VRRP 1 MT 2 Internet Connections

shmali · October 4, 2006, 4:28pm

From everything I’v read it would appear that vrrp is designed for 2 mt boxes acting as routers with seperate internet connections for each. My scenario is i have one MT with 2 internet connections and i am looking for a good way to do redundant connections. Is vrrp the way to go, is it even designed to do this on one box? I would appreciate any info/help/examples that people have come across, the one in the manual is for 2 mt each with their own connection.

-Adam

Eugene · October 4, 2006, 8:45pm

VRRP makes your router (the box itself) redundant. That’s why it uses two routers to do the job. In your case you have to do simple fail-over. Search the manual for “check-gateway” parameter of static routes.

danielillu · October 5, 2006, 12:52pm

If you have 1 MT box with 2 internet connections and want to use one of them as backup or distribute load over the 2 lines, you should try Bonding.
you can add one under /interface, do add bonding (or use winbox, instead)

shmali · October 5, 2006, 3:12pm

Thanks Eugene,

That is pretty much what i thought but was just looking for confirmation. So now my question is this, after reading about check-gateway and searching all the different posts i’m a little fuzzy on what exactly it does. Correct me if i am wrong but here is what i think happens.

Setup is 2 ip address on the bridge, with two dst-addr = 0.0.0.0/0 in routing table, each one has the gateway for its respective ip address. The router chooses a primary connection and makes that route active, if it can’t be reached, it switches the active gateway until it can be reached and then switches back.

Is this what happens or am i missing something?

I’ve already tried this setup and it seems to work, i am just not sure if i am overlooking something else that should be important. Is there any benefit to doing it like this as opposed to utilizing netwatch and scripts to swap the gateways (i’ve tried this as well and it also works)? I appreciate any feedback you might have.

Danielillu,

I thought to use bonding you needed mikrotik boards on both sides of the connections (that is the way the examples show it). If this is the case I don’t see how it can work for me in this instance as i only have one mt being used to provide access to the internet.

-Adam

danielillu · October 5, 2006, 10:27pm

I think yes, a couple of MT boxes are needed. Regarding to what examples show. You are right, sorry.

I’ll do some testings next weeks using a MT box and some “standard” hardware (also i’ll test using 2 MT) to get a backup system working.

jmyers · October 6, 2006, 12:11am

are the two links you have going to two different ISPs? For us, one link1 is getting a class C network space, and the link2 is just a single IP. Normally, everything from my class C space gets routed out the way it came in (via link1). Everything else (192.168.x.x for example) gets masq’d and goes out link2.
In the event of a link going down, I manually disable rules, and enable others, which will masq my public IPs to be send out link2… or if link2 is the one that goes down, sends those masq’d 192.168.x.x addresses out link1.. eventually, I’ll add the check-gateway thing, and have it do this automatically, but havnt gotten around to writing the script yet…

janisk · October 6, 2006, 3:11pm

do as eguene suggested.

on the other hadn you can set a netwach that does a skript that enables/disables neede routes on ping results from your default GW, no need to do manualy things you can do automaticaly - lasiness is what made us so smart

bmenking · October 6, 2006, 4:54pm

jmyers -

if you have a class C you should be able to use BGP peering to advertise that address block to either provider, depending on which is not down/preferred.

we will be attempting this shortly with two T1’s from different providers and two MT’s using VRRP with BGP and a class C, which leads into my next post about VRRP…

bmenking · October 6, 2006, 5:10pm

I have a MT with VRRP group and addresses for both the internal and external interface. (I actually have two MT’s in a VRRP, but it’s irrelevant for this particular question)

VRRP Group

[admin@MASTER] ip vrrp> print
Flags: X - disabled, I - invalid, M - master, B - backup 
 0   M name="vr1" interface=EXT vrid=1 priority=255 interval=1 
       preemption-mode=yes authentication=ah password="password"

VRRP Addresses

[admin@MASTER] ip vrrp address> print
Flags: X - disabled, A - active 
 #    ADDRESS            NETWORK         BROADCAST       INSTANCE INTERFACE
 0  A 192.168.10.101/24  192.168.10.0    192.168.10.255  vr1      EXT      
 1  A 172.26.15.254/24   172.26.15.0     172.26.15.255   vr1      INT

What I find interesting is that the 192.168.10.101/24 (EXT) virtual address has the proper VRRP MAC address, ie, 00-00-5e-00-01-01. But the 172.26.15.254/24 (INT) virtual address has the INT interface’s real MAC address, not the expected private MAC (which I would assume would be different than EXT’s private MAC).

Let’s add the backup MT with VRRP and priority=100 to this issue. This causes problems with computers on the INT interface who are, say, pinging an internet address. If the master’s EXT interface is unplugged (say hardware failure), the backup MT becomes the master (works great!) and picks up all the proper virtual addresses but the computers on the INT interface still have the MAC address from the master’s INT interface. Hence the computers receive no reply pings.

Is it possible to have a different private MAC for each interface in the VRRP address table?

Am I on track or have I derailed?

Thanks!

changeip · October 6, 2006, 5:45pm

You have ran into the exact same problem we did and is why we cannot use VRRP until they fix it. Interfaces that are not part of vrrp groups should not have their MACs affected… as it stands have a single mac across the entire router is not workable. Please MT fix this so we can start using vrrp.

Sam

bmenking · October 17, 2006, 5:20pm

Ok, the workaround seems to be to use a vrrp group for each interface.

That’s fine and all, it seems to work.

Now we have the ugly problem of the master’s external interface going down and the internal interface does not switch to the backup MT.

I’m assuming a couple scripts would take care of this, but I am not a MT scripting guru… yet.

How would a script tell a vrrp group to switch from master to backup or vice versa?

bmenking · October 18, 2006, 2:17am

Please consider this thread finished (for me, at least).

So far VRRP is sort-of working if I create a VRRP group for each interface (but don’t have two VRRP interfaces on the same network!) I believe the problems I am having can be solved with scripting.

I’ll be moving further discussion to the Scripting section.

acim · March 17, 2010, 6:35pm

Is it possible to use two metarouters in this context?

Set first metarouter to use first ISP as default gateway and set second metarouter to use second ISP as default gateway. Then set VRRP on these two. Is it possible?

I have scenario where I mark some clients to use first ISP and mark some other clients to use another ISP (policy based routing by IP addresses). In case one ISP stops, I want automatic failover to another.

mrz · March 18, 2010, 7:40am

Yes, it is possible, just forward traffic from first ISP to one metarouter and from another ISP to another metarouter.