Feature request - Connection tracking sync w/other Mikrotik

Hi,

I’d like to request a feature.

On Linux, one can run ‘conntrackd’ to synchronize the internal state of the connection tracking table with another Linux box.
This means when a connection is opened and tracked, the state of that connection is copied to the other Linux box and entered into its conntrack table.
This allows you to do things like clustered firewalls, where you can asymmetrically route across these two firewalls, because the connection tracking state is in sync.

If Mikrotik offered such a feature, I would likely consider implementing it as my corporate firewall.

Ideally, also provide a feature to keep firewall rules (filter/nat/mangle) in sync, but not necessarily as I can do that with a script pushing configs.

Thanks,
Tim
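As an added illustration of the Linux setup described above (not part of this thread, and not RouterOS configuration), a minimal conntrackd.conf for one of a pair of firewalls that replicates its conntrack table to the peer over a dedicated link; the addresses, interface name and virtual IP are assumed values:

```conf
# conntrackd.conf for firewall A (assumed addresses and interface names).
# Firewall B uses the same file with the two sync-link addresses swapped.
Sync {
    Mode FTFW {
        # Reliable replication with acknowledgements, the mode to use
        # for stateful failover (ALARM and NOTRACK are the alternatives).
        DisableExternalCache Off
        CommitTimeout 1800
        PurgeTimeout 5
    }
    UDP {
        # Dedicated, isolated sync link: the state feed is unauthenticated,
        # so it must never cross an untrusted network.
        IPv4_address 192.168.100.100
        IPv4_Destination_Address 192.168.100.200
        Port 3780
        Interface eth2
        Checksum on
    }
}

General {
    Nice -20
    HashSize 32768
    HashLimit 131072
    LogFile on
    Syslog on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    Filter From Userspace {
        Protocol Accept {
            TCP
            UDP
            ICMP
        }
        Address Ignore {
            # Flows that terminate on this box are meaningless on the peer,
            # so they are never replicated.
            IPv4_address 127.0.0.1        # loopback
            IPv4_address 192.168.100.100  # sync link (assumed)
            IPv4_address 10.1.1.1         # shared virtual IP (assumed)
        }
    }
}
```

Replicated entries sit in conntrackd's external cache until the node becomes active and commits them into the kernel table with `conntrackd -c`; replication alone does not give a clean failover.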

Has there been any progress on this?

None yet.

This feature will be a good thing when the master VRRP router fails.
All connections (NAT translations, open TCP sessions) will be moved to the backup VRRP router…

This feature would be very useful when you are working with replicated structures, like site and site-backup.
Another application would be on an autonomous system that has two outbound/inbound routers and serves multiple LANs.

Any news on that?

Hi,

Are there any news on this?
Features like this would make my life so much easier and RouterOS much more useful for mission-critical infrastructure.

Is there any comment from MikroTik themselves on this?

Regards

Has there been any progress on this?

When can we expect this function? Weird: if it’s specialized sound equipment WAN, the WAN is not considered critical?

Is there some update on conntrack-sync?

Like on VyOS:

https://docs.vyos.io/en/latest/appendix/examples/ha.html

Bump in 2021 :grin:

It works somehow in RouterOS 7.1beta6, linked to the VRRP functionality.

VRRP connection syncing won’t really do it for us. We need to sync netmaps of /24s to create HA scenarios.

Could Mikrotik create a native connection tracking sync without needing to use vrrp?

I’m not sure whether the synchronization process takes into account any relationship of the connections being synchronized to the VRRP addresses. I can see the connection synchronisation process running on a pair of CHRs running 7.1, and I can see that connections to/from individual addresses of the CHRs are not synchronized. I don’t have enough time at this time of the year to create a setup where traffic would be forwarded by one of the CHRs bypassing the VRRP interface, but you should definitely try that first before requesting development which may actually have already been made.

It appears the current implementation is an active-backup scenario. We want to use active-active. I’ve tried setting up bi-directional conntrack syncing but it just errors that the bind has failed. This active-backup is evident from the logs:

vrrp1 starting CONNTRACK SLAVE
and on the other router
vrrp1 starting CONNTRACK MASTER

I will do a full test at the office on Monday, but seeing the logs I’m reasonably certain it’s only one-way syncing.

Correct, it is one way, and it even seems to either not work or to be more selective than I can understand; I’ve made a simple test in the meantime and it failed.

I somehow didn’t think about the active-active scenario.

The connection tracking does not seem to work properly yet. The log reports that it’s setting up the master & slave connections; however, when I cause a failover, packets are dropped until I clear the firewall connection tracking.