Skip to main content

MikroTik Router Automated Firewall Address List

Yes, you can create a firewall address list remotely and upload it to a MikroTik router, which is particularly useful for managing the Town of Collbran’s network issues (e.g., blocking `23.162.216.0/24` or other suspicious IPs like `79.127.159.187` and `176.65.148.175` to control address list growth and ensure Colorado Privacy Act compliance). Below, I’ll explain how to formulate an address list, upload it to a MikroTik router, and integrate it into your firewall, using secure and efficient methods compatible with RouterOS (e.g., v7.18.2).

### Overview
A MikroTik firewall address list is a dynamic or static list of IP addresses or ranges used in firewall rules (e.g., to block or allow traffic). You can create this list on a remote system (e.g., your PC), format it as a RouterOS script, and upload it to the router via SSH, WinBox, or the WebFig interface. This approach is ideal for bulk updates or managing lists programmatically.

### Steps to Formulate and Upload a Firewall Address List

#### 1. **Formulate the Address List**
Create a text file containing the address list entries in RouterOS script format. Each entry adds an IP or range to a named list (e.g., `Blocked_IPs`).

- **Format**:
  ```
  /ip firewall address-list
  add list=Blocked_IPs address=IP_ADDRESS comment="DESCRIPTION"
  ```
- **Example** (based on your context):
  Create a file named `address_list.rsc` with:
  ```
  /ip firewall address-list
  add list=Blocked_IPs address=79.127.159.187 comment="Suspicious IP from sniffer"
  add list=Blocked_IPs address=176.65.148.175 comment="Suspicious DDoS source"
  add list=Blocked_IPs address=23.162.216.0/24 comment="Heavy traffic range"
  ```
- **Programmatic Creation** (optional):
  If you have a large list of IPs (e.g., from logs or an external source), use a script to generate the `.rsc` file. Example in Python:
  ```python
  ips = ["79.127.159.187", "176.65.148.175", "23.162.216.0/24"]
  with open("address_list.rsc", "w") as f:
      f.write("/ip firewall address-list\n")
      for ip in ips:
          f.write(f'add list=Blocked_IPs address={ip} comment="Added remotely"\n')
  ```
  Run this script to generate `address_list.rsc`.

#### 2. **Upload the File to the Router**
You can upload the `.rsc` file using one of these methods:

- **Method 1: SSH (Recommended for Automation)**
  1. **Enable SSH**:
     Ensure SSH is enabled on the router:
     ```
     /ip service set ssh disabled=no
     /ip ssh set allow-none-crypto=no always-allow-password-login=yes
     ```
     Set a strong password for the admin user:
     ```
     /user set admin password=ComplexP@ssw0rd123
     ```
  2. **Upload File**:
     Use SCP (Secure Copy) to transfer the file. On Linux/macOS:
     ```bash
     scp address_list.rsc admin@<router_ip>:/address_list.rsc
     ```
     On Windows, use a tool like WinSCP or PowerShell:
     ```powershell
     scp address_list.rsc admin@<router_ip>:/address_list.rsc
     ```
     Replace `<router_ip>` with your router’s IP (e.g., `69.85.70.36`).
  3. **Import the File**:
     Connect via SSH:
     ```bash
     ssh admin@<router_ip>
     ```
     Import the script:
     ```
     /import file=address_list.rsc
     ```

- **Method 2: WinBox**
  1. Open WinBox and connect to your router.
  2. Go to **Files** in the left menu.
  3. Drag and drop `address_list.rsc` from your PC to the Files window.
  4. In WinBox’s **System > Scripts** menu, create a new script:
     - Name: `ImportAddressList`
     - Source: `/import file=address_list.rsc`
  5. Run the script to apply the address list.

- **Method 3: WebFig**
  1. Open a browser and navigate to `http://<router_ip>` (or `https://<router_ip>` if WWW-SSL is enabled).
  2. Log in and go to **Files**.
  3. Click **Upload** and select `address_list.rsc`.
  4. Go to **System > Scripts**, create a new script with:
     ```
     /import file=address_list.rsc
     ```
  5. Run the script.

#### 3. **Verify the Address List**
After importing, check the address list:
```
/ip firewall address-list print where list=Blocked_IPs
```
Example output:
```
Flags: D - DYNAMIC
 #   LIST        ADDRESS             CREATION-TIME        COMMENT
 0   Blocked_IPs 79.127.159.187      jun/04/2025 16:43:00 Suspicious IP from sniffer
 1   Blocked_IPs 176.65.148.175      jun/04/2025 16:43:00 Suspicious DDoS source
 2   Blocked_IPs 23.162.216.0/24     jun/04/2025 16:43:00 Heavy traffic range
```

#### 4. **Integrate with Firewall Rules**
Ensure the address list is used in firewall rules to block traffic. Example:
```
/ip firewall filter
add chain=forward src-address-list=Blocked_IPs action=drop comment="Block suspicious IPs outgoing"
add chain=forward dst-address-list=Blocked_IPs action=drop comment="Block suspicious IPs incoming"
add chain=input src-address-list=Blocked_IPs action=drop comment="Block suspicious IPs to router"
```
Verify rules:
```
/ip firewall filter print where comment~"Block suspicious IPs"
```

#### 5. **Automate Updates (Optional)**
For ongoing management, automate address list updates:
- **Script on Remote Server**:
  Use a cron job or scheduled task to generate and upload `address_list.rsc`. Example (Linux):
  ```bash
  #!/bin/bash
  python3 generate_address_list.py
  scp address_list.rsc admin@<router_ip>:/address_list.rsc
  ssh admin@<router_ip> "/import file=address_list.rsc"
  ```
  Schedule with `crontab -e`:
  ```
  0 2 * * * /path/to/update_script.sh
  ```
- **RouterOS Fetch Tool**:
  Host the `.rsc` file on a web server and use MikroTik’s fetch tool:
  ```
  /tool fetch url="http://<your_server>/address_list.rsc" mode=http
  /import file=address_list.rsc
  ```
  Schedule on the router:
  ```
  /system scheduler
  add interval=1d name=update-address-list on-event=":delay 5s; /tool fetch url=\"http://<your_server>/address_list.rsc\" mode=http; /import file=address_list.rsc" policy=read,write,policy,test
  ```

#### 6. **Collbran-Specific Considerations**
- **Address List Growth**: Your issue with exponential address list growth (likely from the `Nginx` `detect-ddos` rule) can be managed by uploading a curated list of IPs (e.g., `23.162.216.0/24`) to `Blocked_IPs` and disabling dynamic additions:
  ```
  /ip firewall raw disable [find comment~"Nginx"]
  /ip firewall address-list remove [find dynamic=yes]
  ```
- **Compliance**: Ensure logs capture blocked traffic for CPA auditing:
  ```
  /system logging
  add topics=firewall action=disk
  ```
- **ISP Requirements**: Verify with your ISP that bulk address list updates align with their DDoS protection policies.

### Security Best Practices
- **Secure Access**: Use SSH with strong passwords or public key authentication. Disable unused services:
  ```
  /ip service disable telnet,ftp,api
  ```
- **Backup Before Changes**:
  ```
  /export file=backup-before-address-list.rsc
  ```
- **Test Changes**: Apply the address list in a test environment or during a maintenance window to avoid disrupting Collbran’s network.
- **Limit Scope**: Restrict address list imports to trusted sources to prevent malicious scripts:
  ```
  /ip firewall filter
  add chain=input protocol=tcp dst-port=22 src-address=<your_management_ip> action=accept
  add chain=input protocol=tcp dst-port=22 action=drop
  ```

### Troubleshooting
- **Import Errors**:
  If `/import` fails, check the file format:
  ```
  /log print where topics~error
  ```
  Ensure no syntax errors in `address_list.rsc`.
- **File Upload Issues**:
  Verify connectivity and permissions:
  ```
  /ping <your_pc_ip> count=4
  /file print
  ```
- **Address List Not Applied**:
  Confirm the list exists and rules reference it:
  ```
  /ip firewall address-list print
  /ip firewall filter print where src-address-list=Blocked_IPs
  ```

### Example Workflow
1. Create `address_list.rsc` on your PC:
   ```
   /ip firewall address-list
   add list=Blocked_IPs address=23.162.216.0/24 comment="Block heavy traffic"
   ```
2. Upload via SCP:
   ```bash
   scp address_list.rsc admin@69.85.70.36:/address_list.rsc
   ```
3. SSH and import:
   ```bash
   ssh admin@69.85.70.36
   /import file=address_list.rsc
   ```
4. Verify:
   ```
   /ip firewall address-list print where list=Blocked_IPs
   ```
5. Ensure firewall rules use the list:
   ```
   /ip firewall filter print where comment~"Block suspicious IPs"
   ```

### Next Steps for Collbran
- **Test the Upload**: Try uploading a small address list (e.g., just `23.162.216.0/24`) and verify it blocks traffic from `00:1C:0F:D2:5C:1B`.
- **Monitor Growth**:
  ```
  /ip firewall address-list print count-only interval=10s
  ```
- **Share Outputs**:
  - `/ip firewall address-list print`
  - `/log print where topics~error`
- **Focus Area**: Do you want to automate this process or need help with a specific upload method (e.g., SSH vs. WinBox)?

Let me know if you need a tailored script or assistance with a particular step!

Back to top