Multiple default routes in main route table

RouterOS General
1

Hello,

I have multiple default routes in the same “main” routing table.

Currently routes:
(suppose 10.10.10.0/24, 10.10.20.0/24, 10.10.30.0/24 are public IPs)
Print

#      DST-ADDRESS         GATEWAY              DISTANCE
0  As+ 0.0.0.0/0                  10.10.10.1                      20
1  As+ 0.0.0.0/0                  10.10.20.1                      20
2  As+ 0.0.0.0/0                  10.10.30.1                      20

I want to know what actions or steps I should take to have the specific IPs using the specific gateway only.
For example: all IPs from 10.10.10.0/24 using only gateway 10.10.10.1, and all IPs from 10.10.20.0/24 using only gateway 10.10.20.1
Since Zerotier doesn’t let me chose routing table, so I want to use only main table.

Those three routes are automatically enabled with ECMP. Sometimes the connection from 10.10.10.0/24 will route to 10.10.20.1 since the ECMP is like load balancing.

I’ve tried to use mangle rules.

add action=route chain=prerouting disabled=yes passthrough=yes route-dst=[b]10.10.10.1[/b] src-address=[b]10.10.10.0/24[/b]
add action=route chain=prerouting disabled=yes passthrough=yes route-dst=[b]10.10.20.1[/b] src-address=[b]10.10.20.0/24[/b]

The default route 0 and 1 will become unreachable when checking gateway - ping selected after I enable the mangle rules.

I think I might be using the wrong method or missed something.
Hope I can get some advice regarding this setup, and thank you so much.

2

If its whole subnets, dont use mangling.
If its a few users, dont use mangling
Instead use routing rules ( and I wont use your example of lan subnets somehow being in the same structure as each WAN subnet ;-PPP )

Consists of 3 steps
{add tables}
/routing table add fib name=useWAN1
/routing table add fib name=useWAN2
/routing table add fib name=useWAN3

{add routes}
/ip route
add dst=0.0.0.0/0 gwy=ISP1 routing-table=main
add dst=0.0.0.0/0 gwy=ISP2 routing-table=main
add dst=0.0.0.0/0 gwy=ISP3 routing-table=main
add dst=0.0.0.0/0 gwy=ISP1 routing-table=useWAN1
add dst=0.0.0.0/0 gwy=ISP2 routing-table=useWAN2
add dst=0.0.0.0/0 gwy=ISP3 routing-table=useWAN3

{add routing rules}
/routing rule add action=lookup src-address=10.100.10.0/24 table=useWAN1
/routing rule add action=lookup src-address=10.100.20.0/24 table=useWAN2
/routing rule add action=lookup src-address=10.100.30.0/24 table=useWAN3

NOTE: You should realize that LAN to LAN traffic will not occur as traffic is being forced out the specific route!!
Therefore if you require lets say LAN1 to be reachable by LAN2 and LAN3 add a routing rule ORDER COUNTS, before the other rules.

/routing rule add action=lookup dst-address=10.100.10.0/24 table=main

+++++++++++++++++++++++++++++++++++++++++++++++++++++

What is missing are your requirements for failover or not. These can be quite detailed and can included everything from NO failover to something like:
1 goes to 2 then 3
2 goes to 1 then 3
3 goes to 1 then 2

If however, they are all from the same ISP then no point, if the ISP is down all three are not available.
Note the ROUTING RULE paramer of action is current set to: action=lookup.
This means if the table is not available, then go to the main table and find a working route!!
If you didnt want the LAN subnets being routed out any other WAN, then change action to : action=lookup-only-in-table

3

Thank you so much for those instructions.

I have tried with different routing tables and it works fine.

What I’m looking for is to route 10.0.10.0/24 using gateway 10.0.10.1 and 10.0.20.0/24 using gateway 10.0.20.1, all within the same routing table.
(suppose 10.10.10.0/24, 10.10.20.0/24, 10.10.30.0/24 are public IPs)

Maybe using connection marks or packet marks, but couldn’t find any tutorials.

4

Sorry no capiche,

I understand users or LAN subnets wanting to go out specific WANs, WAn1, Wan2, Wan3.
Wans1-3 may be from the same or different ISPs.
They may have different connection types, standard cable, wifi, PPPOE, or starlink for example.

So your explanation does nothing to provide any fidelity for understanding of what you actually have and what you actually need to do.
Its about user requirements not the config. The Config can be derived with a proper understanding of the user requirements.

5

I followed your example and it worked a treat for me. I have 2 WAN ports and got it working with only 2 default routes. I have 1 entry in main and one entry in the second routing table. Why do you have 6 entries?

6

That is not an example to use in any config, its generic.
For example on a config the first three main routes should be separated by distance etc..

If you have a real config with real questions, then post your config and we can discuss your particular requirments

  • how many wans,
  • primary failover or load balance
  • any VPN
  • any LAN servers
    etc…
7

Note my current setup is working well for me (thanks to you). I was just curious why you had 6 default routes instead of 3. However if you want to comment on my setup I’m open to any suggestions. I’m not an expert.

I have 3 WANs, my regular home intenet which uses static IP, LTE via a Mikrotik SXT and a wireguard interface that goes to NordVPN via the active WAN. I don’t have or want automatic failover, I switch to the SXT manually by disabling the default route when my main internet is out (I only plug in the SXT when necessary). That way the second default route takes over and starts pushing data to the SXT. For Nord, currently I just have anything that comes in from the LAN on vlan 9 going to Nord.

/routing rule
add action=lookup dst-address=192.168.9.0/24 table=main
add action=lookup dst-address=192.168.1.0/24 table=main
add action=lookup src-address=192.168.9.0/24 table=useNord

/ip route
add comment=“Disable to use 4G. Leave everything else the same. The 4G router must be in port 4 of the Netgear” disabled=no dst-address=0.0.0.0/0
gateway=x.x.x.x pref-src=“” routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=192.168.4.1 pref-src=“” routing-table=main scope=30 suppress-hw-offload=no target-scope=
10
add disabled=no dst-address=0.0.0.0/0 gateway=Nord pref-src=“” routing-table=useNord scope=30 suppress-hw-offload=no target-scope=10

/ip firewall nat
add action=src-nat chain=srcnat comment=“Internet via eth2” out-interface=ether2 to-addresses=x.x.x.x
add action=masquerade chain=srcnat comment=“Mikrotik 4G (port 4 of Netgear Switch)” out-interface=VLAN4
add action=masquerade chain=srcnat comment=“Nord” out-interface=Nord to-addresses=x.x.x.x

/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=forward dst-address=192.168.3.0/24 src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=192.168.3.0/24
add action=accept chain=input comment=“Allow SSH and Web from LAN” dst-address=192.168.1.100 dst-port=22,80 protocol=tcp src-address=192.168.1.0/24
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-mark=!ipsec connection-state=established,related hw-offload=
yes
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new
in-interface-list=WAN

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.100 next-server=192.168.1.148
add address=192.168.9.0/24 dns-server=8.8.8.8 gateway=192.168.9.1

/interface wireguard peers
add allowed-address=0.0.0.0/0,10.x.x.x/24 comment=Nord endpoint-address=x.x.x.x endpoint-port=xxxx interface=Nord public-key=
“xxxxxxxxxxxxxx”

/ip address
add address=x.x.x.x/30 interface=ether2 network=x.x.x.x
add address=192.168.1.100/24 interface=LAN_BRIDGE network=192.168.1.0
add address=192.168.4.10/24 interface=VLAN4 network=192.168.4.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=x.x.x.x interface=Nord network=x.x.x.x
add address=192.168.9.1/24 interface=VLAN9 network=192.168.9.0

/ip pool
add name=POOL_LAN ranges=192.168.1.100-192.168.1.150
add name=POOL9 ranges=192.168.9.100-192.168.9.200
/ip dhcp-server
add address-pool=POOL_LAN interface=LAN_BRIDGE lease-time=4h name=server1
add address-pool=POOL9 interface=VLAN9 name=DHCP9

/interface vlan
add interface=LAN_BRIDGE name=VLAN4 vlan-id=4
add interface=LAN_BRIDGE name=VLAN9 vlan-id=9

8

The reason for six rules ( actually only 3 default type routes using table main, the other three are routes that could pertain to mangling or routing rules.

In your case you only have two WANS, and really one WAN at a time. The VPN is not a WAN exactly but you force vlan9 out the tunnel vice the local working WAN.

What is nonsensical is the allowed IP entry of 10.x anything. The 0.0.0.0/0 covers all possible entries so the 10 whatever is redundant.
Also nonsensical is this input chain rule… your device is not receiving handshake its sending one out to Nord Server.
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp

+++++++++++++++++

Looking at routing rules. all good, you can shorten it up by apparently using this nifty rule that keeps local traffic flowing.

/routing rule
add action=lookup-only-in-table Min-Prefix=0 table=main
add action=lookup src-address=192.168.9.0/24 table=useNord

You dont need to disable the WAN1 main route at all. If the main route is not working, there will be no traffic, regardless.
When you plug in the SXT the router will find that route and start sending traffic.
The question is do you want the traffic to back out WAN1 when it comes back on line automatically???

In terms of sourcenat, the only one that I would change is probably the nord one. (remove the to address not required, simply state the out going interface as the wireguard one.
/ip firewall nat
add action=src-nat chain=srcnat comment=“Internet via eth2” out-interface=ether2 to-addresses=x.x.x.x
add action=masquerade chain=srcnat comment=“Mikrotik 4G (port 4 of Netgear Switch)” out-interface=VLAN4
add action=masquerade chain=srcnat comment=“Nord” out-interface=Nord

Couple of other things would do is set the DNS server on the .9 network to the DNS that NORD should have given you??
add address=192.168.9.0/24 dns-server**=???** gateway=192.168.9.1

Also ensure you have the standard IP DNS setting of:
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

Finally, to ensure optimal NORD experience for various websites consider including a mangle rule.
/ip firewall mangle
add action=change-mss chain=forward comment=“Clamp MSS to PMTU for Outgoing packets” new-mss=clamp-to-pmtu out-interface=Nord passthrough=yes protocol=tcp tcp-flags=syn

and if that doesnt work the alternative.
/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=Nord protocol=tcp tcp-flags=syn tcp-mss=1381-65535

9

Thanks for the reply. The FW rule for wireguard is there for other peers not shown in the config I posted. With regards the 2 WANs, I need to do it manually because sometimes my primary internet is working but slow. My main internet is wireless NBN in Australia so can become unusable in really bad weather. Everything else you’ve said makes a lot of sense and I will got through them all. The nord info is useful, I went through MTU issues when trying without success to get Nord to function with IP Sec.

10

If you ever run into mTU issues with Nord wireguard, then on the MT device,

Try this first
add action=change-mss chain=forward comment=“Clamp MSS to PMTU for Outgoing packets” new-mss=clamp-to-pmtu out-interface=Wireguard-Name passthrough=yes protocol=tcp tcp-flags=syn

IF no joy an alternate is this:
add action=change-mss chain=forward new-mss=1380 out-interface=Wireguard-Name protocol=tcp tcp-flags=syn tcp-mss=1381-65535