Earlier this year I started using both free and subscription-based blacklists from Squidblacklists.org. The blacklists were incredibly simple to implement into RouterOS and once configured, the lists can be scheduled to update at regular intervals via the RouterOS system scheduler. Squidblacklist.org provides a list of available blacklists, but make sure to review the blacklist compatibility chart first before implementing the list into your RouterOS configuration. In this example, it is important to note that this blacklist is only accessible via a Squidblacklist.org subscription account and that both YOUR_SBL_USERNAME and YOUR_SBL_PASSWORD values will need to be changed to reflect your Squidblacklist.org account credentials. In addition, you will need to change the “dst-path” value to an existing path for the script to work. If you want to download the blacklist to the root of your MikroTik you can delete the “dst-path” property and its value entirely. Also, make sure that the “in-interface” property value is set to that of your network environments WAN interface. Should you choose the “All-In-One Web Proxy Setup” script (via copy/paste in the MikroTik terminal), you will need to enable the scheduled tasks, since they are disabled by default in the script.
All-In-One Web Proxy Setup
/ip proxy
#CREATE TRANSPARENT WEB PROXY
set enabled=yes cache-administrator=webmaster max-cache-size=unlimited
/ip firewall nat
#REDIRECTION TO TRANSPARENT WEB PROXY
add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080 comment="Redirect to Transparent Web Proxy"
/ip firewall filter
#DROP WEB PROXY REQUESTS FROM WAN
add action=drop chain=input dst-port=8080 in-interfacet=ether1 protocol=tcp log=yes log-prefix="Drop_Web Proxy" comment="Drop Web Proxy requests from WAN."
/system script
#CREATE DOWNLOAD BLACKLISTS SCRIPT
add comment=Proxy name=Blacklist_SquidBlacklist_Download_tik-malicious.rsc policy=read,test source=":log warning \"START - Download blacklist (tik-malicious.rsc) updates.\";\r\
\n/tool fetch address=www.squidblacklist.org host=www.squidblacklist.org mode=http src-path=/downloads/tik-malicious.rsc user=YOUR_SBL_USERNAME password=YOUR_SBL_PASSWORD dst-path=/disk1/blacklists/tik-malicious.rsc\r\
\n:log warning \"END- Download blacklist (tik-malicious.rsc) updates.\";"
#CREATE IMPORT BLACKLISTS SCRIPT
add comment=Proxy name=Blacklist_SquidBlacklist_Import_tik-malicious.rsc policy=read,write source=":log warning \"START - Import blacklist (tik-malicious.rsc) update.\";\r\
\nimport /disk1/blacklists/tik-malicious.rsc\r\
\n:log warning \"END - Import blacklist (tik-malicious.rsc) update.\";"
/system scheduler
#CREATE DOWNLOAD BLACKLISTS SCHEDULER
add comment=Proxy interval=1d name=Blacklist_SquidBlacklist_Download_tik-malicious.rsc on-event="/system script run Blacklist_SquidBlacklist_Download_tik-malicious.rsc" policy=read,test start-date=jan/01/2017 start-time=03:00:00 disabled=yes
#CREATE IMPORT BLACKLISTS SCHEDULER
add comment=Proxy interval=1d name=Blacklist_SquidBlacklist_Import_tik-malicious.rsc on-event="/system script run Blacklist_SquidBlacklist_Import_tik-malicious.rsc" policy=read,write start-date=jan/01/2017 start-time=03:15:00 disabled=yes
Manual Setup
If you would like to setup everything manually via GUI/Winbox (System > Scheduler), you can use the following System Scheduler “On Event” commands to download and import the blacklist. Also, don’t forget to create the NAT redirect and enable/configure the Web Proxy required for the blacklist, I’ll include an additional code snippet for this at the bottom.
Script: Download Blacklist
:log warning "START - Download blacklist (tik-malicious.rsc) updates.";
/tool fetch address=www.squidblacklist.org host=www.squidblacklist.org mode=http src-path=/downloads/tik-malicious.rsc user=YOUR_SBL_USERNAME password=YOUR_SBL_PASSWORD dst-path=/disk1/blacklists/tik-malicious.rsc
:log warning "END- Download blacklist (tik-malicious.rsc) updates.";
Script: Import Blacklist
:log warning "START - Import blacklist (tik-malicious.rsc) update.";
import /disk1/blacklists/tik-malicious.rsc
:log warning "END - Import blacklist (tik-malicious.rsc) update.";
Scheduler: Execute Download Blacklist Script
/system script run Blacklist_SquidBlacklist_Download_tik-malicious.rsc
Scheduler: Execute Import Blacklist Script
/system script run Blacklist_SquidBlacklist_Import_tik-malicious.rsc
Firewall: Create Web Proxy, NAT Redirect, and Filter Drop (WAN) Rules
/ip proxy
#CREATE TRANSPARENT WEB PROXY
set enabled=yes cache-administrator=webmaster max-cache-size=unlimited
/ip firewall nat
#REDIRECTION TO TRANSPARENT WEB PROXY
add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080 comment="Redirect to Transparent Web Proxy"
/ip firewall filter
#DROP WEB PROXY REQUESTS FROM WAN
add action=drop chain=input dst-port=8080 in-interface=ether1 protocol=tcp log=yes log-prefix="Drop_Web Proxy" comment="Drop Web Proxy requests from WAN."
Mbayliss@outlook.com
I an trying to run the scripts on a Mikrotik HAP Lite and it keeps locking up after downloading the blacklist file,
Hope you can help!
Mark
The processor on that particular unit may not be powerful enough, the import may be too much stress. Also, that unit does not have much memory. Is the MikroTik even creating the list at all and if so, is it populating at least some of the list?