Mikrotik how to block IP address. Sensitive data

Blocking sites in the Mikrotik router

In this instructions, you will learn how to block any site in the Mikrotik router, a social network of classmates,. etc.P.

In Mikrotik Routeros, starting with version 6.36, it became possible to indicate the DNS sites of sites addressed to lists, and the router itself determines their IP addresses or the IP address ranges. Therefore, the process of blocking sites with the help of a firewall was significantly simplified.

In Routeros 6.36 and above, open the NewTerminal menu and follow the following commands to block sites:

Mikrotik. Blocking an IP address

# Добавляем список запрещенных сайтов с названием BlockedSites/ip firewall address-list add list=BlockedSites address=YouTube.com Disabled = No/IP Firewall Address-List Add List = Blockedsites Address = VK.com Disabled = No/IP Firewall Address-List Add List = Blockedsites Address = OK.ru disabled = no

# Add to the firewall the rule of blocking sites from the list Blockedsites/IP FireWall Filter Add Chain = Forward Src-ddress-List = Blockedsites Protocol = TCP Action = TCP-Reeset Comment = “BloCdes

# Move the Blockedsites rule in the firewall above the rest of the rules/IP FireWall Filter Move [Find Comment = “Blockedsites”] 1

Registration of prohibited sites can be edited in the IP menu. Firewall on the Address Lists tab.

The blocking rule is in the IP menu. Firewall on the Filter Rules tab.

Routeros by the name of the site defines the ranges of IP addresses well, but not perfectly. I failed to block COM and Instagram sites using this method.com, since Mikrotik found not all the necessary ranges of IP addresses. I had to manually find the necessary IP addresses and add them. How to do this is written below.

How to block IP address on Mikrotik Router by Khmer News Technologies

Blocking sites by IP address

Firewall allows you to block the site by its IP address. You can find out the IP address of the site in Windows by typing in the console the NSLOOKUP command name, for example NSLOOKUP VK.com.

To execute the NSLOOKUP command in the Mikrotik router, Open the New Terminal menu and execute the PUT analogue command [: resolve vk.com]

Sitches of social networks have many servers with different IP addresses and the above commands may not show the addresses of all servers. Therefore, it is best to find out which networks belong to this social network with the help of online services of Whois. For example, Ltd owns a network and

In search of IP addresses, the BGP service will also help.he.Net

After we recognized the IP address we need, follow the following commands in the Mikrotik terminal:

# Добавляем список запрещенных IP-адресов с названием BlockedSites/ip firewall address-list add list=BlockedSites address= Disabled = No/IP Firewall Address-List Add List = Blockedsites Address = Disabled = No/IP Firewall Address-List Add List = Blockedsites Address = Disabled = No

# Добавляем в фаервол правило блокировки IP-адресов из списка BlockedSites/ip firewall filter add chain=forward src-address-list=BlockedSites protocol=tcp action=reject reject-with=tcp-reset comment=”BlockedSites” disabled=no

# Move the Blockedsites rule in the firewall above the rest of the rules/IP FireWall Filter Move [Find Comment = “Blockedsites”] 1

Blocking social networks is a rather laborious process, since social networks open duplicates of their sites with other names and IP server addresses. Advanced users bypass restrictions with the help of anonymizer sites. Therefore, blocking access to social networks, you will also have to look for anonymizers’ sites and block them also.

Mikrotik Close access to certain sites

Standard work scheme in the office: First of all, everyone includes their computers and enters popular sites. There are plenty of them in our time. What are classmates or all kinds of network games. If the authorities find bad habits in subordinates, a new task is received by the system administrator: close the listed sites!

This is what we will do now. This will help us with Mikrotik Routerboard 750G or Mikrotik Routerboard 1100. In this case, Routerboard 1100 was installed, since the office network was quite large and it was planned to set a lot of rules in it. Therefore, they took the model more serious. Mikrotik Routerboard 750G is enough for small networks.

For example, we will temporarily forbid access to the ASP24 website.ru

Now we need to find out the IP address ASP24.ru.

We go as in the picture and kick ASP24.ru. See, we need, IP address:

Now, having IP, we can freely prohibit access to this site.

We go to the Action tab. We select Drop in the line and press the OK button.

Now the site is not available to any of the subnet.

Similarly, it is easy to block unwanted sites from visiting. To block some sites, you may need to prescribe several IP addresses, having previously scanned hosting on which the site is located.

If you find an error in the text, select it with the mouse and press Ctrl Enter or click here.

Thank you very much for your help! We will correct the error soon!

Error message

No pictures are displayed, the article amend!

Please make an adjustment of the image, please.

And how to do the opposite, to ban everything, leave access to only one site and incoming RDP connection to the server.

For this, a scho is flooded with a deprivation for one site, the rule of the rule, the yake is permitted by the vikhіdni z’dnanny on the site, and the lower rule of the fence of all the same. In the fence of the rule.0.0.0/0 out.interface (Obov’yazkovo. I need trafic I in the Lokalno Local)

Appeal: 1) vhidy iznteis May name isp_1 2) Remove the trafic to DNS-SERVER (8.eight.eight.8) 3) reservoir blossom

Rules of Vyglyatimatim with the arrival of the rank: 0 Chain = Forward Action = Accept DST-DSADDRESS = 8.eight.eight.8 Out-Interface = ISP_1 LOG = No Log-Prefix = “” 1 Chain = Forward Action = Accept Connection-State = Established, Relateed Log = No Log-Prefix = “” 2 Chain = Forward DSTDRESSS.0.0.0/0 out.interface = ISP_1 log = no log-prefix = “”

Yakshcho Trevtati access to the Decible resource, but often serpent resource addresses, then for Zruchny, Vikoristovati can “DST-DDDRESS-LIST” “DST-DSADDRESS” deputy

Type of locking. What to choose Drop or Reject?

In order to choose, you need to understand the difference between Drop and Reject.

The network has long been holivar on the topic that is better. The choice depends on what tasks you need to solve and what to protect yourself from.

In our example, we will use DROP, this will reduce the load on the processor and reduce the outgoing traffic, since the router will not send the answer (as in reject), but simply drop the connection.

Please note that there is Raw Prerouting and Mangle Prerouting. In our case, RAW Prerouting is used, since this processing is the first.

Mikrotik. protection against brutfort and scanning

In this note, I will describe the main steps to protect against non.thargeted botnet (which scan and brush the IP that will find on the network). As soon as you expose any iron with white IP to the world-it will not pass for 5-10 minutes, as it will begin to scan it, so we will create a few simple rules that will ban the IP botnet and drop their packages.

The main goals are always default ports and services with the most vulnerable applications for them, for example:

Based on appeals to these ports, we will create the rules by which all IP that turn to them will be considered brutoforsers and, accordingly, will be added to the blacklist.

To begin with, we will turn off the extra services on Mikrotik itself (or change their port to non.standard). This is done in IP. Services

Now we will create the white list of IP, on which our head rules will not act. Just in case, you can add a provider’s gateway IP here (it is unlikely that he will knock on our outside, but it may happen that he is a Natm for your provider’s employees and if for some reason they begin to scan your IP and IP The gateway will be in the black list, which will entail if not the absence of the Internet, then a number of small errors. for sure).

My white list for convenience, I called Whitelist. It is created in IP. Firewall. Address List

If you need to add a lot of IP, it is easier to do it through the console:

Then we will create the rules-if some IP turned to the default port (22nd in this example)-it falls into the black list (BlackList), provided that it is not from Whitelist (pay attention to the exclamation mark next to the SRC.Address List). IP. Firewall. Filter Rules. Add

In the screenshot, I indicated in in.Interface, which includes the provider cable. Instead, you can specify in.Interface List. Wan. In addition. if you do not want to ban the IP forever. in the Timeout field of the Action tab you can set the time after which the IP will move out of the list. Example (ban for 12 hours and 3 days):

All created rules should be higher than those allowing in the IP. Firewall list. If everything is done correctly. after a few minutes the first IP will appear in the address sheet of Blacklist. My rules have been working for a long time, so their number is already impressive:

Now it remains only to block all the appeals from the IP from the black list. As you can see in this Traffic Flow diagram, the RAW Preround is closest to the “entrance”.

In it we will create a rule. we will drop all the packages received from the IP from the black list on the external integrate of the microtics. IP. Firewall. Raw. Add.

Mikrotik. We allow and forbid

Using Mikrotik Routerboard, we organized access to the Internet for several computers, for example an office or several neighbors of a united local network. Everything is fine, everyone is happy and use the Internet. In the office, instead of work. “classmates” and “in contact”, or online games. There are also problems with neighbors: they don’t want to pay, but they continue to use the Internet. You need to solve the problem.

Mikrotik Routerboard has Firewall based on Netfilter and Iptables utilities.

Firewall. an inter.grid screen or a network screen. a complex of hardware or software, which controls and filter network packages at various levels of the OSI model in accordance with the specified rules.

Netfilter. inter.grid screen (firewall), built into the Linux nucleus.

IPTables. command line utility, is a standard integent screen management integer (firewall) Netfilter for Linux nuclei.

With their help, you can prohibit certain users with Internet access. We move directly to the setting of Mikrotik Routerboard. We carry out a standard connection procedure to Mikrotik Routerboard via Winbox.

We forbid access to the Internet for a computer with IP address 192.168.one.3. We go to the IP Firewall section.

We are interested in the first Filter Rules tab (filter rules). We create a prohibiting rule for IP 192.168.one.3.

Click plus on the General tab, select Chain (chain). Forward (passing traffic). In SRC.Address introduce the IP address of the computer that needs to be prohibited. We go to the Action tab (action).

Here we choose the action we need, that is, what to do with traffic relevant to this rule. Choose Drop. prohibit the passage of traffic. The rule is created.

Any computer attempts to go online will be stiffly stop.

If you find an error in the text, select it with the mouse and press Ctrl Enter or click here.


Routeros supports Wi-Fi white and black lists. There is a list of Wireless Access List for this. Just add devices there that do not have the right to connect to the network, and then remove the Authentication and Forwarding flags. For these purposes, you can use the command /Interface Wireless Access-List Add.

The case described above will work as Blacklist. To convert it into Whitelist, you need to put the indicated flags and change the type of work of the Wireless Inte Weep using the command /Interface Set 0 Default-Authection = No.

The Authentication Fleet is responsible for customer authentication. If it is installed for a specific integration, authentication is allowed by everyone except those devices that are listed in the access list without a flag. If the flag is not installed on the integration, then only those who are in the list of access with the flag can connect to the network.

FORWARDing setting is responsible for transmitting data between customers of one subnet. Usually it should not be touched, but if you build, for example, a Hotspot network, whose clients will only go to external networks (that is, they do not need internal interaction), turn off this option-this will improve the quality of communication.

Using Wireless Access List, you can configure the complex logic of customers: in terms of signal, time of day, limit the speed of each client or drive it into a certain VLAN without additional gestures. I highly recommend getting to know this tool better.

And Mikrotik knows how to make SSID in the form of emoji, for example: like this:. To do this, you need to translate the characters into Unicode using a tool like this and insert the resulting line into SSID.

How to protect Mikrotik Routerboard from external invasions

Typically, Mikrotik Routerboard is involved at least two intense. One looks at the local network, the other on the Internet. And through the integration that looks on the Internet, the villains will try to penetrate Mikrotik Routerboard.

To see if someone is trying to penetrate the Mikrotik Routerboard, let’s go to the log section.

At the moment, some kind of bastard is brazenly trying to choose a password for Mikrotik Routerboard. This is evidenced by System Error Critical. The options are displayed in red. You can also see the date when they tried to connect, the time, IP address of the villain and the service that there is an attack on the attack. In this case, it is via ssh, that is, ssh service.

What can we do for the sewing of Mikrotik Routerboard? First of all, you need to determine which services are launched on Mikrotik Routerboard. We go to the IP Services section.

In the window that appears, we see a list of advanced services. NAME is the name of the service.

FTP is a FTP server with which you can download files to the server and download them.

SSH is a server with which you can connect to Mikrotik Routerboard using console customers (such as Putty) and manage Mikrotik Routerboard with console teams.

WinBox is a graphic Mikrotik Routerboard Management Inte Weight.

WWW is a web server that makes it possible to connect to Mikrotik Routerboard using a browser.

Port is a port where the services expect connection.

Available from. indicates for which IP address or subnet is allowed access. allows access from any IP address.

Available from can be changed so that access to Mikrotik Routerboard is only from the internal network.

We click twice with the left mouse key on the service that interests us. Replace for the network we need (let’s say 192.168.four.0/24). Now the service is available only for the 192 network.168.four.0/24.

You can also allow access only from the administrator’s computer: click on the right service and indicate the IP address of the administrator.

FTP and WWW services can be completely disabled if they are rarely used.

Choose a service and click a red cross.

That’s all. As we see, after performing the actions, the cracker managed to connect one more time to connect. After applying the settings, his attempts ended.

If you find an error in the text, select it with the mouse and press Ctrl Enter or click here.

We defend ourselves from attacks

Until now, we have considered the rules of the firewall that allow you to process traffic by simple signs: integration, address, port. But the firewall is a much more flexible tool, with it you can build complex logic to counteract different types of attacks.

There are reserved addresses that are not used on the Internet. They are called “Bon-Adris”. We cut off packages from such addresses:

We expect packages only with Unionist addresses, so we will ban everything except them.

Port Scan Detect. a function that allows you to detect port scanner. How she works? The ports set a certain conditional weight. Weight. over, for system ports (until 1024), the weight coefficient is low (Low Ports), and for the rest-high (High Ports). If during the time the Delay Threshold from one host to the router fly to ports, the sum of the weights of which will be larger than Weight Threshold, then the sender’s address will be added to the Blacklist. In our example, if from one host in three seconds ten packs will arrive on ports to 1024th (total weight 10 2 = 20) and twenty packages for ports above the 1024th (20 1 = 20), their total weight will be 40. Please note that Port Scan Detect only works for TCP or UDP traffic.

One of the most common types of attacks is an attack on the refusal of maintenance, or DDOS. It is almost unrealistic to protect against it on your own. But with the help of a simple rule, you can cut off the simplest attempts of attack. We find a host who made more than 100 sessions to us, and add it to the Blacklist. In this rule, it is necessary to use the Connection-STATE = New. But we have already allowed all Established, Related and Untracked, and Invalid dropped, so only New packages will come here. Leaving or not this flag in the rule is your business. I note that with the help of the same feature can be identified in your network of torrents.

ICMP is one of the important protocols in any network. Many admins like to block it, but this is a very bad approach. It is ICMP that allows you to work tracing, indicate the inaccessibility of UDP ports, send different official messages. And if you prohibit it completely, you can catch a bunch of bugs. Each ICMP message has its own purpose, and already by this parameter it is easy to understand whether it makes sense to resolve any types of ICMP from the inside of the network or outside. For example:

  • ICMP Echo Request. our favorite ping, has type 8, code 0;
  • ICMP Echo Reply. response to ping, type 0, code 0;
  • Destination Unreachable. the node is not available, type 3 and codes 0–15, depending on the reason for the inaccessibility:
  • 0. the network is not available;
  • 1. the host is not available;
  • 2. the protocol is not available;
  • 3. the port is not available;
  • 4. fragmentation of the package is necessary, but it is prohibited (costs the DF. Don’t Fragment flag).

The rest is easy to find on the Internet, and it is better to read RFC 792.

Create the ICMP chain and send the entire ICMP traffic to it (you can create two chains: for LAN and WAN-and configure different politicians). We allow only the necessary types of messages and limit the processing by five packages per second:

TCP also supports a bunch of flags, some of which cannot be contained in one package. Combinations of these flags are often used by port scanners to break through poorly configured protection. We will make a separate chain for TCP and drip such “suspicious” packages:

Forward chain

Until now, we mainly looked at the traffic, who flew to the Input Champ, and then, according to some signs, he was directed to different chains. But all this traffic was intended for the router himself. The Output chain is rarely used, but you can filter in it, for example, ICMP windows from a router or IPSEC traffic. It is clear that most of the traffic will fall into Forward. after all, he is a router to redirect packages from one network (locker) to another (Internet or second VLAN LOBA). And in this chain we will control the traffic of users.

I will not talk in detail about what should be allowed or banned. about the main setting techniques and so several articles have already been written and there are a lot of examples on the Internet. Consider a more interesting case: network reputation.

On the Internet there are services containing lists of spammers, Ddosers, distributors of illegal content. If a Trojan-SPAMAMAR fell on cars on your network, then you will also find yourself in these lists. After some time, letters from any client from the inside the network will begin to get into spam from all recipients, then you will be added to public bluels and users will disappear to many resources. Including partners’ networks whose admins use such lists to prohibit potential pests. Imagine what will happen to your award when a letter with a multimillion.dollar contract from your chef will fall at the counterparty in the Spam folder.

Let’s try to protect our prize. To do this, you need to understand what reason we can be added to the lists. There are several reasons for this:

  • We are part of DOS or other botnet;
  • We send spam;
  • other people’s services will brush up from our addresses;
  • We violate copyright (distribute torrents).

Some readers of this article could well participate in the DDOS-beet, without realizing it. UDP Amplification attacks are based on incorrect services settings when you can contact them with a request to find out something from another server. For example, a DNS request may fly to us with a request to cut off the victim’s address. And people like us millions. When a million packets per second come to the victim, it will not be delighted, and we will see CPU loading at 100%, terrible brakes and once we find ourselves in a smaller list. The same scheme works with other UDP services, for example NTP. The conclusion is simple: block traffic to these services outside. But this is still about Input.

Not only a router can be part of such a botnet, but also cars inside the network. For a detective of such hosts, we will use the already famous feature of Connection Limit.

Too “thick” streams can also cause suspicion. We tax them:

On the port of destination, you can determine which service are hosts from the inside of our network. And if this is a well.known port, for example, DBMS, and all our bases are located inside the perimeter, it is logical to assume that hundreds of packages per second to this port on the Internet from the accountant’s computer are not an easy mistake and the personal interest of the accountant himself. We drop suspicious packages and return to the parent chain (last rule):


Turned off Contrack breaks NAT and FIRA FIRVOL, based on flows tracking: Connection-Bytes, Connection-Mark, Connection-Type, Connection-Limit, Connection-Rate, Layer7-Protocol, NEWECOL.

We proceed to the practice of setting. In this article I will tell you about the Filter table. the one that is engaged in filtering traffic. As we found out a little higher, the Input chain is responsible for the traffic to the router, and for the traffic that passes through the router. Forward. Let’s take up the protection of the router himself.

The first and most importantly that you need to remember when working with Firevol, was described in the lost chapter “Words about Igor’s Regiment”: “Remote setting up Firevol. to the Far Road”. So respect the ancestors. honor their covenants and use Safe Mode.

This mode works as follows: you press the Safe Mode button on the Inte Wee, and it remains pressed. Then you do everything that you are going, but these changes will be applied only when you click on the button again. If they lead to a break in the interaction of the router and the WinBox configurator (for example, if you have filtered your own packages or turned off the integration), then the router will return to the state that was before the entrance to Safe Mode.

Only 100 actions are remembered, but this is enough for most cases. There will be no reboot. the rollback instantaneous. From the console, this mode is activated by Ctrl-X.

None of them can be called unambiguously correct. I am an adherent of the second approach, but in unfamiliar networks I use the first.

To resolve the desired traffic, you need to decide on this very traffic. In the case of Input, this is quite simple. This is what you need for the correct operation of the router.

  • Management: Winbox, SSH, in some cases webfig, for example, to view load graphs.
  • If the provider gives out the address by DHCP, then allow this protocol on an external intese.
  • If the router is the DHCP server, then allow this protocol on internal intenses.
  • The same with DNS.
  • If we lift the tunnels, then allow them.
  • OSPF.
  • ICMP.
  • NTP.
  • Neighbor Discovery.
  • SNMP

Determined? Open the right one and close everything else.

Firewall works on the principle of “if [condition], then [action]”. If the conditions specified in the General, Advanced, Extra tabs are met, then action is applied to the package from the Action tab. Today we will have enough SRC/DST Address, Protocol, SRC/DST PORT, In/OUT Interface, Connection-STATE conditions. Their values ​​are clear by name, but if suddenly it is unclear. forward, read about the basics of TCP/IP. The most common actions: Accept-allowed, DROP-is prohibited (the package is simply destroyed), reject-is prohibited, but the sender will receive information that the package was destroyed due to the reason indicated in the Reject-With.

Each rule on the path of the package takes the processor time. And if this is uncritical in small networks, then with serious traffic volumes you need to take into account this moment. Consider the example.

In this case, when trying to connect to the SSH router from address 10.eleven.0.11 Firewall will contact the CPU six times with the question whether to skip this traffic. It looks something like this: “8291. not our port. we miss further. ten.0.0.0/24. not our subset, we miss further. The same for 10.ten.0.0/24, and only the sixth rule is suitable “. At the sixth step, the firewall will understand that the traffic is legitimate and you can skip it.

FTP packages and all other unresolved traffic will pull CPU seven times. the first six and the last drop. And this is in an invented example of the seven rules. In real life, the rules are an order of magnitude or two more.

The first thing we can do is unite two ports in one rule:

Slightly reduced the load. But there are three identical rules with the difference only in addresses. Using the Address List list, we can combine them into one.

Address List-Puck Routeros, which allows you to combine IP addresses, subnets and DNS, one entry.

Create three posts in one Address List.

So out of the seven rules we got two and got rid of excess load. By analogy with the address lists, lists of inteys work (I examined them in the previous article. “Protect Mikrotik”): We combine into one Interface List the intenses of different providers and hang the rules not on the intenses themselves, but on the lists. So we will not only reduce the load, but also simplify the life of the admin: the less rules, the more convenient to serve the system.

Another way to facilitate the work of the firewall is to use Conntrack. It is clear that Establined packages will be much larger than New, Related and Invalid, combined. And since we allowed the first package from the stream, then all other packages in this stream can be considered legitimate. Therefore, we simply create the rule “allow Established” and place it at the very top.

Choose the protocols and ports you need, create the corresponding lists of addresses and intense. Open everything you need and put the last rule Drop All. On this, the main setting of the Input chain can be considered completed.

By the way, by default, the firewall is equipped with a fairly strong setting. it is enough to make a network of almost any size normally. But there are always some features and any config can be improved taking into account its conditions.


Когда файрвол не работает или работает не так, как подразумевалось при настройке, виноват админ. There is no magic. The first thing you should pay attention to when trabruting are packages meters. If the counter does not increase, then traffic does not get into it. And if traffic does not fall, it means that this traffic is simply not there, or it was processed above the rule.

You remember that the rules of the firewall work on the principle of “who is the first to get up. that and the slippers”? If the package has fallen under the rule, then it will not go further. So, you need to look for a problem above. We just copy our rule, Action put an Accept (do not do a drop for trabruting. so when checking you can break access or disrupt the network) and gradually move it up to the first increase in meters in this rule. If traffic has already passed through this rule, then the counters will be non.zero and you can skip the packages we need, just drop the counters in this rule or in all Reset Counters buttons.

Suppose we found a rule in which our traffic falls, but should not fall. You need to understand why this is happening. The LOG option will help us with this. In the Action tab, put the LOG box (you can write a prefix for the rule so that it is easier to catch it in logs) and watch the logs where all the characteristics of the packages are written that fall under the rule. Among the characteristics: a chain, incoming and outgoing intenses, addresses and ports of the source and recipient, protocol, flags, packet size, NAT action.

If even at the very top in the rule the counters do not increase, remove the rules from the condition one by one. Start with integrations. admins are often confused in their ideas about where or where traffic should come from (for example, with a connector to the provider through PPPOE or in tunnels between branches or complex routing). The counters went? Turn on the log and watch the intenses and other parameters.

If this does not help, the time has come for heavy artillery. We go to Tools → Torch and study traffic on a router. Maybe there is no expected traffic at all. Another cool tool is TCPDUMP. Tools → Packet Sniffer. The analysis of the work of these tools draws on a separate article (if it is interesting to you, inform about this in the Комментарии и мнения владельцев to the article).

To simplify trablshuting, you can use the commenting function. If, due to Комментарии и мнения владельцев, the window becomes too large and this prevents you from looking at the rules, use the Inline Комментарии и мнения владельцев (Inline Комментарии и мнения владельцев and the opinions of the owners). So the Комментарии и мнения владельцев will stand in one line with the rule and more rules will fit into the window.

I also recommend distributing the rules in order, following a specific logic. And try to support her on all routers.