VRRP and firewall rules?

Hello all,

I have 2 routerboard 1100 running with 5.23.

They both have about 6 vlans and 6 vrrp configured.
VRRP worked perfectly until I started locking down the firewall.
Now both RBs become master on the configured VRRPs.

What firewall rules are required for VRRP to function?
I use VRRP version 2 with ah authentication.

Kind regards,
Coert Waagmeester

Wireshark is my friend! I found the answer.

I added the following firewall rule:
add action=accept chain=input disabled=no dst-address=224.0.0.18 protocol=ipsec-ah

First I tried the same rule but with the protocol set to vrrp.

Anyway, it is working now!

Sorry to bring up an old thread, but the wiki

http://wiki.mikrotik.com/wiki/Manual:Interface/VRRP

says 224.0.0.12, not 224.0.0.18.

The Wiki is wrong, the multicast address is 224.0.0.18. The protocol is also 112 (VRRP) and not 51 (ipsec-ah).

Herewith a firewall rule confirmed to work on 6.37.1:
/interface vrrp add interface=vlan2000 name=vrrp-vlan2000 priority=254 vrid=23 # Master
/ip firewall filter add action=accept chain=input dst-address=224.0.0.18 in-interface=vlan2000 protocol=vrrp

PS: The multicast and protocol numbers could have changed at some point in the past, but I doubt it.
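
Added example, not part of any post in this thread: the two accept rules above match different IP protocol numbers, and this sketch shows which one a given advertisement needs by inspecting the IPv4 header. It assumes that AH authentication wraps the advertisement in an IP Authentication Header (protocol 51 with next-header 112, as RFC 2338 describes and as the first poster's capture suggests); the function names and sample packets are constructed for illustration.

```python
import socket
import struct

VRRP_GROUP = "224.0.0.18"        # multicast group used in both rules above
PROTO_AH, PROTO_VRRP = 51, 112   # IP protocol numbers: ipsec-ah, vrrp

def build_ipv4(proto, payload, src="192.0.2.1", dst=VRRP_GROUP):
    """Constructed sample: 20-byte IPv4 header (TTL 255, checksum 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      255, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def advert(auth_type):
    """Constructed VRRPv2 advertisement: VRID 23, priority 254, no addresses."""
    return bytes([0x21, 23, 254, 0, auth_type, 1, 0, 0]) + bytes(8)

def firewall_protocol(packet):
    """Return the protocol= value an input rule must match for this packet,
    or None if it is not a VRRP advertisement sent to the VRRP group."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    if socket.inet_ntoa(packet[16:20]) != VRRP_GROUP:
        return None
    proto = packet[9]
    if proto == PROTO_VRRP:
        return "vrrp"
    # AH layout: next header (1), length (1), reserved (2), SPI (4), sequence (4), ICV
    if proto == PROTO_AH and len(packet) >= ihl + 12 and packet[ihl] == PROTO_VRRP:
        return "ipsec-ah"
    return None

# Constructed AH header: next header 112, length field 4 (24 bytes), SPI, sequence, 12-byte ICV
AH_HEADER = struct.pack("!BBHII", PROTO_VRRP, 4, 0, 0x100, 1) + bytes(12)

PLAIN = build_ipv4(PROTO_VRRP, advert(auth_type=0))               # no authentication
WITH_AH = build_ipv4(PROTO_AH, AH_HEADER + advert(auth_type=2))   # AH authentication

if __name__ == "__main__":
    print("authentication off:", firewall_protocol(PLAIN))
    print("authentication AH :", firewall_protocol(WITH_AH))
```

Running the same check over a capture from the VRRP interface shows which protocol the routers actually send before the input chain is locked down.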