jspool
Member
Topic Author
Posts: 468
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Feature Request: GeoBlocking Firewall

Sun Jul 03, 2016 2:22 am

Most commercial firewalls offer geo blocking in a non PITA way. It would be nice to have this available to Mikrotik users without needing to build it and maintain it on our own.
 
pe1chl
Forum Guru
Posts: 10200
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: GeoBlocking Firewall

Sun Jul 03, 2016 1:40 pm

MikroTik routers are routers with connection-tracking firewall, not "firewalls" in the sense that those expensive boxes are.
(with account for all kinds of reputation- and marking services included in the price)
 
jspool
Member
Topic Author
Posts: 468
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: Feature Request: GeoBlocking Firewall

Sun Jul 03, 2016 5:49 pm

I am aware of its current capabilities as I have deployed near a thousand of them now.  But some things could be added. Much like banning an IP after x amount of login attempts. I'm not talking with firewall rules I am referring to something that's built into ROS. Geo firewall would be well received by many users as would SMS and email notification of successful and failed login attempts.
They could add another level to their license to cover such features and I and no doubt others would be happy to pay.
 
mrz
MikroTik Support
Posts: 7044
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: GeoBlocking Firewall

Mon Jul 04, 2016 12:20 pm

All of your mentioned features are already possible.
"banning an IP after x amount" - look for examples in wiki.
"email notification" - see /system logging actions.
 
Cha0s
Forum Guru
Posts: 1140
Joined: Tue Oct 11, 2005 4:53 pm

Re: Feature Request: GeoBlocking Firewall

Mon Jul 04, 2016 2:54 pm

> Most commercial firewalls offer geo blocking in a non PITA way. It would be nice to have this available to Mikrotik users without needing to build it and maintain it on our own.
+1
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request: GeoBlocking Firewall

Mon Jul 04, 2016 4:58 pm

> "banning an IP after x amount" - look for examples in wiki.
If you mean this, it limits ssh access based on number of connections, not failed login attempts. Imagine how much nicer it would be, if number of allowed login attempts was handled internally by system, instead of user-configured firewall rules. If it was configurable per-service, similar to current "Available From" option (that too could be done only using firewall rules and yet it exists as separate option - and it's a good thing).
 
mrz
MikroTik Support
Posts: 7044
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: GeoBlocking Firewall

Mon Jul 04, 2016 6:56 pm

Sounds very neat. What other features would you like to see?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request: GeoBlocking Firewall

Tue Jul 05, 2016 12:29 am

Well, the key part of this system-controlled anti-bruteforcer would be counting of actual failed logins, something you currently can't do in a simple and reliable way for all services. It could be just a self-contained feature "block address for <time> if it has <number> of failed logins in last <time period>". I think it would be useful for many people, because blocking of excessive login attempts is a generally desirable feature.
It could also be extended if needed. It could have an option to add the address to the standard "/ip firewall address-list" and let users use the list in their rules (could be useful e.g. for exceptions). Or there could be some "on-address-blocked" event with the possibility to run a custom script.

Regarding geoblocking (so that I'm not completely off main topic), what about support for MaxMind's GeoIP databases? Both commercial and free ones (less accurate and updated less often) are available. There's even some existing code for iptables (http://xtables-addons.sourceforge.net). You wouldn't necessarily need to distribute the database with RouterOS, users could upload what they get themselves.
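
The rule quoted in the post above ("block address for <time> if it has <number> of failed logins in last <time period>"), as an added example that is not part of the original post and is not RouterOS code. The class, method names and events are assumptions made for illustration; it counts failed logins rather than connections and includes the exception list and on-blocked hook the post suggests.

```python
from collections import defaultdict, deque

class FailedLoginBlocker:
    """Block an address for ban_time after max_failures failed logins within window (seconds)."""

    def __init__(self, max_failures, window, ban_time, exempt=(), on_blocked=None):
        self.max_failures, self.window, self.ban_time = max_failures, window, ban_time
        self.exempt = set(exempt)            # addresses that are never blocked
        self.on_blocked = on_blocked         # hook in the spirit of "on-address-blocked"
        self.failures = defaultdict(deque)   # address -> timestamps of recent failures
        self.blocked_until = {}              # address -> time the block expires

    def is_blocked(self, addr, now):
        until = self.blocked_until.get(addr)
        if until is not None and now >= until:
            del self.blocked_until[addr]     # block has expired
            return False
        return until is not None

    def failed_login(self, addr, now):
        """Record one failed login; return True if it triggers a new block."""
        if addr in self.exempt or self.is_blocked(addr, now):
            return False
        recent = self.failures[addr]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) < self.max_failures:
            return False
        self.blocked_until[addr] = now + self.ban_time
        del self.failures[addr]
        if self.on_blocked:
            self.on_blocked(addr, self.blocked_until[addr])
        return True

# Constructed events: (time in seconds, source address, login succeeded?)
EVENTS = [(0, "203.0.113.7", False), (5, "198.51.100.9", True), (20, "203.0.113.7", False),
          (25, "198.51.100.9", True), (40, "198.51.100.9", True), (45, "203.0.113.7", False),
          (50, "192.0.2.10", False), (51, "192.0.2.10", False), (52, "192.0.2.10", False),
          (100, "203.0.113.7", False)]

def replay(events):
    """Feed the events to a 3-failures-in-60s, 600s-block policy with one exempt address."""
    notified = []
    blocker = FailedLoginBlocker(3, 60, 600, exempt={"192.0.2.10"},
                                 on_blocked=lambda addr, until: notified.append((addr, until)))
    for now, addr, ok in events:
        if not ok:                           # only failed logins count, not connections
            blocker.failed_login(addr, now)
    return blocker, notified
```

In the constructed events, 198.51.100.9 logs in successfully three times within the window and is left alone, which a rule that counts connections would not do.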
 
Cha0s
Forum Guru
Posts: 1140
Joined: Tue Oct 11, 2005 4:53 pm

Re: Feature Request: GeoBlocking Firewall

Mon Sep 11, 2017 2:18 am

Another use case for geoip would be country whitelisting during an attack.

Let's say you have clients that only have traffic from a specific country and they get DDoS attacked (depending on where someone lives most attacks are out of country IPs), you can easily allow only this country's traffic and block all other during the attack.
So worldwide it won't be accessible but from the country that needs it will be just fine.
Any false positives (ie missing country's prefixes) can be added manually then. Much easier than manually maintaining whole countries prefix lists.
 
jspool
Member
Topic Author
Posts: 468
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: Feature Request: GeoBlocking Firewall

Mon Sep 11, 2017 2:38 am

> Another use case for geoip would be country whitelisting during an attack.
>
> Let's say you have clients that only have traffic from a specific country and they get DDoS attacked (depending on where someone lives most attacks are out of country IPs), you can easily allow only this country's traffic and block all other during the attack.
> So worldwide it won't be accessible but from the country that needs it will be just fine.
> Any false positives (ie missing country's prefixes) can be added manually then. Much easier than manually maintaining whole countries prefix lists.
Sophos UTM has a very nice geo blocking feature and it is quite handy. It would probably involve Mikrotik subscribing to a service that keeps the IP ranges for each country up to date as much as possible and then a periodic update of those ranges to the routers.
 
pe1chl
Forum Guru
Posts: 10200
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: GeoBlocking Firewall

Mon Sep 11, 2017 11:54 am

> Sophos UTM has a very nice geo blocking feature and it is quite handy. It would probably involve Mikrotik subscribing to a service that keeps the IP ranges for each country up to date as much as possible and then a periodic update of those ranges to the routers.
... and then "us", who use MikroTik routers on internal networks and who are not interested in discrimination of users based on the country where they were born, to pay for that subscription through the purchase price of our routers?
NO, THANK YOU!
When you want to do that, please make it an optional additional package with a clear subscription price.
 
jspool
Member
Topic Author
Posts: 468
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: Feature Request: GeoBlocking Firewall

Mon Sep 11, 2017 8:04 pm

>> Sophos UTM has a very nice geo blocking feature and it is quite handy. It would probably involve Mikrotik subscribing to a service that keeps the IP ranges for each country up to date as much as possible and then a periodic update of those ranges to the routers.
> ... and then "us", who use MikroTik routers on internal networks and who are not interested in discrimination of users based on the country where they were born, to pay for that subscription through the purchase price of our routers?
> NO, THANK YOU!
> When you want to do that, please make it an optional additional package with a clear subscription price.
Wow awful emotional over that one, Are you manstruating? There are valid uses for geo blocking and I think anyone that has network experience would realize that. Contrary to snowflake beliefs everything is not about racial discrimination. I also did not suggest that Mikrotik charge for this service. I noted that they could subscribe to a listing service and utilize for their products.

I also do not think that added features that require subscription should be forced on a customer base. I agree that subscription based services should be something that is an optional add on.

Stay logical my friends.
 
normis
MikroTik Support
Posts: 26326
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature Request: GeoBlocking Firewall

Tue Sep 12, 2017 9:35 am

The GeoIP database that we already subscribe to has 1.9Gb worth of data. That is only the plain text of IP address + City/Country.

We can't build this into the RouterOS release, even as a package, it would be too heavy for most RouterBOARD models, and we already have L7 being improperly used on hAP units.

And this is IPv4. IPv6 is a whole other story.
 
Cha0s
Forum Guru
Posts: 1140
Joined: Tue Oct 11, 2005 4:53 pm

Re: Feature Request: GeoBlocking Firewall

Tue Sep 12, 2017 6:10 pm

> The GeoIP database that we already subscribe to has 1.9Gb worth of data. That is only the plain text of IP address + City/Country.
>
> We can't build this into the RouterOS release, even as a package, it would be too heavy for most RouterBOARD models, and we already have L7 being improperly used on hAP units.
>
> And this is IPv4. IPv6 is a whole other story.
City information is too much. I don't think anyone needs that much detail. Country alone is just fine.
Besides most of the databases out there have the city part wrong so they are useless anyway (at least for my country...).

Just an example: All IPv4 + IPv6 + ASNs for all countries, generated daily by using data from all the RIRs is roughly 7.5MB.

Surely by relying only on RIR data they won't be that accurate since not every prefix owner keeps their whois data up to date, but it's better than nothing and by a quick glance at my country's prefixes I found all the big/important ones (from our local ISPs).

Just a random site while looking into this https://www.cc2asn.com/ (which by the way is open source https://github.com/toringe/cc2asn )
The data is all based on publicly available information from the five RIRs (regional Internet registry) in the world; ARIN, RIPE NCC, APNIC, LACNIC and AfriNIC.

Each RIR publish a delegation file using the statistics exchange format. The delegation files are updated once every day. CC2ASN parses these files and restructurize the data, based on country code.

The data is then made available through both a whois-server and a http-server.
You could build a similar closed service or API only for RouterOS so that it will get its data periodically from you directly behind the scenes as an address list or something. Not come with preloaded thousands of prefixes into ROS. That doesn't make sense since this data keeps changing.

My country's total prefixes are less than 500. Not that large of a number for ROS to handle even on small RB models.
Or if you need to avoid support requests for the reasons you mentioned (small hardware) you can provide this service only to high end RBs (much like the Cloud service which is available only on routerboards and not on x86).


For the time being I'll probably write a script to make use of cc2asn to see how it works out.
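
As an added example (not part of the original post and not cc2asn's code), the following parses RIR delegation files in the statistics exchange format mentioned above into per-country prefixes and renders them as RouterOS address-list commands. The function names, the `cc-XX` list name and the sample records are assumptions of this example; the sample is constructed, not registry data.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the RIR statistics exchange format:
# registry|cc|type|start|value|date|status (values are made up).
SAMPLE = """\
# constructed sample, not real registry data
2|ripencc|20170912|5|19830705|20170911|+0200
ripencc|*|ipv4|*|4|summary
ripencc|SK|ipv4|192.0.2.0|256|20100101|allocated
ripencc|SK|ipv4|198.51.100.0|768|20110101|assigned
ripencc|CZ|ipv4|203.0.113.0|128|20120101|allocated
ripencc|SK|ipv6|2001:db8::|32|20130101|allocated
ripencc|SK|asn|64496|1|20140101|allocated
ripencc||ipv4|203.0.113.128|128||available
"""

def prefixes_by_country(text):
    """Map (country, 'ipv4'|'ipv6') to collapsed networks for allocated/assigned records."""
    found = defaultdict(list)
    for line in text.splitlines():
        f = line.split("|")
        # Comments, the version header and summary lines fail these checks.
        if len(f) < 7 or f[2] not in ("ipv4", "ipv6"):
            continue
        if f[6] not in ("allocated", "assigned") or not re.fullmatch(r"[A-Z]{2}", f[1]):
            continue
        try:
            if f[2] == "ipv4":
                # value is an address count and need not be a power of two
                first = ipaddress.IPv4Address(f[3])
                nets = list(ipaddress.summarize_address_range(first, first + int(f[4]) - 1))
            else:
                # value is the prefix length
                nets = [ipaddress.IPv6Network(f"{f[3]}/{f[4]}")]
        except ValueError:
            continue  # malformed record: never pass it on to the router
        found[(f[1], f[2])].extend(nets)
    return {k: list(ipaddress.collapse_addresses(v)) for k, v in found.items()}

def routeros_script(data, cc):
    """Render address-list commands; the list name cc-XX is an assumption of this example."""
    menus = (("ipv4", "/ip firewall address-list"), ("ipv6", "/ipv6 firewall address-list"))
    return "\n".join(f"{menu} add list=cc-{cc} address={net}"
                     for kind, menu in menus for net in data.get((cc, kind), []))

if __name__ == "__main__":
    print(routeros_script(prefixes_by_country(SAMPLE), "SK"))
```

Every prefix is re-parsed with `ipaddress` and the country code is checked before anything is written out, so a malformed record in a downloaded file is dropped instead of ending up in the script the router imports.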
 
ec2020
just joined
Posts: 4
Joined: Fri Oct 27, 2017 3:10 am

Re: Feature Request: GeoBlocking Firewall

Sat Oct 28, 2017 9:57 am

> The GeoIP database that we already subscribe to has 1.9Gb worth of data. That is only the plain text of IP address + City/Country.
>
> We can't build this into the RouterOS release, even as a package, it would be too heavy for most RouterBOARD models, and we already have L7 being improperly used on hAP units.
>
> And this is IPv4. IPv6 is a whole other story.
Blocking by city is too heavy for router. IP2Location is providing free ACL list by country for Mikrotik. System administrators can download the free list from block visitors by country. The script is very handy, you do not need to modify for the ACL import.
 
hturkan
just joined
Posts: 10
Joined: Mon Dec 19, 2016 9:38 am

Re: Feature Request: GeoBlocking Firewall

Sun Oct 29, 2017 3:09 pm

Hi @jspool
MikroTik Country IP List Implementation website
https://mikrotikconfig.com/firewall/
Thanks
 
jspool
Member
Topic Author
Posts: 468
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: Feature Request: GeoBlocking Firewall

Sun Oct 29, 2017 11:44 pm

@hturkan I am aware of such methods. My post was more about native features vs scripting.
 
iwikus
newbie
Posts: 33
Joined: Sat Jun 16, 2007 9:55 am

Re: Feature Request: GeoBlocking Firewall

Fri Jan 28, 2022 12:22 am

I have it implemented this simple way:
/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/SK
/import file-name=SK
More on the blog. http://blog.erben.sk/2014/02/06/country-cidr-ip-ranges/
Yes, native version could be useful. Maybe some day, when we now have 7!

 
bpwl
Forum Guru
Posts: 2985
Joined: Mon Apr 08, 2019 1:16 am

Re: Feature Request: GeoBlocking Firewall

Fri Jan 28, 2022 12:41 am

I used to have this in the Fortigates @work. (https://community.fortinet.com/t5/Forti ... a-p/197042)

But:
- We all learned to fake our location for Netflix and TV region limitations and hackers certainly do this. (free anonymizers, or just use NordVPN)
- AFAIK this will never work with IPv6 (or is it and is this causing that huge database ???)
