Route
The routing table in RouterOS serves as the central repository for all route entries that determine how packets are forwarded through the network. Routes can originate from multiple sources including directly connected networks, statically configured entries, and dynamic routing protocols such as OSPF, BGP, and RIP. The routing table evaluates each incoming packet against the destination IP address and selects the most specific matching route based on longest prefix match principles, with administrative distance and metric values resolving ties between equal-prefix routes.
RouterOS maintains a unified routing architecture where all routes regardless of source compete for installation in the forwarding table. This design enables seamless integration of multiple routing protocols while providing administrators with granular control over path selection through administrative distance adjustments, routing marks, and policy-based routing rules. The implementation supports both IPv4 and IPv6 routing with separate routing tables or unified tables depending on configuration, enabling complex deployment scenarios including multi-instance routing, VRF-lite implementations, and traffic engineering architectures.
The /routing route sub-menu provides programmatic access to route entries and their properties, enabling automation, monitoring, and dynamic route manipulation through scripts and the RouterOS API. This capability is essential for large-scale deployments, dynamic environments where network topology changes frequently, and integration with external systems that need to influence routing decisions.
Routing Table Fundamentals
Section titled “Routing Table Fundamentals”Route Selection Process
Section titled “Route Selection Process”RouterOS employs a sophisticated route selection algorithm that determines which route gets installed in the forwarding table when multiple routes match the same destination prefix. The selection process follows a well-defined priority that ensures deterministic behavior across all routing scenarios. When a packet arrives, the router performs a longest prefix match lookup, identifying all routes whose prefix encompasses the destination address. Among these matches, the route with the longest prefix (most specific match) takes precedence, ensuring that more specific routes override less specific defaults.
When multiple routes have identical prefix lengths, the administrative distance value breaks the tie, with lower distances preferred. This mechanism allows administrators to influence routing decisions by adjusting the perceived trustworthiness of different routing sources. Connected routes have an administrative distance of 0 and always win over any other source for directly attached networks. Static routes default to distance 1, while dynamic protocol distances vary, with OSPF at 110, IS-IS at 115, RIP at 120. External BGP (eBGP) uses a distance of 20 by default, while Internal BGP (iBGP) uses a distance of 200 by default.
Equal-cost multi-path routing allows multiple routes with identical distance and metric values to coexist in the routing table, enabling load balancing across multiple nexthops. RouterOS supports both per-packet and per-connection load balancing for ECMP routes, with per-connection being the default for most scenarios. The number of ECMP routes supported depends on the RouterOS version and hardware platform, typically allowing 2 to 16 equal-cost paths.
Route Table Views
Section titled “Route Table Views”The routing table can be viewed through multiple perspectives depending on the specific information needed. The primary view shows all active routes in the main routing table, while additional views filter by protocol source, routing table, or route attributes. Understanding these different views is essential for effective routing troubleshooting and monitoring.
Sub-menu: /ip route
# View complete routing table/ip route print
# View routing table with detailed information/ip route print detail
# View routes by destination prefix/ip route print where dst-address=10.0.0.0/8
# View routes from specific protocol/ip route print where protocol=ospf/ip route print where protocol=bgp/ip route print where protocol=static
# View routes with interface-specific information/ip route print where interface=ether1
# View routes in specific routing table/ip route print where routing-table=main
# View routes marked with specific routing mark/ip route print where routing-mark=custom-table
# View only directly connected routes/ip route print where protocol=connected
# View routes with gateway information/ip route print gatewayRoute Properties
Section titled “Route Properties”Destination and Gateway Configuration
Section titled “Destination and Gateway Configuration”Each route entry requires a destination prefix that defines the network or host for which the route provides reachability. The destination address uses CIDR notation combining an IP address with a prefix length, such as 192.168.0.0/24 for a specific subnet or 0.0.0.0/0 for a default route. The gateway property specifies the next-hop IP address where traffic matching this route should be forwarded. Gateway configuration supports both IP addresses and interface-bound specifications for scenarios where the nexthop is on a directly connected network.
Sub-menu: /ip route
| Property | Type | Description | Default |
|---|---|---|---|
| dst-address | IP address | Destination prefix with mask | Required |
| gateway | IP address | Primary nexthop gateway address | |
| gateway% | interface | Nexthop with interface bound | |
| gateway | IP%interface | Combined gateway and interface | |
| distance | integer: 1..255 | Administrative distance | 1 |
| scope | integer: 10..255 | Nexthop resolution scope | 30 |
| target-scope | integer: 10..255 | Scope for routes this route points to | 10 |
| routing-table | string | Main or custom table name | main |
| routing-mark | string | Route marking for policy routing | |
| check-gateway | ping | arp | Gateway reachability check | none |
| pref-src | IP address | Preferred source address | |
| interface | string | Outgoing interface | Auto |
| vrf-interface | string | VRF interface name |
# Add default route with gateway IP/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1
# Add route with specific interface/ip route add dst-address=10.0.0.0/24 gateway=192.168.1.2%ether1
# Add route with higher distance (backup route)/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1 distance=10
# Add route to custom routing table/ip route add dst-address=172.16.0.0/12 gateway=192.168.1.1 routing-table=custom
# Add route with pref-src for source address selection/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src=192.168.1.100
# Add route with gateway ping checking/ip route add dst-address=8.8.8.8/32 gateway=192.168.1.1 check-gateway=ping
# Add route with specific scope/ip route add dst-address=10.0.0.0/24 gateway=192.168.1.2 scope=20 target-scope=15
# View route with all properties/ip route print detail where dst-address=10.0.0.0/24Route Types
Section titled “Route Types”RouterOS supports multiple route types beyond standard unicast routes used for normal packet forwarding. Each route type serves a specific purpose in network design and traffic management, enabling sophisticated routing policies and traffic control mechanisms. In RouterOS 7, special static routes are created with the bare blackhole, prohibit, or unreachable keywords in /ip route add rather than a type= property.
Blackhole routes silently discard traffic matching the destination prefix without generating any ICMP error messages. This behavior makes blackhole routes ideal for traffic filtering where you want to discard unwanted traffic without alerting the sender or creating ICMP traffic that might overwhelm network resources. Blackhole routes are commonly used for null routing of private address space that should not transit the router, blocking known malicious prefixes, and implementing access control at the routing level.
Prohibit routes generate ICMP administrative prohibited messages when traffic matches the destination prefix, informing the source that the traffic is being filtered by administrative policy. This route type is useful when you want to explicitly notify senders that their traffic is not permitted, which can aid in debugging and compliance with security policies that require rejection rather than silent drop.
Unreachable routes generate ICMP destination unreachable messages, typically code 1 (host unreachable) or code 13 (communication administratively prohibited). These routes inform sources that the destination is not reachable through the current router, which differs from prohibit routes in that unreachable routes suggest a reachability issue rather than a policy restriction.
# Create blackhole route (silently discard)/ip route add dst-address=192.168.100.0/24 blackhole
# Create blackhole with distance for route fallback/ip route add dst-address=10.0.0.0/8 blackhole distance=50
# Create prohibit route (ICMP administratively prohibited)/ip route add dst-address=172.16.0.0/12 prohibit
# Create prohibit route with higher distance/ip route add dst-address=192.168.50.0/24 prohibit distance=20
# Create unreachable route (ICMP unreachable)/ip route add dst-address=192.168.200.0/24 unreachable
# View a special route in detail/ip route print detail where dst-address=192.168.100.0/24Route Scope and Target Scope
Section titled “Route Scope and Target Scope”Understanding Scope Values
Section titled “Understanding Scope Values”Scope and target-scope are advanced routing properties that control how routes participate in nexthop resolution and route propagation. These values are integers between 10 and 255 that create a hierarchical filtering mechanism for route selection during recursive lookup operations. Understanding scope is essential for configuring complex routing scenarios involving multiple routing tables, traffic engineering, and policy-based routing.
Scope determines the visibility of a route’s nexthop during recursive resolution. When a route’s gateway is an IP address rather than a directly connected interface, the router performs a recursive lookup to determine the actual outgoing interface. The scope value of candidate routes must be greater than or equal to the scope value of the route performing the lookup. This mechanism allows administrators to control which routes can be used to resolve recursive nexthops, effectively creating a routing resolution hierarchy.
Target-scope specifies the scope value that this route advertises to other routes that might use it for recursive resolution. When a route with target-scope is considered as a candidate nexthop, its target-scope value is compared against the scope requirements of routes attempting to resolve through it. Lower target-scope values make routes more preferred for recursive resolution.
# Configure route with custom scope values/ip route add dst-address=10.0.0.0/16 gateway=172.16.0.1 scope=25 target-scope=15
# View routes with non-default scope/ip route print where scope!=30
# Configure route for use in recursive resolution/ip route add dst-address=192.168.0.0/16 gateway=10.0.0.1 scope=20 target-scope=10
# View routes by scope value/ip route print where scope<30
# Set route as backup for recursive resolution/ip route add dst-address=172.16.0.0/12 gateway=192.168.1.1 scope=40 target-scope=30Policy Routing and Multiple Tables
Section titled “Policy Routing and Multiple Tables”Custom Routing Tables
Section titled “Custom Routing Tables”RouterOS supports multiple routing tables beyond the default main table, enabling sophisticated policy routing scenarios where different traffic flows use different routing decisions. Custom routing tables are essential for implementing traffic segregation, multi-provider connectivity, VPN routing, and complex network architectures that require separation of routing domains.
Sub-menu: /routing table
# Create custom routing table/routing table add name=isp1-table fib
# Create routing table for VPN traffic/routing table add name=vpn-table fib
# Create routing table for management traffic/routing table add name=mgmt-table fib
# View all routing tables/routing table print
# Add route to custom routing table/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=isp1-table
# Add route to VPN routing table/ip route add dst-address=10.0.0.0/8 gateway=172.16.0.1 routing-table=vpn-table
# View routes in specific routing table/ip route print where routing-table=isp1-table
# Remove route from custom table/ip route remove numbers=0 where routing-table=isp1-tableRouting Rules
Section titled “Routing Rules”Policy routing rules direct traffic to specific routing tables based on matching criteria including source address, destination address, interface, firewall marks, and other packet attributes. Rules are evaluated in order, with the first matching rule determining which routing table is consulted for the packet.
Sub-menu: /routing rule
| Property | Type | Description | Default |
|---|---|---|---|
| action | lookup | lookup-only-in-table | unreachable | prohibit | Rule action | lookup |
| src-address | IP address | Source address prefix | |
| dst-address | IP address | Destination address prefix | |
| interface | string | Incoming interface | |
| routing-mark | string | Existing routing mark | |
| table | string | Routing table to consult | |
| priority | integer | Rule priority | 0 |
# Create rule to lookup custom table for specific source/routing rule add action=lookup table=isp1-table src-address=192.168.100.0/24
# Create rule for specific destination/routing rule add action=lookup table=vpn-table dst-address=10.0.0.0/8
# Create rule based on incoming interface/routing rule add action=lookup table=mgmt-table interface=ether1
# Create rule with multiple criteria/routing rule add action=lookup table=backup-table src-address=192.168.50.0/24 dst-address=0.0.0.0/0
# Create unreachable rule for specific traffic/routing rule add action=unreachable src-address=192.168.200.0/24
# Create prohibit rule for administrative blocking/routing rule add action=prohibit dst-address=172.16.0.0/12
# View all routing rules/routing rule print
# View rules with priority ordering/routing rule print detail
# Remove routing rule/routing rule remove numbers=0Routing Marks
Section titled “Routing Marks”Routing marks tag packets with identifiers that can be used by routing rules and filters to make routing decisions. Combined with firewall mangle rules, routing marks enable complex traffic classification and policy routing based on any packet attribute that firewall rules can match.
# Mark packets with firewall mangle/interface bridge filter add action=mark-packet chain=forward new-packet-mark=voip-traffic passthrough=no
# Create routing rule for marked packets/routing rule add action=lookup table=voip-table routing-mark=voip-traffic
# Mark packets based on DSCP/ip firewall mangle add action=mark-packet chain=prerouting new-packet-mark=video-traffic dscp=46
# View routing marks in use/routing rule print where routing-mark!= ""
# Create routing table for marked traffic/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=video-table/routing rule add action=lookup table=video-table routing-mark=video-trafficEqual-Cost Multi-Path
Section titled “Equal-Cost Multi-Path”ECMP Configuration
Section titled “ECMP Configuration”Equal-Cost Multi-Path routing enables load balancing across multiple nexthops when multiple paths to the same destination have identical cost. In RouterOS v7, ECMP is formed by installing multiple routes to the same destination with the same distance. ECMP is commonly used for ISP redundancy, link aggregation, and traffic distribution across multiple upstream providers.
# Add ECMP by installing multiple equal-cost routes/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1 distance=1/ip route add dst-address=0.0.0.0/0 gateway=172.16.0.1 distance=1
# Add interface-bound ECMP gateways/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1%ether1 distance=1/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1%ether2 distance=1
# View ECMP routes/ip route print where dst-address=0.0.0.0/0
# Check ECMP nexthop distribution/ip route print detail where dst-address=0.0.0.0/0
# Add gateway health checks to each ECMP path/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1 distance=1 check-gateway=ping
# Monitor ECMP traffic distribution/tool traffic-monitorECMP Hashing
Section titled “ECMP Hashing”RouterOS uses a hash of source and destination IP addresses (L3) to distribute traffic across ECMP paths. The hashing algorithm is not user-configurable in RouterOS 7 — there is no ecmp-hash-policy property under /ip/settings.
Route Maintenance
Section titled “Route Maintenance”Route Monitoring
Section titled “Route Monitoring”Regular monitoring of the routing table ensures awareness of network state and rapid detection of routing issues. RouterOS provides multiple commands for viewing route status, monitoring changes, and identifying potential problems.
# View complete routing table/ip route print
# View routes with statistics/ip route print stats
# View route age and expiration/ip route print detail
# View active routes/ip route print where active
# View routes by gateway/ip route print where gateway=192.168.1.1
# View routes by interface/ip route print where interface=ether1
# Check gateway reachability/ping 192.168.1.1 count=5
# Trace route to destination/tool traceroute 10.0.0.1
# Monitor routing table continuously/tool torchRoute Statistics
Section titled “Route Statistics”The routing table maintains statistics about route usage, bytes transferred, and packet counts that are invaluable for network troubleshooting and capacity planning.
# View route statistics/ip route print stats
# View specific route statistics/ip route print detail stats where dst-address=10.0.0.0/24
# Reset route statistics/ip route reset-statistics
# Monitor active route count/system resource print | grep routes
# Check routing table capacity/system resource print | grep "routing tables"Removing Routes
Section titled “Removing Routes”RouterOS 7 does not have a flush command for routes. Remove routes individually or by filter using remove with find:
# Remove a specific static route/ip route remove [find dst-address=10.0.0.0/8]
# Remove all static routes in a custom routing table/ip route remove [find routing-table=custom]
# Verify route removal/ip route print count-onlyDynamic routes (from OSPF, BGP, etc.) cannot be removed directly — they are withdrawn when the originating protocol removes them or the interface goes down.
Route Filtering
Section titled “Route Filtering”Input and Output Filters
Section titled “Input and Output Filters”The /routing/route menu is read-only and does not provide a standalone top-level filter workflow. Commands such as /routing filter print and /routing filter add chain=... are not valid in RouterOS 7. Build the rules under /routing filter rule, then attach the resulting chain to the routing protocol that imports or advertises the routes.
Sub-menu: /routing filter rule, plus protocol-specific attachment points such as /routing ospf instance or /routing bgp connection
# Create an import chain for OSPF-learned routes under /routing filter rule/routing filter rule add chain=ospf-in rule="if (dst in 10.0.0.0/8) {accept}"/routing filter rule add chain=ospf-in rule="reject"
# Attach the chain to the protocol instance/routing ospf instance set default in-filter-chain=ospf-in
# View filter rules/routing filter rule print where chain=ospf-in
# View filter rules in detail/routing filter rule print detail where chain=ospf-inRoute Attribute Modification
Section titled “Route Attribute Modification”Route filters can modify route attributes before routes enter or leave the routing table, but those changes are still applied through /routing filter rule chains attached to a protocol-specific menu rather than from /routing/route itself.
# Set OSPF external attributes during redistribution/routing filter rule add chain=ospf-out rule="if (protocol static && dst in 172.16.0.0/12) { set ospf-ext-type type2; set ospf-ext-metric 50; accept }"/routing filter rule add chain=ospf-out rule="reject"
# Attach the export chain to the OSPF instance/routing ospf instance set default redistribute=static out-filter-chain=ospf-out
# Apply filters to a BGP connection/routing bgp connection set peer-name input.filter=bgp-in output.filter-chain=bgp-outRoute Scripts and Automation
Section titled “Route Scripts and Automation”Dynamic Route Management
Section titled “Dynamic Route Management”RouterOS script integration enables automated route management based on network conditions, timing events, or external triggers. Scripts can add, modify, or remove routes dynamically, implementing sophisticated routing policies.
# Create script for backup route activation/system script add name=activate-backup source={ :local currentDistance [/ip route get [find dst-address=0.0.0.0/0 gateway=192.168.1.1] distance]; :if ($currentDistance = 1) do={ /ip route set [find dst-address=0.0.0.0/0 gateway=192.168.1.1] distance=10; /ip route set [find dst-address=0.0.0.0/0 gateway=10.0.0.1] distance=1; :log info "Primary gateway failed, activated backup route"; }}
# Create script for route monitoring/system script add name=monitor-routes source={ :foreach route in=[/ip route find] do={ :local dst [/ip route get $route dst-address]; :local gw [/ip route get $route gateway]; :local status [/ip route get $route active]; :log info "Route $dst via $gw is $status"; }}
# Schedule route monitoring/system scheduler add name=check-routes interval=5m on-event=monitor-routes
# Create script for route failover/system script add name=failover source={ :local pingResult [/ping 192.168.1.1 count=3]; :if ($pingResult = 0) do={ :log warning "Primary gateway unreachable, switching to backup"; /ip route set [find dst-address=0.0.0.0/0 gateway=192.168.1.1] disabled=yes; /ip route set [find dst-address=0.0.0.0/0 gateway=10.0.0.1] disabled=no; }}Netwatch for Route Monitoring
Section titled “Netwatch for Route Monitoring”Netwatch provides host-level monitoring that can trigger route changes when monitored destinations become unreachable.
# Add netwatch for primary gateway/tool netwatch add host=192.168.1.1 interval=30s timeout=1000ms \ up-script="" \ down-script="/ip route set [find dst-address=0.0.0.0/0 gateway=192.168.1.1] disabled=yes"
# Add netwatch for backup gateway monitoring/tool netwatch add host=10.0.0.1 interval=30s timeout=1000ms \ up-script="/ip route set [find dst-address=0.0.0.0/0 gateway=192.168.1.1] disabled=no"
# View netwatch status/tool netwatch print
# View netwatch history/tool netwatch print historyRoute Debugging and Troubleshooting
Section titled “Route Debugging and Troubleshooting”Diagnostic Commands
Section titled “Diagnostic Commands”Effective troubleshooting requires understanding the available diagnostic tools and their appropriate use for different routing issues.
# Test reachability to gateway/ping 192.168.1.1 count=5
# Trace path to destination/tool traceroute 10.0.0.1
# Monitor routing protocol packets/tool sniffer packet filter protocol=ospf/tool sniffer packet filter protocol=bgp
# View routing table with detail/ip route print detail
# Check specific route information/ip route get [find dst-address=10.0.0.0/24]
# View route flags/ip route print where flags=active/ip route print where flags=disabled/ip route print where flags=static
# View active routes/ip route print where active
# View routing table export/ip route exportCommon Issues and Solutions
Section titled “Common Issues and Solutions”Route not found in routing table: Verify that the route was added correctly with /ip route print. Check for typos in the destination address or gateway. If using a recursive gateway, verify that the intermediate route exists.
Traffic not using expected route: Confirm that more specific routes are not overriding the route. Check routing rules that might redirect traffic. Verify that firewall rules are not marking traffic differently. Use /ip route print detail to verify the route is active.
Gateway unreachable: Verify physical connectivity with /ping. Check ARP resolution with /ip arp print. Verify that the gateway address is on a directly connected network or reachable through another route.
ECMP routes not balancing: Check that all ECMP nexthops are active. Verify that the ECMP mode is appropriate for your traffic. Monitor traffic distribution with /tool traffic-monitor.
Route flap issues: Enable BFD for rapid failure detection. Check for physical layer issues causing intermittent connectivity. Review logs for error messages with /log print.
Route Best Practices
Section titled “Route Best Practices”Route Planning and Documentation
Section titled “Route Planning and Documentation”Maintain comprehensive documentation of routing architecture including route purpose, source, and expected behavior. Document any route dependencies and the reasoning behind administrative distance values. Create naming conventions for routes that indicate their purpose and priority level.
Route Security
Section titled “Route Security”Implement route filtering to prevent route poisoning from unauthorized sources. Use routing protocol authentication to prevent route injection. Regularly audit the routing table for unexpected routes. Monitor for route hijacking attempts and implement RPKI validation where applicable.
Route Optimization
Section titled “Route Optimization”Use route summarization at network boundaries to reduce routing table size and improve convergence time. Implement ECMP for bandwidth aggregation and redundancy. Configure appropriate administrative distances to create clear hierarchy between routing sources. Use route filters to implement policy-based routing without excessive route count.
Monitoring and Alerting
Section titled “Monitoring and Alerting”Configure monitoring for critical routes and gateway reachability. Set up alerts for route count changes, route flap events, and unexpected route modifications. Implement regular routing table audits to identify anomalies. Use Netwatch or scripts for automated failover when primary routes become unavailable.
Related Documentation
Section titled “Related Documentation”- OSPF - Open Shortest Path First configuration
- BGP - Border Gateway Protocol configuration
- BFD - Bidirectional Forwarding Detection for rapid failure detection
- RIP - Routing Information Protocol
- Routing Overview - General IP routing configuration
- VRF - Virtual Routing and Forwarding isolation
- Firewall and QoS - Route-aware firewall policies