Tor Browser is an alternative to VPN and Web Proxy that breaks blocking firewall rule. If any user installs and uses Tor Browser, he/she can hide the public IP address of router and can unblock blocked websites applied on a network. So, administrators should block Tor Nodes along with other blocking firewall rule. In my previous article, I discussed how to block VPN and Proxy access with MikroTik Router and in this article I will discuss how to block Tor Nodes with MikroTik Router.

How to Block Tor Nodes   

Tor Browser cannot be blocked by blocking TCP ports because Tor Nodes usually uses TCP port 443 which is a dedicated port for secure HTTP communication. So, to block Tor Browser, we have to find IP addresses of the active Tor Nodes and block those IP addresses with firewall rule.

Finding IP Addresses of Tor Nodes

To block Tor Browser, we have to find IP addresses of the active Tor Nodes. Fortunately, Tor Project provides IP addresses of the active Tor Nodes available from an IP address. So, to find Tor Nodes IP addresses, go to https://check.torproject.org/cgi-bin/TorBulkExitList.py and you will find TorBulkExitList page.

Provide public IP address of your router and click on Submit button. Your will now find the available Tor Node IP addresses those are contactable from your IP address.

Finding IP addresses of the active Tor Nodes, we will now create firewall rule to block these IP addresses so that user cannot communicate with these IP addresses from his Tor Browser.

MikroTik Firewall Rule to Block Tor Nodes

MikroTik Firewall is able to block a group of IP addresses. So, we will first create a firewall rule that will block a group of IP addresses and then we will add IP addresses of Tor Nodes in this group. The following steps will show how to block a group of destination IP addresses with MikroTik Firewall Rule.

• Go to IP > Firewall menu item and click on Filter Rules tab and then click on PLUS SIGN (+). New Firewall Rule window will appear.
• Choose forward from Chain dropdown menu.
• Click on Advanced tab and put a group name (such as Blacklisted IP Address) in Dst. Address List input box.
• Click on Action tab and choose drop from Action dropdown menu.
• Click Apply and OK button.

This rule will block those IP addresses which will have in Blacklisted IP Address group. Now we will add our found Tor Node IP addresses in this group.

Adding IP Addresses in Blacklisted IP Address Group

After creating blocking firewall rule for a group, it is time to add IP address in this group. The following steps will show how to add Tor Node IP address in Blacklisted IP Address group.

• Go to IP > Firewall menu item and click on Address Lists tab and then click on PLUS SIGN (+). New Firewall Address List window will appear.
• Choose your created group name (Blacklisted IP Address) from Name dropdown menu.
• Put a Tor Node IP address (such as 103.208.220.122) that you have found from Tor Bulk Exit List page in Address input field. If you found multiple IP addresses in same subnet, you can provide the whole subnet rather than a single IP address.
• Click Apply and OK button.

Similarly, put all the IP addresses that you have found from Tor Bulk Exit List page in Blacklisted IP address group and then you will find no Tor user will be able to use tor browser.

If you face any confusion to follow above steps properly, watch the following video about blocking Tor Browser with MikroTik Firewall. I hope it will reduce your any confusion.