Installation
cs-routeros-bouncer ships as a multi-arch container image, prebuilt Linux binaries with a systemd installer, and buildable Go source. Use Docker Compose if you already run CrowdSec in containers; use the systemd installer (cs-routeros-bouncer setup) on a bare-metal Linux host; build from source only if you need an unreleased platform or want to hack on the code.
Ideal if you already run CrowdSec in Docker.
Basic setup
Section titled “Basic setup”services: cs-routeros-bouncer: image: ghcr.io/jmrplens/cs-routeros-bouncer:latest container_name: cs-routeros-bouncer restart: unless-stopped ports: - "2112:2112" # Prometheus metrics (optional) environment: CROWDSEC_URL: "http://crowdsec:8080/" CROWDSEC_BOUNCER_API_KEY: "your-bouncer-api-key" MIKROTIK_HOST: "192.168.0.1:8728" MIKROTIK_USER: "crowdsec" MIKROTIK_PASS: "your-password"With config file
Section titled “With config file”The Docker image can run from environment variables alone. If you prefer a YAML file, mount it at /etc/cs-routeros-bouncer/config.yaml; the bouncer loads that file automatically when it exists:
services: cs-routeros-bouncer: image: ghcr.io/jmrplens/cs-routeros-bouncer:latest container_name: cs-routeros-bouncer restart: unless-stopped ports: - "2112:2112" volumes: - ./config.yaml:/etc/cs-routeros-bouncer/config.yamlStart the service:
docker compose up -dAutomatic setup (recommended)
Section titled “Automatic setup (recommended)”-
Download the latest release
Terminal window # Replace architecture as needed: amd64, arm64, armv7wget https://github.com/jmrplens/cs-routeros-bouncer/releases/latest/download/cs-routeros-bouncer_linux_amd64.tar.gztar xzf cs-routeros-bouncer_linux_amd64.tar.gz -
Run automated install
Terminal window sudo ./cs-routeros-bouncer setup -
Configure
Terminal window sudo nano /etc/cs-routeros-bouncer/cs-routeros-bouncer.yamlsudo systemctl restart cs-routeros-bouncer
The automated setup copies the binary, creates the config directory, writes a hardened systemd unit, enables the service, and starts it.
The setup subcommand accepts optional flags:
| Flag | Default | Description |
|---|---|---|
-bin | /usr/local/bin/cs-routeros-bouncer | Installation path for the binary |
-config-dir | /etc/cs-routeros-bouncer | Directory for configuration files |
The generated config is /etc/cs-routeros-bouncer/cs-routeros-bouncer.yaml unless -config-dir changes the directory.
Manual setup
Section titled “Manual setup”Manual installation steps (click to expand)
# Downloadwget https://github.com/jmrplens/cs-routeros-bouncer/releases/latest/download/cs-routeros-bouncer_linux_amd64.tar.gztar xzf cs-routeros-bouncer_linux_amd64.tar.gz
# Install binarysudo install -m 755 cs-routeros-bouncer /usr/local/bin/
# Create config directory and copy configsudo mkdir -p /etc/cs-routeros-bouncersudo cp cs-routeros-bouncer.yaml /etc/cs-routeros-bouncer/cs-routeros-bouncer.yaml
# Edit configurationsudo nano /etc/cs-routeros-bouncer/cs-routeros-bouncer.yaml
# Create systemd servicesudo tee /etc/systemd/system/cs-routeros-bouncer.service > /dev/null << 'EOF'[Unit]Description=CrowdSec RouterOS BouncerAfter=network-online.target crowdsec.serviceWants=network-online.target
[Service]Type=simpleExecStart=/usr/local/bin/cs-routeros-bouncer -c /etc/cs-routeros-bouncer/cs-routeros-bouncer.yamlRestart=on-failureRestartSec=10TimeoutStopSec=90LimitNOFILE=65536
# HardeningNoNewPrivileges=yesProtectSystem=strictProtectHome=yesReadWritePaths=/var/logPrivateTmp=yes
[Install]WantedBy=multi-user.targetEOF
sudo systemctl daemon-reloadsudo systemctl enable --now cs-routeros-bouncerUninstall
Section titled “Uninstall”# Keep config filessudo cs-routeros-bouncer uninstall
# Also remove configsudo cs-routeros-bouncer uninstall -purgeuninstall also accepts -bin and -config-dir if setup used custom paths. Pass the same -config-dir with -purge to remove that custom configuration directory.
See the CLI Reference for all setup and uninstall flags.
Prerequisites
Section titled “Prerequisites”- Go 1.26.4+ — Download
- Make — typically pre-installed on Linux
Build and install
Section titled “Build and install”-
Clone and build
Terminal window git clone https://github.com/jmrplens/cs-routeros-bouncer.gitcd cs-routeros-bouncermake buildThe binary is created at
bin/cs-routeros-bouncer. -
Install
Terminal window # Option 1: Automated installsudo bin/cs-routeros-bouncer setup# Option 2: Manual installsudo install -m 755 bin/cs-routeros-bouncer /usr/local/bin/
Verify installation
Section titled “Verify installation”After installing with any method, verify the bouncer is running correctly:
-
Check service status
Terminal window # Binary installationsudo systemctl status cs-routeros-bouncer# Docker Composedocker compose ps cs-routeros-bouncer -
Check health endpoint
Terminal window curl http://localhost:2112/health# {"status":"ok","routeros_connected":true,"version":"vX.Y.Z"} -
Check logs
Terminal window # Binary installationsudo journalctl -u cs-routeros-bouncer -f# Docker Composedocker compose logs -f cs-routeros-bouncer -
Verify router-side rules
/ip/firewall/filter/print where comment~"crowdsec"/ip/firewall/raw/print where comment~"crowdsec"/ip/firewall/address-list/print where list=crowdsec-banned