Hi All,
I am new to Mikrotik and I have 2 RB3011UiAS-RM firewalls, one configured and working properly and another which is still boxed.
I want to set up the two firewall in HA and to ensure redundancy.
Is there a step by step guide that i may use to follow to achieve the setup.
Please bear in mind that I am very new to Mikrotik… and don’t have that knowledge…
any help is appreciated.
Hi All,
I am new to Mikrotik and I have 2 RB3011UiAS-RM firewalls, one configured and working properly and another which is still boxed.
I want to set up the two firewall in HA and to ensure redundancy.
Is there a step by step guide that i may use to follow to achieve the setup.
Please bear in mind that I am very new to Mikrotik… and don’t have that knowledge…
any help is appreciated.
I found this article but would that copy the config from the master to primary to the backup?
https://wiki.mikrotik.com/wiki/Manual:VRRP-examples
Hello,
VRRP will not copy one config to the other. It’s a protocol that insures the availability of a virtual ip address that is shared by two or more routers.
You will still need to setup both routers from scratch.
Best regards,
Sent from Tapatalk
Extra:
Your starting a nice project.
I don’t know what your time frame is but since you’re new to MikroTik, I’d suggest you make one work. Then you can think about redundancy. That won’t be too complicated.
If those routers are ISP facing, you’ll need to do vrrp in the LAN side also.
You’ll also need to ensure that the backup one stays current with the live one.
Regards,
Sent from Tapatalk
Hi Alain,
thanks for your reply. I have already set up the first one. Can I just restore the backup from the working one into the blank one and change the gateway IP address.
Would that work?
Regards,
Abbas
Restoring the binary backup “would work”, but you’d have to go to all ethernet interfaces and click “reset mac address” as that restore also restores mac addresses. Very bad!!! 
Officially, the binary backup is for the sane router, but it can work on the same model provided you reset macs.
After that, do remember to change the 2nd routers name. Minor but annoying detail 
Then, start the vrrp stuff.
I’d suggest that you use the current IPs for the vrrp and use the next available ones for the real IPs.
For example, LAN:
192.168.88.1 = shared address
192.168.88.2 = 1st router
192.168.88.3 = 2nd router
Same principal on the wan, but using isp supplied addresses, of course.
Regards,
Sent from Tapatalk
There’s no true HA feature in RouterOS.
That means that no state is synced/shared between two routerboards.
Also no configuration can be automatically synced/copied between two routerboards without custom scripting.
This means that if you do connection tracking (which I am certain you do) in your firewall when doing failover to the adjacent router, the connection tracking table is not synced. So established/related connections, NAT, etc will break for a few seconds and connections to end users will drop.
This feature has been requested since 2014 http://forum.mikrotik.com/t/feature-request-stateful-ha-with-conntrackd/75926/1
For web browsing this might not be a big issue, but for realtime stuff (eg: VoIP) it’s really problematic.
If you do pure routing without NAT or generally stateful firewall, failover can work just fine right away.
Also you will have to manually sync any configuration changes on both routers. Either manually (which can get bad really quick) or via custom scripting or external scripting/programming (which can become restricting in what you can do withing RouterOS).
If you are fluent in networking in general, you shouldn’t have any issues implementing what you need on MikroTik. MikroTik makes it rather easy to implement stuff when you understand at least the basics of TCP/IP, packet flows, etc. I’ve always found their UIs very intuitive even for stuff that I wasn’t originally familiar with.
If not, you are in for a steep learning curve when tackling advanced stuff like HA.
Thank you, this was very helpful. I am more of a Juniper/ASA guy where things are a bit easier when we talk about HA… Manually updating the configuration is not problematic as we do not implement too many changes. I will give it a go and see how it works.
Thanks again.
Abbas