
OPNsense GeoIP Blocking: Filter Access by Country

Not all traffic reaching your network is created equal. If your business operates exclusively in the DACH region, there is little reason for SSH connections from Southeast Asia or SMTP traffic from South America to reach your OPNsense firewall. GeoIP blocking lets you filter network traffic based on the country of origin — a simple yet effective measure for reducing your attack surface.

Why GeoIP Filtering Makes Sense

The majority of automated attacks — brute-force attempts, credential stuffing, exploit scans — originate from a relatively small number of countries. That does not mean all traffic from those regions is malicious. But it does mean that a large portion of unwanted traffic can be eliminated by geographic filters before it ever reaches your services.

For SMBs, three key benefits stand out:

  • Reduced attack surface — Fewer source IPs mean fewer potential attack vectors. Services that only need to be accessible to customers in specific countries benefit enormously from country-level restrictions.
  • Compliance requirements — Certain industries mandate that access to sensitive data be geographically restricted. GeoIP blocking is one building block for meeting such requirements.
  • Less log noise — When the bulk of unwanted traffic is dropped at the firewall, logs become more manageable and real threats are easier to spot.

How GeoIP Databases Work

GeoIP blocking relies on databases that map IP address ranges to geographic locations. The two most common providers are MaxMind (GeoLite2) and DB-IP. Both maintain regularly updated datasets that assign IP blocks to countries.

Accuracy at the country level exceeds 99 percent. At the city or region level, reliability drops significantly, but for firewall-level GeoIP blocking, country-level mapping is entirely sufficient.

OPNsense supports GeoIP databases natively. Under Firewall > Aliases, you can specify a URL to a GeoIP database that OPNsense downloads regularly and uses as the basis for firewall rules.

Setting Up GeoIP Aliases in OPNsense

The setup involves two steps: first configure the GeoIP data source, then create aliases for the desired countries.

1. Configure the GeoIP Data Source

Under Firewall > Aliases > GeoIP Settings, enter the URL of your GeoIP database. For MaxMind GeoLite2, you need a free account and a license key. DB-IP offers a freely available lite version without registration.

2. Create Country Aliases

Under Firewall > Aliases, create a new alias of type GeoIP. Here you can select individual countries or entire regions:

Name:       GeoIP_DACH
Type:       GeoIP
Countries:  Germany, Austria, Switzerland

For a blacklist approach, create an alias with the countries you want to block instead:

Name:       GeoIP_Blocked
Type:       GeoIP
Countries:  [list of countries to block]

Firewall Rules with GeoIP Aliases

Once the aliases are in place, you can reference them in firewall rules — just like any other alias. The key question is: whitelist or blacklist?

Whitelist approach (recommended): Allow traffic only from specific countries and block everything else. This is more restrictive but significantly more secure. A typical rule on the WAN interface:

Action:      Pass
Interface:   WAN
Source:      GeoIP_DACH
Destination: This Firewall
Dest. Port:  443 (HTTPS)

This is followed by a block rule for all other sources on the same port. Because OPNsense evaluates rules top to bottom and the first match wins, the pass rule must sit above the block rule.

Blacklist approach: Block traffic from known high-risk countries and allow the rest. Easier to implement but less thorough — new threat sources are only caught once added to the blacklist.

For most SMBs, the whitelist approach is the better choice — especially for services that only need to be accessible to a known audience.
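To make the whitelist-versus-blacklist distinction concrete, here is an added simulation (example code, not from the page or from OPNsense) of first-match rule evaluation over the two aliases described above. The GeoIP table built from RFC 5737 documentation prefixes, the placeholder country code XX and the rule tuples are constructed assumptions; the example also shows what happens to an address the database does not know and what a misordered rule pair does.

```python
import ipaddress
from collections import namedtuple

# Constructed stand-in for the GeoIP database OPNsense resolves an alias against:
# RFC 5737 documentation prefixes mapped to ISO country codes (XX = a non-DACH country).
GEOIP_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "AT",
    ipaddress.ip_network("203.0.113.0/24"): "XX",
}
# The two aliases from the page, resolved to their country sets.
ALIASES = {"GeoIP_DACH": {"DE", "AT", "CH"}, "GeoIP_Blocked": {"XX"}}

Rule = namedtuple("Rule", "action src_alias dst_port")

def country_of(ip):
    """Return the country code for ip, or None when the database has no entry."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEOIP_TABLE.items() if addr in net), None)

def evaluate(rules, src_ip, dst_port):
    """First-match evaluation: 'quick' rules (the GUI default) stop at the first hit."""
    cc = country_of(src_ip)
    for rule in rules:
        src_ok = rule.src_alias == "any" or cc in ALIASES[rule.src_alias]
        port_ok = rule.dst_port in ("any", dst_port)
        if src_ok and port_ok:
            return rule.action
    return "block"  # nothing matched: WAN default deny

# Whitelist: pass DACH to 443, then block every other source on 443.
WHITELIST = [Rule("pass", "GeoIP_DACH", 443), Rule("block", "any", 443)]
# Blacklist: block the listed countries, then pass everything else on 443.
BLACKLIST = [Rule("block", "GeoIP_Blocked", 443), Rule("pass", "any", 443)]
# Same whitelist with the rules swapped: the catch-all block now shadows the pass rule.
MISORDERED = list(reversed(WHITELIST))
```

An address absent from the database passes under the blacklist but is blocked under the whitelist, which is exactly the "new threat sources are only caught once added" difference the text describes.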

Combining GeoIP with Other Rules

GeoIP blocking reaches its full potential when combined with additional security measures:

  • IDS/IPS (Suricata) — GeoIP reduces the volume of traffic that Suricata needs to analyze. This saves resources and lowers the false-positive rate.
  • Blocklists — In addition to GeoIP, IP-based blocklists (Spamhaus, Abuse.ch) can block known attacker IPs regardless of location.
  • Rate limiting — For countries that are allowed, additional rate limiting can curb excessive access from individual IPs.
  • Port-specific rules — GeoIP can be applied granularly per service. For example, you might allow HTTPS globally but restrict SSH to the DACH region only.

Automatic Database Updates

IP assignments change constantly. New blocks are allocated, existing ones reassigned. An outdated GeoIP database leads to misclassifications — either legitimate access gets blocked or unwanted traffic slips through.

OPNsense updates GeoIP databases automatically via the configured alias update mechanism. Verify that updates complete by checking the alias update log regularly. A typical interval is once per week.

Limitations and Bypass Methods

GeoIP blocking is not a silver bullet. There are well-known scenarios in which the filtering fails or is bypassed:

  • VPNs and proxies — An attacker in a blocked country can route traffic through a VPN server in an allowed country. Commercial VPN services make this trivial.
  • CDNs and cloud providers — Services like Cloudflare or AWS distribute traffic across global nodes. An IP assigned to one country may serve traffic from another.
  • Tor exit nodes — Tor traffic appears with the exit node’s IP, not the actual user’s. Exit nodes are frequently in allowed countries.
  • IP misclassifications — Edge cases exist where IPs are assigned to the wrong country, especially with recently reassigned address blocks.

GeoIP blocking is therefore always an additional layer of defense, never the only one.

Logging and Monitoring with DATAZONE Control

Enable logging on your GeoIP rules to see what traffic is actually being blocked. The OPNsense firewall logs show source IP, destination port, and timestamp for every blocked connection. By analyzing these logs, patterns emerge: which countries generate the most blocked traffic? Which ports are targeted most frequently?
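An added example (not code from the page or from DATAZONE Control) that answers the two questions above over constructed filterlog lines: it counts blocked connections per source country and per destination port. The CSV field layout it assumes is spelled out in the comment, and the prefix-to-country map with the placeholder codes XX and YY stands in for the real GeoIP database.

```python
import re
from collections import Counter

# Constructed OPNsense filterlog lines (IPv4/TCP). Assumed field layout after "filterlog[pid]: ":
# rule,subrule,anchor,rid,iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,flags,
# protoid,protoname,length,src,dst,srcport,dstport,...  (remaining fields are ignored)
SAMPLE_LOG = """\
2024-05-01T10:00:01 fw filterlog[1234]: 70,,,1000000101,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.7,192.0.2.1,51234,22,0,S,123:123,,1460,,
2024-05-01T10:00:02 fw filterlog[1234]: 70,,,1000000101,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.9,192.0.2.1,51235,443,0,S,124:124,,1460,,
2024-05-01T10:00:03 fw filterlog[1234]: 70,,,1000000101,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,198.51.100.4,192.0.2.1,51236,22,0,S,125:125,,1460,,
2024-05-01T10:00:04 fw filterlog[1234]: 71,,,1000000102,igb0,match,pass,in,4,0x0,,52,0,0,DF,6,tcp,60,100.64.7.7,192.0.2.1,51237,443,0,S,126:126,,1460,,
"""
# Constructed stand-in for the GeoIP database (placeholder country codes).
PREFIX_TO_COUNTRY = {"203.0.113.": "XX", "198.51.100.": "YY"}

LINE_RE = re.compile(r"filterlog\[\d+\]: (.*)$")

def country_of(ip):
    return next((cc for p, cc in PREFIX_TO_COUNTRY.items() if ip.startswith(p)), "unknown")

def parse_blocked(log_text):
    """Yield (src_ip, dst_port, rule_number) for blocked IPv4 TCP/UDP entries only."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        f = m.group(1).split(",")
        if f[6] != "block" or f[8] != "4" or f[16] not in ("tcp", "udp"):
            continue
        yield f[18], int(f[21]), f[0]

def summarize(log_text):
    """Blocked-connection counts per source country and per destination port."""
    by_country, by_port = Counter(), Counter()
    for src, port, _rule in parse_blocked(log_text):
        by_country[country_of(src)] += 1
        by_port[port] += 1
    return by_country, by_port
```

Entries the GeoIP database does not cover land in the "unknown" bucket, which is worth watching as a sign of a stale alias update.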

With DATAZONE Control, GeoIP blocking can be monitored systematically. Key metrics include:

  • Alias update status — Are the GeoIP databases being updated regularly?
  • Blocked connections per country — Which regions generate the most rejected traffic?
  • False positives — Are customers or partners reporting being blocked incorrectly?
  • Rule utilization — How much traffic is being processed by GeoIP rules overall?

Dashboards with these metrics give the IT team a quick overview and enable data-driven adjustments to country lists.

Real-World Use Cases

DACH-only for admin portals: A company restricts access to internal web portals and VPN gateways to Germany, Austria, and Switzerland. This reduces brute-force attempts on the VPN gateway by over 90 percent.

Block top-attack countries: An e-commerce company that must be reachable worldwide blocks the ten countries with the highest share of automated attacks against its infrastructure, based on its own firewall log analysis over several months.

Conclusion

GeoIP blocking in OPNsense is a pragmatic measure that delivers a noticeable security improvement with minimal effort. It replaces neither intrusion detection nor patch management nor proper authentication — but it significantly reduces the attack surface and log noise. Combined with other measures, it creates a layered defense that effectively filters out automated attacks.


Looking to set up GeoIP blocking on your OPNsense firewall or optimize your existing firewall configuration? We can help with planning and implementation — learn more about our OPNsense services or contact us directly.
