VRRP + BGP seamless failover

I have a lab set up with my laptop at 192.168.1.98/24

There is a VRRP above me with 192.168.1.1/24 on two routers - a ccr1009 and ccr2004. I am connection sharing between the two and the Backup of the vrrp is filling its connection tracking table.

The two ccr routers talk BGP to a pair of RB960 above them. This is how the 192.168.1.0/24 makes it to the BGP routers. The pair of RB960 have internet above them with a private address and are masquerading the 192.168.1.0/24.

The problem/complaint/question I have is when the failover happens I’ll lose a ping (that’s fine), streaming video with a buffer works (Youtube, Netflix), however the two big obstacles are: 1) video games just get shut down specifically World of Warcraft and 2) Twitch streams will hang for a few seconds.

Is it possible to create a more seamless transition from master to backup? I recognize a failover is not a common occurrence, but I’d like to avoid the phone call we’ll get from a WoW player if/when our ccr1009 blows up.

1 Like

Hi

The short ping loss is normal during a VRRP switch, but what’s breaking your games and Twitch sessions is the connection tracking state. When the backup CCR becomes master, it doesn’t have the same connection table, so existing NAT sessions are gone. From the client side, that looks like a new connection with a different source translation, and the remote servers just drop it.

The only way to reduce that impact is to enable conntrack synchronization between the two routers. RouterOS 7 supports it through the conntrack-sync package. It lets the backup keep the active session table in sync with the master. That way, VRRP failover won’t destroy the NAT state for ongoing sessions. Also check that both CCRs use the same NAT and routing path upstream.

If each does its own masquerade, the failover will always reset the source ports and IPs, so real seamless switchover won’t be possible.

Have a good day
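The NAT state loss described in the reply above, as a toy model (an added example, not part of the original posts and not RouterOS code). The public address, server address, port ranges and the `NatRouter`/`Server`/`failover` names are constructed, and the public IP is assumed to follow the VRRP master.

```python
"""Toy model of NAT state across a VRRP failover (constructed addresses and ports)."""

PUBLIC_IP = "203.0.113.10"  # constructed; assumed to follow the VRRP master


class NatRouter:
    def __init__(self, name, first_port):
        self.name = name
        self.next_port = first_port  # each router allocates source ports independently
        self.conntrack = {}          # (src_ip, src_port, dst) -> translated (ip, port)

    def translate(self, flow):
        """Return the translated source, creating a new mapping if none is tracked."""
        if flow not in self.conntrack:
            self.conntrack[flow] = (PUBLIC_IP, self.next_port)
            self.next_port += 1
        return self.conntrack[flow]

    def sync_to(self, peer):
        """Copy tracked sessions to the peer, as state synchronization would."""
        peer.conntrack.update(self.conntrack)


class Server:
    def __init__(self):
        self.sessions = set()

    def receive(self, src, syn):
        if syn:
            self.sessions.add(src)
            return "SYN-ACK"
        # A mid-stream segment is only valid for a source tuple the server knows.
        return "ACK" if src in self.sessions else "RST"


def failover(sync):
    master = NatRouter("master", first_port=40000)
    backup = NatRouter("backup", first_port=50000)
    server = Server()
    flow = ("192.168.1.98", 51515, "198.51.100.7:3724")  # laptop -> constructed server
    server.receive(master.translate(flow), syn=True)     # session opens via the master
    if sync:
        master.sync_to(backup)
    src_after = backup.translate(flow)  # master is gone; backup forwards the next packet
    return src_after, server.receive(src_after, syn=False)


if __name__ == "__main__":
    for sync in (False, True):
        print(f"sync={sync}:", *failover(sync))
```

Without synchronization the backup allocates a fresh source port and the server resets the unknown tuple; with the table copied, the translated tuple is unchanged and the session continues.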

The connection tracking table is shared.

>If each does its own masquerade, the failover will always reset the source ports and IPs, so real seamless switchover won’t be possible.

So when I do this with BGP on the top two routers (rb960 in this case) instead of NAT, that will solve my issue of lost connection state? It will still carry the public ip on the wan side so that makes sense. The next obstacle I’d have is dropping the incoming traffic, though if the router completely dies I’d have no way to tell my peer to drop those routes and would probably just have to wait a few minutes, right?

1 Like

Yeah, exactly. Moving NAT up to the BGP layer will help because the public IP stays the same when VRRP switches, so you won’t lose session state anymore. The short pause you’re seeing is just BGP reconverging when one router drops.

You can reduce that with BFD or by lowering your BGP hold timers so routes are withdrawn faster. Just make sure both routers announce the same prefixes and attributes to keep things stable for upstream peers during failover.

Docs worth checking: MikroTik VRRP and IPv4 VRRP basics.

2 Likes