Emerging Member
Posts: 57
Registered: ‎05-10-2014
Kudos: 1
Solutions: 1

block country IP via cli

I am getting pounded by Russian IP's.  I got a list of all of the Russian IP's and I put them on a script.


set firewall group address-group BlockIP <ip>


The problem is that after 5 or six lines the router doesnt seem to process the script fast enough.  At the end I have left the commit statement running for over 1 hour and it never finishes.


I have tried putting a commit after every 5 lines, but still the router just freaks out.  


How can I apply the acl to the router.  There are over 5k lines.


I am running edgerouter lite running the latest code.

New Member
Posts: 26
Registered: ‎01-17-2017
Kudos: 4

Re: block country IP via cli


May be solution is aggregate many lines (ip hope its nets blocks, not ip/32) into BIGGER blocks. It seems too many static routes is too much for ER-lite


Emerging Member
Posts: 142
Registered: ‎10-14-2018
Kudos: 37
Solutions: 13

Re: block country IP via cli

Established Member
Posts: 907
Registered: ‎07-25-2015
Kudos: 131
Solutions: 43

Re: block country IP via cli

@fanghui wrote:

Try ipset:

@mrjoli021, this is possibly you're solution


Ipset is much quicker to run.





If the feedback solved your problem or question. Please mark it as solved. If it is worth some Kudo’s don’t forget to give some :-)