Route

Route

The routing table in RouterOS serves as the central repository for all route entries that determine how packets are forwarded through the network. Routes can originate from multiple sources including directly connected networks, statically configured entries, and dynamic routing protocols such as OSPF, BGP, and RIP. The routing table evaluates each incoming packet against the destination IP address and selects the most specific matching route based on longest prefix match principles, with administrative distance and metric values resolving ties between equal-prefix routes.

RouterOS maintains a unified routing architecture where all routes regardless of source compete for installation in the forwarding table. This design enables seamless integration of multiple routing protocols while providing administrators with granular control over path selection through administrative distance adjustments, routing marks, and policy-based routing rules. The implementation supports both IPv4 and IPv6 routing with separate routing tables or unified tables depending on configuration, enabling complex deployment scenarios including multi-instance routing, VRF-lite implementations, and traffic engineering architectures.

The /routing route sub-menu provides programmatic access to route entries and their properties, enabling automation, monitoring, and dynamic route manipulation through scripts and the RouterOS API. This capability is essential for large-scale deployments, dynamic environments where network topology changes frequently, and integration with external systems that need to influence routing decisions.

Routing Table Fundamentals

Route Selection Process

RouterOS employs a sophisticated route selection algorithm that determines which route gets installed in the forwarding table when multiple routes match the same destination prefix. The selection process follows a well-defined priority that ensures deterministic behavior across all routing scenarios. When a packet arrives, the router performs a longest prefix match lookup, identifying all routes whose prefix encompasses the destination address. Among these matches, the route with the longest prefix (most specific match) takes precedence, ensuring that more specific routes override less specific defaults.

When multiple routes have identical prefix lengths, the administrative distance value breaks the tie, with lower distances preferred. This mechanism allows administrators to influence routing decisions by adjusting the perceived trustworthiness of different routing sources. Connected routes have an administrative distance of 0 and always win over any other source for directly attached networks. Static routes default to distance 1, while dynamic protocol distances vary, with OSPF at 110, IS-IS at 115, RIP at 120. External BGP (eBGP) uses a distance of 20 by default, while Internal BGP (iBGP) uses a distance of 200 by default.

Equal-cost multi-path routing allows multiple routes with identical distance and metric values to coexist in the routing table, enabling load balancing across multiple nexthops. RouterOS supports both per-packet and per-connection load balancing for ECMP routes, with per-connection being the default for most scenarios. The number of ECMP routes supported depends on the RouterOS version and hardware platform, typically allowing 2 to 16 equal-cost paths.

Route Table Views

The routing table can be viewed through multiple perspectives depending on the specific information needed. The primary view shows all active routes in the main routing table, while additional views filter by protocol source, routing table, or route attributes. Understanding these different views is essential for effective routing troubleshooting and monitoring.

Sub-menu: /ip route

# View complete routing table
/ip route print

# View routing table with detailed information
/ip route print detail

# View routes by destination prefix
/ip route print where dst-address=10.0.0.0/8

# View routes from specific protocol
/ip route print where protocol=ospf
/ip route print where protocol=bgp
/ip route print where protocol=static

# View routes with interface-specific information
/ip route print where interface=ether1

# View routes in specific routing table
/ip route print where routing-table=main

# View routes marked with specific routing mark
/ip route print where routing-mark=custom-table

# View only directly connected routes
/ip route print where protocol=connected

# View routes with gateway information
/ip route print gateway

Route Properties

Destination and Gateway Configuration

Each route entry requires a destination prefix that defines the network or host for which the route provides reachability. The destination address uses CIDR notation combining an IP address with a prefix length, such as 192.168.0.0/24 for a specific subnet or 0.0.0.0/0 for a default route. The gateway property specifies the next-hop IP address where traffic matching this route should be forwarded. Gateway configuration supports both IP addresses and interface-bound specifications for scenarios where the nexthop is on a directly connected network.

Sub-menu: /ip route

Property	Type	Description	Default
dst-address	IP address	Destination prefix with mask	Required
gateway	IP address	Primary nexthop gateway address
gateway%	interface	Nexthop with interface bound
gateway	IP%interface	Combined gateway and interface
distance	integer: 1..255	Administrative distance	1
scope	integer: 10..255	Nexthop resolution scope	30
target-scope	integer: 10..255	Scope for routes this route points to	10
routing-table	string	Main or custom table name	main
routing-mark	string	Route marking for policy routing
check-gateway	ping | arp	Gateway reachability check	none
type	unicast | blackhole | prohibit | unreachable	Route type	unicast
pref-src	IP address	Preferred source address
interface	string	Outgoing interface	Auto
vrf-interface	string	VRF interface name

# Add default route with gateway IP
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1

# Add route with specific interface
/ip route add dst-address=10.0.0.0/24 gateway=192.168.1.2%ether1

# Add route with higher distance (backup route)
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1 distance=10

# Add route to custom routing table
/ip route add dst-address=172.16.0.0/12 gateway=192.168.1.1 routing-table=custom

# Add route with pref-src for source address selection
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src=192.168.1.100

# Add route with gateway ping checking
/ip route add dst-address=8.8.8.8/32 gateway=192.168.1.1 check-gateway=ping

# Add route with specific scope
/ip route add dst-address=10.0.0.0/24 gateway=192.168.1.2 scope=20 target-scope=15

# View route with all properties
/ip route print detail where dst-address=10.0.0.0/24

Route Types

RouterOS supports multiple route types beyond standard unicast routes used for normal packet forwarding. Each route type serves a specific purpose in network design and traffic management, enabling sophisticated routing policies and traffic control mechanisms.

Blackhole routes silently discard traffic matching the destination prefix without generating any ICMP error messages. This behavior makes blackhole routes ideal for traffic filtering where you want to discard unwanted traffic without alerting the sender or creating ICMP traffic that might overwhelm network resources. Blackhole routes are commonly used for null routing of private address space that should not transit the router, blocking known malicious prefixes, and implementing access control at the routing level.

Prohibit routes generate ICMP administrative prohibited messages when traffic matches the destination prefix, informing the source that the traffic is being filtered by administrative policy. This route type is useful when you want to explicitly notify senders that their traffic is not permitted, which can aid in debugging and compliance with security policies that require rejection rather than silent drop.

Unreachable routes generate ICMP destination unreachable messages, typically code 1 (host unreachable) or code 13 (communication administratively prohibited). These routes inform sources that the destination is not reachable through the current router, which differs from prohibit routes in that unreachable routes suggest a reachability issue rather than a policy restriction.

# Create blackhole route (silently discard)
/ip route add dst-address=192.168.100.0/24 type=blackhole

# Create blackhole with distance for route fallback
/ip route add dst-address=10.0.0.0/8 type=blackhole distance=50

# Create prohibit route (ICMP administratively prohibited)
/ip route add dst-address=172.16.0.0/12 type=prohibit

# Create prohibit route with specific nexthop
/ip route add dst-address=192.168.50.0/24 type=prohibit gateway=10.0.0.1

# Create unreachable route (ICMP unreachable)
/ip route add dst-address=192.168.200.0/24 type=unreachable

# View all special routes
/ip route print where type!=unicast

# View route type details
/ip route print detail where type=blackhole

Route Scope and Target Scope

Understanding Scope Values

Scope and target-scope are advanced routing properties that control how routes participate in nexthop resolution and route propagation. These values are integers between 10 and 255 that create a hierarchical filtering mechanism for route selection during recursive lookup operations. Understanding scope is essential for configuring complex routing scenarios involving multiple routing tables, traffic engineering, and policy-based routing.

Scope determines the visibility of a route’s nexthop during recursive resolution. When a route’s gateway is an IP address rather than a directly connected interface, the router performs a recursive lookup to determine the actual outgoing interface. The scope value of candidate routes must be greater than or equal to the scope value of the route performing the lookup. This mechanism allows administrators to control which routes can be used to resolve recursive nexthops, effectively creating a routing resolution hierarchy.

Target-scope specifies the scope value that this route advertises to other routes that might use it for recursive resolution. When a route with target-scope is considered as a candidate nexthop, its target-scope value is compared against the scope requirements of routes attempting to resolve through it. Lower target-scope values make routes more preferred for recursive resolution.

# Configure route with custom scope values
/ip route add dst-address=10.0.0.0/16 gateway=172.16.0.1 scope=25 target-scope=15

# View routes with non-default scope
/ip route print where scope!=30

# Configure route for use in recursive resolution
/ip route add dst-address=192.168.0.0/16 gateway=10.0.0.1 scope=20 target-scope=10

# View routes by scope value
/ip route print where scope<30

# Set route as backup for recursive resolution
/ip route add dst-address=172.16.0.0/12 gateway=192.168.1.1 scope=40 target-scope=30

Policy Routing and Multiple Tables

Custom Routing Tables

RouterOS supports multiple routing tables beyond the default main table, enabling sophisticated policy routing scenarios where different traffic flows use different routing decisions. Custom routing tables are essential for implementing traffic segregation, multi-provider connectivity, VPN routing, and complex network architectures that require separation of routing domains.

Sub-menu: /routing table

# Create custom routing table
/routing table add name=isp1-table fib

# Create routing table for VPN traffic
/routing table add name=vpn-table fib

# Create routing table for management traffic
/routing table add name=mgmt-table fib

# View all routing tables
/routing table print

# Add route to custom routing table
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=isp1-table

# Add route to VPN routing table
/ip route add dst-address=10.0.0.0/8 gateway=172.16.0.1 routing-table=vpn-table

# View routes in specific routing table
/ip route print where routing-table=isp1-table

# Remove route from custom table
/ip route remove numbers=0 where routing-table=isp1-table

Routing Rules

Policy routing rules direct traffic to specific routing tables based on matching criteria including source address, destination address, interface, firewall marks, and other packet attributes. Rules are evaluated in order, with the first matching rule determining which routing table is consulted for the packet.

Sub-menu: /ip route rule

Property	Type	Description	Default
action	lookup | lookup-only-in-table | unreachable | prohibit	Rule action	lookup
src-address	IP address	Source address prefix
dst-address	IP address	Destination address prefix
interface	string	Incoming interface
routing-mark	string	Existing routing mark
table	string	Routing table to consult
priority	integer	Rule priority	0

# Create rule to lookup custom table for specific source
/ip route rule add action=lookup table=isp1-table src-address=192.168.100.0/24

# Create rule for specific destination
/ip route rule add action=lookup table=vpn-table dst-address=10.0.0.0/8

# Create rule based on incoming interface
/ip route rule add action=lookup table=mgmt-table interface=ether1

# Create rule with multiple criteria
/ip route rule add action=lookup table=backup-table src-address=192.168.50.0/24 dst-address=0.0.0.0/0

# Create unreachable rule for specific traffic
/ip route rule add action=unreachable src-address=192.168.200.0/24

# Create prohibit rule for administrative blocking
/ip route rule add action=prohibit dst-address=172.16.0.0/12

# View all routing rules
/ip route rule print

# View rules with priority ordering
/ip route rule print detail

# Remove routing rule
/ip route rule remove numbers=0

Routing Marks

Routing marks tag packets with identifiers that can be used by routing rules and filters to make routing decisions. Combined with firewall mangle rules, routing marks enable complex traffic classification and policy routing based on any packet attribute that firewall rules can match.

# Mark packets with firewall mangle
/interface bridge filter add action=mark-packet chain=forward new-packet-mark=voip-traffic passthrough=no

# Create routing rule for marked packets
/ip route rule add action=lookup table=voip-table routing-mark=voip-traffic

# Mark packets based on DSCP
/ip firewall mangle add action=mark-packet chain=prerouting new-packet-mark=video-traffic dscp=46

# View routing marks in use
/ip route rule print where routing-mark!= ""

# Create routing table for marked traffic
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=video-table
/ip route rule add action=lookup table=video-table routing-mark=video-traffic

Equal-Cost Multi-Path

ECMP Configuration

Equal-Cost Multi-Path routing enables load balancing across multiple nexthops when multiple paths to the same destination have identical cost. RouterOS supports various ECMP modes and configurations that determine how traffic is distributed across available paths. ECMP is commonly used for ISP redundancy, link aggregation, and traffic distribution across multiple upstream providers.

# Add ECMP route with multiple gateways
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1,10.0.0.1,172.16.0.1

# Add ECMP route with interface-bound gateways
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1%ether1,10.0.0.1%ether2

# Add ECMP with different gateway distances (all must match for ECMP)
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1,10.0.0.1 distance=1

# View ECMP routes
/ip route print where active=yes ecmp=yes

# Check ECMP nexthop distribution
/ip route print detail where dst-address=0.0.0.0/0

# Configure per-packet load balancing for ECMP
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1,10.0.0.1 check-gateway=arp

# Monitor ECMP traffic distribution
/tool traffic-monitor

ECMP Hashing Configuration

RouterOS provides control over the hashing algorithm used for ECMP path selection, enabling optimization for different traffic patterns and requirements.

Sub-menu: /routing/ecmp

# View ECMP configuration
/routing/ecmp print

# Configure ECMP mode
/routing/ecmp set mode=ip-only

# Available modes:
# ip-src-only - Source IP only
# ip-dst-only - Destination IP only
# ip-src-dst - Source and destination IP
# ip-only - Combine source and destination
# l4-src-dst - Layer 4 source and destination ports

Route Maintenance

Route Monitoring

Regular monitoring of the routing table ensures awareness of network state and rapid detection of routing issues. RouterOS provides multiple commands for viewing route status, monitoring changes, and identifying potential problems.

# View complete routing table
/ip route print

# View routes with statistics
/ip route print stats

# View route age and expiration
/ip route print detail

# Monitor route changes in real-time
/ip route monitor

# View routes by gateway
/ip route print where gateway=192.168.1.1

# View routes by interface
/ip route print where interface=ether1

# Check gateway reachability
/ping 192.168.1.1 count=5

# Trace route to destination
/tool traceroute 10.0.0.1

# Monitor routing table continuously
/tool torch

Route Statistics

The routing table maintains statistics about route usage, bytes transferred, and packet counts that are invaluable for network troubleshooting and capacity planning.

# View route statistics
/ip route print stats

# View specific route statistics
/ip route print detail stats where dst-address=10.0.0.0/24

# Reset route statistics
/ip route reset-statistics

# Monitor active route count
/system resource print | grep routes

# Check routing table capacity
/system resource print | grep "routing tables"

Route Flushing

Route flushing removes inactive or expired routes from the routing table, which can be useful during network changes or troubleshooting scenarios where stale routes need to be cleared.

# Flush inactive routes
/ip route flush

# Flush routes from specific protocol
/ip route flush protocol=ospf

# Flush routes matching prefix
/ip route flush dst-address=10.0.0.0/8

# Flush all routes from routing table
/ip route flush routing-table=custom

# Verify route removal
/ip route print count-only

Route Filtering

Input and Output Filters

Route filters control which routes are accepted into or advertised from the routing table, enabling policy-based routing control at the route level. Filters can match route attributes and apply actions including accept, discard, or attribute modification.

Sub-menu: /routing filter

# Create filter chain for route input
/routing filter chain=route-in

# Accept routes from specific prefix
/routing filter add chain=route-in action=accept prefix=10.0.0.0/8

# Discard routes matching private address space
/routing filter add chain=route-in action=discard prefix=192.168.0.0/12

# Set administrative distance for matched routes
/routing filter add chain=route-in action=accept set-distance=50 prefix=172.16.0.0/12

# Apply filter to routing protocol
/routing ospf instance set default in-filter-chain=route-in

# View filter rules
/routing filter print

# View filter rules in detail
/routing filter rule print detail

Route Attribute Modification

Route filters can modify route attributes before routes enter or exit the routing table, enabling sophisticated routing policy implementation.

# Set routing table for matched routes
/routing filter add chain=policy-routing action=accept set-routing-table=custom-table prefix=192.168.100.0/24

# Set routing mark
/routing filter add chain=mark-traffic action=accept set-routing-mark=policy-mark prefix=10.0.0.0/8

# Modify distance
/routing filter add chain=distance-adjust action=accept set-distance=100 prefix=172.16.0.0/12

# Set gateway
/routing filter add chain=gateway-adjust action=accept set-gateway=192.168.1.1

# Apply filter to BGP peer
/routing bgp peer set my-peer in-filter=route-in

Route Scripts and Automation

Dynamic Route Management

RouterOS script integration enables automated route management based on network conditions, timing events, or external triggers. Scripts can add, modify, or remove routes dynamically, implementing sophisticated routing policies.

# Create script for backup route activation
/system script add name=activate-backup source={
    :local currentDistance [/ip route get [find dst-address=0.0.0.0/0 gateway=192.168.1.1] distance];
    :if ($currentDistance = 1) do={
        /ip route set [find dst-address=0.0.0.0/0 gateway=192.168.1.1] distance=10;
        /ip route set [find dst-address=0.0.0.0/0 gateway=10.0.0.1] distance=1;
        :log info "Primary gateway failed, activated backup route";
    }
}

# Create script for route monitoring
/system script add name=monitor-routes source={
    :foreach route in=[/ip route find] do={
        :local dst [/ip route get $route dst-address];
        :local gw [/ip route get $route gateway];
        :local status [/ip route get $route active];
        :log info "Route $dst via $gw is $status";
    }
}

# Schedule route monitoring
/system scheduler add name=check-routes interval=5m on-event=monitor-routes

# Create script for route failover
/system script add name=failover source={
    :local pingResult [/ping 192.168.1.1 count=3];
    :if ($pingResult = 0) do={
        :log warning "Primary gateway unreachable, switching to backup";
        /ip route set [find dst-address=0.0.0.0/0 gateway=192.168.1.1] disabled=yes;
        /ip route set [find dst-address=0.0.0.0/0 gateway=10.0.0.1] disabled=no;
    }
}

Netwatch for Route Monitoring

Netwatch provides host-level monitoring that can trigger route changes when monitored destinations become unreachable.

# Add netwatch for primary gateway
/tool netwatch add host=192.168.1.1 interval=30s timeout=1000ms \
    up-script="" \
    down-script="/ip route set [find dst-address=0.0.0.0/0 gateway=192.168.1.1] disabled=yes"

# Add netwatch for backup gateway monitoring
/tool netwatch add host=10.0.0.1 interval=30s timeout=1000ms \
    up-script="/ip route set [find dst-address=0.0.0.0/0 gateway=192.168.1.1] disabled=no"

# View netwatch status
/tool netwatch print

# View netwatch history
/tool netwatch print history

Route Debugging and Troubleshooting

Diagnostic Commands

Effective troubleshooting requires understanding the available diagnostic tools and their appropriate use for different routing issues.

# Test reachability to gateway
/ping 192.168.1.1 count=5

# Trace path to destination
/tool traceroute 10.0.0.1

# Monitor routing protocol packets
/tool sniffer packet filter protocol=ospf
/tool sniffer packet filter protocol=bgp

# View routing table with detail
/ip route print detail

# Check specific route information
/ip route get [find dst-address=10.0.0.0/24]

# View route flags
/ip route print where flags=active
/ip route print where flags=disabled
/ip route print where flags=static

# Monitor route changes
/ip route monitor

# View routing table export
/ip route export

Common Issues and Solutions

Route not found in routing table: Verify that the route was added correctly with /ip route print. Check for typos in the destination address or gateway. If using a recursive gateway, verify that the intermediate route exists.

Traffic not using expected route: Confirm that more specific routes are not overriding the route. Check routing rules that might redirect traffic. Verify that firewall rules are not marking traffic differently. Use /ip route print detail to verify the route is active.

Gateway unreachable: Verify physical connectivity with /ping. Check ARP resolution with /ip arp print. Verify that the gateway address is on a directly connected network or reachable through another route.

ECMP routes not balancing: Check that all ECMP nexthops are active. Verify that the ECMP mode is appropriate for your traffic. Monitor traffic distribution with /tool traffic-monitor.

Route flap issues: Enable BFD for rapid failure detection. Check for physical layer issues causing intermittent connectivity. Review logs for error messages with /log print.

Route Best Practices

Route Planning and Documentation

Maintain comprehensive documentation of routing architecture including route purpose, source, and expected behavior. Document any route dependencies and the reasoning behind administrative distance values. Create naming conventions for routes that indicate their purpose and priority level.

Route Security

Implement route filtering to prevent route poisoning from unauthorized sources. Use routing protocol authentication to prevent route injection. Regularly audit the routing table for unexpected routes. Monitor for route hijacking attempts and implement RPKI validation where applicable.

Route Optimization

Use route summarization at network boundaries to reduce routing table size and improve convergence time. Implement ECMP for bandwidth aggregation and redundancy. Configure appropriate administrative distances to create clear hierarchy between routing sources. Use route filters to implement policy-based routing without excessive route count.

Monitoring and Alerting

Configure monitoring for critical routes and gateway reachability. Set up alerts for route count changes, route flap events, and unexpected route modifications. Implement regular routing table audits to identify anomalies. Use Netwatch or scripts for automated failover when primary routes become unavailable.

Related Documentation

• OSPF - Open Shortest Path First configuration
• BGP - Border Gateway Protocol configuration
• BFD - Bidirectional Forwarding Detection for rapid failure detection
• RIP - Routing Information Protocol
• Routing Overview - General IP routing configuration
• VRF - Virtual Routing and Forwarding isolation
• Firewall and QoS - Route-aware firewall policies