Route scope and status confusion

keg415 · Tue Feb 11, 2025 12:39 am

I'm running RouterOS 7.17.2 and have dual WAN with recursive routing failover and DHCP set up:

[admin@Palace] > /ip/route/print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active; 
c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn; H - hw-offloaded; + - ecmp 
 0  As   ;;; WAN1_default
         dst-address=0.0.0.0/0 routing-table=main gateway=1.1.1.1 immediate-gw=158.51.83.129%ether1 check-gateway=ping distance=1 scope=10 
         target-scope=11 suppress-hw-offload=no 

 1   s   ;;; WAN2_default
         dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=9.9.9.9 immediate-gw=100.187.137.1%ether2 check-gateway=ping distance=2 
         scope=10 target-scope=11 suppress-hw-offload=no 

   DAc   dst-address=10.1.10.0/24 routing-table=main gateway=bridge immediate-gw=bridge distance=0 scope=10 target-scope=5 
         local-address=10.1.10.1%bridge 

   DAc   dst-address=100.187.137.0/24 routing-table=main gateway=ether2 immediate-gw=ether2 distance=0 scope=10 target-scope=5 
         local-address=100.187.137.43%ether2 

 2  As   ;;; LM1200
         dst-address=192.168.5.0/24 routing-table=main pref-src="" gateway=100.187.137.1 immediate-gw=100.187.137.1%ether2 distance=1 scope=10 
         target-scope=10 suppress-hw-offload=no 

   DAc   dst-address=158.51.83.128/25 routing-table=main gateway=ether1 immediate-gw=ether1 distance=0 scope=10 target-scope=5 
         local-address=158.51.83.238%ether1 

 3  As   ;;; dhcp1
         dst-address=1.1.1.1/32 routing-table=main pref-src="" gateway=158.51.83.129 immediate-gw=158.51.83.129%ether1 distance=1 scope=10 
         target-scope=10 suppress-hw-offload=no 

 4  As   ;;; dhcp2
         dst-address=9.9.9.9/32 routing-table=main pref-src="" gateway=100.187.137.1 immediate-gw=100.187.137.1%ether2 distance=1 scope=10 
         target-scope=10 suppress-hw-offload=no

I'm trying to ping healthchecks.io in order to receive alerts when either WAN1 or WAN2 fail. Netwatch is configured to icmp ping 1.1.1.1 (WAN1) and 9.9.9.9 (WAN2) and with Test scripts that ping healthchecks.io if status is "up".

This isn't working. If I disconnect the WAN1 cable, pings to 1.1.1.1 still succeed because they fail over to WAN2, and I don't understand why -- the dhcp1 route has target-scope=10, so the WAN1_default and WAN2_default routes should be ignored because they have target-scope=11. From IP Routing -> Nexthop Lookup:

Routes with a scope greater than the maximum accepted value are not used for next-hop lookup. Each route specifies the maximum accepted scope value for its nexthop in the target-scope property.

Alternatively, I'm trying to use a scheduler script to check the status of the routes and send the healthchecks ping only if not "unreachable":

Gateway check can be extended by setting check-gateway parameter. Gateway reachability can be checked by sending ARP probes, or ICMP
messages or by checking active BFD sessions. The router periodically (every 10 seconds) checks the gateway by sending either an ICMP echo request (pi
ng) or an ARP request (arp). If no response from the gateway is received for 10 seconds, the request times out. After two timeouts gateway is considered
unreachable.

/routing/route documents an unreachable property:

unreachable (yes | no) A flag indicates whether the route next-hop is unreachable.

but it doesn't exist:

[admin@Palace] > :put [/ip/route/get [find comment="dhcp2"] unreachable ]        
input does not match any value of value-name

In fact, there are several discrepancies between the documented properties and those available in the terminal:

about            blackhole         dhcp            dynamic          immediate-gw      modem        routing-table           target-scope    
active           check-gateway     disabled        ecmp             inactive          ospf         scope                   vpn             
bgp              comment           distance        gateway          is-is             pref-src     static                  vrf-interface   
bgp-mpls-vpn     connect           dst-address     hw-offloaded     local-address     rip          suppress-hw-offload     value-name

Here is the status when the WAN1 cable is disconnected:

[admin@Palace] > /ip/rout/print
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS       GATEWAY        DISTANCE
;;; dhcp1
0  Xs  1.1.1.1/32        158.51.83.129         1
;;; WAN1_default
1  IsH 0.0.0.0/0         1.1.1.1               1
;;; WAN2_default
2  As  0.0.0.0/0         9.9.9.9               2
  DAc  10.1.10.0/24      bridge                0
  DAc  100.187.137.0/24  ether2                0
;;; LM1200
3  As  192.168.5.0/24    100.187.137.1         1
;;; dhcp2
4  As  9.9.9.9/32        100.187.137.1         1

[admin@Palace] > :put [/ip/route/get [find comment="dhcp1"] active ]     

[admin@Palace] > :put [/ip/route/get [find comment="dhcp1"] disabled ]      
true
[admin@Palace] > :put [/ip/route/get [find comment="dhcp1"] inactive ]]
true
[admin@Palace] > :put [/ip/route/get [find comment="WAN1_default"] inactive ]]     
true
[admin@Palace] > :put [/ip/route/get [find comment="WAN1_default"] active ]]

I'm confused. What is the difference between (not) active and inactive? Why does active return nothing? What properties should I test, disabled, inactive, both? Thanks!

keg415 · Tue Feb 11, 2025 11:06 pm

OK, part of my confusion is that I was looking at /routing/route instead of /ip/route. But the /routing/route active and unreachable properties aren't set:

[admin@Palace] /ip/route> :put [/routing/route/get [find comment="WAN2_default"] disabled ]            
true
[admin@Palace] /ip/route> :put [/routing/route/get [find comment="WAN2_default"] active ]        

[admin@Palace] /ip/route> :put [/routing/route/get [find comment="WAN2_default"] unreachable ]

[admin@Palace] /ip/route> :put [/routing/route/get [find comment="WAN2_default"] disabled ]
false
[admin@Palace] /ip/route> :put [/routing/route/get [find comment="WAN2_default"] active ]  

[admin@Palace] /ip/route> :put [/routing/route/get [find comment="WAN2_default"] unreachable ]

Here's the Scheduler script I'm using, which appears to work:

# Check WAN routes enabled and active

:local wan1PingURL "https://hc-ping.com/Md1lpdGyeLIN0J2KNdBjfw/primary-wan-monkeybrains"
:local wan2PingURL "https://hc-ping.com/Md1lpdGyeLIN0J2KNdBjfw/backup-wan2-t-mobile"

:local wanid [/ip/route/ find comment="WAN1_default"]
:if (![/ip/route/get $wanid disabled] && ![/ip/route/get $wanid inactive]) do={
        /tool fetch url=$wan1PingURL keep-result=no
}

:local wanid [/ip/route/ find comment="WAN2_default"]
:if (![/ip/route/get $wanid disabled] && ![/ip/route/get $wanid inactive]) do={
        /tool fetch url=$wan2PingURL keep-result=no
}

jaclaz · Tue Feb 11, 2025 11:49 pm

The route for 1.1.1.1/32 is Xs, like if it was manually disabled?
When you actually disconnect the cable It should not becomes X, only s.
Anyway in this case the "narrow" route to 1.1.1.1 doesn't exist (it is disabled) and the router tries to reach 1.1.1.1 via the route it finds that is Active and "contains" that address, i.e. the 0.0.0.0/0 going to WAN2.
In these cases you can use a blackhole route to 1.1.1.1/32 with a higher distance than the one for WAN1 and the same distance (or lower) as the one for WAN2.
This way when/if the narrow route disappears it is replaced by another identical route leading to nowhere preventing that any other wider router will be used to reach 1.1.1.1.
Otherwise the blackhole route will be not Active beacause of the higher distance.

keg415 · Wed Feb 12, 2025 4:36 am

The route for 1.1.1.1/32 is Xs, like if it was manually disabled?
When you actually disconnect the cable It should not becomes X, only s.

I double-checked, status becomes Xs with WAN1 cable disconnected:

Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS       GATEWAY        DISTANCE
;;; dhcp1
0  Xs  1.1.1.1/32        158.51.83.129         1
;;; WAN2_default
1  As  0.0.0.0/0         9.9.9.9               2
;;; WAN1_default
2  IsH 0.0.0.0/0         1.1.1.1               1
  DAc  10.1.10.0/24      bridge                0
  DAc  100.187.137.0/24  ether2                0
;;; LM1200
3  As  192.168.5.0/24    100.187.137.1         1
;;; dhcp2
4  As  9.9.9.9/32        100.187.137.1         1

Anyway in this case the "narrow" route to 1.1.1.1 doesn't exist (it is disabled) and the router tries to reach 1.1.1.1 via the route it finds that is Active and "contains" that address, i.e. the 0.0.0.0/0 going to WAN2.

Except that 0.0.0.0/0 going to WAN2 has target-scope=11, which is > the "narrow" route to 1.1.1.1 target-scope=10, and Routes with a scope greater than the maximum accepted value are not used for next-hop lookup. Each route specifies the maximum accepted scope value for its nexthop in the target-scope property.

I followed these videos on recursive routing:
Full MikroTik MTCRE - Recursive Routing (Easy Automatic failover)
Recursive Routing + Failover - Mikrotik RouterOS v7

In these cases you can use a blackhole route to 1.1.1.1/32 with a higher distance than the one for WAN1 and the same distance (or lower) as the one for WAN2.
This way when/if the narrow route disappears it is replaced by another identical route leading to nowhere preventing that any other wider router will be used to reach 1.1.1.1.
Otherwise the blackhole route will be not Active beacause of the higher distance.

Yes, I can see how that would work. Thanks.

Route scope and status confusion

Route scope and status confusion

Re: Route scope and status confusion

Re: Route scope and status confusion

Re: Route scope and status confusion