Architecting a Collaborative Defense: Integrating CrowdSec with Mikrotik

-

In this post, we’ll move beyond static firewall rules and integrate CrowdSec with Mikrotik RouterOS v7. We are shifting from a traditional "set-and-forget" firewall to an Intelligence-Driven Defense that reacts to global threats in real-time.

The Goal

To offload the heavy lifting of log analysis to a dedicated Debian 12 LXC and use the Mikrotik API to dynamically block malicious IPs at the edge. This setup ensures your router stays fast while benefiting from a global community of threat intelligence.

Why CrowdSec?

  • Behavioral Analysis: It doesn't just look at IPs; it looks at patterns (e.g., SSH brute force).
  • Community Powered: If an IP is banned in Europe or the US, it’s automatically added to your Mikrotik’s blacklist.
  • Resource Efficient: The LXC does the "thinking," the Mikrotik does the "dropping."
Architect's Note: This setup is perfect for homelabs running on low-resource hardware. We avoid the CPU overhead of running heavy IDS/IPS rules directly on the router.

1. Provisioning the Debian LXC

Standard Debian 12 (Bookworm) template on Proxmox. 512MB RAM is plenty.

# Add CrowdSec Repo
curl -s https://install.crowdsec.net | os=debian dist=bookworm bash

# Install Engine and Mikrotik Bouncer
apt update && apt install crowdsec crowdsec-mikrotik-bouncer -y

2. Mikrotik Side Setup

We need to allow the LXC to talk to the router. Use a restricted user for security.

# Enable API
/ip service set api port=8728 disabled=no

# Create restricted group and user
/user group add name=crowdsec-api policy=api,read,write,test
/user add name=crowdsec-agent group=crowdsec-api password="YourSecurePassword"

3. Configuring the Bouncer

Edit the bouncer config to bridge the two systems: /etc/crowdsec/bouncers/crowdsec-mikrotik-bouncer.yaml

hosts:
  - address: "192.168.88.1:8728" # Mikrotik IP
    user: "crowdsec-agent"
    password: "YourSecurePassword"
    address_list: "CrowdSec_Blacklist"
    update_interval: 10s

Restart to apply: systemctl restart crowdsec-mikrotik-bouncer

4. The Firewall Rule

The "Enforcer" rule. This drops packets at the L3 level using the dynamic list.

/ip firewall filter
add chain=input action=drop src-address-list=CrowdSec_Blacklist comment="DROP: CrowdSec Global Threats"
add chain=forward action=drop src-address-list=CrowdSec_Blacklist comment="DROP: CrowdSec Forwarding"

Verification

Check the Mikrotik's IP > Firewall > Address Lists. You should see the CrowdSec_Blacklist populating with IPs. On the LXC, run cscli decisions list to see active bans.

Found this helpful? Check out my other deep-dives into Proxmox and Networking on Pinoy Tech Share.

Comments

Post a Comment

Popular posts from this blog

Suricata on Mikrotik(IDS+IPS) = Part 4 - Configuration of the IPS Part

-
Image
  Configuration Disclaimer:  this one again is only for  ubuntu 18.04  and login as  root  user to be sure Make sure you have a good understanding of the suricata rules before doing this This might cause some disconnection from the site or services you are visiting and even the internet if not properly configured. In the real environment it is best not to run as root user but for the sake of just testing it I opted to run as root configure the following rules on your mikrotik router: /ip firewall filter add action=drop chain=input comment="Block bad actors" src-address-list=Blocked /ip firewall filter add action=drop chain=forward comment="Drop any traffic going to bad actors" dst-address-list=Blocked create a user group with all policies checked except telnet create a user allowing your local addresses with the group you created earlier Lets Start ... 1.      Install PHP         apt install php -y 2.   Navigate...
Read more

DHCP for Dummies: How Your Devices Get Online Without You Lifting a Finger

-
Image
DHCP for Dummies: How Your Devices Get Online Without You Lifting a Finger Introduction Ever wondered how your phone, laptop, or smart TV connects to the internet without you having to do anything? One minute you’re tapping "Connect to Wi-Fi," and the next, boom—you’re online. That magic? It’s all thanks to DHCP. DHCP (Dynamic Host Configuration Protocol) is what hands out IP addresses to your devices, kind of like a hotel receptionist giving guests room keys. It’s automatic, invisible, and keeps everything running smoothly—until something breaks. In this guide, you’ll learn: ✔️ What DHCP is (in plain English). ✔️ How it works behind the scenes. ✔️ Why it’s better than manually assigning IP addresses. ✔️ How to fix common DHCP problems without calling IT. By the end, you’ll have a solid grip on DHCP—even if tech stuff usually makes your head hurt. Let’s go! --- What is DHCP? (The No-Nonsense Explanation) Okay, imagine you walk into a hotel. You don’t pick a room or set up a k...
Read more

AdGuard Home DNS for Newbies - Part 3

-
Image
🧩 Part 3: Connecting Your Network to AdGuard Home Configure Your Router or Devices to Use AdGuard Home Why This Step Matters Now that AdGuard Home is installed and running, it’s time to make your network actually  use  it. Right now, your devices are probably still asking Google’s (8.8.8.8), Cloudflare’s (1.1.1.1), or your ISP’s DNS servers for website lookups — which means no ad-blocking, no caching, and no privacy benefits yet. Connecting your network to AdGuard Home means rerouting those DNS lookups through your own local resolver — one you control. This unlocks: Ad-blocking and tracking protection  for every device on your network. Faster lookups  thanks to local caching. Full visibility  into what domains your devices are contacting. And don’t worry — you can test all of this safely, one step at a time. Method 1: Set DNS via Your Router (Whole-Network Filtering) This is the recommended setup because it’s  set-and-forget . Every device that joins your ...
Read more