Examples
Complete configuration examples for common deployment scenarios.
The simplest configuration: blocks IPv4 traffic using filter rules only.
```yaml
crowdsec:
  api_url: "http://localhost:8080/"
  api_key: "your-key"

mikrotik:
  address: "192.168.0.1:8728"
  username: "crowdsec"
  password: "your-password"

firewall:
  ipv6:
    enabled: false
  raw:
    enabled: false
```

Maximum protection with all features enabled. Input rules are restricted to WAN traffic.
```yaml
crowdsec:
  api_url: "http://localhost:8080/"
  api_key: "your-key"

mikrotik:
  address: "192.168.0.1:8729"
  username: "crowdsec"
  password: "your-password"
  tls: true

firewall:
  ipv4:
    enabled: true
  ipv6:
    enabled: true
  filter:
    enabled: true
    chains: ["input"]
  raw:
    enabled: true
    chains: ["prerouting"]
  deny_action: "drop"
  rule_placement: "top"
  block_input:
    interface_list: "WAN"
  block_output:
    enabled: true
    interface_list: "WAN"

metrics:
  enabled: true
  listen_port: 2112

logging:
  level: "info"
```

All features enabled with advanced firewall rule customization: reject action, connection-state filtering, log prefixes, input whitelist, and output passthrough.
```yaml
crowdsec:
  api_url: "http://localhost:8080/"
  api_key: "your-key"

mikrotik:
  address: "192.168.0.1:8729"
  username: "crowdsec"
  password: "your-password"
  tls: true

firewall:
  ipv4:
    enabled: true
  ipv6:
    enabled: true
  filter:
    enabled: true
    chains: ["input"]
    connection_state: ["new"]
    log_prefix: "CS-FILTER"
  raw:
    enabled: true
    chains: ["prerouting"]
    log_prefix: "CS-RAW"
  deny_action: "reject"
  reject_with: "icmp-host-prohibited"
  rule_placement: "top"
  log: true
  log_prefix: "CS"
  block_input:
    interface_list: "WAN"
    whitelist: "crowdsec-whitelist"
  block_output:
    enabled: true
    interface_list: "WAN"
    log_prefix: "CS-OUT"
    passthrough_v4: "10.0.0.100"

metrics:
  enabled: true
  listen_port: 2112

logging:
  level: "info"
```

Syncs only locally-generated decisions (from your CrowdSec engine and manual cscli bans). No CAPI community blocklists.
```yaml
crowdsec:
  api_url: "http://localhost:8080/"
  api_key: "your-key"
  origins: ["crowdsec", "cscli"]

mikrotik:
  address: "192.168.0.1:8728"
  username: "crowdsec"
  password: "your-password"
```

All configuration via environment variables — no config file needed.
```yaml
services:
  cs-routeros-bouncer:
    image: ghcr.io/jmrplens/cs-routeros-bouncer:latest
    container_name: cs-routeros-bouncer
    restart: unless-stopped
    ports:
      - "2112:2112"
    environment:
      # CrowdSec
      CROWDSEC_URL: "http://crowdsec:8080/"
      CROWDSEC_BOUNCER_API_KEY: "your-bouncer-api-key"
      CROWDSEC_UPDATE_FREQUENCY: "10s"
      CROWDSEC_ORIGINS: "crowdsec,cscli"

      # MikroTik
      MIKROTIK_HOST: "192.168.0.1:8728"
      MIKROTIK_USER: "crowdsec"
      MIKROTIK_PASS: "your-password"

      # Firewall
      FIREWALL_IPV4_ENABLED: "true"
      FIREWALL_IPV6_ENABLED: "true"
      FIREWALL_DENY_ACTION: "drop"
      FIREWALL_RULE_PLACEMENT: "top"

      # Logging
      LOG_LEVEL: "info"
      LOG_FORMAT: "json"

      # Metrics
      METRICS_ENABLED: "true"
      METRICS_PORT: "2112"
```

Secure connection with rule logging enabled.
```yaml
crowdsec:
  api_url: "https://crowdsec.example.com:8080/"
  api_key: "your-key"
  cert_path: "/etc/cs-routeros-bouncer/tls/cert.pem"
  key_path: "/etc/cs-routeros-bouncer/tls/key.pem"
  ca_cert_path: "/etc/cs-routeros-bouncer/tls/ca.pem"

mikrotik:
  address: "192.168.0.1:8729"
  username: "crowdsec"
  password: "your-password"
  tls: true

firewall:
  log: true
  log_prefix: "crowdsec-bouncer"
  deny_action: "drop"

logging:
  level: "info"
  format: "json"
  file: "/var/log/cs-routeros-bouncer.log"

metrics:
  enabled: true
```
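The examples above differ in how the two credentials travel: the minimal ones use the RouterOS API on port 8728 without `tls`, the secure one uses 8729 with `tls: true` and an HTTPS LAPI URL. The following pre-deployment check is an added example, not part of cs-routeros-bouncer; `audit_config` is a hypothetical helper that takes the configuration already parsed into a dict, and the sample dicts are constructed from the examples on this page.

```python
from urllib.parse import urlparse

# Placeholder secrets used in the examples on this page.
PLACEHOLDERS = {"your-key", "your-password", "your-bouncer-api-key"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_config(cfg):
    """Return findings for a parsed bouncer config (hypothetical helper)."""
    findings = []
    cs = cfg.get("crowdsec", {})
    mt = cfg.get("mikrotik", {})

    # The API key is sent with every LAPI request, so plain HTTP is only
    # reasonable when the LAPI runs on the same host as the bouncer.
    url = urlparse(cs.get("api_url", ""))
    if url.scheme != "https" and url.hostname not in LOOPBACK:
        findings.append("crowdsec.api_url: not HTTPS and not a loopback host")

    # RouterOS serves its plaintext API on 8728 and API-SSL on 8729.
    # Assumption: a missing `tls` key means TLS is off.
    port = mt.get("address", "").rpartition(":")[2]
    tls = bool(mt.get("tls", False))
    if not tls:
        findings.append("mikrotik.tls: router login is sent unencrypted")
    if (tls and port == "8728") or (not tls and port == "8729"):
        findings.append("mikrotik.address: port does not match the tls setting")

    # Catch secrets copied verbatim from the documentation.
    for path, value in (("crowdsec.api_key", cs.get("api_key")),
                        ("mikrotik.password", mt.get("password"))):
        if value in PLACEHOLDERS:
            findings.append(f"{path}: placeholder secret left in place")
    return findings


# Constructed samples mirroring the minimal and secure examples above.
MINIMAL = {
    "crowdsec": {"api_url": "http://localhost:8080/", "api_key": "your-key"},
    "mikrotik": {"address": "192.168.0.1:8728", "username": "crowdsec",
                 "password": "your-password"},
}
HARDENED = {
    "crowdsec": {"api_url": "https://crowdsec.example.com:8080/",
                 "api_key": "constructed-key-for-demo"},
    "mikrotik": {"address": "192.168.0.1:8729", "username": "crowdsec",
                 "password": "constructed-pass-for-demo", "tls": True},
}
```
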