diff --git a/mxrouter/mxrouterctl b/mxrouter/mxrouterctl
index a0eb331..ecc6a44 100755
--- a/mxrouter/mxrouterctl
+++ b/mxrouter/mxrouterctl
@@ -358,6 +358,18 @@ sub disable_ipv4_rp_filter {
 $disable_ipv4_rp_filter{$if}=1;
 }
+sub reload_ip_blacklist {
+ sys('ipset','flush','ip-blacklist');
+ if (-e '/etc/local/mxrouter/ip-blacklist') {
+ open my $in,'<','/etc/local/mxrouter/ip-blacklist' or die "/etc/local/mxrouter/ip-blacklist: $!\n";
+ while (<$in>) {
+ s/#.*//;
+ /^\s*(\d+\.\d+\.\d+\.\d+)\s*$/ or next;
+ system('ipset','add','ip-blacklist',$1);
+ }
+ }
+ }
+
 sub start {
 -d "/var/run/mxrouter/$NETNS" or sys ('mkdir','-p',"/var/run/mxrouter/$NETNS");
@@ -519,6 +531,8 @@ sub start {
 start_process_if($process_radvd);
 unless ($opt_noop) {
+ sys('ipset','create','-exist','ip-blacklist','hash:ip','counters');
+ reload_ip_blacklist();
 open my $pipe,'|-','iptables-restore' or die "$!\n";
 print $pipe rules_in_restore_format();
 close $pipe or die "$!\n";
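Review bot: reload_ip_blacklist flushes the live `ip-blacklist` set and then re-adds entries one `ipset add` process at a time, so any rule referencing the set sees an empty or half-loaded blacklist for the whole reload window, and each `system('ipset','add',...)` ignores ipset's exit status while the neighbouring `sys(...)` calls presumably die on failure, so a rejected entry (duplicate, out-of-range octet such as `999.1.1.1`, set full) is never reported. Lines that fail the dotted-quad regex are also dropped silently with `or next`, which means a typo in the blacklist file quietly leaves that address unblocked. I would build the entries into a scratch set through a single `ipset restore` pipe, warn on every non-blank line that does not parse, and `ipset swap` the scratch set into place so the switch is atomic; the `ipset create` of the main set done in start before this is called keeps the swap types matched.

```perl
sub reload_ip_blacklist {
    my $set = 'ip-blacklist';
    my $tmp = "$set-new";
    sys('ipset','create','-exist',$tmp,'hash:ip','counters');
    sys('ipset','flush',$tmp);
    if (-e '/etc/local/mxrouter/ip-blacklist') {
        open my $in,'<','/etc/local/mxrouter/ip-blacklist' or die "/etc/local/mxrouter/ip-blacklist: $!\n";
        # one ipset process for the whole file; restore aborts on the first bad entry
        open my $out,'|-','ipset','-exist','restore' or die "ipset restore: $!\n";
        while (<$in>) {
            chomp;
            s/#.*//;
            next if /^\s*$/;
            unless (/^\s*(\d+\.\d+\.\d+\.\d+)\s*$/) {
                warn "/etc/local/mxrouter/ip-blacklist line $.: ignoring '$_'\n";
                next;
            }
            print $out "add $tmp $1\n";
        }
        close $out or die "ipset restore failed (status $?)\n";
    }
    # atomic swap: rules matching ip-blacklist never see a partially loaded set
    sys('ipset','swap',$tmp,$set);
    sys('ipset','destroy',$tmp);
}
```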
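Review bot: The set is created as `hash:ip` with ipset's default `family inet`, so only IPv4 addresses can ever be blacklisted; that matches the dotted-quad parser in reload_ip_blacklist, but this script appears to handle IPv6 as well (radvd is started a few lines above), so IPv6 traffic gets no equivalent block list — either add an `ip6-blacklist` set with `family inet6` or put a comment next to the create call stating the limitation. `hash:ip` also keeps the default `maxelem 65536`; if the blacklist file can grow past that, pass an explicit `maxelem` here, because the per-entry adds in reload_ip_blacklist do not check ipset's exit status. The literal `'ip-blacklist'` now appears in the create, flush and add calls; a file-level `my $IP_BLACKLIST_SET = 'ip-blacklist';` would keep them in sync. The enclosing `sub start` begins and ends outside this hunk.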