I want to set up VRRP with preemption mode and connection tracking sync at the same time. However, both my routers complain that these settings are mutually exclusive. The goal is to have a “main router” connected to fiber internet that we want to use as much as possible. It should sync its connections with the backup router. When this main router is not available, I want VRRP to switch to a backup LTE one that we want to use as little as possible, as I only have 4GB of data on it. When the main router comes back up, the LTE one should go into backup mode. However, with preemption mode turned off, this couldn’t happen unless I activated it on only one router. Could this be done, or will I have to live without v7’s connection syncing?
MikroTik explicitly states that preemption mode must be off for connection sync as it currently stands - unknown if this is a temporary limitation or not.
But - it looks like you should still be able to use priorities etc. to force the master back to being master (which I thought was the VRRP default anyway if the 1st router comes back with a higher priority) using ‘Owner’:
Note: Preemption mode is ignored if Owner router becomes available.
https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP#Owner
Will probably take a bit of trial and error to get it working how you like. In my experience - unless you are big corporate or multi-user ISP, then people don’t much care about the destruction of the connection. Most applications and protocols (web browsers & http/s) are pretty smart about re-establishing the connection and continuing on - as from my experience a change of src IP of your clients may likely destroy most connections anyway.
The problem with using an Owner router is that ROS simply doesn’t support it. I’d like for connection switching to be as seamless as possible, as some of the users in the home where this is being used complain about their internet suddenly going out, which tracking might help a little with.
No - tracking won’t really help a noticeable amount. I’d forgo it and use preemptive mode.
That’s a good question. While the Mikrotik documentation states that preemption mode and sync connection tracking are mutually exclusive, it does not explain why. Let me clarify that.
Let’s begin with a short recap of why connection sync is needed. Most firewalls have rules to allow established or related connections. Without connection syncing, the backup router knows nothing about the established connections on the master. When the master goes down and traffic starts going through the backup router, the latter treats all connections as new, which, under certain circumstances, may lead to connection drops. The same story applies to NAT - it is impossible to do network address translation without connection tracking. When the backup router becomes the VRRP master, all clients behind NAT lose all their connections unless connection sync was on.
Sync connection tracking works best when both master and backup routers are identical or close performance-wise.
If the backup router is significantly slower than the master router, and the latter goes down during heavy load, the situation is similar to a DDoS attack on the former. In such a case it is better to have sync-connection-tracking=no. Yes, the existing connections get dropped, but at least the backup router can handle new (or re-established) connections during the master’s downtime.
Moreover, connection sync does not work with the standard VRRP preemption. For example, if the master reboots and gets back online with a higher VRRP priority value, it becomes the VRRP master again according to the VRRP protocol. But at this moment, the master does not have the connections synced from the backup router yet! This leads to a drop of established and/or NAT’ed connections. According to VRRP, if a router’s priority is higher and preemption mode is enabled, it immediately becomes the VRRP master. VRRP does not have an option for the backup router (which is temporarily the VRRP master now) to tell the original master something like “please wait until connection sync has finished and then become the master”.
Theoretically, Mikrotik could implement an extension to VRRP that would allow delayed preemption. But that’s a lot of development effort for little-to-no benefit. Moreover, while VRRP is the standard protocol, the extension would not work with third-party routers or even Mikrotik routers running RouterOS v6.
- If both master and backup routers are identical (or similar), then there is no difference in which one is handling traffic. Set:
preemption-mode=no sync-connection-tracking=yes
- If the backup router is significantly slower and may not handle all the traffic, don’t bother with connection syncing. Set:
preemption-mode=yes sync-connection-tracking=no
Great post and explanation! This is the #1 reason I had in my head why it would be that way, but great to get confirmation.
To address OP’s situation - which I assume is NAT:
Even though the connections are synced to the 2nd router - in a home NAT instance you can expect the customers WAN IP to change - so would most connections already experience a breakdown and re-establishment to the new WAN IP? VRRP connection syncing is only really beneficial if the WAN IP address stays the same correct? (i.e. multiple circuits from one provider, or BGP IP space and the like)
This is why I suggested to OP they should scrap it - as I would assume using a 4G backup service, the WAN IP is not portable between the 2 connections.
In the case of NAT, you can run two VRRP interfaces: one for LAN and one for WAN. Then, assign a single WAN IP to the VRRP WAN interface. That makes sure that the WAN IP will not change when the router changes. Of course, it does not help if you have two different ISPs (e.g., ethernet + 4G). But with a single WAN connection and two routers, that is a way to do it.
Also, we introduced VRRP groups in RouterOS v7, making sure that all VRRP instances on the same router retain the same role (either all are VRRP master, or all are backups). Here is a configuration example:
/interface vrrp
add interface=bridge1 name=vrrplan preemption-mode=no priority=200 sync-connection-tracking=yes vrid=10
add interface=ether1 name=vrrpwan preemption-mode=no priority=200 vrid=20
set vrrplan,vrrpwan group-master=vrrplan
Easy solution - as many routers have. Just add a VRRP preemption delay/hold time.
Juniper and VyOS have this, to name a few.
I too am wondering whether this would be implemented in ROS 7.x.
A delay/hold timer is definitely needed in order not to drop connections when the Master router comes back.
Please let us know if this is something in development
Actually, the feature has already been implemented and released in RouterOS v7.5:
*) vrrp - added "sync-connection-tracking" compatibility with preemption-mode;
When both sync-connection-tracking and preemption-mode are enabled, and a router with higher VRRP priority becomes online, the connections get synchronized first, and only then the router with higher priority becomes the VRRP master.
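To put the v7.5 behaviour described above together with the two-interface NAT setup from the earlier post, here is an added configuration example; it is not from the original thread or from MikroTik documentation. It assumes RouterOS 7.5 or later on both routers and a single WAN subnet shared by both routers (the ethernet+ethernet case, not the OP’s fiber+LTE setup, where the WAN IP changes on failover and NAT’ed connections are lost regardless of sync). All addresses and interface names are assumed: LAN 192.168.88.0/24 with virtual gateway 192.168.88.1, WAN 203.0.113.0/29 with virtual address 203.0.113.2 and ISP gateway 203.0.113.1, router A (preferred master, priority 200) on 192.168.88.2 / 203.0.113.3, router B (priority 100) on 192.168.88.3 / 203.0.113.4.

```routeros
# Router A (preferred master). Router B is identical except that its
# physical addresses are 192.168.88.3 and 203.0.113.4 and both VRRP
# interfaces use priority=100. All addresses below are assumed.

/ip address
add address=192.168.88.2/24 interface=bridge1 comment="physical LAN address"
add address=203.0.113.3/29  interface=ether1  comment="physical WAN address"

/interface vrrp
# RouterOS 7.5+: preemption-mode=yes and sync-connection-tracking=yes can be
# combined; router A only takes the master role back once router B has
# synced its connection table to it.
add interface=bridge1 name=vrrplan vrid=10 priority=200 preemption-mode=yes sync-connection-tracking=yes
add interface=ether1  name=vrrpwan vrid=20 priority=200 preemption-mode=yes
# Tie both instances together so LAN and WAN change role as one unit.
set vrrplan,vrrpwan group-master=vrrplan

# The virtual addresses live on the VRRP interfaces, not the physical ones,
# so clients and the upstream see the same gateway / WAN IP whichever
# router is currently master.
/ip address
add address=192.168.88.1/32 interface=vrrplan comment="virtual LAN gateway"
add address=203.0.113.2/32  interface=vrrpwan comment="virtual WAN address"

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 comment="assumed ISP gateway"

# NAT to the virtual WAN address. These mappings are the state that
# sync-connection-tracking carries over to the backup router.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=src-nat to-addresses=203.0.113.2

/ip firewall filter
# Without synced state, the new master would see every existing flow as
# "new" and this rule would not match; the flows would then fall through
# to the final drop rule.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge1 action=accept
add chain=forward action=drop
```

To check that sync is actually working before relying on it, start a long-lived TCP session from a LAN client, then on router B run `/ip firewall connection print` while router A is still master: the client’s flow should already be listed there with its NAT mapping. Then disable `vrrplan` on router A; the session should survive, and when `vrrplan` is re-enabled router A should show as backup for a moment (while connections sync back) before it becomes master again. If router B is much weaker than router A, keep the earlier advice in mind and set `sync-connection-tracking=no` instead.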
Thank you for your reply! It was not very clear to me.
Glad this has been implemented.
So, practically, we can now define the VRRP interface used for connection syncing as the VRRP group master interface, and assign the rest of the VRRP interfaces as slaves. Then, in the event of a reboot of the primary router, the backup will first sync the connections back to the primary, and then the primary will become the VRRP master again. I will have to test this, however I’m feeling lucky :)
@raimondsp you should do a YouTube on VRRP. It’s such a useful feature – that seems under-utilized – and not hard to setup.