GeoBlocking for MikroTik
đ How It Works
Our automated scripts manage IP address lists by country with auto-cleanup capabilities:
- Downloads country IP lists from our server daily
- Creates/updates address-lists (e.g.,
geo-block-ru,geo-block-cn) - Automatically removes old lists when you change the country configuration
- Firewall rules need to be added manually (one-time setup)
â ī¸ Important: Country codes must be in lowercase using 2-letter ISO codes (e.g., "ru", "cn", "ir", "kp").
1. Installation
Paste these commands into your WinBox Terminal to download and install the automation scripts:
IPv4 Script:
/tool fetch url="http://lists.cycr.xyz/public/mikrotik/update_ipv4.txt" dst-path=v4.txt; :delay 2s; /system script add name="Update-Geo-IPv4" source=[/file get v4.txt contents]; /file remove v4.txt
IPv6 Script:
/tool fetch url="http://lists.cycr.xyz/public/mikrotik/update_ipv6.txt" dst-path=v6.txt; :delay 2s; /system script add name="Update-Geo-IPv6" source=[/file get v6.txt contents]; /file remove v6.txt
2. Configure Countries
Go to System â Scripts and edit both scripts to set which countries to block:
:local countries {"ru";"cn";"ir";"kp";"br";"vn"}
Replace with your desired country codes. Remember: lowercase only!
3. First Run (Manual)
Run the scripts manually to download and populate the address lists:
/system script run Update-Geo-IPv4
/system script run Update-Geo-IPv6
This will take a few minutes depending on the number of countries. You can monitor progress in Log.
4. Add Firewall Rules (One-Time Setup)
After the address lists are created, choose your blocking strategy:
⥠Option A: RAW (Recommended)
Block incoming + outgoing | Maximum performance
Block incoming + outgoing | Maximum performance
đ Option B: Filter
Block incoming only | Allow outgoing
Block incoming only | Allow outgoing
â
Recommended: RAW firewall processes packets before routing, providing maximum performance and blocking traffic in both directions (incoming + outgoing).
IPv4 RAW Rules:
/ip firewall raw add chain=prerouting src-address-list=geo-block-ru action=drop comment=GeoBlock-ru place-before=0
/ip firewall raw add chain=prerouting src-address-list=geo-block-cn action=drop comment=GeoBlock-cn place-before=0
/ip firewall raw add chain=prerouting src-address-list=geo-block-ir action=drop comment=GeoBlock-ir place-before=0
/ip firewall raw add chain=prerouting src-address-list=geo-block-kp action=drop comment=GeoBlock-kp place-before=0
/ip firewall raw add chain=prerouting src-address-list=geo-block-br action=drop comment=GeoBlock-br place-before=0
/ip firewall raw add chain=prerouting src-address-list=geo-block-vn action=drop comment=GeoBlock-vn place-before=0
IPv6 RAW Rules:
/ipv6 firewall raw add chain=prerouting src-address-list=geo-block-ru action=drop comment=GeoBlock-ru place-before=0
/ipv6 firewall raw add chain=prerouting src-address-list=geo-block-cn action=drop comment=GeoBlock-cn place-before=0
/ipv6 firewall raw add chain=prerouting src-address-list=geo-block-ir action=drop comment=GeoBlock-ir place-before=0
/ipv6 firewall raw add chain=prerouting src-address-list=geo-block-kp action=drop comment=GeoBlock-kp place-before=0
/ipv6 firewall raw add chain=prerouting src-address-list=geo-block-br action=drop comment=GeoBlock-br place-before=0
/ipv6 firewall raw add chain=prerouting src-address-list=geo-block-vn action=drop comment=GeoBlock-vn place-before=0
How it works:
chain=prerouting- Processes packets before routing (catches both incoming and outgoing)src-address-list=geo-block-XX- Matches source IPs from the country listaction=drop- Silently drops packets (no ICMP response)place-before=0- Places rule at the top for maximum performance
âšī¸ Note: Filter rules block only incoming traffic. Outgoing connections to blocked countries will still work (useful if you need to access services in those countries).
IPv4 Filter Rules (Incoming Only):
/ip firewall filter add chain=input src-address-list=geo-block-ru action=drop comment=GeoBlock-ru place-before=0
/ip firewall filter add chain=input src-address-list=geo-block-cn action=drop comment=GeoBlock-cn place-before=0
/ip firewall filter add chain=input src-address-list=geo-block-ir action=drop comment=GeoBlock-ir place-before=0
/ip firewall filter add chain=input src-address-list=geo-block-kp action=drop comment=GeoBlock-kp place-before=0
/ip firewall filter add chain=input src-address-list=geo-block-br action=drop comment=GeoBlock-br place-before=0
/ip firewall filter add chain=input src-address-list=geo-block-vn action=drop comment=GeoBlock-vn place-before=0
/ip firewall filter add chain=forward src-address-list=geo-block-ru action=drop comment=GeoBlock-ru place-before=0
/ip firewall filter add chain=forward src-address-list=geo-block-cn action=drop comment=GeoBlock-cn place-before=0
/ip firewall filter add chain=forward src-address-list=geo-block-ir action=drop comment=GeoBlock-ir place-before=0
/ip firewall filter add chain=forward src-address-list=geo-block-kp action=drop comment=GeoBlock-kp place-before=0
/ip firewall filter add chain=forward src-address-list=geo-block-br action=drop comment=GeoBlock-br place-before=0
/ip firewall filter add chain=forward src-address-list=geo-block-vn action=drop comment=GeoBlock-vn place-before=0
IPv6 Filter Rules (Incoming Only):
/ipv6 firewall filter add chain=input src-address-list=geo-block-ru action=drop comment=GeoBlock-ru place-before=0
/ipv6 firewall filter add chain=input src-address-list=geo-block-cn action=drop comment=GeoBlock-cn place-before=0
/ipv6 firewall filter add chain=input src-address-list=geo-block-ir action=drop comment=GeoBlock-ir place-before=0
/ipv6 firewall filter add chain=input src-address-list=geo-block-kp action=drop comment=GeoBlock-kp place-before=0
/ipv6 firewall filter add chain=input src-address-list=geo-block-br action=drop comment=GeoBlock-br place-before=0
/ipv6 firewall filter add chain=input src-address-list=geo-block-vn action=drop comment=GeoBlock-vn place-before=0
/ipv6 firewall filter add chain=forward src-address-list=geo-block-ru action=drop comment=GeoBlock-ru place-before=0
/ipv6 firewall filter add chain=forward src-address-list=geo-block-cn action=drop comment=GeoBlock-cn place-before=0
/ipv6 firewall filter add chain=forward src-address-list=geo-block-ir action=drop comment=GeoBlock-ir place-before=0
/ipv6 firewall filter add chain=forward src-address-list=geo-block-kp action=drop comment=GeoBlock-kp place-before=0
/ipv6 firewall filter add chain=forward src-address-list=geo-block-br action=drop comment=GeoBlock-br place-before=0
/ipv6 firewall filter add chain=forward src-address-list=geo-block-vn action=drop comment=GeoBlock-vn place-before=0
How it works:
chain=input- Blocks traffic to the router itselfchain=forward- Blocks traffic passing through the routersrc-address-list=geo-block-XX- Matches source IPs from the country list- Outgoing traffic (router â blocked country) is not blocked
5. Scheduler Setup (Automation)
Configure daily automatic updates at 04:00 AM:
/system scheduler add name="Sched-IPv4" interval=1d start-time=04:00:00 on-event="Update-Geo-IPv4"
/system scheduler add name="Sched-IPv6" interval=1d start-time=04:15:00 on-event="Update-Geo-IPv6"
The scripts will automatically update the address lists every day. No need to touch the firewall rules again!
6. Managing Countries
To add a country:
- Edit the
countrieslist in both scripts (add the country code) - Run the scripts manually or wait for the scheduler
- Add the corresponding firewall rules manually (see step 4)
To remove a country:
- Remove the country code from the
countrieslist in both scripts - Run the scripts - the address lists will be automatically removed
- Manually remove the firewall rules for that country
Example: Remove China, add Poland
# 1. Edit scripts: change {"ru";"cn";"ir"} to {"ru";"pl";"ir"}
# 2. Run scripts to update lists
# 3. Remove rules for "cn":
# If using RAW:
/ip firewall raw remove [find comment=GeoBlock-cn]
/ipv6 firewall raw remove [find comment=GeoBlock-cn]
# If using Filter:
/ip firewall filter remove [find comment=GeoBlock-cn]
/ipv6 firewall filter remove [find comment=GeoBlock-cn]
# 4. Add rules for "pl":
# If using RAW:
/ip firewall raw add chain=prerouting src-address-list=geo-block-pl action=drop comment=GeoBlock-pl place-before=0
/ipv6 firewall raw add chain=prerouting src-address-list=geo-block-pl action=drop comment=GeoBlock-pl place-before=0
# If using Filter:
/ip firewall filter add chain=input src-address-list=geo-block-pl action=drop comment=GeoBlock-pl place-before=0
/ip firewall filter add chain=forward src-address-list=geo-block-pl action=drop comment=GeoBlock-pl place-before=0
/ipv6 firewall filter add chain=input src-address-list=geo-block-pl action=drop comment=GeoBlock-pl place-before=0
/ipv6 firewall filter add chain=forward src-address-list=geo-block-pl action=drop comment=GeoBlock-pl place-before=0
đ Verification
Check if everything is working correctly:
Check Address Lists:
/ip firewall address-list print count-only where list~"geo-block"
/ipv6 firewall address-list print count-only where list~"geo-block"
Check Firewall Rules:
# If using RAW:
/ip firewall raw print where comment~"GeoBlock"
/ipv6 firewall raw print where comment~"GeoBlock"
# If using Filter:
/ip firewall filter print where comment~"GeoBlock"
/ipv6 firewall filter print where comment~"GeoBlock"
View specific country list:
/ip firewall address-list print where list=geo-block-ru
RAW Access
đ Public Repositories
Access raw data files and generated scripts directly for manual use or third-party tools.
Available Resources:
- Country Scripts (RSC): Individual MikroTik scripts per country (e.g.,
ru-ipv4.rsc,cn-ipv6.rsc) - Automation Scripts:
update_ipv4.txtandupdate_ipv6.txt - Raw Data (TXT): Plain text IP lists for custom integrations
đ Supported Countries
All countries use ISO 3166-1 alpha-2 codes (lowercase). Examples:
ru = Russia
cn = China
us = United States
de = Germany
pl = Poland
ir = Iran
kp = North Korea
br = Brazil
vn = Vietnam
ua = Ukraine
gb = United Kingdom
fr = France
...
Full list of 250+ countries available in the repository. Each country has both IPv4 and IPv6 lists.