LIST · COUNTRY
New Zealand (NZ)
IPv4 + IPv6 prefixes allocated to New Zealand per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.
Subscription URL
https://mikrotikfilters.com/api/lists/country-nz.rsc
Paste this URL into a RouterOS /tool fetch
on a daily schedule. The header toggle picks v6 vs v7
syntax — the extension flips between .rsc
and .v6.rsc in place; the .json
and .txt formats below are version-neutral.
02 · QUICKSTART
Paste-and-go.
Three RouterOS commands: fetch the list, import it, schedule a daily refresh. Run them in a terminal, Webfig, or Winbox. The header toggle picks which RouterOS syntax flavour the snippet below targets — same shell, different embedded URL. For production, verify integrity from a workstation first (snippet below); the deeper-dive Integrity section covers the CI-pinning shape.
Step 0 (recommended) · Verify integrity from a workstation
# Workstation-side verify (Linux / macOS / WSL). # RouterOS has no native sha256; check off-router before deploy. curl -sSO https://mikrotikfilters.com/api/lists/country-nz.rsc curl -sSO https://mikrotikfilters.com/api/lists/country-nz.rsc.sha256 sha256sum -c country-nz.rsc.sha256 # → country-nz.rsc: OK
# subscribe to mtkf-country-nz
/tool fetch mode=https \
url="https://mikrotikfilters.com/api/lists/country-nz.rsc" \
dst-path=mtkf-country-nz.rsc
/import file-name=mtkf-country-nz.rsc
# schedule daily refresh — set-and-forget
/system scheduler add name=mtkf-country-nz-refresh interval=1d \
on-event=":do { \
/tool fetch mode=https url=\"https://mikrotikfilters.com/api/lists/country-nz.rsc\" dst-path=mtkf-country-nz.rsc; \
/import mtkf-country-nz.rsc \
}" # subscribe to mtkf-country-nz
/tool fetch mode=https \
url="https://mikrotikfilters.com/api/lists/country-nz.v6.rsc" \
dst-path=mtkf-country-nz.rsc
/import file-name=mtkf-country-nz.rsc
# schedule daily refresh — set-and-forget
/system scheduler add name=mtkf-country-nz-refresh interval=1d \
on-event=":do { \
/tool fetch mode=https url=\"https://mikrotikfilters.com/api/lists/country-nz.v6.rsc\" dst-path=mtkf-country-nz.rsc; \
/import mtkf-country-nz.rsc \
}" # subscribe to mtkf-country-nz
# Replace <YOUR_API_KEY> with the cleartext key from
# /account → API keys (supporters get 200 pulls/day; free
# accounts get 10/day; without the header your pulls fall
# back to the anonymous 2/day-per-IP cap).
/tool fetch mode=https \
http-header-field="Authorization: Bearer <YOUR_API_KEY>" \
url="https://mikrotikfilters.com/api/lists/country-nz.rsc" \
dst-path=mtkf-country-nz.rsc
/import file-name=mtkf-country-nz.rsc
# schedule daily refresh — set-and-forget
/system scheduler add name=mtkf-country-nz-refresh interval=1d \
on-event=":do { \
/tool fetch mode=https \
http-header-field=\"Authorization: Bearer <YOUR_API_KEY>\" \
url=\"https://mikrotikfilters.com/api/lists/country-nz.rsc\" dst-path=mtkf-country-nz.rsc; \
/import mtkf-country-nz.rsc \
}" # subscribe to mtkf-country-nz
# Replace <YOUR_API_KEY> with the cleartext key from
# /account → API keys (supporters get 200 pulls/day; free
# accounts get 10/day; without the header your pulls fall
# back to the anonymous 2/day-per-IP cap).
/tool fetch mode=https \
http-header-field="Authorization: Bearer <YOUR_API_KEY>" \
url="https://mikrotikfilters.com/api/lists/country-nz.v6.rsc" \
dst-path=mtkf-country-nz.rsc
/import file-name=mtkf-country-nz.rsc
# schedule daily refresh — set-and-forget
/system scheduler add name=mtkf-country-nz-refresh interval=1d \
on-event=":do { \
/tool fetch mode=https \
http-header-field=\"Authorization: Bearer <YOUR_API_KEY>\" \
url=\"https://mikrotikfilters.com/api/lists/country-nz.v6.rsc\" dst-path=mtkf-country-nz.rsc; \
/import mtkf-country-nz.rsc \
}"
Replace <YOUR_API_KEY> with your
cleartext key from
/account → API keys. Pulls
without the Authorization: Bearer header
fall back to the anonymous 2-per-IP-per-day cap.
Rate-limit note — anonymous fetches are capped at 2 pulls per IP per day across all lists combined (PLAN §3.4) — enough to preview a list or two, not to subscribe a router. Sign in for 10/day per account, or become a supporter for 200/day + the bundle builder (one URL containing many lists).
Rate-limit note — signed-in (free-tier) accounts get 10 pulls per day per account across all lists combined (PLAN §3.4). 10+ scheduled lists will start tripping 429s on the daily refresh — cull to ≤10 or become a supporter for 200/day and the bundle builder (one URL containing many lists).
Rate-limit note — supporters get 200 pulls per day per account shared across every API key on the account (PLAN §3.4). Plenty of headroom for a few dozen scheduled lists. The bundle builder lets you collapse multiple lists into one URL if you'd rather conserve the budget anyway.
03 · FORMATS
Other formats.
Same content, five outputs: .rsc (v7-syntax,
the default) flips to .v6.rsc when the header
toggle is on v6, plus .json, .txt,
and an .rss feed of the newest entries — all
version-neutral. Each link opens in a new tab.
04 · INTEGRITY
Verify the body matches.
Every format has a sibling .sha256 URL that
serves a one-line coreutils manifest. Pin it in CI /
Ansible / a wrapper script to fail loudly if the upstream
body changes unexpectedly. RouterOS itself has no native
sha256sum, so verification belongs on the
workstation that pushes the body to the router —
not on the router itself.
sha256 manifest URL
https://mikrotikfilters.com/api/lists/country-nz.rsc.sha256
The header toggle flips this URL between
.rsc.sha256 (v7-syntax body) and
.v6.rsc.sha256 (v6-syntax body) — pair the
manifest with the body of the same flavour.
Manifests for every format
https://mikrotikfilters.com/api/lists/country-nz.rsc.sha256https://mikrotikfilters.com/api/lists/country-nz.v6.rsc.sha256https://mikrotikfilters.com/api/lists/country-nz.v7.rsc.sha256https://mikrotikfilters.com/api/lists/country-nz.json.sha256https://mikrotikfilters.com/api/lists/country-nz.txt.sha256
Verify on a workstation:
# On your workstation (Linux / macOS / WSL — RouterOS has no # native sha256sum; verify off-router, then deploy the verified # body to your router via your usual flow). curl -sSO https://mikrotikfilters.com/api/lists/country-nz.rsc curl -sSO https://mikrotikfilters.com/api/lists/country-nz.rsc.sha256 sha256sum -c country-nz.rsc.sha256 # → country-nz.rsc: OK # Pin in CI: exit non-zero if the upstream body changed without # you bumping the expected digest. sha256sum --status -c country-nz.rsc.sha256 \ && echo "verified, safe to /import" \ || echo "DIGEST MISMATCH — refuse to deploy"
Heads-up — the digest covers the rendered
body including the self-identifying header
(generated_at, entries, etc.). That
timestamp advances on every request, so two consecutive
pulls of the same list produce different digests by design.
Fetch the body and manifest as a pair (within seconds) for
the check to succeed — the manifest is a point-in-time
integrity pin, not a long-lived content hash.
05 · ENTRIES
What's in the list.
The first 100 approved entries, alphabetised by address. Filter by address, comment, or source — the filter scans the full list, not just the rendered page, and re-renders the table with every match (capped at 10k entries for very large lists). For a bulk export, use one of the format downloads above — the same data, paginated only by download size.
| Address | Fam. | Tag | Source | Added | Comment |
|---|
06 · SOURCES
Where the entries came from.
Each list aggregates one or more upstream sources. We mirror raw upstream input on every successful fetch so the list keeps working if a source goes offline.
- Loading source attribution…