Skip to main content

Mikrotik

The CrowdSec Mikrotik integration allows you to block malicious IPs in your Mikrotik router. This guide will walk you through the steps to integrate CrowdSec blocklists with your Mikrotik router.

Prerequisites

Before you begin, please ensure your Mikrotik device supports ingesting blocklists. If you are unsure, please refer to the Mikrotik documentation or contact Mikrotik support.

Steps

We will presume you followed the Getting Started guide and have created an account on the CrowdSec Console.

Once you are authenticated, you can proceed to the Blocklist tab located on the top menu bar, from there you can select the Integrations sub menu.

Once the page has loaded, you can click the "Connect" button under the Mikrotik logo.

Mikrotik Integration CardMikrotik Integration Card

Doing so will prompt you to name this integration, you can name it anything you like, for example "My Integration ". Note the name should be unique per integration that is tied to your account.

Mikrotik Integration Creation ScreenMikrotik Integration Creation Screen

Once the integration is generated you will be presented with a credentials screen that will provide you with the necessary information to configure your Mikrotik Router Firewall. This information will ONLY be displayed once, so please ensure you copy it down.

Mikrotik Integration Credentials ScreenMikrotik Integration Credentials Screen

Mikrotik Configuration

To configure the Mikrotik router, we will :

  1. Create a script that will fetch the blocklist from the CrowdSec API and import it into the Mikrotik firewall.
  2. Create a scheduler that will run the script every 10 minutes.

First you need to create a script.

Then you need to add the following script:

:local name "[crowdsec]"
:local url "https://admin.api.crowdsec.net/v1/integrations/<integration_id>/content"
:local fileName "blocklist.rsc"
:log info "$name fetch blocklist from $url"
/tool fetch url="$url" mode=https dst-path=$fileName http-auth-scheme=basic user="<username>" password="<password>" idle-timeout="30s" http-header-field="Accept-Encoding:gzip"
:if ([:len [/file find name=$fileName]] > 0) do={
    :log info "removing old ipv4 blocklist"
     /ip/firewall/address-list/remove [ find where list="crowdsec-integration" ];
    :log info "removing old ipv6 blocklist"
     /ipv6/firewall/address-list/remove [ find where list="crowdsec-integration" ];
    :log info "$name import;start"
    /import file-name=$fileName
    :log info "$name import:done"
} else={
    :log error "$name failed to fetch the blocklist"
}

You need to replace <integration_id>, <username> and <password> with the values provided in the console.

Do not change list="crowdsec-integration" in the script, as it is used by the data you fetch from the CrowdSec API.

When you click on "OK", the script will be created. You can now run the script and check the logs to see if it is working.

The script is now running and the blocklist is being imported into the Mikrotik firewall. To automate this process, you can create a scheduler that will run the script every 10 minutes.

Please be careful with the frequency of the scheduler and the blocklists size your subscribe to your integration, as it may cause performance issues on your Mikrotik device.

Pagination Script for Smaller Devices

For smaller MikroTik devices that cannot handle large blocklists at once, you can use this pagination script that fetches and imports the blocklist in smaller chunks:

# ========= CONFIG (v6) =========
:local name "[crowdsec]"
:local baseUrl "https://admin.api.crowdsec.net/v1/integrations/<integration_id>/content"
:local pageSize 15000

# Basic Auth (v6 uses http-auth-scheme + user/password)
:local user "<username>"
:local pass "<password>"

:local list4 "crowdsec-integration"
:local list6 "crowdsec-integration"

# Fetch timeout
:local fetchTimeout "30s"
# ===============================

:log info "$name start (v6, pagination, per-page import)"
:log info "$name clearing address-lists"
/ip firewall address-list remove  [ find where list=$list4 ]
/ipv6 firewall address-list remove [ find where list=$list6 ]

:local page 1
:local totalLines 0

:do {
    :local tmpname ("crowdsec_page_" . $page . ".rsc")

    # Fetch one page to a file (no big RAM usage)
    /tool fetch \
        url=($baseUrl . "?page=" . $page . "&page_size=" . $pageSize) \
        mode=https dst-path=$tmpname keep-result=yes \
        http-auth-scheme=basic user=$user password=$pass \
        idle-timeout=$fetchTimeout http-header-field="Accept-Encoding:gzip"

    :if ([:len [/file find where name=$tmpname]] = 0) do={
        :log error "$name fetch failed for page $page"
        :break
    }

    # Count non-empty lines to decide final page
    :local data [/file get $tmpname contents]
    :local itemsThisPage 0
    :while ([:len $data] > 0) do={
        :local nl [:find $data "\n"]
        :local line ""
        :if ($nl = nil) do={ :set line $data; :set data "" } else={
            :set line [:pick $data 0 $nl]
            :set data [:pick $data ($nl + 1) [:len $data]]
        }
        # Trim CR
        :if (([:len $line] > 0) && ([:pick $line ([:len $line]-1) [:len $line]] = "\r")) do={
            :set line [:pick $line 0 ([:len $line]-1)]
        }
        :if ([:len $line] > 0) do={ :set itemsThisPage ($itemsThisPage + 1) }
    }

    :log info "$name page $page: lines=$itemsThisPage"

    # Import this page immediately, then delete the temp file
    /import file-name=$tmpname
    /file remove $tmpname

    :set totalLines ($totalLines + $itemsThisPage)

    # Stop when this page is short
    :if ($itemsThisPage < $pageSize) do={
        :log info "$name final page reached (lines $itemsThisPage < $pageSize). Total imported: $totalLines"
        :break
    }

    :set page ($page + 1)
} while=true

:log info "$name done"

You need to replace <integration_id>, <username> and <password> with the values provided in the console.

adjust pageSize to be as close as your MikroTik can handle to lower the amount of pages it has to go through

Do not change list="crowdsec-integration" in the script, as it is used by the data you fetch from the CrowdSec API.

Benefits of the Pagination Script

  • Memory Efficient: Fetches and imports data in smaller chunks, reducing memory usage
  • Better for Small Devices: Ideal for MikroTik devices with limited RAM
  • Configurable Page Size: Adjust the pageSize variable based on your device's capabilities
  • Progress Logging: Provides detailed logs about import progress
  • Automatic Cleanup: Removes temporary files after each page import

When to Use Pagination

Use the pagination script when:

  • Your MikroTik device has limited RAM
  • You're experiencing memory issues with the standard script
  • You're importing large blocklists (50,000+ entries)
  • Your device frequently runs out of memory during imports

Format example

The CrowdSec blocklist will be in mikrotik format, with formatted data per line. Here is an example of how the blocklist will look:


/ip firewall address-list add list=crowdsec-integration address=1.2.3.4 comment="crowdsec/mikrotik" timeout=48h;
/ip6 firewall address-list add list=crowdsec-integration address=2001:0db8:85a3::/128 comment="crowdsec/mikrotik" timeout=48h;

Contribute to this documentation

Since CrowdSec is a community-driven project, we welcome contributions to this documentation. If you have any instructions or tips that you would like to share with the community, please feel free to open a pull request on our GitHub repository

Next Steps

Now that you have integrated CrowdSec integration with your Mikrotik router, you can proceed to the Blocklist Catalog to find what blocklists you can subscribe too.