How to block using address-list in MikroTik

If you have several destination websites (addresses) you want to block, and you may want to add more later, it is a good idea to group those addresses into a list with a name and then block using that name. From time to time you just add to the list, without writing a new blocking rule.

E.g. you want to block three websites: a.com (122.3.2.1), b.com (100.1.2.3) and c.com (29.9.9.1). First get their IP addresses, for instance with nslookup a.com, or whatever tool you prefer for looking up the address of whatever you want to block. Then add the resolved addresses to a list (let's name it BlockList). Finally, apply a firewall filter rule that blocks the list with action reject or drop. Keep in mind that a site's address can change, that a large site may sit behind many addresses, and that a CDN address may be shared with sites you did not mean to block, so a block by IP is only as good as the list you maintain. RouterOS 6.38 and later also accept a DNS name as an address-list entry and resolve it on the router itself, which keeps the entry current.

Here is how to do it from the command line:

/ip firewall address-list add address=122.3.2.1 list=BlockList

/ip firewall address-list add address=100.1.2.3 list=BlockList

/ip firewall address-list add address=29.9.9.1 list=BlockList

/ip firewall filter add action=reject chain=forward dst-address-list=BlockList in-interface=lan out-interface=internet

… Later you can just add more addresses to the list; the existing rule applies to them automatically. One caveat: add appends the rule to the end of the forward chain, so if the chain already contains a rule that accepts traffic from lan to internet, the reject rule must be placed above it (place-before=) or it never matches. Note that you can also use the same list with other things like mangle, or with src-address-list to block sources instead of destinations.
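The same block list with the router doing the resolving and the rule placed where it actually fires, as an added example that is not part of the original post. It assumes RouterOS 6.38 or later (DNS names in address lists), the interface names lan and internet used above, and that a.com and b.com are placeholder names.

```routeros
# Added example; not from the original post. Assumes RouterOS 6.38+ and
# interfaces named "lan" and "internet". Hostnames are placeholders.

# 1. Build the list. A DNS name as an entry is resolved by the router and
#    every A record it returns becomes a dynamic sub-entry that is refreshed
#    when its TTL expires, so the list does not go stale the way pasted
#    nslookup output does. Literal addresses and subnets still work.
/ip firewall address-list
add list=BlockList address=a.com comment="resolved by the router"
add list=BlockList address=b.com
add list=BlockList address=29.9.9.1
add list=BlockList address=100.1.2.0/24 comment="whole subnet"

# 2. The blocking rule. A plain "add" appends to the end of the forward
#    chain; if an accept rule for lan->internet already exists there, the
#    new rule would sit below it and never match. place-before=0 inserts at
#    the top instead. The log rule is added last with the same placement, so
#    it ends up above the reject and records what is being blocked.
/ip firewall filter
add chain=forward in-interface=lan out-interface=internet \
    dst-address-list=BlockList action=reject \
    reject-with=icmp-network-unreachable place-before=0
add chain=forward in-interface=lan out-interface=internet \
    dst-address-list=BlockList action=log log-prefix="BlockList" place-before=0

# 3. Verify: the dynamic entries should show the resolved addresses, and the
#    rule counters should rise when a client tries to reach a listed site.
/ip firewall address-list print where list=BlockList
/ip firewall filter print stats where dst-address-list=BlockList
/log print where message~"BlockList"
```

The router's resolver decides which addresses land in the list. A client that uses its own resolver (DNS over HTTPS, for example) may get different addresses for the same name, so for anything more than a nuisance block, force clients to use the router's DNS as well.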

Some Basic MikroTik Commands

Here are some basic commands.

  1. To give a network card a name

/interface print

/interface set numbers=0 name=internet

/interface set numbers=1 name=lan

(The numbers come from the print output and can change when interfaces are added or removed; in scripts it is safer to set an interface by its current name than by its number.)

  2. To assign an IP address to a network card

/ip dhcp-client add interface=internet

/ip address add address=10.0.0.1/24 interface=lan
/ip address add address=10.0.0.1 netmask=255.255.255.0 interface=lan

(The two address commands are equivalent; use either one.)

  3. To create a NAT rule (to allow all clients out to the internet)

/ip firewall nat add chain=srcnat action=masquerade out-interface=internet

  4. To assign DNS servers (your primary DNS is x.x.x.x)

/ip dns set servers=x.x.x.x,8.8.8.8 allow-remote-requests=yes

allow-remote-requests=yes turns the router into a DNS resolver for its clients. It will answer any host that can reach it on port 53, including hosts on the internet side, unless your input chain drops DNS arriving on the internet interface. Do not leave that open: a public open resolver is found quickly and abused for DNS amplification.

  5. To create DHCP (the easiest way)

/ip dhcp-server setup (just follow the prompts, and be sure to select interface "lan")

Or, if you want to do it manually:

/ip pool add name=YOUR_POOL_NAME ranges=10.2.0.1-10.2.0.100

/ip dhcp-server add name=YOUR_DHCP_NAME address-pool=YOUR_POOL_NAME interface=YOUR_INTERFACE

(The pool range must lie inside the subnet configured on that interface. The setup wizard also creates the dhcp-server network entry that hands out the gateway and DNS server to clients; when doing it by hand you need to add that yourself.)
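The five steps put together, as an added example that is not part of the original post: a minimal configuration that also closes the open-resolver hole from step 4 and adds the input rules a router on a public address needs. It assumes ether1 is the WAN port, ether2 the LAN port, a LAN of 10.0.0.0/24, and x.x.x.x as the placeholder for your provider's DNS server; the pool and server names are made up.

```routeros
# Added example, not from the original post. Assumptions: ether1 = WAN,
# ether2 = LAN, LAN subnet 10.0.0.0/24, x.x.x.x = your upstream DNS
# (placeholder). Names lan-pool and lan-dhcp are made up.

# 1. Name the interfaces by their factory name rather than by index number;
#    index numbers shift when interfaces are added or removed.
/interface ethernet
set [ find default-name=ether1 ] name=internet
set [ find default-name=ether2 ] name=lan

# 2. Addresses: DHCP on the WAN side, static on the LAN side.
/ip dhcp-client add interface=internet disabled=no
/ip address add address=10.0.0.1/24 interface=lan

# 3. Source NAT so LAN clients can reach the internet.
/ip firewall nat add chain=srcnat out-interface=internet action=masquerade

# 4. DNS. allow-remote-requests=yes makes the router answer queries for its
#    clients, but it answers anyone who can reach port 53 unless the input
#    chain stops that. The explicit port-53 drops are there so the counters
#    show how often the internet side knocks; the final rule drops everything
#    else (winbox, www, ssh, ...) that arrives from the internet.
/ip dns set servers=x.x.x.x,8.8.8.8 allow-remote-requests=yes
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=lan action=accept
add chain=input in-interface=internet protocol=udp dst-port=53 action=drop \
    comment="no open resolver"
add chain=input in-interface=internet protocol=tcp dst-port=53 action=drop \
    comment="no open resolver"
add chain=input in-interface=internet action=drop \
    comment="nothing else from the internet"

# 5. DHCP server for the LAN, done by hand. The pool lies inside the subnet
#    from step 2, and the network entry tells clients their gateway and DNS
#    (both the router), which the setup wizard would otherwise do for you.
/ip pool add name=lan-pool ranges=10.0.0.10-10.0.0.100
/ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.1 dns-server=10.0.0.1
/ip dhcp-server add name=lan-dhcp interface=lan address-pool=lan-pool disabled=no

# Check: the port-53 drop counters should rise only for traffic from the
# internet interface, while the resolver keeps answering the LAN.
/ip firewall filter print stats where chain=input
/ip dns cache print
```

The input rules must come in this order: the accept for established,related first, then the LAN accept, then the drops. Since add appends, enter them on a router whose input chain is empty, or use place-before to put them above any existing accept rule.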

You can find more commands in the official MikroTik wiki, which gives both GUI and CLI procedures: https://wiki.mikrotik.com/wiki/Manual:TOC

How to allow remote access to your Raspberry box (or any server) from outside via a MikroTik box

Now I would like to show you how to allow remote access to your internal server from outside (the internet) using a MikroTik router: port forwarding.

What I have:

  • public address (internet address): 10.11.12.137 (assumed for this example)
  • internal server: 10.0.0.2 (an SSH server here, but any other service works the same way)

How to configure on your MikroTik:

I will use the command line because it is quick and easy; if you use a GUI like WebFig or WinBox, you can open a terminal from the menu on the left-hand side.

There are two things you need to do:

  1. Add a NAT rule in the 'dstnat' chain
  2. Add a filter rule in the 'forward' chain

/ip firewall nat add chain=dstnat dst-address=10.11.12.137 dst-port=22 protocol=tcp action=dst-nat to-addresses=10.0.0.2

/ip firewall filter
add chain=forward connection-state=established,related action=accept

If your public address changes (DHCP or PPPoE from the provider), match on in-interface=internet instead of dst-address so the rule does not break at the next lease. The filter rule above only accepts return traffic; the new inbound connection itself gets through because a forward chain with no matching drop rule accepts by default. If your forward chain drops new connections from the internet, add an accept for the forwarded traffic (connection-nat-state=dstnat) above that drop.

If you want to use a different port on the outside, for example accept connections on port 8022 from the internet while the server still listens on 22, just add a little to the previous rules. This keeps the obvious port off the public side; it hides the service, it does not protect it, so the server still needs its own hardening:

/ip firewall nat add chain=dstnat dst-address=10.11.12.137 dst-port=8022 protocol=tcp action=dst-nat to-addresses=10.0.0.2 to-ports=22

/ip firewall filter
add chain=forward connection-state=established,related action=accept
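The same port forward with the protections a practitioner adds before exposing SSH, as an added example that is not part of the original post. It keeps the addresses used above (server 10.0.0.2, interface internet), matches on the interface so a dynamic public address does not matter, and assumes the forward chain is empty before these rules are entered, since their order is what makes them work; the list names ssh_stage1, ssh_stage2, ssh_stage3 and ssh_blacklist are made up.

```routeros
# Added example, not from the original post. Assumes interface "internet",
# SSH server 10.0.0.2, and an empty forward chain (rule order matters).
# Address-list names are made up.

# dst-nat on the interface, not on the public address, so a new lease from
# the provider does not silently break the rule.
/ip firewall nat
add chain=dstnat in-interface=internet protocol=tcp dst-port=8022 \
    action=dst-nat to-addresses=10.0.0.2 to-ports=22 comment="ssh to pi"

# dst-nat runs in prerouting, so by the time a packet reaches the forward
# chain its destination is already 10.0.0.2:22. Match on that, not on 8022.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop

# Brute-force protection. add-src-to-address-list is a passthrough action,
# so a packet keeps going down the chain after being counted. A source from
# the internet that opens four new SSH connections in quick succession
# (each within a minute of the previous one) lands in ssh_blacklist and is
# dropped for a day. The drop must sit above the accept further down.
add chain=forward in-interface=internet protocol=tcp dst-address=10.0.0.2 \
    dst-port=22 src-address-list=ssh_blacklist action=drop \
    comment="ssh brute force"
add chain=forward in-interface=internet protocol=tcp dst-address=10.0.0.2 \
    dst-port=22 connection-state=new src-address-list=ssh_stage3 \
    action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1d
add chain=forward in-interface=internet protocol=tcp dst-address=10.0.0.2 \
    dst-port=22 connection-state=new src-address-list=ssh_stage2 \
    action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m
add chain=forward in-interface=internet protocol=tcp dst-address=10.0.0.2 \
    dst-port=22 connection-state=new src-address-list=ssh_stage1 \
    action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m
add chain=forward in-interface=internet protocol=tcp dst-address=10.0.0.2 \
    dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m

# Only the forwarded port reaches the server from the internet; every other
# new connection from the internet side is dropped. LAN traffic is accepted.
add chain=forward in-interface=internet connection-nat-state=dstnat \
    protocol=tcp dst-address=10.0.0.2 dst-port=22 action=accept
add chain=forward in-interface=internet connection-state=new action=drop
add chain=forward in-interface=lan action=accept

# Watch the lists fill and the counters move while you test from outside.
/ip firewall address-list print where list~"ssh_"
/ip firewall filter print stats where chain=forward
```

LAN clients should connect to 10.0.0.2:22 directly; reaching the server through the public address from the inside needs an extra hairpin NAT rule that is not shown here. To unblock yourself after a failed test, remove your entry from ssh_blacklist instead of waiting a day.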

That's it, thank you.