Hi folks.

I'm working in a active/pasive fault tolerant firewall with RouterOS and 2 brand new PowerRouter 732.

In my current network configuration I have 2 gigabit ethernet link from each PowerRouter to each of the 3 switches with 802.3ad and VLAN subinterfaces.

EtherX}
802.3ad bonding} VLANa, VLANb, VLANc...VLANn
EtherY}

So I'm using VRRP in the VLAN subinterfaces to support a sort of 'active/passive semi balanced firewall service' by setting some higher VRRP priorities in some VLANs in each router.

That is working, but I can't figure out how to do the firewall rules synchronization between them so I don't need to add any new firewall rule to both routers (actually having 2000+ active rules).

Any ideas?

Best regards.

Any luck with this? You have done the same thing that I am thinking of doing ...

Any other ways to attach this problem ?

There is no built in solution for this. Your best approach would be to write an application that uses the API to do this for you.

While this isn't technically "syncing", you could setup a "master" router which contains the base firewall rules. A script could run on this router to /ip firewall filter export file=FirewallFilter every so often or as it detected a change.
On all "slave" routers, you could use /tool fetch to grab the export from the "master", clear it's current filter rules, then /import FirewallFilter.rsc for example. This would only work in a master -> slave environment, and if the master router went down, all slaves "should have" received the firewall rules from master.

I'm working on a real syncing of any properties in RouterOS. It will use files to depict "master/slave" and to contain rules needed for syncing. Since it uses files, I've built-in the ability for "meta" files and other meta data so file sizes never exceed 4095 kb.

I'd be willing to post my code here, and have others review it (and of course revise it) if desired. I mention "revise it" because this should be a very general purpose syncing mechanism to sync any area of RouterOS config, and I'm only 1 person!

Anyway, I think this would be a valued tool for RouterOS.

While RouterOS is an excellent product, a lot of these enterprise type features are missing. Maybe Mikrotik could create an "enterprise" licence level that was say an extra US $50 - $100 and enabled:

- Sychronised High Availability (Active Passive with gratuitous ARP on failover)
- Enterprise IPSEC e.g. Virtual Tunnel Interface support, Road Warrior (dialup) tunnels, XAuth client/server

I am sure the revenue from the enterprise licence level would fund the development of these features.

While this isn't technically "syncing", you could setup a "master" router which contains the base firewall rules. A script could run on this router to /ip firewall filter export file=FirewallFilter every so often or as it detected a change.
On all "slave" routers, you could use /tool fetch to grab the export from the "master", clear it's current filter rules, then /import FirewallFilter.rsc for example. This would only work in a master -> slave environment, and if the master router went down, all slaves "should have" received the firewall rules from master.

I'm working on a real syncing of any properties in RouterOS. It will use files to depict "master/slave" and to contain rules needed for syncing. Since it uses files, I've built-in the ability for "meta" files and other meta data so file sizes never exceed 4095 kb.

I'd be willing to post my code here, and have others review it (and of course revise it) if desired. I mention "revise it" because this should be a very general purpose syncing mechanism to sync any area of RouterOS config, and I'm only 1 person!

Anyway, I think this would be a valued tool for RouterOS.

I agree with your assertion. This is technically possible. Has it been done? I don't know. My suggestion, and I'm probably going to get censured for this one, is to look into pfSense; this has all the features that are specified.