aesmith
Member Candidate
Topic Author
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Route via a Specific Interface Only

Sun Oct 18, 2020 5:37 pm

Hi,
This is for Internet fail over. What's the best way in RouterOS to configure a route via a specific interface, so that if that interface is down it won't route via the default route (or any other less specific route)? I think I can do it by adding a route to Null for the same /32 but with worse distance, assuming longest prefix match still applies. But that's a bit ugly, so I wondered if there's a neater way.
Thanks, Tony S
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route via a Specific Interface Only

Sun Oct 18, 2020 6:23 pm

Wild assed guess, where primary ISP is the one you don't want to go to the backup route and 192.168.1.0/24 is your subnet that you wish to apply to the scenario.

Ip route primary ISP distance=5
Ip route secondary ISP distance=10
Ip route primary ISP distance 8 Routing Mark=StopmeNOW
Ip route rule Source address=192.168.1.0/24 action=lookup only in table table=StopmeNOW
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Route via a Specific Interface Only

Sun Oct 18, 2020 6:29 pm

> Hi,
> This is for Internet fail over. What's the best way in RouterOS to configure a route via a specific interface, so that if that interface is down it won't route via the default route (or any other less specific route)? I think I can do it by adding a route to Null for the same /32 but with worse distance, assuming longest prefix match still applies. But that's a bit ugly, so I wondered if there's a neater way.
> Thanks, Tony S

Alternatively you can put the route into a separate routing table, and add a matching route rule that will allow lookup for that destination only in that table.
But your initial idea of having a duplicate route with type unreachable is simpler.
 
aesmith
Member Candidate
Topic Author
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Re: Route via a Specific Interface Only

Sun Oct 18, 2020 7:07 pm

Cheers, I was thinking of something like this, where 172.17.47.2 is my primary Internet router and 172.17.47.6 the secondary ...
/ip route
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=172.17.47.2 scope=10
add distance=2 dst-address=8.8.8.8/32 type=blackhole
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8
add distance=2 dst-address=0.0.0.0/0 gateway=172.17.47.6
If I want to test two remote hosts, and only failover if both are down, then I would repeat the first three lines but with my second remote host. So the preferred default route stays in service unless both remote hosts are unreachable.
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Route via a Specific Interface Only

Sun Oct 18, 2020 7:17 pm

That should work.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route via a Specific Interface Only

Sun Oct 18, 2020 8:12 pm

Hmm never used blackhole, interesting.
I guess I find it hard to fathom not providing internet since one has a backup ISP.
 
aesmith
Member Candidate
Topic Author
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Re: Route via a Specific Interface Only

Mon Oct 19, 2020 1:01 pm

> Hmm never used blackhole, interesting.
> I guess I find it hard to fathom not providing internet since one has a backup ISP.

I presume "blackhole" just bins the packet silently, like a route to Null on other vendors' kit, whereas "unreachable" or "prohibit" return ICMP errors.
Either way the goal is to make sure that my remote host, in this case 8.8.8.8, is not reachable over the backup Internet.

Although for clarity when I do this for real I might use a different remote host, something like my main ISP's DNS or NTP server may be a better test. And again for clarity I don't use 8.8.8.8 for DNS.
 
aesmith
Member Candidate
Topic Author
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Re: Route via a Specific Interface Only

Tue Oct 20, 2020 6:39 pm

I just saw elsewhere that an interface can be specified along with the gateway definition, I presume this is just not supported by Winbox. Maybe this does away with the need for the second blackhole route. Will have to test when I get a chance, but if it works it will look something like ..
/ip route
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=172.17.47.2%ether5 scope=10
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8
add distance=2 dst-address=0.0.0.0/0 gateway=172.17.47.6
Or maybe the "nailed up" interface needs to be applied to the subsequent route ...
/ip route
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=172.17.47.2 scope=10
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8%ether5
add distance=2 dst-address=0.0.0.0/0 gateway=172.17.47.6
Just need to agree some downtime to test properly.
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Route via a Specific Interface Only

Wed Oct 21, 2020 12:01 am

The second is the right one.
That's interesting to know if %interface can actually be used to "bind" ping check to this interface only.
 
aesmith
Member Candidate
Topic Author
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Re: Route via a Specific Interface Only

Wed Oct 21, 2020 7:15 pm

It doesn't work on the recursive route, as soon as you stick the %ether5 it goes unreachable. To be clear, this route shows as unreachable, but becomes reachable as soon as I remove the "%ether5"
 ip route add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8%ether5
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Route via a Specific Interface Only

Wed Oct 21, 2020 10:11 pm

It seems that you are right.
 
aesmith
Member Candidate
Topic Author
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Re: Route via a Specific Interface Only

Mon Nov 02, 2020 2:48 pm

I finally got around to testing. It turns out that, not for the first time, I was overcomplicating things. I don't actually need the black hole route unless I want to see a particular remote gateway as down for any particular reason. So my basic configuration is ...
/ip route
add check-gateway=ping comment="*** Default Route - recursive ***" distance=2 gateway=8.8.8.8
add check-gateway=ping comment="*** Default Route - recursive ***" distance=2 gateway=1.1.1.1
add check-gateway=ping comment="*** Default Route - Static ADSL ***" distance=3 gateway=<Address of ADSL router>
add check-gateway=ping comment="*** Remote Gateway ***" distance=1 dst-address=1.1.1.1/32 gateway=<Address of LTE router> scope=10
add check-gateway=ping comment="*** Remote Gateway ***" distance=1 dst-address=8.8.8.8/32 gateway=<Address of LTE router> scope=10
If the LTE router is completely down, the two Remote Gateway routes show as unreachable, so do the two recursive default routes. However from an inside host on the LAN I can still ping 1.1.1.1 or 8.8.8.8. This shows that it is using the default route for those destinations, but this is not messing up the recursive routes.

I might still add the black hole route for at least one of the remote gateways, that way losing contact with that destination would be an alert that the Internet has failed over.
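
The behaviour reported in the last post, as an added example that is not part of the thread: a simplified Python model of route selection (longest prefix, then lowest distance) in which a recursive next hop may only be resolved through routes with scope 10 or lower. The router addresses are placeholders, and the default scope of 30 and target-scope of 10 are assumptions about RouterOS defaults; this is a model, not RouterOS's own code.

```python
import ipaddress

LTE, ADSL = "192.0.2.1", "198.51.100.1"   # placeholder router addresses (constructed)

def table(blackhole=False):
    """Routes from the final post; scope is assumed to default to 30 unless set."""
    t = [dict(dst="0.0.0.0/0", gw="8.8.8.8", distance=2),
         dict(dst="0.0.0.0/0", gw="1.1.1.1", distance=2),
         dict(dst="0.0.0.0/0", gw=ADSL, distance=3),
         dict(dst="1.1.1.1/32", gw=LTE, distance=1, scope=10),
         dict(dst="8.8.8.8/32", gw=LTE, distance=1, scope=10)]
    if blackhole:  # the optional pinning route discussed in the thread
        t.append(dict(dst="8.8.8.8/32", gw=None, distance=2))
    return t

def resolvable(t):
    """Routes allowed to resolve a recursive next hop (scope <= assumed target-scope 10)."""
    return [r for r in t if r.get("scope", 30) <= 10]

def active(r, t, up, probes_ok):
    if r["gw"] is None:                 # blackhole routes are always active
        return True
    if r["gw"] in (LTE, ADSL):          # direct next hop: check-gateway=ping on the router
        return r["gw"] in up
    # recursive next hop: must resolve via a low-scope route AND answer the ping check
    return lookup(r["gw"], resolvable(t), up, probes_ok) == LTE and r["gw"] in probes_ok

def lookup(dst, t, up, probes_ok):
    """Return the egress router for dst, 'blackhole', or None if no route is active."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in t if addr in ipaddress.ip_network(r["dst"])
             and active(r, t, up, probes_ok)]
    if not cands:
        return None
    best = min(cands, key=lambda r: (-ipaddress.ip_network(r["dst"]).prefixlen, r["distance"]))
    if best["gw"] is None:
        return "blackhole"
    if best["gw"] in (LTE, ADSL):
        return best["gw"]
    return lookup(best["gw"], resolvable(t), up, probes_ok)

if __name__ == "__main__":
    # columns: scenario, egress for a generic host, egress for 8.8.8.8 without/with blackhole
    for name, up, ok in [("all up", {LTE, ADSL}, {"8.8.8.8", "1.1.1.1"}),
                         ("LTE router down", {ADSL}, set()),
                         ("LTE upstream dead", {LTE, ADSL}, set())]:
        print(name, lookup("203.0.113.9", table(), up, ok),
              lookup("8.8.8.8", table(), up, ok), lookup("8.8.8.8", table(True), up, ok))
```

With the LTE router down, the model sends LAN traffic for 8.8.8.8 out via the ADSL default unless the blackhole route is present, which is what makes loss of that host usable as a failover alert.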
