Skip to content
cs-routeros-bouncer cs-routeros-bouncer

Quick Start

  1. Register the bouncer with CrowdSec

    On the machine running CrowdSec:

    Terminal window
    sudo cscli bouncers add cs-routeros-bouncer

  2. Create a RouterOS API user

    Connect to your MikroTik router (via SSH, Winbox, or WebFig) and create a dedicated user:

    /user group add name=crowdsec policy=read,write,api,sensitive,!ftp,!local,!ssh,!reboot,!policy,!test,!password,!sniff,!romon,!rest-api
    /user add name=crowdsec group=crowdsec password=YOUR_SECURE_PASSWORD

    For more details, see Router Setup.

  3. Deploy the bouncer

    Choose one deployment method.

    Docker Compose

    services:
      cs-routeros-bouncer:
        image: ghcr.io/jmrplens/cs-routeros-bouncer:latest
        container_name: cs-routeros-bouncer
        restart: unless-stopped
        ports:
          - "2112:2112" # Prometheus metrics (optional)
        environment:
          CROWDSEC_URL: "http://crowdsec:8080/"
          CROWDSEC_BOUNCER_API_KEY: "your-bouncer-api-key"
          MIKROTIK_HOST: "192.168.0.1:8728"
          MIKROTIK_USER: "crowdsec"
          MIKROTIK_PASS: "your-password"
    Terminal window
    docker compose up -d

    Binary + systemd

    Terminal window
    # Download (replace with your architecture: amd64, arm64, armv7)
    wget https://github.com/jmrplens/cs-routeros-bouncer/releases/latest/download/cs-routeros-bouncer_linux_amd64.tar.gz
    tar xzf cs-routeros-bouncer_linux_amd64.tar.gz
    

    # Automated install
    sudo ./cs-routeros-bouncer setup
    

    # Edit configuration
    sudo nano /etc/cs-routeros-bouncer/cs-routeros-bouncer.yaml
    

    # Restart after editing config
    sudo systemctl restart cs-routeros-bouncer

  4. Verify it’s working

    Terminal window
    # Check the health endpoint
    curl http://localhost:2112/health
    # {"status":"ok","routeros_connected":true,"version":"vX.Y.Z"}
    

    # Check logs
    sudo journalctl -u cs-routeros-bouncer -f

    On the router, you should see new firewall rules and address list entries:

    /ip/firewall/filter/print where comment~"crowdsec"
    /ip/firewall/address-list/print where list=crowdsec-banned

Next steps

Section titled “Next steps”
Full Installation Guide All deployment options explained in detail.
Configuration Reference Customize every aspect of the bouncer.
Monitoring Setup Set up Prometheus metrics and Grafana dashboard.

Built with Starlight · Powered by CrowdSec

GitHub Issues MIT License