Quick Start
To install cs-routeros-bouncer, register the bouncer with CrowdSec (cscli bouncers add), create a dedicated RouterOS API user, and deploy the bouncer via Docker Compose or as a binary with systemd. Setup takes about 5 minutes; at the end, CrowdSec ban decisions appear automatically as MikroTik firewall rules.
What do I need before starting?
Section titled “What do I need before starting?”- CrowdSec 1.5+ with the Local API (LAPI) reachable from the bouncer host
- MikroTik RouterOS 7.x with the API service enabled (port 8728, or 8729 for TLS)
- A Linux host (or Docker) to run the bouncer
How do I install cs-routeros-bouncer?
Section titled “How do I install cs-routeros-bouncer?”-
Register the bouncer with CrowdSec
Bouncers authenticate to the CrowdSec LAPI with an API key (see the CrowdSec bouncers documentation). On the machine running CrowdSec:
Terminal window sudo cscli bouncers add cs-routeros-bouncer -
Create a RouterOS API user
Connect to your MikroTik router (via SSH, Winbox, or WebFig) and create a dedicated user:
/user group add name=crowdsec policy=read,write,api,sensitive,!ftp,!local,!ssh,!reboot,!policy,!test,!password,!sniff,!romon,!rest-api/user add name=crowdsec group=crowdsec password=YOUR_SECURE_PASSWORDFor more details, see Router Setup.
-
Deploy the bouncer
Choose one deployment method.
Docker Compose
services:cs-routeros-bouncer:image: ghcr.io/jmrplens/cs-routeros-bouncer:latestcontainer_name: cs-routeros-bouncerrestart: unless-stoppedports:- "2112:2112" # Prometheus metrics (optional)environment:CROWDSEC_URL: "http://crowdsec:8080/"CROWDSEC_BOUNCER_API_KEY: "your-bouncer-api-key"MIKROTIK_HOST: "192.168.0.1:8728"MIKROTIK_USER: "crowdsec"MIKROTIK_PASS: "your-password"Terminal window docker compose up -dBinary + systemd
Terminal window # Download (replace with your architecture: amd64, arm64, armv7)wget https://github.com/jmrplens/cs-routeros-bouncer/releases/latest/download/cs-routeros-bouncer_linux_amd64.tar.gztar xzf cs-routeros-bouncer_linux_amd64.tar.gz# Automated installsudo ./cs-routeros-bouncer setup# Edit configurationsudo nano /etc/cs-routeros-bouncer/cs-routeros-bouncer.yaml# Restart after editing configsudo systemctl restart cs-routeros-bouncer -
Verify it’s working
Terminal window # Check the health endpointcurl http://localhost:2112/health# {"status":"ok","routeros_connected":true,"version":"vX.Y.Z"}# Check logssudo journalctl -u cs-routeros-bouncer -fOn the router, you should see new firewall rules and address list entries:
/ip/firewall/filter/print where comment~"crowdsec"/ip/firewall/address-list/print where list=crowdsec-banned