Hello
I recently migrated from pfSense to MikroTik when I bought a hEX S.
Everything works perfectly. Containers saved me from a bunch of BSD jail hacks I was running on pfSense.
I am facing an issue when it comes to HA using VRRP. I have set up a CHR instance via Proxmox. For the most part it works great: failover within 5 seconds and connections are synced.
The issue I am facing is that when clients behind the router send a packet to the virtual MAC address, the reply from the router is sent to the client with the src MAC address of the actual interface. This is fine with most devices; I have a Mac, iPhone, Android and Windows all working, except if I put another MikroTik device with filtering behind the main router. The child router will see the reply as a new connection, as the MAC address of the reply is not the same, and drops it with connection state invalid for TCP ACK packets or new for UDP.
My actual setup is a little complicated, with bridges, multiple VLANs, VRRP on the VLAN interfaces (/32 address on the same subnet), and a bunch of WireGuard VPNs, containers and firewall rules, so I set up a lab environment in QEMU with just:
- a router with VRRP (no firewall filter, just a src-nat rule for masquerade)
- a Linux client
I am seeing the same behaviour as before. I get replies from the router with the src MAC set to the interface MAC (except the ARP reply for the virtual IP).
Screenshots (captions only):
- correct ARP response
- ping request with correct dst MAC
- response with different src MAC
I am not sure if this is the expected behaviour. Should I add firewall rules on the clients to trust these replies?
Full config on the test router:
# 2025-10-12 08:13:42 by RouterOS 7.20.1
# system id = wmCi2P9VhEL
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
/interface vrrp
add interface=ether1 name=vrrp1 priority=101 version=2
/ip pool
add name=pool1 ranges=172.18.0.200-172.18.0.220
/ip dhcp-server
add address-pool=pool1 interface=ether1 name=server1
/ip address
add address=172.18.0.2/24 interface=ether1 network=172.18.0.0
add address=172.18.0.1 interface=vrrp1 network=172.18.0.0
/ip dhcp-client
add interface=ether4
/ip dhcp-server network
add address=172.18.0.0/24 dns-server=172.18.0.1 gateway=172.18.0.1
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether4
/system identity
set name=VRT1
Thanks for your help
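The check the post does by hand from its capture (does the gateway answer from the same MAC it announced for the VIP in ARP?), as an added example that is not part of the original post and not RouterOS code: a small Python parser over raw Ethernet frames. The sample frames are constructed inline to match the lab addressing in the config (VIP 172.18.0.1, client 172.18.0.200); VRID 1, the interface MAC 02:00:00:00:00:a1 and the client MAC 02:00:00:00:00:c1 are assumptions, and the VRRPv2 virtual MAC rule 00:00:5e:00:01:{VRID} is taken from RFC 3768.

```python
import struct

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
ARP_REPLY, IPPROTO_ICMP = 2, 1


def vrrp_virtual_mac(vrid: int) -> str:
    """VRRPv2 virtual MAC for IPv4 (RFC 3768): 00-00-5E-00-01-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header plus enough of ARP or IPv4 to audit source MACs."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    rec = {"dst_mac": _mac_str(dst), "src_mac": _mac_str(src), "kind": "other"}
    body = frame[14:]
    if etype == ETH_P_ARP:
        _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", body[:28])
        rec.update(kind="arp", op=op, sha=_mac_str(sha), spa=_ip_str(spa),
                   tha=_mac_str(tha), tpa=_ip_str(tpa))
    elif etype == ETH_P_IP:
        # byte 9 = protocol, 12..16 = source IP, 16..20 = destination IP
        rec.update(kind="ip", proto=body[9],
                   src_ip=_ip_str(body[12:16]), dst_ip=_ip_str(body[16:20]))
    return rec


def audit_vip_source_mac(frames, vip: str):
    """Return (MAC announced for vip in ARP replies, list of mismatches).

    A mismatch is an IP packet sourced from vip whose Ethernet source MAC is
    not the MAC the router announced for vip: (dst_ip, announced, actual).
    """
    announced, mismatches = None, []
    for f in map(parse_frame, frames):
        if f["kind"] == "arp" and f["op"] == ARP_REPLY and f["spa"] == vip:
            announced = f["sha"]
        elif f["kind"] == "ip" and f["src_ip"] == vip and announced:
            if f["src_mac"] != announced:
                mismatches.append((f["dst_ip"], announced, f["src_mac"]))
    return announced, mismatches


# --- constructed frames (not a real capture) ---------------------------------
def _eth(dst_mac, src_mac, etype, payload):
    return _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", etype) + payload


def build_arp_reply(sha, spa, tha, tpa):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, ARP_REPLY,
                      _mac_bytes(sha), _ip_bytes(spa), _mac_bytes(tha), _ip_bytes(tpa))
    return _eth(tha, sha, ETH_P_ARP, arp)


def build_icmp_echo(dst_mac, src_mac, src_ip, dst_ip, icmp_type):
    # Checksums are left zero: nothing in this audit validates them.
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                      IPPROTO_ICMP, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return _eth(dst_mac, src_mac, ETH_P_IP, iph + icmp)


VIP, CLIENT_IP = "172.18.0.1", "172.18.0.200"   # from the lab config
VMAC = vrrp_virtual_mac(1)                       # VRID 1 assumed (00:00:5e:00:01:01)
PHYS_MAC = "02:00:00:00:00:a1"                   # assumed ether1 MAC
CLIENT_MAC = "02:00:00:00:00:c1"                 # assumed client MAC


def sample_capture(reply_src_mac: str):
    """ARP reply for the VIP, echo request to the virtual MAC, echo reply back."""
    return [
        build_arp_reply(VMAC, VIP, CLIENT_MAC, CLIENT_IP),
        build_icmp_echo(VMAC, CLIENT_MAC, CLIENT_IP, VIP, 8),
        build_icmp_echo(CLIENT_MAC, reply_src_mac, VIP, CLIENT_IP, 0),
    ]


if __name__ == "__main__":
    for label, mac in (("reply from virtual MAC", VMAC), ("reply from interface MAC", PHYS_MAC)):
        announced, bad = audit_vip_source_mac(sample_capture(mac), VIP)
        print(f"{label}: announced={announced} mismatches={bad}")
```

With a real capture, feed the raw frames from a pcap reader into audit_vip_source_mac; every tuple it returns is one reply sent from a MAC other than the one the VIP was resolved to, which is exactly the asymmetry the post describes.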