DoS Blocking on MikroTik Switch

Docusaurus supports technical documentation formatting with code examples, tables, and explanations. Below is an example of formatting for hardware IP blocking on MikroTik.

Configuration Example

/interface ethernet switch rule
add comment=dos-77.51.221.219 dst-address=77.51.221.219/255.255.255.255 mac-protocol=ip new-dst-ports="" ports=qsfpplus1-1,qsfpplus2-1,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 switch=switch1
add comment=dos-81.8.93.66 dst-address=81.8.93.66/255.255.255.255 mac-protocol=ip new-dst-ports="" ports=qsfpplus1-1,qsfpplus2-1,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 switch=switch1
add comment=dos-172.236.228.38 dst-address=172.236.228.38/255.255.255.255 mac-protocol=ip new-dst-ports="" ports=qsfpplus1-1,qsfpplus2-1,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 switch=switch1
/interface ethernet switch rule
add comment=dos-77.51.221.219 dst-address=77.51.221.219/255.255.255.255 mac-protocol=ip new-dst-ports="" ports=ether49 switch=switch2
add comment=dos-81.8.93.66 dst-address=81.8.93.66/255.255.255.255 mac-protocol=ip new-dst-ports="" ports=ether49 switch=switch2
add comment=dos-172.236.228.38 dst-address=172.236.228.38/255.255.255.255 mac-protocol=ip new-dst-ports="" ports=ether49 switch=switch2

Parameter Description

Parameter      Value/Example
comment        dos-77.51.221.219
dst-address    77.51.221.219/255.255.255.255
mac-protocol   ip
new-dst-ports  "" (empty)
ports          qsfpplus1-1,qsfpplus2-1,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4
switch         switch1

How it works

This configuration creates hardware-level rules that:

  1. Block traffic to specific destination IP addresses (dst-address) at the switch level
  2. Drop traffic before it reaches the CPU
  3. Protect against DoS attacks efficiently
  4. Reduce CPU load on the router
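
One way to check an export of these rules before relying on them, as an added example that is not part of the original page or of RouterOS: it parses the `add` lines and reports rules that do not drop (non-empty new-dst-ports), masks wider than a single host, comments that do not match the address, and addresses missing on one of the switches. It assumes one rule per line as shown above and that every blocked address should exist on every switch; the function names and the sample addresses are constructed for the example.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample in the page's export format; the last rule is deliberately wrong.
SAMPLE_EXPORT = """\
/interface ethernet switch rule
add comment=dos-192.0.2.10 dst-address=192.0.2.10/255.255.255.255 mac-protocol=ip new-dst-ports="" ports=sfp-sfpplus1,sfp-sfpplus2 switch=switch1
add comment=dos-198.51.100.7 dst-address=198.51.100.7/255.255.255.255 mac-protocol=ip new-dst-ports="" ports=sfp-sfpplus1,sfp-sfpplus2 switch=switch1
add comment=dos-192.0.2.10 dst-address=192.0.2.10/255.255.255.255 mac-protocol=ip new-dst-ports="" ports=ether49 switch=switch2
add comment=dos-203.0.113.5 dst-address=203.0.113.5/255.255.255.0 mac-protocol=ip new-dst-ports=ether1 ports=ether49 switch=switch2
"""

def parse_rules(export_text):
    """Return one dict per `add` line under the switch rule menu."""
    rules, in_menu = [], False
    for line in map(str.strip, export_text.splitlines()):
        if line.startswith("/"):
            in_menu = line == "/interface ethernet switch rule"
        elif in_menu and line.startswith("add "):
            # shlex turns new-dst-ports="" into the token 'new-dst-ports='
            rules.append(dict(t.partition("=")[::2] for t in shlex.split(line)[1:]))
    return rules

def audit(export_text):
    """Return sorted (switch, host, problem) findings for the parsed rules."""
    rules = parse_rules(export_text)
    findings, seen = [], defaultdict(set)
    for r in rules:
        sw, dst = r.get("switch", "?"), r.get("dst-address", "")
        host = dst.split("/")[0]
        seen[host].add(sw)
        if r.get("new-dst-ports") != "":
            findings.append((sw, host, "not a drop rule: new-dst-ports is not empty"))
        try:
            if ipaddress.ip_network(dst, strict=False).prefixlen != 32:
                findings.append((sw, host, "mask is wider than a single host"))
        except ValueError:
            findings.append((sw, host, "dst-address is not a valid address/mask"))
        if r.get("comment") != f"dos-{host}":
            findings.append((sw, host, "comment does not match dst-address"))
    # Assumption: every blocked address should be present on every switch.
    for host, switches in seen.items():
        for sw in {r.get("switch", "?") for r in rules} - switches:
            findings.append((sw, host, "address has no rule on this switch"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORT), sep="\n")
```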

Benefits

  • Hardware-level protection: Rules are processed by the switch chip
  • High performance: No impact on CPU performance
  • Immediate effect: Traffic is dropped at the port level
  • Scalable: Can handle many rules efficiently