Address Lists for Humans (and Hackers) MikroTik

Grouping IPs the Smart Way in Your MikroTik Firewall

Let’s face it — if you’ve ever tried managing a firewall with individual IP rules, you know it gets messy fast. One rule for your laptop, another for your phone, a separate one for your work VPN, and maybe one more for your buddy’s IP that you forgot to label properly. Before you know it, your rule set looks like a crime scene.

Address Lists fix that.

They let you group IPs into logical categories and reference them in your rules. Once you start using them, you’ll wonder how you ever lived without them.


📌 What Is an Address List?

In MikroTik, an address list is simply a named group of IP addresses or subnets. You can reference them in:

  • Firewall filter rules
  • NAT rules
  • Mangle rules
  • And even scripts

Instead of writing 5 different rules for 5 IPs — you can write one rule and maintain the list separately. This keeps your rules clean, readable, and easy to update.


🎯 Why Use Address Lists?

Here’s what you get when you build your rules around address lists:

✅ Benefit / 💡 Why it matters

  • Clarity: You’ll immediately know what the rule is protecting
  • Simplicity: Fewer firewall rules overall
  • Scalability: Easily add/remove IPs without editing rule logic
  • Automation: Use scripts or dynamic rules to update lists
  • Security: Group risky IPs together for blocking or limiting

🏗️ The Essential Lists You Should Create

Here’s a professional starter kit of address lists you can (and should) build:

Address List / Purpose

  • LAN_SUBNETS: All your internal subnets (192.168.x.x, etc.)
  • TRUSTED_IPS: Remote IPs allowed access to Winbox, SSH, etc.
  • BLOCKED_IPS: Attackers, port scanners, brute-force attempts
  • VPN_SUBNETS: Subnets used by connected VPN clients
  • DMZ_SERVICES: IPs of exposed public services (if any)

You’ll use these lists throughout your firewall — from access control to detection.


🧪 How to Add IPs to Address Lists

Here are real-world examples of building useful address lists.

Add your main LAN subnet:

/ip firewall address-list add list=LAN_SUBNETS address=192.168.88.0/24 comment="Main LAN"

Add your work IP for remote access:

/ip firewall address-list add list=TRUSTED_IPS address=203.0.113.5 comment="Work VPN Admin"

Add a known attacker to blocklist:

/ip firewall address-list add list=BLOCKED_IPS address=185.23.88.44 comment="SSH Brute Force"

🛠️ How to Use Lists in Firewall Rules

Let’s say you want to allow only your LAN to access the router. You could write:

/ip firewall filter add chain=input src-address=192.168.88.0/24 action=accept

But that’s hardcoded. What if you have more than one subnet?

Instead, write:

/ip firewall filter add chain=input src-address-list=LAN_SUBNETS action=accept comment="Allow LAN access"

Now if you add another subnet to LAN_SUBNETS, the rule automatically applies — no editing needed.
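As an added example (not part of the original post), here is a complete input chain built around the starter-kit lists above. RouterOS evaluates filter rules top to bottom and the first match wins, so the drop for BLOCKED_IPS sits above every accept and a final catch-all drop closes the chain. The management ports used (22 for SSH, 8291 for Winbox) are RouterOS defaults; change them if you have moved your services.

```routeros
/ip firewall filter
# Fast path: packets that belong to connections already accepted
add chain=input connection-state=established,related action=accept comment="Accept established/related"
# Blocklisted sources are dropped before any accept rule can match them
add chain=input src-address-list=BLOCKED_IPS action=drop comment="Drop blocklisted sources"
# Packets that belong to no known connection state are never legitimate
add chain=input connection-state=invalid action=drop comment="Drop invalid"
# Internal subnets may reach the router; extend the list, not the rule
add chain=input src-address-list=LAN_SUBNETS action=accept comment="Allow LAN access"
# Remote admins may reach management ports only (22 = SSH, 8291 = Winbox)
add chain=input src-address-list=TRUSTED_IPS protocol=tcp dst-port=22,8291 action=accept comment="Allow trusted remote admins"
# Connected VPN clients are treated like the LAN
add chain=input src-address-list=VPN_SUBNETS action=accept comment="Allow VPN clients"
# Everything not matched above is denied
add chain=input action=drop comment="Drop all other input"
```

One caveat before you paste this: if the router itself terminates the VPN, the handshake arrives from the public Internet and is not yet in VPN_SUBNETS, so add an accept for your VPN protocol and port above the final drop or clients will never connect. Test from a second session before closing the one you are working in; a wrong order in this chain locks you out.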


⏱️ Bonus: Temporary Blocks with Timeout

You can even add entries to a list that expire automatically — great for banning bots or brute-force IPs for a limited time:

/ip firewall address-list add list=BLOCKED_IPS address=192.0.2.66 timeout=1d comment="Temp ban"

The IP will be automatically removed from the list after one day.


🔁 Dynamic Updates & Detection

Once you’ve built address lists, you can:

  • Dynamically add IPs to lists based on behavior (via firewall rules or scripting)
  • Use Netwatch or scripts to pull blocklists from external sources
  • Trigger alerts when new IPs are added

It’s flexible, it’s powerful — and it scales with your network.


📋 Example — A Well-Structured List Setup

/ip firewall address-list
add list=LAN_SUBNETS address=192.168.88.0/24 comment="Main LAN"
add list=LAN_SUBNETS address=192.168.50.0/24 comment="Server Subnet"

add list=TRUSTED_IPS address=203.0.113.5 comment="Work VPN Admin"
add list=TRUSTED_IPS address=192.0.2.77 comment="My Laptop"

add list=BLOCKED_IPS address=185.22.11.19 comment="Repeated Scanner"

🧠 Advanced Use Cases

  • Firewall detection logic: If someone hits a protected port → auto-add to BLOCKED_IPS
  • Geographic filtering: Create lists for country-specific IP ranges
  • Scheduled lockdowns: Block/allow lists based on time (via script or scheduler)
  • External threat feeds: Import addresses from abuse.ch, Spamhaus, etc.
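As an added example that is not from the original post, the following combines two of the ideas above: the dynamic-update and alerting points from “Dynamic Updates & Detection” and the “hits a protected port → auto-add to BLOCKED_IPS” case from this list. A new TCP connection from the Internet to port 23 (Telnet), which the router is told not to serve, is treated as a probe: the source is added to BLOCKED_IPS for one day and the event is logged, which is the alert. A scheduled script then reports how many dynamic entries the list holds. Assumptions: an interface list named WAN exists, and port 23 is a port you genuinely do not expose; the script and scheduler names are mine.

```routeros
# Step 1: make sure nothing on the router actually answers on the bait port
/ip service disable telnet

/ip firewall filter
# Step 2: a new connection from the WAN side to port 23 is a probe.
# add-src-to-address-list is a passthrough action: it records the source
# (with a 1-day timeout, so the entry expires on its own) and logs the hit,
# but does not stop rule processing, so the explicit drop below is required.
# Assumption: an interface list named WAN exists (/interface list).
add chain=input in-interface-list=WAN protocol=tcp dst-port=23 connection-state=new action=add-src-to-address-list address-list=BLOCKED_IPS address-list-timeout=1d log=yes log-prefix="probe-detect" comment="Auto-blocklist port-23 probes"
add chain=input in-interface-list=WAN protocol=tcp dst-port=23 action=drop comment="Drop port-23 probes"

# Step 3: an hourly log report of the dynamic (timed) entries in the blocklist.
# Script and scheduler names are assumptions; pick your own.
/system script add name=report-blocklist source={
    :local n [:len [/ip firewall address-list find list=BLOCKED_IPS dynamic=yes]]
    :log info ("BLOCKED_IPS now holds " . $n . " dynamic entries")
    :foreach i in=[/ip firewall address-list find list=BLOCKED_IPS dynamic=yes] do={
        :log info ("  blocked: " . [/ip firewall address-list get $i address])
    }
}
/system scheduler add name=report-blocklist interval=1h on-event=report-blocklist
```

Placement matters: in an existing input chain these two rules must sit below the accept for established/related and below the accept for LAN_SUBNETS (so internal hosts are never blocklisted by a typo), but above the final catch-all drop, or the detection rule is never reached. Use `/ip firewall filter move` to reorder, and check `/log print where message~"probe-detect"` to see the alerts. Because the same BLOCKED_IPS drop rule you already have handles enforcement, this adds detection without touching any existing rule logic, which is exactly the point of keeping the list separate from the rules.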

✅ Recap

✔ You now understand what address lists are
✔ You know how to build and use them effectively
✔ You’re ready to write cleaner, more flexible rules
✔ You’ve added tools for blocking, detecting, and managing access like a pro
