Summary This guide demonstrates how to block network traffic to specific countries using MikroTik RouterOS. You will learn to source IP blocks from IPDeny, format them into CLI commands using a spreadsheet, and configure a firewall drop rule to restrict access to unwanted geographic regions.

How to Block Traffic to Specific Countries on MikroTik

Managing where your network traffic goes is a critical part of modern network security. Whether you are complying with corporate policies or simply trying to prevent users from accessing servers in high-risk regions, blocking traffic by country is a powerful control to have.

While MikroTik RouterOS doesn’t have a built-in “Block Country X” button, you can achieve this effectively using Address Lists and standard Firewall Filters. This tutorial walks you through the manual process of gathering IP ranges and applying them to your router.

Step 1: Sourcing the IP Blocks

To block a country, you first need a list of all the IP addresses assigned to that region. One of the most reliable and free sources for this data is IPDeny. They provide aggregated zone files updated frequently.

1. Navigate to IPDeny.com (or specifically their “IP Country Blocks” section).
2. Locate the country you wish to block in the list.
3. Download the zone file (usually a .txt file) for that specific country.

Note: IP allocations change over time. It is important to update these lists periodically to ensure you aren’t blocking new legitimate IPs or missing reassigned ones.

Step 2: Formatting the Data for RouterOS

The file you downloaded contains a raw list of IP subnets (e.g., 1.2.3.0/24), but your MikroTik router expects a specific command format to import them. We can use a spreadsheet program like Excel to automate this text formatting.

1. Open your spreadsheet software.
2. In Column B, paste the list of IP addresses you downloaded from IPDeny.
3. In Column A, we will write the prefix of the command. Enter the following text: ip firewall address-list add list=BlockedCountry address=
4. In a third column, use a formula to combine them. For example: =A1 & B1
5. Drag this formula down to cover all rows.

You now have a complete list of CLI commands ready for your router.

Step 3: Importing the Address List

With your commands prepared, it is time to load them into the router. This creates a named group of IPs (an Address List) that we can reference in our rules.

1. Copy the generated commands from your spreadsheet.
2. Open Winbox and access your MikroTik router.
3. Open a New Terminal window.
4. Paste the commands directly into the terminal.

If the list is massive, the paste might take a few seconds to process. Once finished, you can verify the import by going to IP > Firewall > Address Lists. You should see thousands of entries under the list name you chose (e.g., BlockedCountry).

Step 4: Creating the Drop Rule

Now that the router knows which IPs belong to the target country, you need to tell it what to do with traffic headed there. We will create a firewall filter rule to drop this traffic.

1. Go to IP > Firewall > Filter Rules.
2. Click the Add (+) button to create a new rule.

3. General Tab settings:
   • Chain: forward (This applies to traffic passing through the router, from your LAN to the Internet).
   • In. Interface: Select your LAN bridge or interface.

4. Advanced Tab settings:
   • Dst. Address List: Select the list you created (e.g., BlockedCountry).
5. Action Tab settings:
   • Action: drop.

Click OK to save. Move this rule high up in your firewall list to ensure it is processed before any “accept all” rules.

Tip: If you want to block traffic coming from that country as well, you can create a second rule with the Chain set to input (for traffic to the router) or forward (for traffic to your LAN) and set the Src. Address List to your country list.

Simplifying Management with NatCloud

Managing these lists manually on one router is feasible, but keeping them updated across dozens or hundreds of devices is a challenge.

NatCloud by MKController allows you to manage your MikroTik devices remotely, even behind CGNAT. While this tutorial focuses on manual configuration, using a centralized management platform helps you push scripts and configuration updates to multiple routers instantly, ensuring your security policies—like these geoblocks—are always up to date without the manual spreadsheet work.

---

About MKController

Hope the insights above helped you navigate your MikroTik and Internet universe a little better! 🚀
Whether you’re fine-tuning configs or just trying to bring some order to the network madness, MKController is here to make your life simpler.

With centralized cloud management, automated security updates, and a dashboard that anyone can master, we’ve got what it takes to upgrade your operation.

👉 Start your free 3-day trial now at mkcontroller.com — and see what effortless network control really looks like.