Mastering EdgeRouter Security: Why Command Line and GeoIP Blocking Are Game-Changers
- Tony Fortunato
- 2 days ago
Updated: 1 day ago
Using the Command Line Interface (CLI) on #Ubiquiti EdgeRouters opens the door to powerful, fine-tuned control that the graphical UI simply can't match. Whether you're configuring advanced routing rules, managing firewall policies, or scripting automated tasks, the CLI provides a deeper, more efficient means of managing your network infrastructure. It enables network administrators to execute changes quickly, troubleshoot with precision, and unlock features that may not be accessible via the GUI—making it an indispensable tool for professionals seeking robust and scalable setups.

One of the most impactful security features you can implement via the CLI is GeoIP blocking. By filtering traffic based on geographic origin, administrators can dramatically reduce attack surfaces, blocking high-risk countries from accessing sensitive services like SSH, VPN, or remote management. When combined with the CLI, setting up GeoIP filtering becomes a flexible and powerful defense mechanism, protecting your network from unwanted intrusion while giving you granular control over who can connect and from where. This level of security customization is vital in today’s threat landscape, especially for SMBs and IT professionals managing remote access points.
URLs
EdgeRouter - Add Debian Packages to EdgeOS
EdgeRouter - How to Create a WAN Firewall Rule
Firewalling by country on Edgerouter
Ubiquiti EdgeRouter GeoIP Blocking Setup - How To
Ubiquiti Edgerouter VPN Configuration
Here are all the commands that I used in the video:
terminal length 0
cat /var/log/charon.log | grep init
show version
configure
set system package repository stretch components 'main contrib non-free'
set system package repository stretch distribution stretch
set system package repository stretch url http://archive.debian.org/debian
commit ; save
sudo apt-get update
sudo apt-cache search dnsutils
sudo apt-get install dnsutils
Test that the utilities installed successfully with the following command:
sudo dig @8.8.8.8 google.com
sudo apt-get install wget
sudo apt-get install nano
set firewall group network-group countries_allowed description countries_allowed
To check from the CLI that your firewall group was created, type:
show firewall group
commit
save
exit
mkdir /config/zonefiles
cd /config/scripts
sudo nano country-load
---------------
#!/bin/bash
# Space-separated list of two-letter country codes to allow (ipdeny.com zone names).
countryList="ca"
firewallGroupName=countries_allowed

# Download one country's zone file and add each prefix to the ipset
# that backs the EdgeOS network-group of the same name.
function loadcountry () {
    firewallGroupName=$1
    country=$2
    echo "Downloading country definition for $country..." >> /var/log/alex
    wget "http://www.ipdeny.com/ipblocks/data/countries/${country}.zone" -O "/config/zonefiles/${country}.zone" -q
    echo "Adding rules to firewall group $firewallGroupName..." >> /var/log/alex
    # Zone files are one CIDR per line.
    while read -r rule; do
        ipset add "$firewallGroupName" "$rule"
    done < "/config/zonefiles/${country}.zone"
}

# Empty the group, then repopulate it from every listed country.
ipset -F "$firewallGroupName"
for country in $countryList; do
    loadcountry "$firewallGroupName" "$country"
done
---------------
sudo chmod 755 country-load
sudo ./country-load
sudo ipset -L countries_allowed
sudo ipset -L | grep <ip address>
sudo ipset add countries_allowed 24.138.184.164/20
sudo ipset del countries_allowed 24.138.184.164/20
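One thing worth checking before you hang a WAN_LOCAL rule on the group: country-load flushes the ipset and then trusts whatever wget fetched, so a failed download or a malformed zone file leaves you with an empty or half-loaded allow group. The POSIX sh script below is an added example, not code from the post or from ipdeny; it validates zone-file lines before they would reach ipset and tests whether a given source address (your own management IP, say) is covered by the resulting group. The zone text and addresses in it are constructed for the demo, and the function names (valid_cidr, filter_zone, ip_in_zone) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a country zone
# file before its entries reach ipset, and test whether a source address
# would be covered by the resulting allow group. The zone text below is
# constructed for the demo; on the router it would be
# /config/zonefiles/<cc>.zone as fetched by country-load.
set -f   # never glob-expand a zone line such as "*"

# Print a dotted-quad IPv4 address as a 32-bit integer.
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Succeed only for a canonical IPv4 CIDR: four octets 0-255, prefix 0-32,
# no leading zeros (ambiguous between octal and decimal). Anything else
# must never be handed to ipset.
valid_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    prefix=${1#*/}
    case $prefix in
        0|[1-9]|[1-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case $oct in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Read a zone file on stdin and print only its valid entries, dropping
# blank lines, comments and anything malformed or multi-word.
filter_zone() {
    while read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # strip trailing comments
        set -- $line              # trims whitespace; splits extra words
        [ $# -eq 1 ] || continue
        if valid_cidr "$1"; then
            printf '%s\n' "$1"
        fi
    done
}

# Succeed if address $1 falls inside any CIDR read from stdin
# (one per line, already validated).
ip_in_zone() {
    addr_n=$(ip_to_int "$1")
    while read -r cidr || [ -n "$cidr" ]; do
        [ -n "$cidr" ] || continue
        net_n=$(ip_to_int "${cidr%/*}")
        prefix=${cidr#*/}
        if [ "$prefix" -eq 0 ]; then
            return 0              # a /0 covers everything
        fi
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
        if [ $(( addr_n & mask )) -eq $(( net_n & mask )) ]; then
            return 0
        fi
    done
    return 1
}

# Constructed sample zone file: two good entries plus lines a loader must drop.
SAMPLE_ZONE='# demo zone (constructed, not a real ipdeny download)
203.0.113.0/24
198.51.100.0/25   # trailing comment
300.1.2.3/24
192.0.2.0/33
not-an-entry
'

demo() {
    valid=$(printf '%s' "$SAMPLE_ZONE" | filter_zone)
    echo "Entries accepted for ipset:"
    echo "$valid"
    if printf '%s\n' "$valid" | ip_in_zone 203.0.113.45; then
        echo "203.0.113.45 would match the allow group"
    fi
    if ! printf '%s\n' "$valid" | ip_in_zone 198.51.100.200; then
        echo "198.51.100.200 would NOT match (outside 198.51.100.0/25)"
    fi
}

demo
```

On the router you would run `filter_zone < /config/zonefiles/ca.zone` and feed only its output to `ipset add`, and refuse to flush the live group when the filtered file comes back empty. Running `ip_in_zone` against the address you administer from, before the `commit`, is the cheap way to avoid locking yourself out of SSH or the VPN.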
show configuration commands | grep ike | grep WAN_LOCAL
show configuration commands | grep l2tp | grep WAN_LOCAL
configure
set firewall name WAN_LOCAL rule 30 source group network-group countries_allowed
set firewall name WAN_LOCAL rule 60 source group network-group countries_allowed
commit
save
exit
Last point: make sure you watch your firewall rule order.
