The company I work for bought two CCR2004 routers to be used in a small deployment of servers at a colocation center. I have been tasked to set them up, and have managed to get most things to work as we want. So far I am quite impressed with the routers and the RouterOS software, even if it sometimes requires quite some knowledge to get right.
A brief overview of the setup is that we have 3 external IPs: router-01 is on ext.2, router-02 is on ext.3 and they have VRRP on ext.1. Internally we have a VLAN with a similar setup: router-01 is on 192.168.1.2, router-02 is on 192.168.1.3 and they have VRRP on 192.168.1.1. There is also a second VLAN internally with a similar setup.
Each router is also running an OpenVPN server which can be accessed by connecting to its external IP. Router-01 has an OpenVPN IP at 192.168.101.1/24 and a pool for clients on the same subnet. This is mirrored on router-02, but the network used is 192.168.102.0/24. To allow packets to reach back to the VPN clients from the main VLAN, I have put a route on each router: router-01 routes 192.168.102.0/24 to 192.168.1.3, i.e. router-02, and router-02 routes 192.168.101.0/24 to 192.168.1.2, i.e. router-01. All corresponding to which router the VPN client would be on.
This works fine when I am connected to the router that is currently VRRP master on the internal network. However, when I connect to the one that is currently backup, the packets do not find their way back to me. If router-01 is master, I connect over OpenVPN to router-02, and ping something on 192.168.1.123, the ping reply gets stuck on router-01 and is dropped as invalid. Looking at the packet log I can see that it had vlan2 (i.e. the one that has no route for the VPN) as out-interface.
My questions are: Is this a sound setup overall? Am I doing something wrong in terms of having two routers with VRRP but also running OpenVPN on each of them? How can I get routing to work such that both OpenVPN servers work? Let me know if I should supply more information; I am a bit new to all this, so I'm not completely sure which information to include.
On pure routers (i.e. ones not acting as a firewall), the setup you describe would work fine - both routers have an individual address in 192.168.1.0/24 so both can send packets to any host in that subnet, and since router-01 has a route to 192.168.102.0/24, if that host in 192.168.1.0/24 sends a response via the virtual gateway which is currently up on router-01, router-01 can forward that response to router-02. However, since firewalls are active there, and the ping response is the first packet of that “connection” that router-01 has seen (because the ping request has bypassed it), the firewall will not permit the response to pass.
You have multiple possibilities for dealing with this - you can:
add a couple of rules to the firewalls, permitting this response traffic (basically permitting anything from 192.168.1.0/24 to 192.168.101.0/24 or 192.168.102.0/24)
activate synchronization of connection tracking data between the two routers. This functionality is only available in RouterOS 7 and some fixes to it have been added recently - ROS 7.5 if I remember correctly. You have to activate connection tracking data synchronization at just one of the VRRP interfaces on each router (the “same” one at both routers).
choose yet another approach to avoid upgrading to ROS 7 if you are lucky enough to be able to run RouterOS 6 on the 2004s. Instead of having individual addresses from 192.168.1.0/24 on the “physical” interfaces, and the virtual one (192.168.1.1) attached to the VRRP interfaces as a /32 one, you can attach individual IP addresses from some other subnet, even /32 ones, to the physical interfaces, and attach 192.168.1.1 as a /24 one to the VRRP interfaces. This way, only the router on which the VRRP interface is currently up will have an active route to 192.168.1.0/24; if you combine that with OSPF, that router will advertise that subnet to the other one. So if the OpenVPN client of router-02 sends something to a destination in 192.168.1.0/24 while the VRRP interface is active on router-01, router-02 will have to send it via router-01, so both router-02 and router-01 will see both the request and the response. For OSPF, you need the interconnection network between the routers to be a /30 or larger one. I’d suggest using a dedicated VLAN to host that interconnection subnet rather than reusing the one to which the VRRP interface for 192.168.1.1/24 is attached, as that way you will also avoid the redirection that would take place otherwise (if a router finds out that it forwards the packet out through the same interface through which it came in, it informs the sender that there is a better gateway accessible through the same interface, which sometimes causes issues if the IP address of the “better gateway” is outside the source subnet of the packet - which would be the case if you would have two subnets attached to the same interface).
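As an added example (not part of the answer above or the original poster's configuration), here is what the first two options look like as RouterOS CLI commands for router-01, using the addresses from the question. Assumptions: the VRRP interface on the internal VLAN is named vrrp-vlan1, the default "drop invalid" rule carries the stock comment "defconf: drop invalid" (adjust place-before to match your own rule), and the RouterOS 7 VRRP property is sync-connection-tracking; verify the property name on your firmware version.

```routeros
# --- router-01 (own address 192.168.1.2, VPN clients in 192.168.101.0/24) ---

# Option 1: accept LAN -> VPN-client traffic BEFORE the drop-invalid rule and
# WITHOUT a connection-state match. The ping reply is the first packet of the
# flow that router-01 sees (the request went through router-02), so conntrack
# marks it invalid; any rule matching on connection-state=established would
# never see it.
/ip firewall filter
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.101.0/24 \
    action=accept comment="LAN -> router-01 VPN clients (asymmetric return)" \
    place-before=[find comment="defconf: drop invalid"]
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.102.0/24 \
    action=accept comment="LAN -> router-02 VPN clients (asymmetric return)" \
    place-before=[find comment="defconf: drop invalid"]

# The static route from the question stays as it is; its mirror image
# (192.168.101.0/24 via 192.168.1.2) goes on router-02 together with the
# same two accept rules.
/ip route
add dst-address=192.168.102.0/24 gateway=192.168.1.3 \
    comment="VPN clients terminated on router-02"

# Option 2 (RouterOS 7 only, instead of or in addition to option 1): share
# connection-tracking state over the VRRP interface of the internal VLAN.
# Enable it on the same VRRP interface on BOTH routers; the master then
# already knows the flow when the reply arrives and no accept rule is needed.
/interface vrrp set [find name="vrrp-vlan1"] sync-connection-tracking=yes

# Check: ping 192.168.1.123 from a client on the backup router, then on the
# master look for the flow (option 2) and make sure nothing is logged as
# invalid any more (if you have a log rule in front of drop invalid).
/ip firewall connection print where dst-address~"^192.168.10[12]"
/log print where message~"invalid"
```

With option 1 the accepted return traffic is still unmatched by conntrack on router-01, so any later rule that relies on connection-state for that direction (for example a NAT or mangle rule) will not apply to it; option 2 avoids that, which is why the answer recommends it where ROS 7 is available.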