Examples
Complete configuration examples for common deployment scenarios.
The simplest configuration: blocks IPv4 traffic using filter rules only.
```yaml
crowdsec:
  api_url: "http://localhost:8080/"
  api_key: "your-key"

mikrotik:
  address: "192.168.0.1:8728"
  username: "crowdsec"
  password: "your-password"

firewall:
  ipv6:
    enabled: false
  raw:
    enabled: false
```

Maximum protection with all features enabled. Input rules are restricted to WAN traffic.
```yaml
crowdsec:
  api_url: "http://localhost:8080/"
  api_key: "your-key"

mikrotik:
  address: "192.168.0.1:8729"
  username: "crowdsec"
  password: "your-password"
  tls: true

firewall:
  ipv4:
    enabled: true
  ipv6:
    enabled: true
  filter:
    enabled: true
    chains: ["input"]
  raw:
    enabled: true
    chains: ["prerouting"]
  deny_action: "drop"
  rule_placement: "top"
  block_input:
    interface_list: "WAN"
  block_output:
    enabled: true
    interface_list: "WAN"

metrics:
  enabled: true
  listen_port: 2112
  track_processed: true

logging:
  level: "info"
```

All features enabled with advanced firewall rule customization: reject action, connection-state filtering, log prefixes, input whitelist, and output passthrough.
```yaml
crowdsec:
  api_url: "http://localhost:8080/"
  api_key: "your-key"

mikrotik:
  address: "192.168.0.1:8729"
  username: "crowdsec"
  password: "your-password"
  tls: true

firewall:
  ipv4:
    enabled: true
  ipv6:
    enabled: true
  filter:
    enabled: true
    chains: ["input"]
    connection_state: "new"
    log_prefix: "CS-FILTER"
  raw:
    enabled: true
    chains: ["prerouting"]
    log_prefix: "CS-RAW"
  deny_action: "reject"
  reject_with: "icmp-host-prohibited"
  rule_placement: "top"
  log: true
  log_prefix: "CS"
  block_input:
    interface_list: "WAN"
    whitelist: "crowdsec-whitelist"
  block_output:
    enabled: true
    interface_list: "WAN"
    log_prefix: "CS-OUT"
    passthrough_v4: "10.0.0.100"

metrics:
  enabled: true
  listen_port: 2112

logging:
  level: "info"
```

Balanced settings for larger local lists or partial CAPI usage on capable RouterOS hardware.
```yaml
crowdsec:
  api_url: "http://localhost:8080/"
  api_key: "your-key"
  origins: ["crowdsec", "cscli"]
  reconciliation_interval: "30m"

mikrotik:
  address: "192.168.0.1:8729"
  username: "crowdsec"
  password: "your-password"
  tls: true
  command_timeout: "60s"
  pool_size: 6

metrics:
  enabled: true
  routeros_poll_interval: "30s"
  track_processed: true
```

Use `pool_size: 1` or `2` on small routers. See Performance Tuning for sizing guidance.
Accept CAPI decisions but keep scenario filtering narrow while measuring router impact.
```yaml
crowdsec:
  api_url: "http://localhost:8080/"
  api_key: "your-key"
  origins: ["crowdsec", "cscli", "CAPI"]
  scenarios_containing: ["ssh", "http"]
  scenarios_not_containing: ["test"]

mikrotik:
  address: "192.168.0.1:8729"
  username: "crowdsec"
  password: "your-password"
  tls: true
  command_timeout: "60s"
  pool_size: 6

metrics:
  enabled: true
  track_processed: true
```

Start with local-only mode on small routers, then enable CAPI after checking reconciliation time and CPU. See CAPI Blocklists.
Place bouncer-managed filter rules after an existing router rule while keeping raw rules near the top:
```yaml
firewall:
  filter:
    enabled: true
    chains: ["input"]
  raw:
    enabled: true
    chains: ["prerouting"]
  rule_placement:
    strategy: "top"
    filter:
      strategy: "after_comment"
      comment: "defconf: drop invalid"
      comment_match: "exact"
      fallback: "top"
    raw:
      strategy: "position"
      position: 2
```

Use `before_comment` when the bouncer block must stay ahead of a known drop rule:
```yaml
firewall:
  rule_placement:
    strategy: "before_comment"
    comment: "PortScanners: Filter Drop Input"
    comment_match: "exact"
    fallback: "bottom"
```

The same global strategy can be configured with environment variables. Table-specific filter and raw overrides, plus IPv4/IPv6-specific placement, require YAML.
```bash
FIREWALL_RULE_PLACEMENT="after_comment"
FIREWALL_RULE_PLACEMENT_COMMENT="drop invalid"
FIREWALL_RULE_PLACEMENT_COMMENT_MATCH="contains"
FIREWALL_RULE_PLACEMENT_FALLBACK="top"
```

Split placement by address family when IPv4 and IPv6 rules need different locations. Protocol overrides inherit from the global placement first, then apply protocol-local filter or raw overrides.
```yaml
firewall:
  rule_placement:
    strategy: "top"
  ipv4:
    rule_placement:
      strategy: "before_comment"
      comment: "IPv4 production anchor"
      fallback: "bottom"
  ipv6:
    rule_placement:
      strategy: "bottom"
      raw:
        strategy: "position"
        position: 4
```

Syncs only locally-generated decisions (from your CrowdSec engine and manual `cscli` bans). No CAPI community blocklists.
```yaml
crowdsec:
  api_url: "http://localhost:8080/"
  api_key: "your-key"
  origins: ["crowdsec", "cscli"]

mikrotik:
  address: "192.168.0.1:8728"
  username: "crowdsec"
  password: "your-password"
```

All configuration via environment variables; no config file needed.
```yaml
services:
  cs-routeros-bouncer:
    image: ghcr.io/jmrplens/cs-routeros-bouncer:latest
    container_name: cs-routeros-bouncer
    restart: unless-stopped
    ports:
      - "2112:2112"
    environment:
      # CrowdSec
      CROWDSEC_URL: "http://crowdsec:8080/"
      CROWDSEC_BOUNCER_API_KEY: "your-bouncer-api-key"
      CROWDSEC_UPDATE_FREQUENCY: "10s"
      CROWDSEC_ORIGINS: "crowdsec cscli"

      # MikroTik
      MIKROTIK_HOST: "192.168.0.1:8728"
      MIKROTIK_USER: "crowdsec"
      MIKROTIK_PASS: "your-password"

      # Firewall
      FIREWALL_IPV4_ENABLED: "true"
      FIREWALL_IPV6_ENABLED: "true"
      FIREWALL_DENY_ACTION: "drop"
      FIREWALL_RULE_PLACEMENT: "top"
      # Advanced global placement example:
      # FIREWALL_RULE_PLACEMENT: "after_comment"
      # FIREWALL_RULE_PLACEMENT_COMMENT: "drop invalid"
      # FIREWALL_RULE_PLACEMENT_COMMENT_MATCH: "contains"
      # FIREWALL_RULE_PLACEMENT_FALLBACK: "top"

      # Logging
      LOG_LEVEL: "info"
      LOG_FORMAT: "json"

      # Metrics
      METRICS_ENABLED: "true"
      METRICS_PORT: "2112"
```

Secure connection with rule logging enabled.
```yaml
crowdsec:
  api_url: "https://crowdsec.example.com:8080/"
  api_key: "your-key"
  cert_path: "/etc/cs-routeros-bouncer/tls/cert.pem"
  key_path: "/etc/cs-routeros-bouncer/tls/key.pem"
  ca_cert_path: "/etc/cs-routeros-bouncer/tls/ca.pem"

mikrotik:
  address: "192.168.0.1:8729"
  username: "crowdsec"
  password: "your-password"
  tls: true

firewall:
  log: true
  log_prefix: "crowdsec-bouncer"
  deny_action: "drop"

logging:
  level: "info"
  format: "json"
  file: "/var/log/cs-routeros-bouncer.log"

metrics:
  enabled: true
```
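
A pre-deployment check for the transport and credential settings that differ between the plaintext and TLS examples on this page. This is an added example, not part of cs-routeros-bouncer: `lint_bouncer_config` and its finding codes are hypothetical, the config is assumed to be already loaded from YAML into a dict, and a missing `tls` key is assumed to mean plaintext.

```python
from urllib.parse import urlsplit

# Sample secrets that appear in this page's examples and must never ship.
PLACEHOLDERS = {"your-key", "your-password", "your-bouncer-api-key"}
API_PLAIN, API_TLS = 8728, 8729   # RouterOS API and API-SSL default ports
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def lint_bouncer_config(cfg):
    """Return sorted finding codes for a loaded config dict (hypothetical helper)."""
    findings = set()
    cs, mt = cfg.get("crowdsec", {}), cfg.get("mikrotik", {})

    if cs.get("api_key") in PLACEHOLDERS:
        findings.add("placeholder-api-key")
    if mt.get("password") in PLACEHOLDERS:
        findings.add("placeholder-password")

    # Assumption: a missing "tls" key means the plaintext API is used.
    tls = mt.get("tls") is True
    _, sep, port_s = str(mt.get("address", "")).rpartition(":")
    port = int(port_s) if sep and port_s.isdigit() else None
    if not tls:
        findings.add("routeros-api-plaintext")   # router password sent unencrypted
    if tls and port == API_PLAIN:
        findings.add("tls-on-plaintext-port")
    if not tls and port == API_TLS:
        findings.add("plaintext-on-tls-port")

    # The bouncer API key travels in every LAPI request; http is loopback-only.
    url = urlsplit(cs.get("api_url", ""))
    if url.scheme == "http" and url.hostname not in LOOPBACK:
        findings.add("lapi-http-non-loopback")
    # A client certificate is unusable without its private key, and vice versa.
    if bool(cs.get("cert_path")) != bool(cs.get("key_path")):
        findings.add("cert-key-mismatch")
    return sorted(findings)

# Constructed inputs: the first is this page's simplest example as a dict.
BASIC = {"crowdsec": {"api_url": "http://localhost:8080/", "api_key": "your-key"},
         "mikrotik": {"address": "192.168.0.1:8728", "username": "crowdsec",
                      "password": "your-password"}}
MIXED = {"crowdsec": {"api_url": "http://10.0.0.5:8080/", "api_key": "constructed-key",
                      "cert_path": "/etc/cs-routeros-bouncer/tls/cert.pem"},
         "mikrotik": {"address": "192.168.0.1:8729", "password": "constructed-pass"}}

if __name__ == "__main__":
    for name, cfg in (("basic", BASIC), ("mixed", MIXED)):
        print(name, lint_bouncer_config(cfg))
```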