Basic Static Routes Configuration
Basic Static Routes Configuration
Section titled “Basic Static Routes Configuration”TL;DR (Quick Start)
Section titled “TL;DR (Quick Start)”For the impatient: here’s the 30-second version.
# Add default route and static route to remote network/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1/ip route add dst-address=10.0.0.0/24 gateway=192.168.88.2Overview
Section titled “Overview”This guide demonstrates how to configure static routes on MikroTik RouterOS to direct traffic to specific networks through designated gateways.
Prerequisites
Section titled “Prerequisites”- A MikroTik router running RouterOS 7.x or later
- Access to the router via SSH, WinBox, or WebFig
Configuration Steps
Section titled “Configuration Steps”Step 1: Add a Static Route to a Remote Network
Section titled “Step 1: Add a Static Route to a Remote Network”Add a route to reach the 10.10.10.0/24 network via gateway 192.168.88.1:
/ip route add dst-address=10.10.10.0/24 gateway=192.168.88.1 comment="Route to Remote LAN"Step 2: Add a Blackhole Route
Section titled “Step 2: Add a Blackhole Route”Create a blackhole route to silently drop traffic to a specific network:
/ip route add dst-address=172.16.99.0/24 type=blackhole comment="Blackhole test network"Step 3: Add a Route with Distance
Section titled “Step 3: Add a Route with Distance”Add a backup route with higher distance (lower priority):
/ip route add dst-address=10.20.20.0/24 gateway=192.168.88.1 distance=10 comment="Backup route"Verification
Section titled “Verification”Check 1: Route Table
Section titled “Check 1: Route Table”/ip route printExpected Output:
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit # DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 A S 10.10.10.0/24 192.168.88.1 1 1 A S 10.20.20.0/24 192.168.88.1 10 2 A S 172.16.99.0/24 blackhole 1Check 2: Specific Route Details
Section titled “Check 2: Specific Route Details”/ip route print detail where dst-address=10.10.10.0/24Expected Output:
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static 0 A S dst-address=10.10.10.0/24 gateway=192.168.88.1 gateway-status=192.168.88.1 reachable via ether2 distance=1 scope=30 target-scope=10 comment="Route to Remote LAN"Check 3: Verify Route is Active
Section titled “Check 3: Verify Route is Active”/ping 10.10.10.1 count=3Troubleshooting
Section titled “Troubleshooting”Problem: Route not active (no ‘A’ flag)
Section titled “Problem: Route not active (no ‘A’ flag)”Symptoms: Route shows without ‘A’ (active) flag, traffic not forwarded.
Causes & Solutions:
-
Gateway unreachable - Verify connectivity to gateway:
/ping 192.168.88.1 count=3If gateway is unreachable, check interface status and IP configuration.
-
Interface down - Check interface state:
/interface print where name=ether2Ensure interface shows
R(running) flag. -
No ARP entry - Verify gateway has ARP entry:
/ip arp print where address=192.168.88.1
Problem: Wrong route being used
Section titled “Problem: Wrong route being used”Symptoms: Traffic takes unexpected path.
Causes & Solutions:
-
Lower distance route exists - Check all routes to destination:
/ip route print where dst-address~"10.10"Route with lowest distance wins. Check for dynamic routes from DHCP or routing protocols.
-
More specific route exists - Longer prefix matches first:
/ip route printA /25 route will match before a /24 route.
Problem: Routing loop detected
Section titled “Problem: Routing loop detected”Symptoms: TTL exceeded errors, packets never reach destination.
Causes & Solutions:
-
Misconfigured gateways - Trace the path:
/tool traceroute 10.10.10.1If you see the same hops repeating, there’s a loop between routers.
-
Check both routers’ routing tables - Ensure each points to the correct next hop.
Problem: Blackhole route not dropping traffic
Section titled “Problem: Blackhole route not dropping traffic”Symptoms: Traffic still being forwarded.
Causes & Solutions:
- More specific route exists - Check for conflicting routes:
Blackhole must be most specific match to work./ip route print where dst-address~"172.16.99"
Related Topics
Section titled “Related Topics”Prerequisites
Section titled “Prerequisites”- IP Address Configuration - interfaces must have IP addresses for routing
Next Steps
Section titled “Next Steps”- Firewall Basics - secure traffic between routed networks
- NAT Masquerade - enable internet access for private networks
Related Routing Topics
Section titled “Related Routing Topics”- OSPF Configuration - dynamic routing alternative
- BGP Peering - BGP routing for ISPs and large networks
- Routing Tables - policy-based routing with multiple tables
- VRF - virtual routing instances
Services That Create Routes
Section titled “Services That Create Routes”- DHCP Client - can install default route automatically
- DHCP Relay - requires routing between relay and server