Skip to content
cs-routeros-bouncer logocs-routeros-bouncer logo

RouterOS Bouncer

cs-routeros-bouncer syncs CrowdSec decisions into MikroTik firewall rules with reconciliation, metrics, and safe cleanup.
CrowdSec detects
LAPI receives malicious IP decisions
Bouncer syncs
Applies new bans and expires old ones
RouterOS blocks
Updates firewall rules through the API
You monitor
Checks health, metrics, and dashboards

Why cs-routeros-bouncer? 1.4.5

Section titled “Why cs-routeros-bouncer? ”

Unlike bouncers that manage MikroTik via periodic address-list scripts, cs-routeros-bouncer talks to the RouterOS API directly and applies each CrowdSec decision as an individual real-time call.

0 Manual Router Commands

Auto-creates and auto-removes firewall filter/raw rules on start/stop — no manual router setup needed.

Real-time IP Management (~1–3 ms/op)

Adds IPs on ban, removes on unban. No bulk re-upload, no duplicates. ~1–3 ms per operation.

Self-Healing State

On start or restart, syncs CrowdSec decisions with MikroTik state — adds missing, removes stale entries automatically.

Full Observability

Prometheus metrics, structured logging, health endpoint, and a ready-to-use Grafana dashboard.

  • CrowdSec 1.5+ with LAPI accessible from the bouncer host
  • MikroTik RouterOS 7.x with API enabled (port 8728 or 8729 for TLS)
  • A dedicated RouterOS API user with appropriate permissions
What is cs-routeros-bouncer?

cs-routeros-bouncer is a free, open-source CrowdSec bouncer for MikroTik RouterOS. It syncs CrowdSec ban/unban decisions into RouterOS firewall rules (filter and raw, IPv4 and IPv6) through the RouterOS API, with startup and periodic reconciliation, Prometheus metrics, and safe rule cleanup.

Which CrowdSec and RouterOS versions does it support?

It requires CrowdSec 1.5+ with the Local API (LAPI) reachable from the bouncer host, and MikroTik RouterOS 7.x with the API service enabled (port 8728, or 8729 for TLS), using a dedicated RouterOS API user with the appropriate permissions.

Is cs-routeros-bouncer free and open source?

Yes. cs-routeros-bouncer is MIT-licensed, written in Go, distributed as a single static binary, with the full source on GitHub and no paid tier.

Does cs-routeros-bouncer support IPv6?

Yes. Each RouterOS rule type it manages (filter input, raw prerouting, and optional filter output) has an IPv6 equivalent, and IPv4/IPv6 rule placement can be configured together or overridden independently per protocol.

How is cs-routeros-bouncer different from address-list or script-based CrowdSec bouncers for MikroTik?

cs-routeros-bouncer talks to the RouterOS API directly and applies each ban or unban as an individual real-time call (about 1-3 ms), instead of periodically regenerating address lists via scheduled scripts. It also runs startup and periodic reconciliation against MikroTik’s actual state, so drift is repaired automatically.