Recursive routing question

nsarant · July 15, 2024, 8:20am

Hi,

I am trying to understand something related to recursive routing and since I cannot find the answer, here it is.

When I use recursive routing, so let’s say:
0.0.0.0/0 → 8.8.8.8 , with ping enabled and correct scope
8.8.8.8 → ISP Gateway with correct scope

Do I actually send my packets to 8.8.8.8 or it is purely used to find next hop? As in, if there is a router there on 8.8.8.8, does it see my internet traffic or just my pings from “check gateway”?

jaclaz · July 15, 2024, 8:34am

Only the pings.
Check this:
http://forum.mikrotik.com/t/trying-to-understand-this-config-mikrotik-automatic-isp-fail-over-without-scripts-or-route-marking/177349/1

nsarant · July 15, 2024, 7:20pm

Thank you!

The post quite analytical, @anav ftw. I just cannot grasp why it works, as in I cannot visualize the packet flow along with the routing decision order so I can understand what the heck represent scope and target-scope.

I am so used to scope in scripting and programming but I can’t get it in RouterOS.

BUT, as long as I know that the routing doesn’t go to 8.8.8.8, it’s enough for me.

So TL;DR there is no real reason to not use recursive routing every single time you have 2-4 WANs and want failover. The only downside I can see is that it locks a specific DNS(or whatever target you choose to ping) to a specific ISP gateway, so I’d need to be careful about Mikrotik’s own DNS and the DNS I serve if I am DHCP Server, in order to work when ISP is down.

sindy · July 15, 2024, 8:02pm

The “recursive routing” is just an incorrect shortcut for “recursive next-hop search”; the search processs has nothing to do with the actual packet flow. And the whole way how the recursive next-hop search is used separately from dynamic routing protocols and combined with check-gateway to allow monitoring of uplink transparency is a “creative misuse” of features that were originally intended for different purposes.

So when you specify an address a.a.a.a that is outside of any “connected subnet” (i.e. one in which the router has one of its own IP addresses) as a gateway of a route, such an address clearly cannot be used as an actual gateway because it cannot be directly mapped to any local interface; instead, the gateway of another available route towards a.a.a.a is used if such route exists; if the gateway of that route is also outside of any “connected subnet”, the process recursively repeats until a route with a “locally reachable” gateway is actually found. But this process does not involve sending of any packets.

The scope and target-scope values are used to prevent loops in this recursive next-hop search process - each route can only look for routes towards its own gateway among those whose scope is same or lower than its own target-scope. So you can read the term “scope” as “search scope” if it makes you more comfortable with it.

check-gateway=ping, on the other hand, pings the gateway address of the route on which it is used (a.a.a.a in the example above), no matter whether that gateway address is reachable locally or not. So effectively, it uses the recursively found next hop (= locally reachable gateway) of the route to send the pings, and if the path beyond that locally reachable gateway is faulty, it gets no responses and marks the route as ineligible.

jaclaz · July 15, 2024, 8:12pm

There is a further issue (minor, still …) you are “burning” a DNS server for each recursive instance.
Although most examples you can find are using 8.8.8.8, many people will use it as a hardcoded DNS server, so in real setups one should use for recursive less common but still highly reliable ones.
There are similar, but different ways, here Is another one, I believe easier to understand:
http://forum.mikrotik.com/t/simpler-failover-for-two-gateways-i-found-working/169108/1

llamajaja · July 16, 2024, 12:59pm

Okay then please explain how traffic from the user on the LAN when selecting www address, gets routed?? I am curious.

The router doesnt have
dst-address=0.0.0.0/0 gateway=ISP1 routing table=main to falll back on.

sindy · July 16, 2024, 1:22pm

And how is that related? Maybe I have used a confusing wording, what I had in mind was that searching for the actual (locally reachable) gateway does not involve sending any packets. The final outcome is that the route to 0.0.0.0/0 configured with gateway=a.a.a.a actually sends the packets via the locally reachable gateway found using the recursive search, provided that said route is active, i.e. not superseded by another one or inactivated due to failure of the check-gateway ping.

So if at least one “recursive” route is active, it is used for traffic, and no fallback is required. If no route is active on Mikrotik and the www traffic nevertheless flows, the client must be using some alternative uplink.

llamajaja · July 16, 2024, 2:04pm

Thank you, yes the wording was misleading ( at least to my simple brain ) , you have clarified it.