 
alex_rhys-hurn
Member
Topic Author
Posts: 348
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Poor mans config sync: vrrp

Fri Feb 21, 2014 1:42 pm

Hello!

I would like to ask the advice and tips of all you gurus out there.

We have two CCR routers in a VRRP setup. The config is fairly static except for firewall rules, which we work on quite a bit.

My thoughts, and I am asking you guys if I am mad / wasting my time to try this, is to build a script on the master that dumps the filter config to a file, say twice a day, and then the slave pulls that file and imports it?

Does this sound like something worth trying or are there demons ahead?

Your thoughts much appreciated.

Alex
 
rickfrey
Trainer
Posts: 609
Joined: Sun Feb 14, 2010 11:41 pm
Location: Van, Texas

Re: Poor mans config sync: vrrp

Fri Feb 21, 2014 5:34 pm

No, it's not crazy :D This is something I have experimented with as well. There are multiple ways to do this now, but yes it can be done. The biggest problem is making sure that you are not duplicating rules/actions as you import the script. Here is an example, it's for Layer 7 matchers, but it shows how to find particular script entries and make sure that you are not duplicating those rules. http://www.mikrotik.com/download/l7-protos.rsc. Try using ftp/tftp to move the files. Then use scheduler to process the file.
 
TonyJr
Member Candidate
Posts: 207
Joined: Sat Nov 12, 2011 1:30 am
Location: UK

Re: Poor mans config sync: vrrp

Mon Feb 24, 2014 2:19 am

> Hello!
>
> I would like to ask the advice and tips of all you gurus out there.
>
> We have two CCR routers in a VRRP setup. The config is fairly static except for firewall rules, which we work on quite a bit.
>
> My thoughts, and I am asking you guys if I am mad / wasting my time to try this, is to build a script on the master that dumps the filter config to a file, say twice a day, and then the slave pulls that file and imports it?
>
> Does this sound like something worth trying or are there demons ahead?
>
> Your thoughts much appreciated.
>
> Alex

There would be a point, when running the script, that the firewall had no entries, if you flush -> import in a script.

The script would become very messy and resource intensive to check for existing rules (and on what basis?).

I think it is another feature that MikroTik could implement in the future though. I believe a lot of WISPs would benefit from this.

MikroTik seem to be very good at these kinds of things, i.e. idea to implementation. Maybe send them a message on the support email address.
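
Added example, not written by any poster in this thread and not MikroTik code: one way to address both the duplicate-rule concern and the flush-then-import gap raised above is to diff the two filter exports and apply only the differences, in order. It assumes the exports have already been copied to a management host, uses a simplified reading of the export format (a `/ip firewall filter` header followed by `add` lines), and the function names and the abstract insert/delete steps are hypothetical, not RouterOS commands.

```python
import difflib
import re
import shlex

def parse_filter_export(text):
    """Ordered rules from the '/ip firewall filter' part of an export.
    Each rule is a sorted tuple of (key, value) pairs, so property order is ignored."""
    rules, in_filter = [], False
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-wrapped lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            pairs = (tok.partition("=") for tok in shlex.split(line)[1:])
            rules.append(tuple(sorted((k, v) for k, _, v in pairs)))
    return rules

def sync_plan(standby, master):
    """Steps that turn the standby's rule list into the master's.
    Positions index the standby list as it is edited step by step."""
    plan, shift = [], 0
    matcher = difflib.SequenceMatcher(None, standby, master, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue  # matching rules are left alone, nothing is flushed
        added, removed = j2 - j1, i2 - i1
        # Insert first, then delete, so a changed rule is never missing.
        for n, rule in enumerate(master[j1:j2]):
            plan.append(("insert", i1 + shift + n, rule))
        plan.extend([("delete", i1 + shift + added, None)] * removed)
        shift += added - removed
    return plan

# Constructed sample exports, not taken from a real router.
MASTER = r"""/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input comment="allow ssh" dst-port=22 \
    protocol=tcp src-address=192.0.2.0/24
add action=drop chain=input
"""
STANDBY = r"""/ip firewall filter
add chain=input action=accept connection-state=established,related
add action=accept chain=input dst-port=23 protocol=tcp
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat
"""
PLAN = sync_plan(parse_filter_export(STANDBY), parse_filter_export(MASTER))
```

For the sample data the plan is two steps: insert the master's SSH rule at position 1, then delete the stale rule that has moved to position 2, leaving the established/related and final drop rules in place throughout.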
 
alex_rhys-hurn
Member
Topic Author
Posts: 348
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: Poor mans config sync: vrrp

Mon Feb 24, 2014 7:55 am

Hi there,

Thanks everyone for the thoughts.

Regarding the point where the filter table would be empty when tables are flushed, I see your concern, and it is valid. In theory this would only happen on the passive/inactive VRRP partner, which has no / little traffic passing through.

I can picture some nasty situations where the active device fails partially / badly and this starts to happen on the new active host.

I will have a think through.

Alex
 
Buster2
newbie
Posts: 46
Joined: Sun Jan 06, 2013 9:04 pm

Re: Poor mans config sync: vrrp

Sun Mar 23, 2014 4:14 pm

Hi,

> Regarding the point where the filter table would be empty when tables flushed, I see your concern, and it is valid.

Besides MikroTik we run a Linux Debian-based load balancer with multipath routing, and there we use "iptables -F" to flush rules for routing marks and set new ones as needed. We experienced no problems so far.

Regards,
Buster
 
satish143
Frequent Visitor
Posts: 52
Joined: Fri Jan 22, 2016 9:54 pm

Re: Poor mans config sync: vrrp

Mon Mar 28, 2016 11:09 pm

I am also looking for a firewall sync script that syncs between two VRRP devices.

Does anybody have an example script?
 
mpreissner
Member
Posts: 357
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Poor mans config sync: vrrp

Wed Mar 30, 2016 1:26 pm

A better option would be some type of unified management platform whereby routers in a VRRP configuration could be managed as a single unit, obviating the need to manually sync all the settings from the master to the slave. Or an automated process whereby a slave unit auto-synchronizes to the master when VRRP is configured.
 
nathan1
Member Candidate
Posts: 160
Joined: Sat Jan 16, 2016 7:05 pm

Re: Poor mans config sync: vrrp

Mon Apr 11, 2016 5:00 am

I'd suggest you guys give this a try: https://github.com/svlsResearch/ha-mikrotik
Full and automatic configuration sync, you manage one unit and the other one stands by as a slave.
It has been in production for about 4 months at 6 different sites.
