Help on advanced VRRP setup

The example in the manual is too simple and the explanation in the forum/wiki (?) is insufficient.

My setup:
A load balancer connects to 5-7 WAN/ADSL lines; its one LAN side, with IP 10.50.50.1/24, connects to the VRRP router.

One rb1000, functioning as master
One rb150, functioning as backup
Both running ROS3.17 with firmware 3.18

Both are connected to three networks with three 'real' interfaces: one 'public' side (ether1) to that load balancer and two separate 'local' networks ('local1' on ether2 and 'local2' on ether3).
All 'real' interfaces connect to their network's switch to connect to clients ('local1' or 'local2') or the LB ('public').
Thus three switches.

  1. “public” network (used for VRRP setup).
    a. Master IP ether1: 10.50.50.3/24
    VRRP interface (attached to the ether1) with VIP 10.50.50.2/24 *1
    b. Slave IP ether2: 10.50.50.4/24
    VRRP interface (attached to the ether1) with VIP 10.50.50.2/24 *1

  2. “local1” network.
    a. Master IP ether2: 10.50.60.1/24
    b. Slave IP ether2: 10.50.60.1/24 (disabled in backup mode)

  3. “local2” network.
    a. Master IP ether3: 192.168.5.1/24 (dhcp server running)
    b. Slave IP ether3: 192.168.5.1/24 (dhcp server running) (interface, and thus dhcp server, disabled in backup mode)

(To avoid IP conflicts on both “local” networks, scripts in the 'real' routers' VRRP settings have to enable and disable the interfaces of the master versus the backup router.)

I have now two problems:

Problem 1:
The script:

/disable ether2
/disable ether3

works fine in the slave router (rb150) when it has been master but is switched back to backup mode by the VRRP protocol.
This same script does not work in the rb1000 when it goes into 'backup' mode.

The script:

/enable ether2
/enable ether3

works fine in both routers.

I changed the scripts into:

: delay 2
/interface print
/enable ether2
/enable ether3

or I just put any other kind of script in the script fields (and all these scripts work fine in the terminal).
It just seems that the rb1000 is not performing the 'On backup' scripts.

But I am not going to conclude that it is the rb1000 that has a problem. If I start playing with the IP and network addresses to solve problem 2, no script works any longer!

To work on problem 2 I take over the failing script's task by hand. (I disable the two interfaces manually.)

Problem 2:

The routing table shows that on the master unit only the IP of the real interface ether1 becomes active. The VRRP interface stays inactive.
Browsing is still possible over the router but traffic is slow and intermittent.

*1 After reading some thread I tried to set the VRRP IP to 10.50.50.2/32.
Now the routing table correctly shows both IP/interface combinations, like I would expect.
BUT, in this case none of the scripts work any longer!
Although the routers change status on their VRRP interfaces (ether1), the scripts are not performed on either router!

Questions:

  • Does the VRRP interface have to be set up on the 'local' side of the router? (As is shown in the manual and examples.)
  • If so, in the case of two local networks attached to the same VRRP router, does the VRRP interface have to be set up on BOTH of the interfaces/networks?
  • What is the proper IP setup for the VRRP interface in relation to its 'mother' interface? (Subnets. The examples/manual give contradictory info.)
  • Can a DHCP server run on a VRRP interface and work? (If the physical router changes, the IPs of the DHCP clients are still the same; do they need to be updated by the new DHCP server? Even if all IPs are the same?)

Can anybody help me out here? It would make a nice tutorial for others…

Rudy

You have to set a /32 address on the VRRP interface, otherwise it will not work correctly.
Scripts are executed only when the VRRP status changes. If the VRRP router is unable to see any other VRRP routers on the network, it sets itself as master. For example, if the master router becomes unavailable, it still thinks that it is master and the state is never changed to backup.

About scripts not executing at all.

/interface print
/enable ether2
/enable ether3

I don’t think that the script above will ever work.

‘/’ sets the root menu and there is no enable command in the root menu.
The correct script is:

/interface enable ether2
/interface enable ether3
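
The two corrections from the reply above (a /32 address on the VRRP interface and the full `/interface` menu path in the scripts), combined into one configuration as an added example that is not part of the original thread. Addresses and priorities are the ones given in the thread; the name `vrrp1`, `vrid=1` and the initial disable on the backup node are assumptions.

```routeros
# Added example, not from the thread. vrrp1 and vrid=1 are assumed names/values.

# --- Master node (rb1000) ---
# Real address on the interface facing the load balancer
/ip address add address=10.50.50.3/24 interface=ether1
# VRRP instance on ether1; scripts use the full menu path (/interface ...)
/interface vrrp add name=vrrp1 interface=ether1 vrid=1 priority=255 \
    on-master="/interface enable ether2; /interface enable ether3" \
    on-backup="/interface disable ether2; /interface disable ether3"
# Virtual IP goes on the VRRP interface with a /32 mask, not /24
/ip address add address=10.50.50.2/32 interface=vrrp1

# --- Backup node (rb150) ---
# The first post lists this address under ether2; ether1 is assumed here,
# since that is the interface its VRRP instance is attached to.
/ip address add address=10.50.50.4/24 interface=ether1
/interface vrrp add name=vrrp1 interface=ether1 vrid=1 priority=100 \
    on-master="/interface enable ether2; /interface enable ether3" \
    on-backup="/interface disable ether2; /interface disable ether3"
/ip address add address=10.50.50.2/32 interface=vrrp1
# Assumption: keep the duplicate local addresses inactive on the backup
# node until its on-master script runs.
/interface disable ether2
/interface disable ether3
```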

mrz,

Thanks for the reply,

I found out about the /32 setting for the VRRP interface. This is the only way to get the VRRP interface’s IP active on the master. This is contrary to the MT manual, where /24 IPs are clearly mentioned for the VRRP and the 'mother' ether interface.
MT should look at this!

Regarding the scripts, yes I made a mistake, only because also the
/interface enable ether2
/interface enable ether3
doesn’t work for me on the master. I tried it and it only works fine on the slave node.

The master 'On backup' or 'On master' script is just not performed, no matter what script… :(


I test the setup as follows:
The backup node has priority 100 while the master node has 255. I change the master priority to 1 and then I see the master go into backup mode while the slave becomes master.
The slave initiates its script perfectly, but the master's (ex-master now) scripts don’t run.

Then I perform the (ex-)master scripts manually to get the state I want and change the (ex-)master priority back to 255. Now the (ex-)master takes master mode again and the slave takes backup mode again.
On the slave the scripts run again, while the node that is now master again still does not initiate its 'On Master' backup.

The fact that master and slave change status correctly proves to me that the VRRP protocol does work; I just don’t understand why the master does not initiate its scripts… very frustrating! I have now tried it on different routers, with the VRRP interface on both the public and the local side, and every time I run into the same problem. :(

Rudy

v3.x has a new VRRP implementation and the v2.9 manual should not be used. The wiki has the correct VRRP documentation:
http://wiki.mikrotik.com/wiki/VRRP

As for the scripts: when you change the priority on the VRRP interface, it is not considered a state change. VRRP is restarted, the startup state is backup, and the script is not executed at that moment.

mrz

OK, the difference in ROS makes sense. It would be nice if MT noted this in their manuals. It would save a lot of confusion for many users, I bet.

Regarding the scripts:
I see your point. Makes sense. But how do I test that VRRP is working?

  • Disabling the ether interface VRRP runs on disables the VRRP interface too. So the scripts won’t work.
  • Powering down the router will work for the slave, but I can’t use this to see if the master had its scripts working.
  • Disconnecting the cable of the ether/VRRP interface only makes the master believe he is alone and he remains the master. Since the slave now also thinks he is alone, he becomes master too. Now on the other interfaces I have IP conflicts, since both masters have the same IP address in these networks.

In the last case I need to manually disable, or disconnect the cables of, the first node to get my networks working…


rudy