
RouterOS v6


Before you get everything up and running, there are a few questions you need to answer:




1. Do you want to use the access-list or the routing table to drop traffic?

Pro: The route 'blackhole' feature saves you some firewall rules, and all returning traffic is blackholed.

Con: Importing all the routes is time-consuming.

2. For which IP version are you going to drop traffic?

3. And lastly, which countries do you want to drop?

Note: wherever dropping is mentioned, you can also permit the listed traffic and drop all other traffic instead (this is only possible with the access-list method).


Let's get started:


First we're going to construct the URL which generates the GeoIP list for us:

The URL is https://mikrotik-geoip.com/free/?version=6&family=<ipv4>|<ipv6>&type=<firewall>|<route>&country=<ISO-3166 Alpha2 country code>





You can find the ISO-3166 country codes on Wikipedia (ISO-3166 Country Codes).





For example, say the IP family is IPv4, you want to use the firewall feature to drop traffic, and the country you want to drop is China. The URL in this case is:

https://mikrotik-geoip.com/free/?version=6&family=ipv4&type=firewall&country=CN

Access-list

[admin@MikroTik] > /tool fetch \
url="https://mikrotik-geoip.com/free/?version=6&family=ipv4&type=firewall&country=CN" \
output=file dst-path=MikroTik-GeoIP.rsc
[admin@MikroTik] > /import file-name=MikroTik-GeoIP.rsc

With this list imported, you can use it in your firewall rules to drop/allow traffic.

Route

[admin@MikroTik] > /tool fetch \
url="https://mikrotik-geoip.com/free/?version=6&family=ipv4&type=route&country=CN" \
output=file dst-path=MikroTik-GeoIP.rsc
[admin@MikroTik] > /import file-name=MikroTik-GeoIP.rsc

That's all, you're done!

You can use multiple lists if you want, so for example if you want to block China, Russia and Cuba:

(I'll give the URLs for the access-list below)

[admin@MikroTik] > /tool fetch url="https://mikrotik-geoip.com/free/?version=6&family=ipv4&type=firewall&country=CN" \
output=file dst-path=MikroTik-GeoIP-CN.rsc
[admin@MikroTik] > /tool fetch url="https://mikrotik-geoip.com/free/?version=6&family=ipv4&type=firewall&country=RU" \
output=file dst-path=MikroTik-GeoIP-RU.rsc
[admin@MikroTik] > /tool fetch url="https://mikrotik-geoip.com/free/?version=6&family=ipv4&type=firewall&country=CU" \
output=file dst-path=MikroTik-GeoIP-CU.rsc
[admin@MikroTik] > /import file-name=MikroTik-GeoIP-CN.rsc
[admin@MikroTik] > /import file-name=MikroTik-GeoIP-RU.rsc
[admin@MikroTik] > /import file-name=MikroTik-GeoIP-CU.rsc

What about IPv6?




Take the examples above, but change family=ipv4 to family=ipv6. That's it!
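
/import executes whatever commands the fetched file contains, so it is worth reviewing the download before importing it. The following is an added example (not code from the original page or from the mikrotik-geoip.com project): a Python check, run on a management host, that accepts only well-formed address-list entries for the expected family and list. The entry format `add address=... list=...`, the list name `CN` and the protected management range are assumptions, and the sample input is constructed.

```python
import ipaddress
import re

# Assumed entry shape; the generator's real output is not shown on the page.
ENTRY = re.compile(r"add address=(\S+) list=(\S+)")
MENU = {4: "/ip firewall address-list", 6: "/ipv6 firewall address-list"}

# Constructed sample input, not real generator output.
SAMPLE = """\
# constructed sample
/ip firewall address-list
add address=192.0.2.0/24 list=CN
add address=198.51.100.0/25 list=CN
add address=0.0.0.0/0 list=CN
add address=10.0.0.0/8 list=CN
add address=2001:db8::/32 list=CN
add address=192.0.2.1/24 list=CN
add address=203.0.113.0/24 list=trusted
/system identity set name=test
"""

def review_rsc(text, family, list_name, protected=()):
    """Split a downloaded address-list script into accepted networks and rejected lines."""
    version = 4 if family == "ipv4" else 6
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == MENU[version]:
            continue
        m = ENTRY.fullmatch(line)
        try:
            # strict=True rejects prefixes that have host bits set
            net = ipaddress.ip_network(m.group(1), strict=True) if m else None
        except ValueError:
            net = None
        # Reject: unknown command, wrong family, a /0 catch-all, another list
        # name, or overlap with a range that must stay reachable.
        ok = (net is not None and net.version == version and net.prefixlen > 0
              and m.group(2) == list_name
              and not any(p.version == version and net.overlaps(p) for p in protected))
        if ok:
            accepted.append(net)
        else:
            rejected.append((lineno, line))
    return accepted, rejected

if __name__ == "__main__":
    mgmt = [ipaddress.ip_network("10.0.0.0/8")]  # hypothetical management range
    good, bad = review_rsc(SAMPLE, "ipv4", "CN", protected=mgmt)
    print(f"{len(good)} entries accepted")
    for lineno, line in bad:
        print(f"line {lineno}: refuse to import: {line}")
```

Import the file only when the rejected list is empty; any rejected line means the download does not match what you expected to run.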