Troubleshooting

  1. Verify the API service is enabled

    /ip/service/print where name=api
  2. Check the port matches your configuration (default: 8728, TLS: 8729)

  3. Verify firewall rules allow access from the bouncer’s IP

  4. If using Docker, ensure the container can reach the router network

  1. Verify credentials in your configuration file

  2. Check the user exists and has the correct group

    /user/print where name=crowdsec
  3. Verify the user’s group has required policies: api, read, write

  4. Check allowed address restrictions on the user account

  1. For self-signed certificates, set the CA path:

    crowdsec:
      ca_cert_path: "/path/to/ca.pem"
  2. Verify the certificate is valid and not expired

  3. Check the hostname matches the certificate’s CN or SAN

  1. Verify the LAPI URL

    curl http://localhost:8080/v1/decisions
  2. Check the bouncer API key

    cscli bouncers list
  3. If CrowdSec runs in Docker, ensure network connectivity between containers

Possible causes:

  1. No active decisions — check with cscli decisions list
  2. Origin filtering too restrictive — check crowdsec.origins config
  3. Scenario filtering excludes all — check crowdsec.scenarios_containing / crowdsec.scenarios_not_containing
  4. CrowdSec engine not detecting threats — check CrowdSec logs
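
To see which of the filtering causes above applies, this added example (not part of the bouncer or its documentation) replays the origin and scenario filters over decisions exported with cscli decisions list -o json. The JSON shape of the constructed sample, the function name explain_filters and the matching semantics (exact match for origins, substring match for scenarios) are assumptions.

```python
import json

# Constructed sample, trimmed to the fields used here. Assumed shape of
# `cscli decisions list -o json`: a list of alerts with nested decisions.
SAMPLE = json.loads("""[
 {"decisions": [{"origin": "crowdsec", "scenario": "crowdsecurity/ssh-bf", "value": "192.0.2.10"}]},
 {"decisions": [{"origin": "CAPI", "scenario": "crowdsecurity/http-probing", "value": "198.51.100.7"}]},
 {"decisions": [{"origin": "cscli", "scenario": "manual 'ban' from 'localhost'", "value": "203.0.113.5"}]},
 {"decisions": [{"origin": "lists", "scenario": "firehol_botscout_7d", "value": "192.0.2.99"}]}
]""")


def explain_filters(alerts, origins=(), containing=(), not_containing=()):
    """Return (kept_ips, dropped), where dropped maps IP -> filter that removed it.

    Assumed semantics: an empty filter matches everything, origins is an
    exact match, and the two scenario filters are substring matches.
    """
    kept, dropped = [], {}
    for alert in alerts:
        for d in alert.get("decisions") or []:
            ip, origin, scenario = d["value"], d["origin"], d["scenario"]
            if origins and origin not in origins:
                dropped[ip] = f"origins (origin={origin})"
            elif containing and not any(s in scenario for s in containing):
                dropped[ip] = f"scenarios_containing (scenario={scenario})"
            elif any(s in scenario for s in not_containing):
                dropped[ip] = f"scenarios_not_containing (scenario={scenario})"
            else:
                kept.append(ip)
    return kept, dropped


if __name__ == "__main__":
    # Hypothetical config: origins limited to local sources, scenarios to "http".
    kept, dropped = explain_filters(
        SAMPLE, origins=["crowdsec", "cscli"], containing=["http"])
    print("would be synced:", kept)
    for ip, why in dropped.items():
        print(f"dropped {ip}: {why}")
```

With the hypothetical settings in the main block every decision is dropped, which is the "nothing gets blocked" symptom of causes 2 and 3 combined.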

  1. Check filter and raw are enabled

    firewall:
      filter:
        enabled: true
      raw:
        enabled: true
  2. Look for errors in logs

    journalctl -u cs-routeros-bouncer -f
  3. Verify the user has write policy for firewall operations

  1. Verify rule_placement: "top" in configuration

  2. Check for dynamic rules at position 0 (the bouncer skips these and places its rules after them)

  3. Inspect positions manually

    /ip/firewall/filter print
    /ip/firewall/raw print

Performance benchmarks:

| List size | Time | CPU peak |
| --- | --- | --- |
| ~1,500 IPs (local) | ~9 s | ~14% |
| ~25,000 IPs (full CAPI) | ~2 min 50 s | ~23% |

To reduce impact:

  1. Filter synced decisions with origins:
    crowdsec:
      origins: ["crowdsec", "cscli"]
  2. Schedule bouncer restarts during low-traffic periods
  3. CPU impact is temporary — only during reconciliation

logging:
  level: "debug"

Or via environment variable:

LOG_LEVEL=debug cs-routeros-bouncer run -c config.yml

  1. Use host networking in Docker Compose:

    services:
      cs-routeros-bouncer:
        network_mode: host
  2. Or ensure the Docker network can route to the router’s IP

  3. Check DNS resolution if using hostnames

  1. Check file permissions: chmod 644 config.yml

  2. If using Docker secrets, ensure the secret is properly mounted

  3. Or use environment variables instead of a config file