rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Routes to multiple addresses

Sun Apr 25, 2021 2:18 pm

Good day All

Short version
I'm looking at doing away with all my bridges and wanting to go full routing but I'm at a loss. When creating a Route, you can only specify a single address or a range (which is defined by subnet, which is not ideal for closely spaced IPs). Is there a way you can predefine certain addresses the route can be applied to?

Longer version
I have multiple VPN connections settling on multiple bridges (my way of isolating certain segments of the network) but I would like to do away with the bridges so that broadcasts can be sent to specific points instead of being broadcast all over. I would imagine this not only being beneficial to "general" traffic but might also help with the SNMP requests being sent every few minutes (LibreNMS).

Any ideas/pointers/general direction?

Thanks,
R
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Routes to multiple addresses

Sun Apr 25, 2021 4:28 pm

There is no way to use a list of prefixes as a dst-address of a single route.

The usual approach is to use a dynamic routing protocol such as OSPF or BGP.

Another approach might be to use mangle rules (which can match on dst-address-list) to assign routing-mark values, and have just a default route for each routing-mark value, but it is just moving the problem somewhere else - instead of N routes via the same gateway, you will have a single route but N items in the address-list. With dynamic routing protocols, you'll still have N routes but you won't have to configure them manually.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Routes to multiple addresses

Sun Apr 25, 2021 4:30 pm

Routes are selected by netmask so the granularity is by increasing powers of 2, however it is possible to use routing marks and lookups in alternate routing tables in specific scenarios.

Unless you are using EoIP or BCP to create layer 2 (ethernet) VPN connections, broadcasts are irrelevant; they will not be transmitted over layer 3 (IP) VPN connections.
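The point made in the two replies above (one route per prefix, prefixes sized in powers of 2) can be checked for any set of closely spaced hosts. The following is an added example, not part of the original posts; the host addresses and function names are constructed for illustration. It computes the exact routes needed and, for comparison, the single covering prefix and how many unintended addresses that prefix would also send through the same gateway.

```python
import ipaddress

# Constructed sample: closely spaced hosts that should share one gateway.
HOSTS = ["10.10.1.5", "10.10.1.6", "10.10.1.7", "10.10.1.9", "10.10.1.20"]


def exact_routes(hosts):
    """Smallest list of prefixes that matches exactly the given hosts.

    Each host starts as a /32; adjacent, aligned hosts are merged into
    larger prefixes. This is the number of routes (or address-list
    entries) needed without routing anything extra.
    """
    nets = [ipaddress.ip_network(h) for h in set(hosts)]
    return sorted(ipaddress.collapse_addresses(nets))


def covering_route(hosts):
    """Smallest single prefix containing every host.

    Returns (prefix, extra), where extra is the count of addresses the
    prefix matches that were not in the host list. Those addresses would
    follow the same route, so segment isolation then depends entirely on
    firewall rules.
    """
    addrs = sorted(ipaddress.ip_address(h) for h in set(hosts))
    net = ipaddress.ip_network(str(addrs[0]))  # start from the lowest host
    while addrs[-1] not in net:
        net = net.supernet()  # widen by one bit: size doubles each step
    return net, net.num_addresses - len(addrs)


if __name__ == "__main__":
    routes = exact_routes(HOSTS)
    print(f"{len(routes)} exact routes:", ", ".join(map(str, routes)))
    net, extra = covering_route(HOSTS)
    print(f"single covering route {net} also matches {extra} other addresses")
```
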
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: Routes to multiple addresses

Sun Apr 25, 2021 9:46 pm

Hi sindy and tdw

So I can basically set up OSPF and the router will learn which IPs are on which interfaces and I can simply restrict access from one section to another with a firewall rule as I currently do (maybe using interface lists instead of bridges)?

tdw, I use OVPN connections, set for ethernet, and the connection gets attached to a bridge on both the local and remote side. Hence my assumption that they use broadcasting to get things done.

Thanks for the responses ;)
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Routes to multiple addresses

Mon Apr 26, 2021 4:38 pm

No. As you have a layer 2 network using OpenVPN TAP then it is a single broadcast domain and the usual IP-over-ethernet mechanisms apply, e.g. ARP to discover the MAC address associated with a particular IP address.

You could do something hacky with bridge filters to block broadcast/multicast as required, but it is something else to maintain / get wrong. Unless you particularly need ethernet access, e.g. proprietary non-IP protocols or discovery tools which only work within a local network / broadcast domain, it would be better to reorganise using IP VPNs.

Plain IPsec can be challenging if you haven't deployed it before as you do not get interfaces for the tunnelled traffic - some people use IPsec encapsulated GRE tunnels, or you can use L2TP/IPsec which is reasonably straightforward to set up. There are also the less efficient SSTP and OpenVPN TUN protocols which both can suffer from TCP-in-TCP meltdown.

The PPP-like protocols can have routes attached to the PPP secrets for the connection, so they are inserted into the routing table when the VPN client connects; both the PPP-like protocols and IP tunnels can be used with OSPF.
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: Routes to multiple addresses

Thu Apr 29, 2021 5:38 pm

Thanks tdw, so the answer is fairly straightforward. Change from TAP to TUN and go on an OSPF course, I'm game ;)
