT rule’s Source field. When OPNsense generates the matching WAN firewall rule, it automatically includes your geographic restriction.
This ensures only clients from the specified countries can reach the forwarded port while blocking all other regions at the firewall level.
6. Verifying Geo Blocking Operation (Optional)
To test the configuration:
- Try connecting from an allowed region (e.g., a VPN endpoint in the US). The connection should succeed.
- Try connecting from a blocked region (e.g., via a European VPN server). The connection should time out.
You can also verify live firewall activity under:
Firewall → Log Files → Live View
Filter by Destination port = 2222 to see allowed and denied attempts.
7. Best Practices and Considerations
- Don’t rely solely on Geo blocking. Combine it with key-based authentication and fail2ban for stronger security.
- Consider multiple aliases. For different services (e.g., web vs. SSH), create distinct GeoIP aliases such as ALLOW_WEB_COUNTRIES and ALLOW_VPN_COUNTRIES.
- Enable logging. Turn on “Log packets that are handled by this rule” to monitor traffic patterns and adjust rules as needed.
8. Final Thoughts
Geo blocking isn’t foolproof, but it adds a valuable layer of protection for services you must expose to the internet.
If you’re building out a broader segmentation or VPN access model, check out my related posts: