+1. Most commercial firewalls offer geo blocking in a non-PITA way. It would be nice to have this available to Mikrotik users without needing to build it and maintain it on our own.
If you mean this, it limits SSH access based on number of connections, not failed login attempts. Imagine how much nicer it would be if the number of allowed login attempts was handled internally by the system, instead of user-configured firewall rules. If it was configurable per-service, similar to the current "Available From" option (that too could be done using only firewall rules and yet it exists as a separate option - and it's a good thing).
"banning an IP after x amount" - look for examples in wiki.
Sophos UTM has a very nice geo blocking feature and it is quite handy. It would probably involve Mikrotik subscribing to a service that keeps the IP ranges for each country up to date as much as possible and then a periodic update of those ranges to the routers.
Another use case for geoip would be country whitelisting during an attack.
Let's say you have clients that only have traffic from a specific country and they get DDoS attacked (depending on where someone lives most attacks are out of country IPs), you can easily allow only this country's traffic and block all other during the attack.
So worldwide it won't be accessible but from the country that needs it will be just fine.
Any false positives (i.e. missing country prefixes) can be added manually then. Much easier than manually maintaining whole countries' prefix lists.
... and then "us", who use MikroTik routers on internal networks and who are not interested in discrimination of users based on the country where they were born, to pay for that subscription through the purchase price of our routers?
Sophos UTM has a very nice geo blocking feature and it is quite handy. It would probably involve Mikrotik subscribing to a service that keeps the IP ranges for each country up to date as much as possible and then a periodic update of those ranges to the routers.
Wow, awful emotional over that one. Are you menstruating? There are valid uses for geo blocking and I think anyone that has network experience would realize that. Contrary to snowflake beliefs everything is not about racial discrimination. I also did not suggest that Mikrotik charge for this service. I noted that they could subscribe to a listing service and utilize for their products.
... and then "us", who use MikroTik routers on internal networks and who are not interested in discrimination of users based on the country where they were born, to pay for that subscription through the purchase price of our routers?
Sophos UTM has a very nice geo blocking feature and it is quite handy. It would probably involve Mikrotik subscribing to a service that keeps the IP ranges for each country up to date as much as possible and then a periodic update of those ranges to the routers.
NO, THANK YOU!
When you want to do that, please make it an optional additional package with a clear subscription price.
City information is too much. I don't think anyone needs that much detail. Country alone is just fine.
The GeoIP database that we already subscribe to has 1.9Gb worth of data. That is only the plain text of IP address + City/Country.
We can't build this into the RouterOS release, even as a package, it would be too heavy for most RouterBOARD models, and we already have L7 being improperly used on hAP units.
And this is IPv4. IPv6 is a whole other story.
You could build a similar closed service or API only for RouterOS so that it will get its data periodically from you directly behind the scenes as an address list or something. Not come with preloaded thousands of prefixes into ROS. That doesn't make sense since this data keeps changing.
The data is all based on publicly available information from the five RIRs (regional Internet registry) in the world; ARIN, RIPE NCC, APNIC, LACNIC and AfriNIC.
Each RIR publishes a delegation file using the statistics exchange format. The delegation files are updated once every day. CC2ASN parses these files and restructures the data, based on country code.
The data is then made available through both a whois-server and a http-server.
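Added example, not part of the thread and not CC2ASN's or MikroTik's code: a parser for the delegation-file format described in the post above that turns one country's records into RouterOS address-list commands, for instance for the allow-one-country case mentioned earlier. The function names, the list name `country-SK` and the sample records are constructed for illustration; the assumed record layout is `registry|cc|type|start|value|date|status`.

```python
import ipaddress

# Constructed sample in the RIR statistics exchange format (not real delegations).
# Assumed record layout: registry|cc|type|start|value|date|status
SAMPLE = """\
2|ripencc|20240101|6|19830705|20231231|+0100
ripencc|*|ipv4|*|4|summary
ripencc|SK|ipv4|192.0.2.0|256|20100101|allocated
ripencc|SK|ipv4|198.51.100.0|768|20110101|assigned
ripencc|CZ|ipv4|203.0.113.0|256|20120101|allocated
ripencc|SK|ipv6|2001:db8::|32|20130101|allocated
ripencc|SK|asn|64496|1|20140101|allocated
ripencc||ipv4|192.0.2.0|256||available
"""

def country_prefixes(text, cc):
    """Return collapsed CIDR networks (IPv4 first, then IPv6) for one country."""
    v4, v6 = [], []
    for line in text.splitlines():
        f = line.strip().split("|")
        # Skip comments, the version header, summary lines and other countries.
        if line.startswith("#") or len(f) < 7 or f[1] != cc.upper():
            continue
        rtype, start, value, status = f[2], f[3], f[4], f[6]
        if status not in ("allocated", "assigned"):
            continue
        if rtype == "ipv4":
            # For IPv4 the value is an address count, not always a power of
            # two, so one record can expand to several CIDR blocks.
            first = ipaddress.IPv4Address(start)
            v4.extend(ipaddress.summarize_address_range(first, first + int(value) - 1))
        elif rtype == "ipv6":
            # For IPv6 the value is the prefix length.
            v6.append(ipaddress.IPv6Network(f"{start}/{value}"))
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def routeros_script(nets, list_name):
    """Render RouterOS address-list commands; list_name is the caller's choice."""
    out = []
    for n in nets:
        menu = "/ip" if n.version == 4 else "/ipv6"
        out.append(f"{menu} firewall address-list add list={list_name} address={n}")
    return "\n".join(out)

if __name__ == "__main__":
    print(routeros_script(country_prefixes(SAMPLE, "SK"), "country-SK"))
```

The 768-address record is the case a naive "count to prefix length" conversion gets wrong: it expands to a /23 plus a /24.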
Blocking by city is too heavy for a router. IP2Location is providing a free ACL list by country for Mikrotik. System administrators can download the free list from block visitors by country. The script is very handy; you do not need to modify it for the ACL import.
/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/SK
/import file-name=SK