FloFaber.com

Geoblocking on a MikroTik Router

Since there is a boatload of scattered information on how to geoblock on MikroTik routers, I've decided to make my own script. There are already existing tools out there, for example:

  • mikrotikconfig.com where you can't even pick a name for the address-list and need to upload the script file to your router in order to execute it.
  • iwik.org (see the corresponding blog post) does things a little better. You can at least automate the import on your router, but you still can't pick a name for the address-list or add multiple countries to one list.

And there is yet another big problem with all of those: you have to trust them not to inject malicious commands into the generated scripts.

This script is meant to improve on that. You give it a list of countries and a few more options, and you receive a MikroTik script which creates an address-list containing the specified countries.

Unfortunately it's a bash-script which only runs on Linux.

Prerequisites

You should already have some knowledge about address-lists, geoblocking and networking in general.

Caution!

First of all: Don't trust me or this code. Use it at your own risk and only if you understand what it's doing.

Also, adding a lot of IPs to an address-list on your MikroTik router can make your browser tab crash when you use WebFig to show all IPs in that address-list. Be aware.

The script

This script will download and parse Country-Subnet-Lists from ripe.net and return them as MikroTik commands so you can simply pipe the output into ssh admin@my-router and be done with it.

Example

./mikrotik-geo-addresslist.sh -c GB -n GB -a 192.168.0.0/24

will return

/log info "Loading GB ip address list"
/ip firewall address-list remove [/ip firewall address-list find list=GB]
/ip firewall address-list add address=192.168.0.0/24 list=GB
/ip firewall address-list add address=1.2.3.4/16 list=GB
/ip firewall address-list add address=fe80::/64 list=GB
...

You can pipe the output directly into SSH to execute it on your router:

./mikrotik-geo-addresslist.sh -c GB -n GB -a 192.168.0.0/24 | ssh admin@192.168.0.1

Now you can use the GB address-list in your firewall for whatever you want.
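
Since the generated output is executed on the router as-is, it is worth checking it against an allowlist before piping it into SSH. The following is an added example, not part of the original script: the helper names are hypothetical, and the three accepted line shapes are assumed from the sample output shown above.

```sh
#!/bin/sh
# Added example (not the author's script): allowlist check for generated output.
# Line shapes are taken from the sample output above; adjust if yours differ.

# validate_addresslist_script LIST  (hypothetical helper name)
# Reads a generated script on stdin. Returns 0 only if every non-empty line is
# one of the three expected commands and targets LIST; 1 if any line is
# rejected; 2 if LIST itself contains unexpected characters.
validate_addresslist_script() {
    list=$1
    case $list in
        ''|*[!A-Za-z0-9_-]*) echo "invalid list name" >&2; return 2 ;;
    esac
    # Character-level shape checks, not full address validation.
    v4='([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}'
    v6='[0-9A-Fa-f:]+:[0-9A-Fa-f:]*/[0-9]{1,3}'
    log='/log info "[A-Za-z0-9 _-]*"'
    remove="/ip firewall address-list remove \\[/ip firewall address-list find list=$list]"
    add="/ip firewall address-list add address=($v4|$v6) list=$list"
    # -v selects lines matching neither the allowlist nor the empty-line pattern.
    # Anchoring with ^...$ rejects anything appended after a valid command.
    rejected=$(grep -Evn -e "^($log|$remove|$add)\$" -e '^$' || true)
    if [ -n "$rejected" ]; then
        printf 'rejected lines:\n%s\n' "$rejected" >&2
        return 1
    fi
    return 0
}

# Constructed sample input; returns 0 when the validator behaves as intended.
check_constructed_samples() {
    good='/log info "Loading GB ip address list"
/ip firewall address-list remove [/ip firewall address-list find list=GB]
/ip firewall address-list add address=192.168.0.0/24 list=GB
/ip firewall address-list add address=fe80::/64 list=GB'
    printf '%s\n' "$good" | validate_addresslist_script GB || return 1
    # A second command appended after ";" must be rejected.
    printf '%s\n/ip firewall address-list add address=10.0.0.0/8 list=GB; /log warning "extra"\n' "$good" |
        validate_addresslist_script GB 2>/dev/null && return 1
    # Writes to a list other than the one requested must be rejected.
    printf '/ip firewall address-list add address=10.0.0.0/8 list=mgmt\n' |
        validate_addresslist_script GB 2>/dev/null && return 1
    return 0
}
```

Write the generator's output to a file, run the check on that file, and feed the same file to ssh only when the check returns 0, so that what was validated is exactly what the router executes.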