Block a huge list of IP-addresses

I’m using RB2011UIAS-2HND-IN and RouterOS 6.44.5.
I want to block 10000 addresses. How would you recommend doing that for efficient CPU utilization, like it works via iptables and ipset?

use blackhole route

Would you mind explaining more on this? Unfortunately, I’m not so much into networking at this point.

You aren’t too verbose regarding your actual goal either. 10000 addresses may be a few prefixes (subnets) or 10000 individual addresses which aren’t “similar” to each other in any way; you may want to block incoming traffic from these IPs to your network or you may want to prevent your users from sending traffic to them…

In any case, to let the packets be dropped as early as possible so that the CPU would spend as little time as possible dealing with them, you need to place a drop rule into /ip firewall raw. The most efficient way is to use a src-address-list (or dst-address-list) and populate it with as few items as possible. So a single item 192.168.0.0/31 should be more efficient than two items, 192.168.0.0 and 192.168.0.1.

So the complete thing to block incoming traffic from 11.22.33.44 and 22.33.44.55 would look like this:

/ip firewall address-list add list=blacklist address=11.22.33.44
/ip firewall address-list add list=blacklist address=22.33.44.55
/ip firewall raw add chain=prerouting action=drop src-address-list=blacklist

The last line supposes that there is no other rule in chain=prerouting of your /ip firewall raw table. If there is, you have to set the rules in a correct order, which depends on the required functionality first, and should be the most efficient one second.

The drop rule doesn’t check on in-interface or in-interface-list as that’s one more test to do on each packet, but that may be dangerous: if you add your LAN subnet to the address-list by mistake, you lock yourself out of your router, so some safety measure is recommended; limiting the rule to in-interface-list=WAN is the most obvious one. But again, if you make your LAN interface a member of interface list WAN by mistake, you lock yourself out too. So think twice and use the safe mode.

Hello,

Perhaps you could tell us more about the issue. Why do you want to do it?

But quickly, you could create an IP address list (in the IP firewall section) and create a firewall rule that blocks that list.

Cheers,


Sent from my cell phone. Sorry for the errors.

Thank you guys for your replies. Sorry, I didn’t know you might need more details. Those are IPs of advertisement servers and some others. The addresses are mostly independent from each other, so they don’t belong to the same network.
I need to add new values to that list in future. So how should I use /ip firewall raw add chain=prerouting action=drop src-address-list=blacklist in this case? Can I add more addresses to the list after putting this line?

For advertisements, is it not possible to look at something like Pi-hole to filter out a lot of crap?
For the blacklist that is fine. Just add this rule and then gradually grow your “blacklist” SRC-ADDRESS-LIST by adding entries. No need to touch the “/ip firewall raw add…” statement anymore, just grow the blacklist.

/ip firewall address-list add list=blacklist address=ip.to.be.blacklisted

Note that you can add a single IP, a range of IPs or a DNS name to the address list.
You can input, for example, ‘192.168.0.0-192.168.1.255’ and it will automatically modify the typed entry to 192.168.0.0/23 on saving.

Thanks, I will try that out. Just one more question. How can I automate the process? I don’t want to enter each address manually as they are so many. I’d rather like to copy them all into terminal or use a file with all the entries to be added.

You can generate a text file externally like

/ip firewall address-list
add list=blacklist address=1.2.3.4
add list=blacklist address=2.3.4.5

save it with a .rsc suffix (e.g., buildblacklist.rsc), upload it to the Tik, and then use /import buildblacklist.rsc.
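As an added example (not code from the thread), a Python script that turns a plain list of addresses and ranges into the .rsc file described above, collapsing duplicate and adjacent entries into the fewest prefixes, as recommended earlier in the thread. The sample addresses, the `buildblacklist.rsc` file name and the `blacklist` list name are constructed for the example.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample input: one entry per line; ranges written as a-b are accepted
# (the same form RouterOS accepts), comments and blank lines are ignored.
SAMPLE = """\
# ad servers (constructed sample, documentation prefixes only)
198.51.100.10
198.51.100.11
203.0.113.0-203.0.113.255
198.51.100.10
not-an-address
192.0.2.64/26
"""

def parse_entries(text: str) -> List[ipaddress.IPv4Network]:
    """Parse lines into IPv4 networks; a range becomes one or more prefixes, bad lines are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            if "-" in line:
                lo, hi = (ipaddress.IPv4Address(p.strip()) for p in line.split("-", 1))
                nets.extend(ipaddress.summarize_address_range(lo, hi))
            else:
                nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            continue  # skip garbage instead of aborting the whole list
    return nets

def aggregate(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge duplicates, contained networks and adjacent prefixes into the fewest entries."""
    return list(ipaddress.collapse_addresses(nets))

def build_rsc(text: str, list_name: str = "blacklist") -> str:
    """Emit the script /import expects, in the same form as the thread's example."""
    lines = ["/ip firewall address-list"]
    for net in aggregate(parse_entries(text)):
        addr = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append(f"add list={list_name} address={addr}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    with open("buildblacklist.rsc", "w") as f:  # upload this file and run /import on it
        f.write(build_rsc(SAMPLE))
```

Entries that end up as /32 are written as bare addresses; everything else keeps its prefix length.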

Philosophically, have you ever thought about why people place links to advertisements on their pages, and what happens if you don’t let the advertisement contents be loaded at all?

It works! Thank you all guys!

I don’t want to watch ads, it’s my right. Especially on websites where I pay, but still they show me their ads.

Just 1 more question please. How can I revert it back? Just using action=accept would be enough?

Just disable the rule. action=accept is the default one.

Sure, or simply take the whole rule away?
/ip firewall raw remove numbers=X (the number of this rule)

You could also temporarily “disable” it.
/ip firewall raw disable numbers=X (number of the rule)

But you can change the “action” to accept also if you want.

It is important to emphasize that the numbers are actually dynamic aliases of object IDs which are assigned independently within each management session. So each print command related to that type of objects re-assigns them, and without a previous print of those objects in that very session they have no meaning. People migrating from the GUI (WebFig or Winbox) tend to look up the numbers in the GUI and then use them in the terminal or ssh window, which just ends up with an error if no print was used before, but may result in the change or removal of a wrong object if a print with some filtering conditions was used and then the object number was taken from the GUI for the modification command.

Got it. Thank you!

Hello.
Everything is working fine, but loading some websites takes a lot of time because the browser is stuck waiting for the blocked servers to respond. I guess it’s all because of the drop rule used. Is there any way to set the rule to reject packets instead of dropping them? I think that’s the reason.

Replace action=drop by action=reject reject-with=tcp-reset in the rule. But this cannot be done in /ip firewall raw, so you’ll have to move the rule to /ip firewall filter. Not a big deal as we talk about the initial (and also last) packet of a connection so there won’t be tons of them.

Before you think: “hey I can put up a local DNS server that serves a zone like addresstobeblocked.local and I put the addresses in that server (dynamically) and I don’t have to maintain the router’s list”:

Well, that does not work for 10000 addresses. Bummer.
It appears that the address list addition via DNS name itself can handle quite a long list, but the resolution of the DNS name is always done via the router’s own resolver (ip->dns) and it has a limit on the number of addresses it can return from a query.
The limit also appears to depend on the length of the DNS name itself.
It may work up to like 1000 entries. 3000 is for sure too many.

It would be very nice if this were fixed, because it would offer an easy way to distribute address lists like this.