Quick Start
-
Register the bouncer with CrowdSec
On the machine running CrowdSec:
Terminal window sudo cscli bouncers add cs-routeros-bouncer -
Create a RouterOS API user
Connect to your MikroTik router (via SSH, Winbox, or WebFig) and create a dedicated user:
/user group add name=crowdsec policy=read,write,api,sensitive,!ftp,!local,!ssh,!reboot,!policy,!test,!password,!sniff,!romon,!rest-api/user add name=crowdsec group=crowdsec password=YOUR_SECURE_PASSWORDFor more details, see Router Setup.
-
Deploy the bouncer
services:cs-routeros-bouncer:image: ghcr.io/jmrplens/cs-routeros-bouncer:latestcontainer_name: cs-routeros-bouncerrestart: unless-stoppedports:- "2112:2112" # Prometheus metrics (optional)environment:CROWDSEC_URL: "http://crowdsec:8080/"CROWDSEC_BOUNCER_API_KEY: "your-bouncer-api-key"MIKROTIK_HOST: "192.168.0.1:8728"MIKROTIK_USER: "crowdsec"MIKROTIK_PASS: "your-password"Terminal window docker compose up -dTerminal window # Download (replace with your architecture: amd64, arm64, armv7)wget https://github.com/jmrplens/cs-routeros-bouncer/releases/latest/download/cs-routeros-bouncer_linux_amd64.tar.gztar xzf cs-routeros-bouncer_linux_amd64.tar.gz# Automated installsudo ./cs-routeros-bouncer setup# Edit configurationsudo nano /etc/cs-routeros-bouncer/cs-routeros-bouncer.yaml# Restart after editing configsudo systemctl restart cs-routeros-bouncer -
Verify it’s working
Terminal window # Check the health endpointcurl http://localhost:2112/health# {"status":"ok","routeros_connected":true,"version":"vX.Y.Z"}# Check logssudo journalctl -u cs-routeros-bouncer -fOn the router, you should see new firewall rules and address list entries:
/ip/firewall/filter/print where comment~"crowdsec"/ip/firewall/address-list/print where list=crowdsec-banned
Next steps
Section titled “Next steps” Full Installation Guide All deployment options explained in detail.
Configuration Reference Customize every aspect of the bouncer.
Monitoring Setup Set up Prometheus metrics and Grafana dashboard.