Community discussions

MikroTik App
just joined
Topic Author
Posts: 20
Joined: Tue Jul 24, 2018 1:58 am

Allow only one country to access router

Sun Dec 09, 2018 1:12 am


I've setup a list of IP-s from this site
And I've setup a rule:
/ip firewall filter
chain=input action=drop src-address-list=!CountryIPAllow in-interface=ether1 log=no log-prefix=""

What I've intended with this rule: Don't allow connection from anywhere except from "CountryIPAllow"

But the problem is, if this rule is enabled, all my computers and phones etc have internet access, but my router doesn't get updates and can't ping anything.
So no internet for my router.
Maybe someone can explain me how to fix it.

Thank you!
User avatar
Forum Guru
Forum Guru
Posts: 7336
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Allow only one country to access router

Sun Dec 09, 2018 2:55 am

In general, input rules are to the router, forward rules are from the LAN to the LAN/LAN to WAN/WAN to LAN.
Thus you have restricted your router, not your LAN.

What is your concern?
People on your internet going to certain countries?
People from some countries trying to ping your router?
People from some countries trying to get on your servers?

Without articulating your requirements without discussing solutions or equipment, help will be hard to find.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
User avatar
Forum Guru
Forum Guru
Posts: 1130
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Allow only one country to access router

Sun Dec 09, 2018 11:12 am

I use similar to exclude a few countries from reaching me and my router (and vice versa). Your router is most likely trying to reach DNS outside your country and updates will be coming from MT (Latvia?) so a different approach is probably needed.

If this is for access control you would be better really restricting the locations rather than blanketing “a country” as otherwise you get results as you have found. Maybe “a” public subnet at most? Maybe lock it down to an internal range and VPN in?
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
Posts: 26
Joined: Sun Jul 01, 2018 2:03 pm

Re: Allow only one country to access router  [SOLVED]

Sun Dec 09, 2018 2:23 pm

what is the order of your firewall rules?
If this is the first rule (or anywhere before accept related, established in input chain), then for example when your router tries to connect to mikrotik update server in Latvia, the server reply would be blocked by this rule.

So make sure, you have correct accept rule for established, related packets in input chain _before_ this drop rule.

Who is online

Users browsing this forum: johnson73, keithy, pizzonia, seriosha and 148 guests