Unfortunately its not dynamic list. It might using extra write to internal flash even so you are download directly to usb/micro-sd. Still to figure it out interval update, dont wanna unnecessary write internal nand (they claim they update list every 30 minute, for time being i do update every 6-12 hours)

I see.

If like this, need to reduce the update interval.

Hi, thanks for recommending this blacklist, I didn't realise Mikrotik could be this powerful. After reading the above 2 links and cross referencing with Mikrotik documentation and Google searches, I found that pasting these lines into Terminal window will automatically download the file and add the rules to IPv4 Firewall.



My dumb question is, how to test whether the rules are working? IPv4 Firewall > Raw doesn't seem to be updating after an hour or so of normal surfing. Thank you so much.

yup, mikrotik indeed is a very powerful router, with script it can do a lot of things.

check the rules counter.

firewall will use the rules to inspect network traffic, if the condition is match, it will in effect. like block input/forward packet from certain IP in blacklist.

try add the rule in filter rule, not raw. and the chain to input and forward for each rule, it works for me.



maybe someone with more experience in firewall can comment on this.



This post has been edited by Ebony & Ivory: Mar 27 2018, 01:13 AM

@charymsylyn u might add another this line

With this you will block from internet to ur network (the previous setting block opposite way)

i just fetched the sbl and converted it to dynamic address list manually, a bit hassle,

but at least it reduce write to the tiny flash storage significantly.

it is working fine so far, and i am still figuring how to do it with script.



the address entries is around 20k (blocklist.de+dshield), memory usage is 70MB+



This post has been edited by Ebony & Ivory: Mar 27 2018, 06:16 AM

Someone scanning for Winbox ports.
https://twitter.com/mikrotik_com/status/978533853324283904

Thanks a lot, now can see some hits.

Some useful DNS block (other than squidblacklist, can be customized)
Mikrotik Stop Ad

p/s: dont select all option...it will eat ur memory

halo brader soonwai

do u have any working ddns (afraid.org) script? my previous script is not working ar..

If your router can be seen from any of the management ports, your firewall configuration sucks.
In any of the tutorials i've done, despite not being complete i always block all input on WAN except for NTP and DNS to whitelisted servers. If you want to manage your mikrotik remotely, set up VPN on it and allow VPN because VPN does not interface with the OS directly, only the networking part so you can secure it. It is recommended to run your own internal VPN server (if you use ASUS as APs like i do, can use that too) but make sure that it is secured.

Never use blankets, always specify every access. So if you have an automated whitelist, make sure that the whitelist is specific in every way (service, ports, addresses). Dont allow input from google DNS for everything. only for specifics as an example. Not to mention that google does try to spy on you alongside many other servers so making sure they cant access your network is important even if its google or facebook as they're a pain when you set up an IPS as they always get blocked.

And use drop rather than deny as no response is better than unauthorised response.

Dun have wor. The only script I have for ddns is the namecheap one since that’s the only thing I use. Which script you using? From Mikrotik forum? I’m sure they’ll update it. afraid.org changed their update url format so lots of things stopped working. My old DNS-323 also cannot update already.

This post has been edited by soonwai: Mar 30 2018, 05:18 PM

ya lor from their forum.. suddenly not working.. haihz..
nevermind brader, already fix using this ddns (afraid.org) mikrotik one.. seems working..

anyway, thanks ar for replying..

Anyone have the step by step or terminal script to setup for Unifi IPv6? Thanks advance.

https://klseet.com/5-tm-unifi/unifi-general/258-unifi-ipv6
https://forum.lowyat.net/index.php?showtopi...&#entry63945436

The above 2 links should get you going. Not everything is necessary but they don't hurt so just follow one of them. I used the klseet guide when I first set mine up. I think it's the easiest to follow.

TM Unifi have IPV6 already? So we can have both IPV4 and IPV6 public addresses?

Yeah, quite long already, since 3/4 years ago or thereabouts.

I removed this from my router because it was taking up too much resources until at one point, it rejected my attempt to connect to wifi because there wasn't enough resources for me to connect (based on the log messages). It also didn't make sense to commit resources to block outgoing connection attempts to IP addresses blocked for spam and what not, if I was connecting to them, that means my devices was already compromised in some way and my problem is more serious.

After some Googling, I found someone who created and shared a simple ad-blocking script suitable for low RAM routers like my model so I wanted to share it with others. The code shown when pasted into terminal will auto create the script and even scheduler entry for auto updates. This makes adding this easy enough for even newbies like me.

https://www.micu.eu/mikrotik-adblock-script-lite/

Both Unifi and Time have been running dual stack for several years now. Even mobile telco also supports IPv6 but need to enable support in APN. Operators don't have much choice since APNIC has next to zero unallocated IPv4 addresses to give out having reached exhaustion back in 2011.

Great finding, lest complicated than my previous adblock. The list is almost the same. Btw its advisable to increase its cache to large size (let say about 16mb, cant rember default size)