Community discussions

 
NodeMax
newbie
Topic Author
Posts: 38
Joined: Sun Sep 22, 2013 11:39 am

Feature Request - Block Country by IP Using Firewall

Wed Jan 21, 2015 5:50 pm

Hi,

In CloudFlare you can block a country which they will be doing by IP block.

On Microtik CCR I really would like to be able to block Countries by using the firewall.

So tick boxes. Create a Rule. Select Countries, set rule to drop packets

Now could use MaxMind binary DB or another ...

Make my life so much easier.

regards

Tony
 
evince
Member
Member
Posts: 307
Joined: Thu Jul 05, 2012 12:11 pm
Location: Weiswampach - Luxemburg
Contact:

Re: Feature Request - Block Country by IP Using Firewall

Thu Jan 22, 2015 4:07 pm

+1 it coul'd be a great feature :)
 
jarda
Forum Guru
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Re: Feature Request - Block Country by IP Using Firewall

Fri Jan 23, 2015 8:44 am

Why you want to block countries according to ip addresses?
 
evince
Member
Member
Posts: 307
Joined: Thu Jul 05, 2012 12:11 pm
Location: Weiswampach - Luxemburg
Contact:

Re: Feature Request - Block Country by IP Using Firewall

Fri Jan 23, 2015 10:49 am

Imagine you want to block China ... There is too many ip addresses to add
 
jarda
Forum Guru
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Re: Feature Request - Block Country by IP Using Firewall

Fri Jan 23, 2015 11:08 am

ok, I can imagine that.

But why I should do it? Should not be internet open and unblocked by definition? If there is no attack from the IPs, why to block them?
 
jdog
newbie
Posts: 35
Joined: Tue Jan 20, 2015 3:40 pm

Re: Feature Request - Block Country by IP Using Firewall

Fri Jan 23, 2015 2:52 pm

This would be impossible as there would need to be a central database of what IPs belong to what country, and that database would have to be set up for public query through some standard format (Which doesn't exist as far as I know).

On top of this, geolocation data is not perfect either.

You're better managing the blocking yourself, but just remember, the internet was never meant to have countries blocked or separated like that. So you're not going to find any "Easy" system to do that. It breaks the entire scope of what the internet was meant to do, so there will not be any simple system to do it.
 
arnoldmikro
newbie
Posts: 25
Joined: Sun Apr 14, 2013 5:12 pm
Location: miami fl usa

Re: Feature Request - Block Country by IP Using Firewall

Fri Jan 23, 2015 6:55 pm

Take a look at MikroTikConfig.com I have not tried the config but it gives you a check box listings of countries
 
eavictor
just joined
Posts: 4
Joined: Mon Sep 08, 2014 8:49 am

Re: Feature Request - Block Country by IP Using Firewall

Fri Jan 23, 2015 7:47 pm

Add these commands in /system schedule
Then setup startup and run interval you want
/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/CN
/import file-name=CN
/file remove CN
I'm currently using this script to keep all China IPs up to date.

PS: you can change the country code like TW US JP :D
l'm also searching for a job in Taiwan or Japan.
 
User avatar
saaremaa
Member Candidate
Member Candidate
Posts: 156
Joined: Tue Feb 02, 2010 7:48 pm
Location: Baltijos šalių miestas

Re: Feature Request - Block Country by IP Using Firewall

Fri Jan 23, 2015 9:40 pm

-1
(IMHO) you can do it yourself without the development of Mikrotik.
CMDR Saaremaa (Gutamaya Sierra Alpha Alpha)
 
User avatar
kometchtech
Member Candidate
Member Candidate
Posts: 194
Joined: Sat Jun 15, 2013 4:25 am
Location: Japan
Contact:

Re: Feature Request - Block Country by IP Using Firewall

Fri Jan 23, 2015 9:47 pm

There is a web site that implements the Country Block function in the Script below.

http://blog.erben.sk/2014/02/06/country-cidr-ip-ranges/

Take more time and effort because it managed by Script, but the size of the log output increases.
--
Routerboard Users Group JP
http://www.rb-ug.jp/
CCR1009-8G-1S-1S+, RB750Gr3, CRS226-24G-2S+, RB850Gx2, RB960PGS, CRS317-1G-16S+,
RB2011UAS, CRS125-24G-1S, RB962UiGS-5HacT2HnT, CRS212-1G-10S-1S+, RB3011UiAS
 
NodeMax
newbie
Topic Author
Posts: 38
Joined: Sun Sep 22, 2013 11:39 am

Re: Feature Request - Block Country by IP Using Firewall

Sat Jan 24, 2015 1:26 am

Why May you want to do this? block traffic by Country on a CCR

Say you run an anycast network and you have 30 pops all 72 core 10gb interface CCR.

An attack starts and you look at the botnet and it happens to be all machines from countries in Asia attacking 1 IP

Your client base happens to be UK, and Europe

So either you suffer or you login to the the affected CCR's open up the firewall and drop http traffic from those countries where the attacks are coming from to that IP

Your websites are fine and all traffic from UK and Europe are not affected, business as normal.

This is why cloudflare do so well they have the ability on their anycast network to mitigate attacks, most business websites have their clients not worldwide but regional and as attacks get more frequent and bigger it would be very useful to drop traffic by Country to mitigate attacks.

Or may be you run a VOIP network in the USA a botnet starts dossing your UDP ports from a country you have no customers in, drop UDP packets from that country, 1 tick in the firewall for that country, drop UDP problem solved.

So many IP's you say can't do it !

Take the MaxMind Country binary DB, load the DB in memory on CCR. Microtik interface the binary DB and give tick boxes by country
Free version or a monthly paid updated binary DB

IP blocks are country specific so you can easily block IP's by country at IP block level.

http://dev.maxmind.com/geoip/legacy/geolite/
http://dev.maxmind.com/geoip/legacy/install/country/

API's
http://dev.maxmind.com/geoip/legacy/downloadable/

C API
https://github.com/maxmind/geoip-api-c/ ... /README.md

Anyway its possible, in fact easy for Microtik if they want to add a fantastic feature to the CCR
 
NodeMax
newbie
Topic Author
Posts: 38
Joined: Sun Sep 22, 2013 11:39 am

Re: Feature Request - Block Country by IP Using Firewall

Sat Jan 24, 2015 2:15 am

latest maxmind DB
https://www.maxmind.com/en/geoip2-country

So is it possible to write a script on Microtik that can interface the Maxmind Bindary DB?
 
edwardfoster
just joined
Posts: 2
Joined: Fri Jan 30, 2015 2:02 pm

Re: Feature Request - Block Country by IP Using Firewall

Fri Jan 30, 2015 2:04 pm

Great feature .
 
SilverNodashi
Frequent Visitor
Frequent Visitor
Posts: 69
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa
Contact:

Re: Feature Request - Block Country by IP Using Firewall

Thu Sep 07, 2017 5:17 pm

Has this feature ever been implemented?
 
nicutdk
Frequent Visitor
Frequent Visitor
Posts: 99
Joined: Sat Sep 24, 2016 12:06 pm

Re: Feature Request - Block Country by IP Using Firewall

Mon Sep 11, 2017 5:26 pm

+100 for this feature...

With that feature will prevent SPAM. I use and after one month SPAM reduce with ~30%

Regards
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1717
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Feature Request - Block Country by IP Using Firewall

Mon Sep 11, 2017 5:41 pm

Try this: viewtopic.php?f=9&t=98804&hilit=intrusDave

Since last Friday: 33 000 tries to send mail from blocked IPs vs 2500 accepted IPs
Real admins use real keyboards.
 
ec2020
just joined
Posts: 4
Joined: Fri Oct 27, 2017 3:10 am

Re: Feature Request - Block Country by IP Using Firewall

Fri Oct 27, 2017 3:14 am

IP2Location is providing free ACL list by country for Mikrotik. All system administrators can download the free list from block visitors by country.

Who is online

Users browsing this forum: Google [Bot] and 38 guests