MikroTik Configuration

Settings for the RouterOS API connection.

Connection

mikrotik.address Required

Env: MIKROTIK_HOST · Default: 192.168.0.1:8728

RouterOS API address in host:port format.

• Port 8728 — plaintext API
• Port 8729 — TLS-encrypted API

mikrotik:
  address: "192.168.0.1:8728"

mikrotik.username Required

Env: MIKROTIK_USER · Default: crowdsec

The RouterOS API username. Use a dedicated user with minimal permissions. See Router Setup for creating the user.

mikrotik.password Required

Env: MIKROTIK_PASS · Default: —

The RouterOS API password.

Environment variables

For sensitive values like passwords, use environment variables instead of the config file:

export MIKROTIK_PASS="your-secure-password"

TLS

mikrotik.tls Optional

Env: MIKROTIK_TLS · Default: false

Enable TLS for the RouterOS API connection. Requires the api-ssl service on the router (port 8729).

mikrotik:
  address: "192.168.0.1:8729"
  tls: true

mikrotik.tls_insecure Optional

Env: MIKROTIK_TLS_INSECURE · Default: false

Skip TLS certificate verification. Required for self-signed certificates.

Caution

If your router uses a self-signed certificate, you need to set tls_insecure: true. For production, consider using a CA-signed certificate.

Timeouts

mikrotik.connection_timeout Optional

Env: MIKROTIK_CONN_TIMEOUT · Default: 10s

Maximum time to wait for the initial API connection. Uses Go duration format.

mikrotik.command_timeout Optional

Env: MIKROTIK_CMD_TIMEOUT · Default: 30s

Maximum time to wait for a single API command to complete. Increase if you have a slow router or large address lists.

Tip

If you see timeout errors during reconciliation with large IP lists (20,000+), increase command_timeout to 60s or more. Note that with the script-based bulk add, individual API commands are small (100 IPs per script), so the default 30s is sufficient for most setups.

Connection Pool

mikrotik.pool_size Optional

Env: MIKROTIK_POOL_SIZE · Default: 4

Number of parallel RouterOS API connections used for bulk operations (adding, removing, and reconciling address-list entries). A higher value increases throughput during startup reconciliation and mass ban/unban events.

• Valid range: 1–20
• Auto-capping: On startup the bouncer queries the router’s API service max-sessions limit and automatically reduces the effective pool size so it never exceeds max-sessions − 2 (reserving connections for the main client and external tools such as WinBox).

mikrotik:
  pool_size: 8  # Higher parallelism for faster bulk operations

Checking the router limit

The RouterOS API service has a max-sessions setting that limits simultaneous connections. The factory default is 20.

# Check current limit
/ip/service/print where name=api

# Increase it (maximum supported value is 1000)
/ip/service/set api max-sessions=1000

Performance tuning

For small to medium deployments (≤ 5,000 IPs) the default pool_size: 4 is optimal. For very large CAPI lists (20,000+ IPs) increasing to 6–8 can noticeably reduce reconciliation time. Always verify the router’s max-sessions first:

/ip/service/set api max-sessions=1000

Note

Each pool connection is a full RouterOS API session. On resource-constrained routers (e.g., hAP lite) keep pool_size low (1–2) to avoid memory pressure.