Skip to content

Quick Start

To install cs-routeros-bouncer, register the bouncer with CrowdSec (cscli bouncers add), create a dedicated RouterOS API user, and deploy the bouncer via Docker Compose or as a binary with systemd. Setup takes about 5 minutes; at the end, CrowdSec ban decisions appear automatically as MikroTik firewall rules.

  • CrowdSec 1.5+ with the Local API (LAPI) reachable from the bouncer host
  • MikroTik RouterOS 7.x with the API service enabled (port 8728, or 8729 for TLS)
  • A Linux host (or Docker) to run the bouncer
  1. Register the bouncer with CrowdSec

    Bouncers authenticate to the CrowdSec LAPI with an API key (see the CrowdSec bouncers documentation). On the machine running CrowdSec:

    Terminal window
    sudo cscli bouncers add cs-routeros-bouncer
  2. Create a RouterOS API user

    Connect to your MikroTik router (via SSH, Winbox, or WebFig) and create a dedicated user:

    /user group add name=crowdsec policy=read,write,api,sensitive,!ftp,!local,!ssh,!reboot,!policy,!test,!password,!sniff,!romon,!rest-api
    /user add name=crowdsec group=crowdsec password=YOUR_SECURE_PASSWORD

    For more details, see Router Setup.

  3. Deploy the bouncer

    Choose one deployment method.

    Docker Compose

    services:
    cs-routeros-bouncer:
    image: ghcr.io/jmrplens/cs-routeros-bouncer:latest
    container_name: cs-routeros-bouncer
    restart: unless-stopped
    ports:
    - "2112:2112" # Prometheus metrics (optional)
    environment:
    CROWDSEC_URL: "http://crowdsec:8080/"
    CROWDSEC_BOUNCER_API_KEY: "your-bouncer-api-key"
    MIKROTIK_HOST: "192.168.0.1:8728"
    MIKROTIK_USER: "crowdsec"
    MIKROTIK_PASS: "your-password"
    Terminal window
    docker compose up -d

    Binary + systemd

    Terminal window
    # Download (replace with your architecture: amd64, arm64, armv7)
    wget https://github.com/jmrplens/cs-routeros-bouncer/releases/latest/download/cs-routeros-bouncer_linux_amd64.tar.gz
    tar xzf cs-routeros-bouncer_linux_amd64.tar.gz
    # Automated install
    sudo ./cs-routeros-bouncer setup
    # Edit configuration
    sudo nano /etc/cs-routeros-bouncer/cs-routeros-bouncer.yaml
    # Restart after editing config
    sudo systemctl restart cs-routeros-bouncer
  4. Verify it’s working

    Terminal window
    # Check the health endpoint
    curl http://localhost:2112/health
    # {"status":"ok","routeros_connected":true,"version":"vX.Y.Z"}
    # Check logs
    sudo journalctl -u cs-routeros-bouncer -f

    On the router, you should see new firewall rules and address list entries:

    /ip/firewall/filter/print where comment~"crowdsec"
    /ip/firewall/address-list/print where list=crowdsec-banned