publish arp problem

Good evening,
I have set up two crr1029 routers connected in a highly available way with VRRP enabled behind the provider’s router. I have a /27 public IP range, of which the first addresses are given to the ISP router’s internal interface, the MikroTik routers’ external interfaces and the VRRP address. A couple of servers are connected behind the MikroTiks and have to be reachable from the internet. I have set up dst-nat on the MikroTik in order to access the servers with their public IPs.

The problem I face is that the publish ARP property is not working properly and the servers are not reachable most of the time. The only solution is to add static ARP entries to the ISP routers that will point to the MikroTik VRRP MAC address.
The version of RouterOS is 6.27.

Has anyone else faced a similar problem with publish ARP?
Do you suggest any solution for this implementation?

Thank you.

The problem is that VRRP isn’t designed to be a redundancy protocol for stateful things like firewalls and NAT translations.

In the event of an actual failover from box1 to box2, the connection state tracking is not going to fail over also, which is going to break all TCP connections that exist when it happens.

In the case of dst-nat, the Mikrotik is responding to an IP address that strictly speaking does not belong to the Mikrotik itself. Since the translation is generally only going to work on the box that actually makes it, it is natural for the Mikrotik to respond with its own MAC address…

If you can make it where the backup Mikrotik doesn’t answer proxy ARP requests when it is inactive on VRRP, this would fix your problem 98% of the way. (ARP cache timeout during failover would still be a possible problem for you, as well as connection state tracking problems.)

If the backup Mikrotik has routing table information for the public IPs that eventually points out the WAN side, it should not answer ARP requests for those IPs.
(Maybe on R2, static route /32 for each one with next hop = vrrp address?)

This is a software bug, because the scenario works well most of the time. Sometimes it just refuses to answer requests.
I have also tried disabling VRRP, but the problem exists.
Has anybody else used the publish ARP feature?
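
One way to test the hypothesis raised in the reply (that both routers answer ARP for the dst-nat'ed addresses) is to capture ARP on the WAN segment and list which MACs claim each public IP. The following is an added example, not code from the thread; the capture lines, IP addresses and MACs are constructed, and the only protocol fact assumed is that an IPv4 VRRP virtual MAC has the form 00:00:5e:00:01:<VRID>.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -n arp` output taken on the WAN segment.
# Documentation IPs and made-up MACs; none of this is data from the thread.
SAMPLE_CAPTURE = """\
10:00:01.10 00:00:5e:00:01:0a > 02:00:00:cc:00:09, ethertype ARP (0x0806), length 60: Reply 203.0.113.10 is-at 00:00:5e:00:01:0a, length 46
10:00:02.20 02:00:00:aa:00:01 > 02:00:00:cc:00:09, ethertype ARP (0x0806), length 60: Reply 203.0.113.11 is-at 02:00:00:aa:00:01, length 46
10:00:02.21 02:00:00:bb:00:02 > 02:00:00:cc:00:09, ethertype ARP (0x0806), length 60: Reply 203.0.113.11 is-at 02:00:00:BB:00:02, length 46
10:00:03.30 02:00:00:aa:00:01 > 02:00:00:cc:00:09, ethertype ARP (0x0806), length 60: Reply 203.0.113.12 is-at 02:00:00:aa:00:01, length 46
10:00:04.40 02:00:00:cc:00:09 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.13 tell 203.0.113.1, length 46
"""

REPLY_RE = re.compile(
    r"Reply (\d+\.\d+\.\d+\.\d+) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
VRRP_V4_PREFIX = "00:00:5e:00:01:"  # last octet is the VRID


def arp_answerers(capture):
    """Map each IP address to the set of MACs seen answering ARP for it."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = REPLY_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2).lower())
    return dict(seen)


def audit(capture, nat_ips):
    """Classify every dst-nat'ed IP by who answered ARP for it."""
    answers = arp_answerers(capture)
    report = {}
    for ip in nat_ips:
        macs = answers.get(ip, set())
        if not macs:
            report[ip] = "no-reply"       # nobody published this address
        elif len(macs) > 1:
            report[ip] = "conflict"       # more than one box is answering
        elif next(iter(macs)).startswith(VRRP_V4_PREFIX):
            report[ip] = "vrrp-mac"       # follows the VRRP master
        else:
            report[ip] = "physical-mac"   # pinned to one router's own MAC
    return report


if __name__ == "__main__":
    ips = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
    for ip, status in audit(SAMPLE_CAPTURE, ips).items():
        print(ip, status)
```

A "conflict" result matches the backup router answering while inactive; "no-reply" during an outage matches the intermittent failure described in the first post.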