I would like to share my recipe for running a CrowdSec
firewall bouncer on an EdgeOS router. It was tested on an ER-6P and it worked
quite well for the last 4 months on my company’s router.
I’m assuming the following:
- you have admin access to a Linux VM or PC with Ubuntu or Arch
- you have basic Linux CLI skills (can open terminal and run commands)
- you are familiar with SSH and EdgeOS configuration
- you are running a separate machine with CrowdSec’s LocalAPI
(running full CrowdSec installation on router should be possible,
but I didn’t test it)
- your router is available at
yourroutersaddress. Every time you see this word
in the instructions replace it with your real router’s address
(for example 192.168.1.1)
Things you should run on your PC are prefixed with pc $,
the ones to run on your router with router $ (or router # once you are root),
and the ones to run on the LocalAPI server with la $.
Anyway, let’s get into business:
You have to install the Go toolchain and Git on your Linux PC or VM.
On Ubuntu:
pc $ sudo apt install git golang-go
On Arch:
pc $ sudo pacman -S go git
Check with go version that the packaged Go is at least the version required by the bouncer’s go.mod; distribution packages can lag behind.
Then, clone the CrowdSec firewall bouncer repository to a folder on your PC:
pc $ git clone https://github.com/crowdsecurity/cs-firewall-bouncer.git
Now you have to establish your router’s architecture, i.e. the GOARCH value for the Go build.
For modern Cavium-based routers (ER-4, ER-6P, ER-12, …) it’s mips64 (64-bit, big-endian).
For MediaTek-based ones (ER-X, ER-10X, …) it’s mipsle (32-bit, little-endian).
In doubt, just SSH into your router and run
router $ uname -a
You’ll get something similar to:
Linux yourroutersname 4.14.54-UBNT #1 SMP Tue May 11 13:23:28 UTC 2021 mips GNU/Linux
Your architecture is the last word before GNU/Linux. In this case it’s mips.
Be careful, though: uname does not show the endianness. mips64 there means GOARCH=mips64,
but plain mips on the MediaTek models means GOARCH=mipsle, not mips; a big-endian build
will not run on them.
Build your CrowdSec bouncer’s binary. In the cloned cs-firewall-bouncer folder, run:
pc $ export GOOS=linux
pc $ # export GOARCH=<your router's architecture>, for example:
pc $ export GOARCH=mips64
pc $ make
After a short while, the build process should finish and you’ll have a
bouncer binary in your current folder named crowdsec-firewall-bouncer.
Connect to your LocalAPI server and create a bouncer token:
la $ cscli bouncers add yourroutersname
You’ll get a response similar to:
Api key for 'yourroutersname': aaaaaaaaaabbbbbbbbbbccccccccddff
Please keep this key since you will not be able to retrieve it!
Save the API key, it will be needed in the next step.
It’s time to SSH to your router and prepare your bouncer’s configuration.
We’ll install everything in the /config folder as it’s the only location
I know that survives firmware upgrades. The YAML file holds your LocalAPI key,
so treat it as a secret and don’t leave it world-readable.
pc $ ssh yourroutersaddress
router $ sudo -i
router # mkdir -p /config/user-data/crowdsec/bouncers
router # cat >/config/user-data/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml <<EOF
mode: ipset
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
api_url: <your LocalAPI's URL>
api_key: <the bouncer key you got from cscli bouncers add>
disable_ipv6: false
deny_action: DROP
deny_log: false
EOF
router # cat > /config/user-data/crowdsec-firewall-bouncer.service <<EOF
[Unit]
Description=The firewall bouncer for CrowdSec
After=syslog.target network.target remote-fs.target nss-lookup.target crowdsec.service

[Service]
Type=notify
ExecStartPre=-/sbin/ipset destroy crowdsec-blacklists
ExecStartPre=-/sbin/ipset destroy crowdsec6-blacklists
ExecStartPre=-/sbin/ipset create crowdsec-blacklists hash:net timeout 3600
ExecStartPre=-/sbin/ipset create crowdsec6-blacklists hash:net family inet6 timeout 3600
ExecStart=/config/user-data/crowdsec-firewall-bouncer -c /config/user-data/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
ExecStartPost=/bin/sleep 0.1

[Install]
WantedBy=multi-user.target
EOF
router # ln -s /config/user-data/crowdsec-firewall-bouncer.service /etc/systemd/system
The IPv6 set must be created with family inet6, otherwise the bouncer cannot add IPv6 decisions to it. Note that the WAN_IN rule below only covers IPv4; if you want IPv6 blocking as well, add a matching rule in your IPv6 firewall that references crowdsec6-blacklists.
Now we have to configure the EdgeRouter’s firewall to use CrowdSec’s ipsets.
Adapt to your configuration if needed, but keep the address-group name crowdsec-blacklists,
because that is the name of the ipset the bouncer writes to.
router # configure
router # set firewall group address-group crowdsec-blacklists description "Blacklist managed by CrowdSec"
router # set firewall name WAN_IN rule 35 action drop
router # set firewall name WAN_IN rule 35 description "Drop Crowdsec list"
router # set firewall name WAN_IN rule 35 protocol all
router # set firewall name WAN_IN rule 35 source group address-group crowdsec-blacklists
router # commit; save
router # exit
The address-groups created by EdgeOS are not the right type (for example they don’t have a timeout set),
that’s why they are recreated in the bouncer’s systemd unit definition.
Now we need to copy our bouncer’s binary from our PC to the EdgeRouter.
From the git checkout directory on your local PC (the cs-firewall-bouncer folder you cloned), run:
pc $ scp crowdsec-firewall-bouncer yourroutersaddress:/config/user-data/crowdsec-firewall-bouncer
Now the final step. On your router run
router # systemctl restart crowdsec-firewall-bouncer
and your router should start blocking malicious traffic in a few seconds. If systemd
complains that the unit is not found, run systemctl daemon-reload first so it picks up
the newly linked unit file. Note that linking the unit does not enable it, so it will not
start on its own after a reboot; start it from a script in /config/scripts/post-config.d/,
which (unlike the symlink in /etc/systemd/system) also survives firmware upgrades.
You can watch the logs by running
router # tail -f /var/log/crowdsec-firewall-bouncer.log
and confirm that decisions are actually arriving with ipset list crowdsec-blacklists.
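The whole build-and-deploy procedure above, collected into one script that you run on the PC. This is an added example, not code from the original post or from the CrowdSec project. It assumes Go and git are installed, the bouncer repository is cloned into the folder named in SRC, the router in ROUTER is reachable over SSH as an admin user with passwordless sudo, and the YAML config and systemd unit from the steps above are already in place under /config/user-data; ROUTER and SRC are placeholders to adjust. It goes slightly beyond the text: instead of reading uname by eye it reads the endianness byte of an ELF binary on the router, so that the ER-X family (which uname reports as plain mips) gets GOARCH=mipsle rather than a big-endian build, and after the restart it checks the unit state and the ipset contents.

```shell
#!/bin/sh
# Added example (not from the original post or the CrowdSec project): the procedure above
# as one script, run on the PC. Assumptions: Go and git installed, the bouncer repository
# cloned into $SRC, the router reachable over SSH as an admin user with passwordless sudo,
# and the YAML config plus the systemd unit already under /config/user-data on the router.
set -eu

ROUTER="${ROUTER:-yourroutersaddress}"   # placeholder: replace with your router's address
SRC="${SRC:-./cs-firewall-bouncer}"       # the git checkout from the clone step
UNIT=crowdsec-firewall-bouncer
CFG=/config/user-data/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

# Map the kernel machine name plus endianness to Go's GOARCH. uname -m alone is not
# enough: the MediaTek models (ER-X, ER-10X) report plain "mips" but are little-endian,
# so they need mipsle, not mips.
goarch_for() {
    machine="$1"; endian="$2"
    case "$machine:$endian" in
        mips64:big)    echo mips64 ;;
        mips64:little) echo mips64le ;;
        mips:big)      echo mips ;;
        mips:little)   echo mipsle ;;
        *) echo "unsupported machine/endianness: $machine/$endian" >&2; return 1 ;;
    esac
}

# Byte 5 of an ELF header (EI_DATA) is 01 for little-endian and 02 for big-endian.
ei_data_to_endian() {
    case "$1" in
        01) echo little ;;
        02) echo big ;;
        *) echo "not an ELF header or unknown EI_DATA byte: '$1'" >&2; return 1 ;;
    esac
}

# Endianness of a local ELF file, read with od (coreutils, also present on EdgeOS).
elf_endianness() {
    ei_data_to_endian "$(od -An -tx1 -j5 -N1 "$1" | tr -d ' \n')"
}

# Ask the router for its machine name and inspect one of its own binaries for endianness.
detect_router_goarch() {
    machine=$(ssh "$ROUTER" uname -m)
    byte=$(ssh "$ROUTER" od -An -tx1 -j5 -N1 /bin/sh | tr -d ' \n')
    goarch_for "$machine" "$(ei_data_to_endian "$byte")"
}

# Cross-compile in the checkout. For 32-bit MIPS, soft-float is chosen because it runs
# whether or not the SoC has an FPU (assumption: safe default, at a small speed cost).
build_bouncer() {
    goarch="$1"
    gomips=""
    case "$goarch" in mips|mipsle) gomips=softfloat ;; esac
    (cd "$SRC" && env GOOS=linux GOARCH="$goarch" GOMIPS="$gomips" make)
}

# Copy the binary, lock down the config holding the API key, register and (re)start the unit.
deploy_bouncer() {
    scp "$SRC/crowdsec-firewall-bouncer" "$ROUTER:/config/user-data/crowdsec-firewall-bouncer"
    ssh "$ROUTER" sudo sh -s <<EOF
set -e
chmod 600 $CFG
chmod 755 /config/user-data/crowdsec-firewall-bouncer
ln -sf /config/user-data/$UNIT.service /etc/systemd/system/$UNIT.service
systemctl daemon-reload
systemctl restart $UNIT
EOF
}

# Show that the unit is up and that decisions are landing in the ipset the firewall rule uses.
verify_bouncer() {
    ssh "$ROUTER" sudo sh -s <<EOF
systemctl is-active $UNIT
ipset list crowdsec-blacklists | head -n 12
tail -n 5 /var/log/$UNIT.log
EOF
}

# Only act when explicitly asked, so sourcing the file just defines the functions.
if [ "${1:-}" = deploy ]; then
    arch=$(detect_router_goarch)
    echo "router GOARCH: $arch"
    build_bouncer "$arch"
    deploy_bouncer
    verify_bouncer
fi
```

Run it as sh deploy-bouncer.sh deploy after setting ROUTER and SRC. Sourcing the file without the argument only defines the functions, which is handy for calling goarch_for or elf_endianness on their own.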
I tried to proof this tutorial, but I’m sure there are at least some errors and omissions. Feel free
to post your corrections into this thread, I’ll try to update this guide accordingly.