Firewall Sync between RB1000

Hey there!

I’m having a config with 2 Routerboards 1000 for redundancy. They check their availability with the VRRP protocol. So there is one little problem: when we add new firewall rules to the master routerboard, we would need to sync it to the other one. It’s not necessary to do this “real time”, because usually the master routerboard is running without any interruptions. It would be good enough to sync it at night.
Of course there are some simple possibilities to do this - but I don’t like to export the rules at night, import it to the other one minutes later and execute the rules… Above all I think that there would be duplicates? :wink:
Has anyone of you ever needed to implement something like this?

best regards

Hi dominikh,

I have a vrrp-solution, too. Every hour I export my firewall filter to a file. After the export, I move the file with sftp to the backup system. On the backup-system I have a simple INPUT Firewall.

When the backup system becomes master, I use the script functionality on the vrrp-interface (“on-master”). I clear my INPUT firewall filter with “/ip firewall filter remove [find]” and import the firewall from the moved file. On the backup system I keep the last 48 files. So, that’s it.

Regards
Eric
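
An added example, not part of Eric's post: a Python check, run on a management host, that compares the rule list in two firewall filter exports in order and flags duplicated rules such as an import without the prior clear would leave behind. The sample exports are constructed, the function names are hypothetical, and it assumes long rules are wrapped with a trailing backslash between arguments.

```python
import difflib

# Constructed sample exports (not from the thread): the backup lacks one rule.
MASTER_EXPORT = """\
# jan/02/2010 03:00:00 by RouterOS
/ip firewall filter
add action=accept chain=input comment="established" \\
    connection-state=established
add action=accept chain=input dst-port=22 protocol=tcp \\
    src-address=192.0.2.0/24
add action=drop chain=input
"""
BACKUP_EXPORT = """\
# jan/01/2010 03:00:00 by RouterOS
/ip firewall filter
add action=accept chain=input comment="established" \\
    connection-state=established
add action=drop chain=input
"""

def parse_rules(export_text):
    """Return the ordered list of 'add' rules from a filter export."""
    rules, pending = [], ""
    for raw in export_text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue  # skip blanks and the timestamp header, which always differs
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "  # rule continues on the next line
            continue
        line, pending = pending + line, ""
        if line.startswith("add "):
            rules.append(" ".join(line.split()))  # normalise whitespace
    return rules

def rule_drift(master_text, backup_text):
    """Ordered diff, backup -> master; order matters because the first match wins."""
    a, b = parse_rules(backup_text), parse_rules(master_text)
    return [d for d in difflib.ndiff(a, b) if d[:2] in ("+ ", "- ")]

def has_duplicates(export_text):
    """True if a rule appears twice, e.g. after an import without clearing first."""
    rules = parse_rules(export_text)
    return len(rules) != len(set(rules))

if __name__ == "__main__":
    for change in rule_drift(MASTER_EXPORT, BACKUP_EXPORT):
        print(change)
```

A `+` line is a rule present on the master but missing on the backup; a `-` line is a rule only the backup has.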

Hi ericw!

That sounds pretty nice. I’ll have to test this out.
Thanks so far.

Kind Regards,
Dominik