Hi,

I’m new to Mikrotik router/firewall devices - but I’m loving what I’ve seen so far.
I have a question, though, which doesn’t appear to be answered in the manuals and I can’t find a solution in the forums…
I can see how to implement two devices with VRRP so that they work as an HA pair and I love the flexibility for the firewall rules, but…

How can I get one device to update the connection state table of the other device so that when a fail-over occurs from one to the other that I don’t lose in-progress sessions?

I see in in this post (http://forum.mikrotik.com/t/v4-0-feature-request-s/18662/127) from over 10 years ago that fewi was expanding on a request by iwikus.

Am I missing the explanation of how to make this work, or does it still remain on the feature requests list?

Richard.

Not sure MT products are there yet software wise… but really good question you want true HA… (mirrored in real time)

Hi anav,

IMHO, this would be a real USP for the firewall functionality of the MikroTik products.
I’m currently looking at a VoIP implementation, which is not a network application that copes well if established sessions are lost.

I guess Mikrotiks are not currently the answer for this scenario.

Fingers crossed for some up-voting and an imminent functionallity upgrade - and I’ll be happy to come back to put them through their paces in a voice environment.

Yeah I am not sure how to handle sessions in mid sentence, and how to ensure minimal losses of ongoing connections which Is what I think you want to achieve?
Caveat…dont make decisions on what I say. I would describe myself as a bottom feeder on the totem pole of MT knowledge. I read too much and understand very little and need to find Germans that have a sense of humour.

I might be thinking too simplistically, but if a connection is established through one node - it matches the conditions to accept a stateful connection, thus permitting the following to function:

/ip firewall filter
add chain=forward comment=“FastTrack Established/Related” action=fasttrack-connection connection-state=established,related
add chain=forward comment “Allow Established/Related” action=accept connection-state=established,related

then it will update the connection state table.

To make an HA pair function hamoniously then there needs to be a way for them to exchange updates to their state tables. I guess that this could be done by simply exchanging the full state table every xx milliseconds or by sending state-change deltas triggered by a state change (or state changes bundled every xx milliseconds).

I have no desire to reinvent the wheel - I have not looked at whether there is an rfc or ieee standard for doing this - but if this is not already well defined then count me in for helping out.

The good news is that it is part of RouterOS 7 scope:
_[me@myTik] > interface/vrrp/export

jan/12/2022 19:30:52 by RouterOS 7.2rc1

software id =

/interface vrrp
add interface=eoip1 name=vrrp1 preemption-mode=no priority=200 sync-connection-tracking=yes_

The bad news is that as of now (7.2.rc1), it still doesn't seem to actually synchronize the tracked connections (at least between the two of my lab CHRs), although the relevant data flow can be seen.