Poor mans config sync: vrrp

alex_rhys-hurn · February 21, 2014, 11:42am

Hello!

I would like to ask the advice and tips of all you gurus out there.

We have two ccr routers in VRRP setup. The config is fairly static except for firewall rules which we work on quite a bit.

My thoughts, and I am asking you guys if I am mad / wasting my time to try this, is to built a script on the master that dumps the filter config to a file, say twice a day, and then the slave pulls that file and imports it?

Does this sound like something worth trying or are there demons ahead?

Your thoughts much apreciated.

Alex

rickfrey · February 21, 2014, 3:34pm

No, its not crazy This is something I have experimented with as well. There are multiple ways to do this now, but yes it can be done. The biggest problem is making sure that you are not duplicating rules/ actions as you import the script. Here is an example, its for Layer 7 matchers, but it shows how to find particular script entries and make sure that you are not duplicating those rules. http://www.mikrotik.com/download/l7-protos.rsc. Try useing ftp/tftp to move the files. Then use scheduler to process the file.

TonyJr · February 24, 2014, 12:19am

There would be a point, when running the script, that the firewall had no entries, if you flush → import in a script.

The script would become very messy and resource intesive to check for existing rules (and on what basis?).

I think it is another feature that mikrotik could implement in the future though. I believe a lot of wisps would benefit from this.

Mikrotik seem to be very good at these kind of things i.e. idea to implementation. Maybe send them a message on the support email address.

alex_rhys-hurn · February 24, 2014, 5:55am

Hi there,

Thanks everyone for the thoughts.

Regarding the point where the filter table would be empty when tables flushed, I see your concern, and it is valid. In theory this would only happen on the passive/inactive vrrp partner which has no / little traffic passing through.

I can picture some nasty situations where the active device fails partially / badly and this starts to happen on the new active host.

I will have a think through.

Alex

Buster2 · March 23, 2014, 2:14pm

Hi,

beside MikroTik we run a linux debian based loadbalancer with multipath routing and there we use “iptables -F” to flush rules for routing marks and set new ones as needed. We experienced no problems so far.

Regards,
Buster

satish143 · March 28, 2016, 8:09pm

I am also looking for firewall sync script, which sync between two VRRP device.

Anybody has any example script?

mpreissner · March 30, 2016, 10:26am

A better option would be some type of unified management platform whereby routers in a VRRP configuration could be managed as a single unit, obviating the need to manually sync all the settings from the master to the slave. Or an automated process whereby a slave unit auto-synchronizes to the master when VRRP is configured.

nathan1 · April 11, 2016, 2:00am

I’d suggest you guys give this a try: https://github.com/svlsResearch/ha-mikrotik
Full and automatic configuration sync, you manage one unit and the other one stands by as a slave.
It has been in production for about 4 months at 6 different sites.