IP Address List Distribution Based on RouterOS and OpenWrt
0. Brief
Policy-based routing on a MikroTik router: traffic from selected LAN hosts to destinations outside a CN IP address list (CNIP) is sent to an OpenWrt bypass router, while everything else takes the normal default route.
Configurations are based on MikroTik RouterOS 7.6.
1. Requirement
A bypass router running OpenWrt is required.
2. Get CN IP Address List
The CN IP address list is derived from APNIC's delegated statistics file, http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest (one record per line, fields separated by |: registry|cc|type|start|value|date|status).
The scripts below, run on Linux, turn it into RouterOS import files. Note that the value field differs by address family: for ipv4 it is the number of addresses in the block, for ipv6 it is already the prefix length.
# IPv6: field 5 is the prefix length, so it is used as-is.
# The generated file clears the old CNIP list, adds the new entries and
# deletes itself after import.
curl 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | \
awk -F'|' '$2=="CN" && $3=="ipv6" { printf("%s/%s\n", $4, $5) }' | \
sed -e 's/^/add address=/' -e 's/$/ list=CNIP/' | \
sed -e $'1i\\\n/ipv6 firewall address-list' \
    -e $'1i\\\nremove [/ipv6 firewall address-list find list=CNIP]' | \
sed '$a /file remove CNIPv6.rsc' > CNIPv6.rsc
# IPv4: field 5 is the block size, so the prefix length is 32 - log2(size);
# rounding with +0.5 avoids %d truncating 23.999... to 23.
curl 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | \
awk -F'|' '$2=="CN" && $3=="ipv4" { printf("%s/%d\n", $4, int(32-log($5)/log(2)+0.5)) }' | \
sed -e 's/^/add address=/' -e 's/$/ list=CNIP comment="CNIP"/' | \
sed -e $'1i\\\n/ip firewall address-list' \
    -e $'1i\\\nremove [/ip firewall address-list find list=CNIP]' | \
sed '$a \/' | sed '$a /file remove CNIPv4.rsc' > CNIPv4.rsc
The first file contains the IPv6 prefixes, the second the IPv4 prefixes. CNIPv4.rsc looks like this:
/ip firewall address-list
remove [/ip firewall address-list find list=CNIP]
add address=x.x.x.x/xx list=CNIP comment="CNIP"
add address=x.x.x.x/xx list=CNIP comment="CNIP"
...
add address=x.x.x.x/xx list=CNIP comment="CNIP"
/
/file remove CNIPv4.rsc
3. Distribution Configuration
(1). Import CN IP List
Open WinBox, upload CNIPv4.rsc to the router (Files), then open Terminal and run import CNIPv4.rsc. The script replaces any existing CNIP list and removes the uploaded file when it finishes.
(2). Add Route Table
In Terminal, create a routing table with its own FIB:
/routing/table/add name=OP fib
(3). Add Proxy Device List
Add an address list named proxy in Firewall (IP > Firewall > Address Lists) containing the hosts whose non-CN traffic should go through OpenWrt. Here the range 192.168.1.1-192.168.1.200 is used.
(4). Mangle Non-CN IP Connections
Mark packets from the proxy list whose destination is not in CNIP and is not a local address of the router with routing mark OP. Address lists are matched with the -list parameters, not with src-address/dst-address:
add action=mark-routing chain=prerouting comment="ProxyRoute" \
src-address-list=proxy dst-address-list=!CNIP dst-address-type=!local \
new-routing-mark=OP passthrough=yes
Add another rule, placed before this one, that accepts OpenWrt's own traffic so that its upstream connections are not marked and sent back to it. Assume OpenWrt's local IP is 192.168.1.254.
(5). Config Route Table
Add a default route in table OP that points to OpenWrt:
/ip/route/add dst-address=0.0.0.0/0 gateway=192.168.1.254 \
check-gateway=ping routing-table=OP distance=1 \
scope=30 target-scope=10
(6). Change PPPoE's Distance
Change the distance of the PPPoE default route to 2; the OP route above has distance 1.
4. Change Distribution if Bypass Router Down
(1). Purpose
- Stop distribution when OpenWrt is down
- Resume distribution when OpenWrt is up
(2). Config NetWatch
Netwatch pings OpenWrt every 60 seconds and runs the up or down script on each state change:
/tool/netwatch/add host=192.168.1.254 type=simple interval=60 \
up-script=OPUP.rsc down-script=OPDOWN.rsc
(3). Edit Up & Down Scripts
Up script (shown as exported from /system script):
add dont-require-permissions=yes name=OPUP.rsc owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall mangle enable number=???\r\
\n/ip firewall mangle enable number=???\r\
\n/ip route enable number=0\r\
\n/ip/dns/cache/flush"
Down script:
add dont-require-permissions=yes name=OPDOWN.rsc owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall mangle disable number=???\r\
\n/ip firewall mangle disable number=???\r\
\n/ip route disable number=0\r\
\n/ip/dns/cache/flush"
??? is the index number of the two mangle rules from step (4), as shown by /ip firewall mangle print, and number=0 assumes the OP route is the first entry in /ip route print. Index numbers are positional and change whenever rules or routes are added, removed or moved, so re-check them after any firewall or routing edit. Note also that the exported scripts run with dont-require-permissions=yes and a policy that includes reboot, password, policy and sensitive; enabling and disabling rules needs only read and write, so trim the policy to what the script actually uses.
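The whole of sections 3 and 4 as one RouterOS 7 script, added here as an example; it is not taken from the page above or from any referenced post. It uses the names and addresses from the page (list proxy = 192.168.1.1-192.168.1.200, OpenWrt at 192.168.1.254, table OP, list CNIP already imported) and makes two changes to the placeholders above: the accept rule for OpenWrt's own traffic is written out explicitly, and the up/down scripts select rules and the route by comment instead of by index number, so they keep working after reordering. The PPPoE client name pppoe-out1 is an assumption, and the netwatch scripts are invoked with the explicit /system script run form. The script policy is cut down to read,write, which is all that enabling and disabling entries needs.

```routeros
# Added example (not the page's own config). Assumptions: the PPPoE client
# is named pppoe-out1, and CNIP was already imported with /import CNIPv4.rsc.

# (2) routing table with its own FIB
/routing table add name=OP fib

# (3) hosts whose non-CN traffic goes through OpenWrt
/ip firewall address-list add list=proxy address=192.168.1.1-192.168.1.200

# (4) mangle rules. Order matters: the accept rule must come first so that
# OpenWrt's own upstream connections are never marked and looped back to it.
/ip firewall mangle
add chain=prerouting action=accept src-address=192.168.1.254 \
    comment="ProxyAccept"
add chain=prerouting action=mark-routing new-routing-mark=OP passthrough=yes \
    src-address-list=proxy dst-address-list=!CNIP dst-address-type=!local \
    comment="ProxyRoute"

# (5) default route for table OP, pointing at OpenWrt; check-gateway=ping
# marks the route unreachable on its own when OpenWrt stops answering
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.254 check-gateway=ping \
    routing-table=OP distance=1 scope=30 target-scope=10 comment="OPRoute"

# (6) PPPoE default route gets distance 2 (interface name is an assumption)
/interface pppoe-client set [find name="pppoe-out1"] default-route-distance=2

# Section 4: the scripts find entries by comment, not by index number, and
# get only the read and write policies they actually use.
/system script
add name=OPUP dont-require-permissions=yes policy=read,write source={
    /ip firewall mangle enable [find comment="ProxyAccept"]
    /ip firewall mangle enable [find comment="ProxyRoute"]
    /ip route enable [find comment="OPRoute"]
    /ip dns cache flush
}
add name=OPDOWN dont-require-permissions=yes policy=read,write source={
    /ip firewall mangle disable [find comment="ProxyAccept"]
    /ip firewall mangle disable [find comment="ProxyRoute"]
    /ip route disable [find comment="OPRoute"]
    /ip dns cache flush
}

# Netwatch pings OpenWrt once a minute and runs the scripts on state change
/tool netwatch add host=192.168.1.254 type=simple interval=1m \
    up-script="/system script run OPUP" down-script="/system script run OPDOWN"
```

Two caveats when running this. RouterOS 7 falls back to the main table when a custom table has no usable route, so once OPRoute is disabled the marked traffic simply leaves via the PPPoE default route. And netwatch only tests that the host answers ping: if the proxy service on OpenWrt stops while the box stays up, marked traffic is still delivered to it and blackholed, so monitor the service itself (for example with a tcp-conn netwatch against the proxy port) if that matters. If hosts in the proxy range reach other private networks through this router (a VPN subnet, for instance), add those prefixes to CNIP or as an extra exception, or they will be sent to OpenWrt as well.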