# MikroTik Router Automated Firewall Address List
Yes, you can create a firewall address list remotely and upload it to a MikroTik router, which is particularly useful for managing the Town of Collbran’s network issues (e.g., blocking `23.162.216.0/24` or other suspicious IPs like `79.127.159.187` and `176.65.148.175` to control address list growth and ensure Colorado Privacy Act compliance). Below, I’ll explain how to formulate an address list, upload it to a MikroTik router, and integrate it into your firewall, using secure and efficient methods compatible with RouterOS (e.g., v7.18.2).
### Overview
A MikroTik firewall address list is a dynamic or static list of IP addresses or ranges used in firewall rules (e.g., to block or allow traffic). You can create this list on a remote system (e.g., your PC), format it as a RouterOS script, and upload it to the router via SSH, WinBox, or the WebFig interface. This approach is ideal for bulk updates or managing lists programmatically.
### Steps to Formulate and Upload a Firewall Address List
#### 1. **Formulate the Address List**
Create a text file containing the address list entries in RouterOS script format. Each entry adds an IP or range to a named list (e.g., `Blocked_IPs`).
- **Format**:
```
/ip firewall address-list
add list=Blocked_IPs address=IP_ADDRESS comment="DESCRIPTION"
```
- **Example** (based on your context):
Create a file named `address_list.rsc` with:
```
/ip firewall address-list
add list=Blocked_IPs address=79.127.159.187 comment="Suspicious IP from sniffer"
add list=Blocked_IPs address=176.65.148.175 comment="Suspicious DDoS source"
add list=Blocked_IPs address=23.162.216.0/24 comment="Heavy traffic range"
```
- **Programmatic Creation** (optional):
If you have a large list of IPs (e.g., from logs or an external source), use a script to generate the `.rsc` file. Example in Python:
```python
# Addresses or CIDR ranges to block (edit or load from a log/external source)
ips = ["79.127.159.187", "176.65.148.175", "23.162.216.0/24"]

# Write a RouterOS script that adds each entry to the Blocked_IPs list
with open("address_list.rsc", "w") as f:
    f.write("/ip firewall address-list\n")
    for ip in ips:
        f.write(f'add list=Blocked_IPs address={ip} comment="Added remotely"\n')
```
Run this script to generate `address_list.rsc`.
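A more defensive version of the generator, added here as an illustration and not part of the original answer: it validates every entry as an IPv4 address or CIDR range, drops duplicates and hosts already covered by a broader range, and strips quote characters from comments so a bad line cannot break the `.rsc` syntax on import. The sample entries are constructed for the demonstration; `build_rsc` and the other names are hypothetical.

```python
import ipaddress
import re
from pathlib import Path

LIST_NAME = "Blocked_IPs"

def parse_entry(raw: str):
    """Parse one address or CIDR range; return an IPv4Network, or None if it is unusable."""
    raw = raw.strip()
    if not raw or raw.startswith("#"):
        return None
    try:
        net = ipaddress.ip_network(raw, strict=False)  # strict=False tolerates host bits set
    except ValueError:
        return None
    return net if net.version == 4 else None

def format_address(net: ipaddress.IPv4Network) -> str:
    """RouterOS takes a bare address for a single host and CIDR notation for a range."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)

def sanitize_comment(comment: str) -> str:
    """Remove quotes, backslashes and line breaks so a comment cannot escape its 'add' line."""
    return re.sub(r'["\\\r\n]', " ", comment).strip()[:100]

def build_rsc(entries, list_name: str = LIST_NAME) -> str:
    """Build the import script, skipping invalid, duplicate and already-covered entries."""
    parsed = []
    for raw, comment in entries:
        net = parse_entry(raw)
        if net is not None:
            parsed.append((net, comment))
    parsed.sort(key=lambda item: item[0].prefixlen)  # broad ranges first, so covered hosts are dropped
    kept = []
    lines = ["/ip firewall address-list"]
    for net, comment in parsed:
        if any(net.subnet_of(k) for k in kept):  # duplicate, or inside a range already listed
            continue
        kept.append(net)
        lines.append(f'add list={list_name} address={format_address(net)} comment="{sanitize_comment(comment)}"')
    return "\n".join(lines) + "\n"

# Constructed sample input: (address-or-range, comment); two lines are deliberately bad
SAMPLE = [
    ("79.127.159.187", "Suspicious IP from sniffer"),
    ("176.65.148.175", "Suspicious DDoS source"),
    ("23.162.216.0/24", "Heavy traffic range"),
    ("23.162.216.77", "host already covered by the /24 above"),
    ("not-an-ip", "garbage line that must be skipped"),
    ("79.127.159.187", 'repeat with "quotes" in the comment'),
]

if __name__ == "__main__":
    Path("address_list.rsc").write_text(build_rsc(SAMPLE))
```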
#### 2. **Upload the File to the Router**
You can upload the `.rsc` file using one of these methods:
- **Method 1: SSH (Recommended for Automation)**
1. **Enable SSH**:
Ensure SSH is enabled on the router:
```
/ip service set ssh disabled=no
/ip ssh set allow-none-crypto=no always-allow-password-login=yes
```
Set a strong password for the admin user:
```
/user set admin password=ComplexP@ssw0rd123
```
2. **Upload File**:
Use SCP (Secure Copy) to transfer the file. On Linux/macOS:
```bash
scp address_list.rsc admin@<router_ip>:/address_list.rsc
```
On Windows, use a tool like WinSCP or PowerShell:
```powershell
scp address_list.rsc admin@<router_ip>:/address_list.rsc
```
Replace `<router_ip>` with your router’s IP (e.g., `69.85.70.36`).
3. **Import the File**:
Connect via SSH:
```bash
ssh admin@<router_ip>
```
Import the script:
```
/import file=address_list.rsc
```
- **Method 2: WinBox**
1. Open WinBox and connect to your router.
2. Go to **Files** in the left menu.
3. Drag and drop `address_list.rsc` from your PC to the Files window.
4. In WinBox’s **System > Scripts** menu, create a new script:
- Name: `ImportAddressList`
- Source: `/import file=address_list.rsc`
5. Run the script to apply the address list.
- **Method 3: WebFig**
1. Open a browser and navigate to `http://<router_ip>` (or `https://<router_ip>` if WWW-SSL is enabled).
2. Log in and go to **Files**.
3. Click **Upload** and select `address_list.rsc`.
4. Go to **System > Scripts**, create a new script with:
```
/import file=address_list.rsc
```
5. Run the script.
#### 3. **Verify the Address List**
After importing, check the address list:
```
/ip firewall address-list print where list=Blocked_IPs
```
Example output:
```
Flags: D - DYNAMIC
# LIST ADDRESS CREATION-TIME COMMENT
0 Blocked_IPs 79.127.159.187 jun/04/2025 16:43:00 Suspicious IP from sniffer
1 Blocked_IPs 176.65.148.175 jun/04/2025 16:43:00 Suspicious DDoS source
2 Blocked_IPs 23.162.216.0/24 jun/04/2025 16:43:00 Heavy traffic range
```
#### 4. **Integrate with Firewall Rules**
Ensure the address list is used in firewall rules to block traffic. Example:
```
/ip firewall filter
add chain=forward src-address-list=Blocked_IPs action=drop comment="Block suspicious IPs incoming"
add chain=forward dst-address-list=Blocked_IPs action=drop comment="Block suspicious IPs outgoing"
add chain=input src-address-list=Blocked_IPs action=drop comment="Block suspicious IPs to router"
```
Verify rules:
```
/ip firewall filter print where comment~"Block suspicious IPs"
```
#### 5. **Automate Updates (Optional)**
For ongoing management, automate address list updates:
- **Script on Remote Server**:
Use a cron job or scheduled task to generate and upload `address_list.rsc`. Example (Linux):
```bash
#!/bin/bash
# Stop at the first failure so a broken generator run never uploads a stale or empty list
set -e
python3 generate_address_list.py
scp address_list.rsc admin@<router_ip>:/address_list.rsc
ssh admin@<router_ip> "/import file=address_list.rsc"
```
Schedule with `crontab -e`:
```
0 2 * * * /path/to/update_script.sh
```
- **RouterOS Fetch Tool**:
Host the `.rsc` file on a web server and use MikroTik’s fetch tool:
```
/tool fetch url="http://<your_server>/address_list.rsc" mode=http
/import file=address_list.rsc
```
Schedule on the router:
```
/system scheduler
add interval=1d name=update-address-list on-event=":delay 5s; /tool fetch url=\"http://<your_server>/address_list.rsc\" mode=http; /import file=address_list.rsc" policy=read,write,policy,test
```
#### 6. **Collbran-Specific Considerations**
- **Address List Growth**: Your issue with exponential address list growth (likely from the `Nginx` `detect-ddos` rule) can be managed by uploading a curated list of IPs (e.g., `23.162.216.0/24`) to `Blocked_IPs` and disabling dynamic additions:
```
/ip firewall raw disable [find comment~"Nginx"]
/ip firewall address-list remove [find dynamic=yes]
```
- **Compliance**: Ensure logs capture blocked traffic for CPA auditing:
```
/system logging
add topics=firewall action=disk
```
- **ISP Requirements**: Verify with your ISP that bulk address list updates align with their DDoS protection policies.
### Security Best Practices
- **Secure Access**: Use SSH with strong passwords or public key authentication. Disable unused services:
```
/ip service disable telnet,ftp,api
```
- **Backup Before Changes**:
```
/export file=backup-before-address-list.rsc
```
- **Test Changes**: Apply the address list in a test environment or during a maintenance window to avoid disrupting Collbran’s network.
- **Limit Scope**: Restrict address list imports to trusted sources to prevent malicious scripts:
```
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address=<your_management_ip> action=accept
add chain=input protocol=tcp dst-port=22 action=drop
```
### Troubleshooting
- **Import Errors**:
If `/import` fails, check the file format:
```
/log print where topics~error
```
Ensure no syntax errors in `address_list.rsc`.
- **File Upload Issues**:
Verify connectivity and permissions:
```
/ping <your_pc_ip> count=4
/file print
```
- **Address List Not Applied**:
Confirm the list exists and rules reference it:
```
/ip firewall address-list print
/ip firewall filter print where src-address-list=Blocked_IPs
```
### Example Workflow
1. Create `address_list.rsc` on your PC:
```
/ip firewall address-list
add list=Blocked_IPs address=23.162.216.0/24 comment="Block heavy traffic"
```
2. Upload via SCP:
```bash
scp address_list.rsc admin@69.85.70.36:/address_list.rsc
```
3. SSH and import:
```bash
ssh admin@69.85.70.36
/import file=address_list.rsc
```
4. Verify:
```
/ip firewall address-list print where list=Blocked_IPs
```
5. Ensure firewall rules use the list:
```
/ip firewall filter print where comment~"Block suspicious IPs"
```
### Next Steps for Collbran
- **Test the Upload**: Try uploading a small address list (e.g., just `23.162.216.0/24`) and verify it blocks traffic from `00:1C:0F:D2:5C:1B`.
- **Monitor Growth**:
```
/ip firewall address-list print count-only interval=10s
```
- **Share Outputs**:
- `/ip firewall address-list print`
- `/log print where topics~error`
- **Focus Area**: Do you want to automate this process or need help with a specific upload method (e.g., SSH vs. WinBox)?
Let me know if you need a tailored script or assistance with a particular step!