Recursive routing to MikroTik through DHCP designated gateways

    The question I am asked most often about recursive routing is: “What if the main provider assigns us an IP address via DHCP, and the default gateway changes often?”


    Warning! The materials and diagrams in this article are deliberately simplified to give a general idea of how to solve the problem, without going into the details.

    What is recursive routing for? To monitor the availability of the Internet behind the provider's gateway. It often happens that the provider's router answers echo requests perfectly well while the provider's link to the global network has gone down for some reason.

    Recursive routing allows you to assess the availability of Internet access through a selected provider and decide on the routing of traffic.

    However, recursive routing requires the gateway's IP address to be given explicitly among the parameters of the route being created. Specifying the name of a broadcast interface as the gateway is incorrect and in many cases simply does not work, because it requires proxy-arp on the provider's side. Moreover, instead of the provider, a neighbor on the same ISP switch can turn on proxy-arp and try to intercept your traffic this way, arranging a classic MITM!

    The magic of recursive routing is hidden behind the “scope” and “target-scope” parameters. For a route to work as recursive, its “target-scope” must be greater than or equal to the “scope” of the static route it refers to recursively, and the gateway specified in the route must not be directly reachable through one of the interfaces.

    Consider the simplest Active/Backup scheme. Our router performs NAT and is connected to two providers via the Ether1-isp1 and Ether2-isp2 interfaces. The main provider (ISP-1) hands out IP addresses to its clients via DHCP and nothing else. The second provider gives us a static IP address, but at a significantly lower speed.
    Switching to the backup (ISP-2) should happen when Internet access through the main provider becomes impossible.

    image

    What makes this provider special in such a scheme is the periodic random change not only of the client's IP address, but also of the default gateway.

    Before version 6.39, I had to see very sophisticated crutches in various combinations of scheduler, netwatch and similar mechanisms.

    Starting with version 6.39, the RouterOS developers accommodated such users and added the ability to call a special script when the dhcp client is triggered on the device.

    The solution itself consists of two parts:

    1. Obtain the IP address and the gateway address from the provider via DHCP, for use in the recursive routes.
    2. If possible, exclude the gateway address received from the provider from automatic use.

    So let's start from the end.

    Let's create a backup route through ISP-2 with a “distance” greater than that of the future main route. In this example I used “distance=2”:

    Backup via ISP-2
    /ip route add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=2

    Next, to receive the default route from ISP-1 without using it directly, there is a special value, “distance=255”. A route with this distance will be placed in the system routing table but will never become active.

    Code
    /ip dhcp-client add comment="ISP-1 dhcp" default-route-distance=255 dhcp-options=hostname,clientid interface=Ether1-isp1

    We need such a route only to read the parameters sent by the provider and embed them into the settings of recursive routes through a script.

    Of the parameters obtained, we are most interested in the $"gateway-address" variable. As the name suggests, it contains the default gateway address in the provider's network. We will use it to keep the recursive routes up to date.
    The script must be able to identify the recursive routes correctly. To make this possible, we give them a unique “comment” when they are created and use it to find them in the routing table. The code for creating the recursive pair of routes:

    Creating a pair of routes
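    /ip route add dst-address=8.8.4.4 gateway=127.0.0.1 scope=30 target-scope=30 comment="isp1route" disabled=yes
    # target-scope=30 lets the next hop 8.8.4.4 resolve through the scope=30 route above (the default target-scope is 10)
    /ip route add dst-address=0.0.0.0/0 gateway=8.8.4.4 target-scope=30 check-gateway=ping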


    The first line should (and will!) point to the real gateway in the provider's network only after the provider has issued the DHCP parameters and they have been processed by the dhcp-client script:

    Simplified script
    /ip route set [find comment="isp1route"] gateway=($"gateway-address") disabled=no

    More advanced option
    :if ($bound=1) do={ /ip route set [find comment="isp1route"] gateway=($"gateway-address") disabled=no; :log warning ("New ISP1 gateway: ".($"gateway-address")) }
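
    A fuller lease script for the same dhcp-client, as an added example that is not part of the original article: it also handles a lost lease and a lease without a gateway, and logs the DHCP server address on every gateway change, so an unexpected server on the provider's segment shows up in the log. It assumes the unique comment "isp1route" from above; the log wording is made up for this example.

```routeros
# Added example: body for the "script" property of the ISP-1 dhcp-client (RouterOS 6.39+).
# Assumes exactly one route carries comment="isp1route", as created above.
:local gw [:tostr ($"gateway-address")]
:local rt [/ip route find comment="isp1route"]

:if ([:len $rt] = 0) do={
    :log error "ISP1: route with comment isp1route not found"
} else={
    :if ($bound = 1) do={
        :if ([:len $gw] = 0) do={
            # Lease arrived without a gateway: never point the route at an empty value
            /ip route set $rt disabled=yes
            :log error "ISP1: lease has no gateway, recursive route disabled"
        } else={
            :local old [:tostr [/ip route get $rt gateway]]
            # Rewrite the route only when the gateway really changed
            :if ($old != $gw) do={
                /ip route set $rt gateway=$gw
                :log warning ("ISP1: gateway changed from " . $old . " to " . $gw . ", DHCP server " . ($"server-address"))
            }
            /ip route set $rt disabled=no
        }
    } else={
        # Lease released or expired: park the route so 8.8.4.4 no longer resolves via ISP-1
        /ip route set $rt disabled=yes
        :log warning "ISP1: lease lost, recursive route disabled"
    }
}
```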

    Now, when ISP-1 hands out the IP address to use as the default gateway, it will be substituted into the route pair instead of 127.0.0.1.
    The second line, which defines the route to 0.0.0.0/0, is where all the magic happens. The node 8.8.4.4 specified there as the gateway is checked for a response through the ISP-1 network by the “check-gateway=ping” option. If node 8.8.4.4 fails to respond to pings twice within 20 seconds, the router considers the Internet connection through this route (ISP-1) unavailable. New connections are then routed through the ISP-2 backup provider.

    If everything is done correctly, the words “recursive via ...” will be visible in the winbox IP -> Routes window next to the route to 8.8.4.4. This means the route was indeed built as recursive.

    Finally, purely as an example, a screenshot of the winbox window:

    image
