OPNsense Integration — ipinsights.io

Overview

OPNsense supports remote URL Table (IPs) aliases natively — no plugins required. The firewall will fetch the list on a configurable refresh interval and present every entry as a pf table that can be used in any rule. The ipinsights.io blocklist is published as a plain-text, one-IP-per-line file ready for this format.

Prerequisites

OPNsense 23.x or 24.x with admin access to the WebGUI
Outbound HTTPS access from the firewall to https://ipinsights.io
A working DNS resolver on the firewall

Step 1 — Create the Alias

Navigate to Firewall → Aliases and click + Add. Set:

Enabled                 ✓
Name                    ipinsights_block
Type                    URL Table (IPs)
Refresh Frequency       1 day  / 4 hours    (any value ≤ 4 hours is wasted — feed regenerates every 4h)
Content                 https://ipinsights.io/downloads/blocklist.txt
Statistics              ✓                    (optional — adds counters)
Description             IP Insights — global threat intelligence blocklist

Click Save, then Apply.

Step 2 — Add the Block Rules

Under Firewall → Rules → Floating, create two rules near the top of the ruleset:

Rule 1 — block inbound
  Action         Block
  Quick          ✓
  Interface      WAN
  Direction      in
  TCP/IP Version IPv4
  Protocol       any
  Source         ipinsights_block
  Destination    any
  Description    IP Insights — inbound block

Rule 2 — block outbound
  Action         Block
  Quick          ✓
  Interface      WAN
  Direction      out
  TCP/IP Version IPv4
  Protocol       any
  Source         any
  Destination    ipinsights_block
  Description    IP Insights — outbound block

Apply the changes. The outbound rule is highly recommended — it catches infected internal hosts beaconing to command-and-control IPs.

Step 3 — Verify

From a root shell on the firewall (System → Diagnostics → Command):

pfctl -t ipinsights_block -T show | wc -l
pfctl -ss | grep ipinsights_block
tail -f /var/log/filter.log | grep ipinsights

You should see thousands of entries in the table and, within a few minutes on a public-facing WAN, matching entries appearing in the filter log.

Troubleshooting

Table empty after save — open the alias, click Apply again, then run configctl filter refresh_aliases from the diagnostics shell.
Updates failing — check /var/log/aliases.log. Most commonly the firewall cannot resolve ipinsights.io; verify System → Settings → General → DNS Servers.
False positive — create a permit-first alias for trusted partners and place a pass rule for it above the deny rule, then report the FP via support.

API Key: The public blocklist is unauthenticated. An API key (from your profile page) is only needed for live per-IP lookups.

Request Higher API Limit

Running a high-volume OPNsense deployment? If the default rate limit isn't enough for your environment, submit a request below and we'll review it.

Your Name *

Email Address *

Company / Organisation

Current Limit *

Requested Limit *

Use Case * Maximum 5,000 characters.