
Default route over a tunnel – help!
Recently we helped a new Admiral customer onboard a MikroTik that is configured to send all traffic through a tunnel to their data center so that they can provide remote services. They desired to send all traffic over the tunnel – EXCEPT ADMIRAL. Admiral will be used for remote management and monitoring (RMM), and the desire is to have Admiral traffic NOT traversing the tunnel.

In this case, the field MikroTik gets DHCP in RFC1918 space from the upstream provider (satellite or cellular carrier) – something like 192.168.1.x/24, and the carrier circuit itself is also under private IP with either NAT or CGNAT – so both the carrier gateway and MikroTik aren’t remotely accessible over the Internet unless we introduce something like Admiral.
How did we solve this?
The fix was simple – the existing configuration sends all traffic over a VPN due to a dynamically created default route to the Data Center (DC), but we want to exempt Admiral from that. In the USA, all Admiral services live in the 209.195.0.0/18 space, so adding a route to that prefix creates a more specific route in the routing table, which keeps Admiral traffic out of the default-routed tunnel.
/ip route add comment=Admiral_dhcp_gw dst-address=209.195.0.0/18 gateway=192.168.1.1
Admiral Global IP blocks
USA & ES (Latin America) – 209.195.0.0/18
Africa – 102.215.239.67/28
EU – 188.40.21.168/29
JP – 18.177.38.63/32
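The more-specific-route behaviour described above, modelled in Python as an added example (not code from the original post or from Admiral). The routing table is constructed, and the name tunnel-to-dc is a hypothetical stand-in for the tunnel's default route; the prefixes and the 192.168.1.1 gateway are the ones given in the post.

```python
import ipaddress

# Constructed routing table for the field MikroTik described above: the
# tunnel's default route plus the Admiral exemption. "tunnel-to-dc" is a
# hypothetical name; 192.168.1.1 is the DHCP gateway from the post's example.
TUNNEL = "tunnel-to-dc"
ROUTES = [("0.0.0.0/0", TUNNEL), ("209.195.0.0/18", "192.168.1.1")]

# Regional blocks exactly as published in the post.
ADMIRAL_BLOCKS = {
    "USA & ES": "209.195.0.0/18",
    "Africa": "102.215.239.67/28",
    "EU": "188.40.21.168/29",
    "JP": "18.177.38.63/32",
}


def normalize(prefix):
    """Mask off host bits, e.g. a block written as x.x.x.67/28."""
    return str(ipaddress.ip_network(prefix, strict=False))


def lookup(dst, routes=ROUTES):
    """Return the gateway chosen for dst by longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def tunnelled_blocks(routes=ROUTES, blocks=ADMIRAL_BLOCKS):
    """Regions whose Admiral block would still follow the tunnel default."""
    result = []
    for region, prefix in blocks.items():
        net = ipaddress.ip_network(prefix, strict=False)
        # Test the first and last address of the block against the table.
        ends = (net.network_address, net.broadcast_address)
        if any(lookup(str(a), routes) == TUNNEL for a in ends):
            result.append(region)
    return result


if __name__ == "__main__":
    print(lookup("209.195.10.20"), lookup("8.8.8.8"))
    print(normalize("102.215.239.67/28"), tunnelled_blocks())
```

With only the USA route installed, the Africa, EU and JP blocks still resolve to the tunnel in this model, so a device that uses one of those regions needs its regional prefix routed the same way.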
But wait, there’s more
The WAN of the field MikroTik isn’t statically assigned – it gets its addressing over DHCP. For this solution to work on ANY network, instead of only when the gateway is 192.168.1.1, our customer asked our support team to provide a DHCP script that would update the route automatically, depending on the auto-assigned IP of the DHCP gateway. And here it is!
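# Count existing routes tagged with the Admiral comment
:local count [/ip route print count-only where comment=Admiral_dhcp_gw]
# $bound is set by the DHCP client; 1 means DHCP was successful
:if ($bound = 1) do={
    :if ($count = 0) do={
        # First run: add the Admiral route via the DHCP-provided gateway
        /ip route add dst-address=209.195.0.0/18 gateway=$"gateway-address" comment=Admiral_dhcp_gw
    } else={
        # Route already exists: update it only if the gateway has changed
        :local test [/ip route find where comment=Admiral_dhcp_gw]
        :if ([/ip route get $test gateway] != $"gateway-address") do={
            /ip route set $test gateway=$"gateway-address"
        }
    }
}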
Explain that to me
- In the first line, we check whether there are any existing routes that have a comment of “Admiral_dhcp_gw”, so that we know whether this is the first time we need to add a route or whether we need to update an existing route.
- IF DHCP is successful ($bound is a built-in variable) then
  - IF there is no route to Admiral (this is the first time) then
    - Add a route to Admiral servers using the gateway provided by DHCP and add a comment of “Admiral_dhcp_gw”
  - ELSE (meaning there’s already a previously added route to Admiral servers that we should update)
    - Create a TEST variable so that we can see if the current DHCP gateway is the same as our existing route
    - Do the check to see if we need to update the route and, if we need to, then
      - Update the existing route’s gateway
Why does that matter?
Without this script, you’d have to make sure that every deployment of cellular or satellite network configuration uses 192.168.1.1 as the Internet gateway for the LAN where the MikroTik will be connected, or update the MikroTik configuration. With this script, as long as you plug the MikroTik into any port providing DHCP service, Admiral traffic will be exempted from being routed over the tunnel that has been configured to “add-default-route=yes”. Because of this, if the managed services tunnel that goes to the customer Data Center has trouble for any reason, Admiral will still work as long as the MikroTik has Internet access. Cool, right?
Bonus!
Using the Additional Remote Access feature of Admiral, you can also get remote access to the cellular or satellite GUI as though you are on site and locally connected! Here’s a video and blog on how you can add this incredible functionality:
Keep routing the world with MikroTik, and keep managing your MikroTiks with Admiral!