Geoblocking on a MikroTik Router
February 22nd 2024
Since there is a boatload of scattered information on how to geoblock on MikroTik routers, I've decided to make my own script. There are already existing tools out there, for example:
- mikrotikconfig.com, where you can't even pick a name for the address-list and have to upload the script file to your router in order to execute it.
- iwik.org (and the corresponding blog post) does things a little better. You can at least automate the import on your router, but you still can't pick a name for the address-list or put multiple countries into one list.
And there is yet another big problem with all of those: you have to trust them not to inject malicious commands into the generated scripts.
This script is meant to improve on that. You give it a list of countries plus a few options, and you receive a MikroTik script which creates an address-list containing the specified countries.
Unfortunately it's a bash script, which only runs on Linux.
Prerequisites
You should already have some knowledge about address-lists, geoblocking and networking in general.
Caution!
First of all: Don't trust me or this code. Use it at your own risk and only if you understand what it's doing.
Also, adding a lot of IPs to an address-list on your MikroTik router can crash your browser tab when you use Webfig and display all IPs in that address-list. Be aware.
The script
This script downloads and parses country subnet lists from ripe.net and returns them as MikroTik commands, so you can simply pipe the output into ssh admin@my-router and be done with it.
Example
./mikrotik-geo-addresslist.sh -c GB -n GB -a 192.168.0.0/24
will return
/log info "Loading GB ip address list"
/ip firewall address-list remove [/ip firewall address-list find list=GB]
/ip firewall address-list add address=192.168.0.0/24 list=GB
/ip firewall address-list add address=1.2.3.4/16 list=GB
/ip firewall address-list add address=fe80::/64 list=GB
...
You can pipe the output directly into SSH to execute it on your router:
./mikrotik-geo-addresslist.sh -c GB -n GB -a 192.168.0.0/24 | ssh admin@192.168.0.1
Now you can use the GB address-list in your firewall for whatever you want.
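The parsing step the script performs, as an added example that is not the author's script: it reads rows in the RIPE delegated-extended format (registry|cc|type|start|value|...) from a constructed inline sample instead of downloading, splits IPv4 ranges whose address count is not a power of two into proper CIDR blocks, and emits the same style of address-list commands shown above. The sample rows, the country codes and the list name are made up; the command paths (/ip and /ipv6 firewall address-list) are RouterOS's own.

```shell
#!/bin/bash
# Constructed sample in the RIPE delegated-extended format (registry|cc|type|start|value|date|status|id).
# For ipv4 rows "value" is an address count (not always a power of two); for ipv6 it is a prefix length.
SAMPLE='ripencc|GB|ipv4|2.24.0.0|524288|20100817|allocated|x1
ripencc|GB|ipv4|5.2.0.0|393216|20120524|allocated|x2
ripencc|DE|ipv4|2.16.0.0|1048576|20100817|allocated|x3
ripencc|GB|ipv6|2a00:1098::|32|20090514|allocated|x4
ripencc|GB|asn|1234|1|20090514|allocated|x5'

ip2int() { set -- $(echo "$1" | tr . ' '); echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }
int2ip() { echo "$(( ($1>>24)&255 )).$(( ($1>>16)&255 )).$(( ($1>>8)&255 )).$(( $1&255 ))"; }

# Split "start address + count" into the CIDR blocks RouterOS expects. Each block is the
# largest power of two that is aligned at the current address and still fits in what is left.
range2cidr() {
  ip=$(ip2int "$1"); left=$2
  while [ "$left" -gt 0 ]; do
    size=1; bits=32
    while [ $((size * 2)) -le "$left" ] && [ $((ip % (size * 2))) -eq 0 ]; do
      size=$((size * 2)); bits=$((bits - 1))
    done
    echo "$(int2ip "$ip")/$bits"
    ip=$((ip + size)); left=$((left - size))
  done
}

# Turn the delegated rows into RouterOS commands for the given country codes (space separated).
# Rows for other countries and ASN rows are skipped; IPv6 entries go to the separate /ipv6 list.
ripe2mikrotik() {
  countries=$1; list=$2
  echo "/log info \"Loading $list ip address list\""
  echo "/ip firewall address-list remove [/ip firewall address-list find list=$list]"
  printf '%s\n' "$SAMPLE" | while IFS='|' read -r reg cc type start value rest; do
    case " $countries " in *" $cc "*) ;; *) continue ;; esac
    case $type in
      ipv4) range2cidr "$start" "$value" | while read -r cidr; do
              echo "/ip firewall address-list add address=$cidr list=$list"
            done ;;
      ipv6) echo "/ipv6 firewall address-list add address=$start/$value list=$list" ;;
    esac
  done
}

ripe2mikrotik "GB" "GB"
```

The 5.2.0.0 row (393216 addresses) comes out as 5.2.0.0/15 plus 5.4.0.0/14, which is the kind of split a naive "count to prefix length" conversion gets wrong.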