VRRP - NewBie

So I just recently started messing around trying to learn VRRP.. and I feel like I at least have it working in the sense that if one router shuts off.. the backup router works just fine.. NOW does that mean I am doing things perfectly.. probably not lol. I was going to post my config of the routers and see if anyone could point out anything wrong.. One thing I did notice was that.. in the ARP table.. connected devices were showing up twice.. once for the vlan interface and another time for the vrrp interface.. This setup is for an event network so it can get up to 4K to 5K users or more.. Don't know if that will be an issue, or is it just my config that is wrong.

I'll post router 1 which is the master.. which is pretty much identical to router 2 except just now for testing I am using the master for dhcp. (Planning on getting a CCR2004 to act as a dhcp server for the two 2116's.)

I'll post a picture of the ARP devices I'm seeing as well..

Thank you all in advance.

[joshhboss@Core1-CCR2116] > export       
# 2024-08-08 13:27:58 by RouterOS 7.12.1
#
# model = CCR2116-12G-4S+
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1 disabled=yes name=ether1_WAN1
set [ find default-name=ether2 ] comment=WAN2 name=ether2_WAN2
set [ find default-name=ether3 ] disabled=yes name=ether3_WAN3
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] comment="Emergency Port"
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=sfp-sfpplus1_WAN
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no name=sfp-sfpplus2_LAN
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
/interface wireguard
/interface vlan
add interface=sfp-sfpplus2_LAN name=10-ApManagement vlan-id=10
add interface=sfp-sfpplus2_LAN name=130Production vlan-id=130
add interface=sfp-sfpplus2_LAN name=140Ticketing vlan-id=140
add interface=sfp-sfpplus2_LAN name=150Vendors vlan-id=150
add interface=sfp-sfpplus2_LAN name=160Vlan vlan-id=160
add interface=sfp-sfpplus2_LAN name=169Vlan vlan-id=169
add interface=sfp-sfpplus2_LAN name=170Vlan vlan-id=170
add interface=sfp-sfpplus2_LAN name=179Vlan vlan-id=179
add interface=sfp-sfpplus2_LAN name=180Vlan vlan-id=180
add interface=sfp-sfpplus2_LAN name=189Vlan vlan-id=189
add interface=sfp-sfpplus2_LAN name=190Vlan vlan-id=190
add interface=sfp-sfpplus2_LAN name=192-Toasts vlan-id=192
add interface=sfp-sfpplus2_LAN name=200Management vlan-id=200
add interface=sfp-sfpplus2_LAN name=210Vlan vlan-id=210
add interface=sfp-sfpplus2_LAN name=230Vlan vlan-id=230
add interface=sfp-sfpplus2_LAN name=240Vlan vlan-id=240
add interface=sfp-sfpplus2_LAN name=250Vlan vlan-id=250
add interface=sfp-sfpplus2_LAN name=260Vlan vlan-id=260
add interface=sfp-sfpplus2_LAN name=269Vlan vlan-id=269
add interface=sfp-sfpplus2_LAN name=270Vlan vlan-id=270
add interface=sfp-sfpplus2_LAN name=279Vlan vlan-id=279
add interface=sfp-sfpplus2_LAN name=280Vlan vlan-id=280
add interface=sfp-sfpplus2_LAN name=289Vlan vlan-id=289
add interface=sfp-sfpplus2_LAN name=290Vlan vlan-id=290
/interface vrrp
add interface=10-ApManagement name=vrrp1-vl10 vrid=10
add interface=130Production name=vrrp1-vl130 vrid=130
add interface=140Ticketing name=vrrp1-vl140 vrid=140
add interface=150Vendors name=vrrp1-vl150 vrid=150
add interface=160Vlan name=vrrp1-vl160 vrid=160
add interface=169Vlan name=vrrp1-vl169 vrid=169
add interface=170Vlan name=vrrp1-vl170 vrid=170
add interface=179Vlan name=vrrp1-vl179 vrid=179
add interface=180Vlan name=vrrp1-vl180 vrid=180
add interface=189Vlan name=vrrp1-vl189 vrid=189
add interface=190Vlan name=vrrp1-vl190 vrid=190
add interface=192-Toasts name=vrrp1-vl192 vrid=192
add interface=200Management name=vrrp1-vl200 vrid=200
add interface=210Vlan name=vrrp1-vl210 vrid=210
add interface=230Vlan name=vrrp1-vl230 vrid=230
add interface=240Vlan name=vrrp1-vl240 vrid=240
add interface=250Vlan name=vrrp1-vl250 vrid=250
add interface=260Vlan name=vrrp1-vl260 vrid=60
add interface=269Vlan name=vrrp1-vl269 vrid=69
add interface=270Vlan name=vrrp1-vl270 vrid=70
add interface=279Vlan name=vrrp1-vl279 vrid=79
add interface=280Vlan name=vrrp1-vl280 vrid=80
add interface=289Vlan name=vrrp1-vl289 vrid=89
add interface=290Vlan name=vrrp1-vl290 vrid=90
/interface list
add name=WAN
add name=TrustedLAN
add name=EV-LAN
add name=ISP1
add name=ISP2
add name=VRRP-LAN
add name=VRRP-INPUT
/ip pool
add name=140Ticketing ranges=10.140.0.50-10.140.3.254
add name=150Vendors ranges=10.150.0.50-10.150.15.254
add name=169Vlan ranges=10.169.0.2-10.169.255.254
add name=170Vlan ranges=10.170.0.50-10.170.3.254
add name=180Vlan ranges=10.180.0.50-10.180.3.254
add name=189Vlan ranges=10.189.0.50-10.189.3.254
add name=190Vlan ranges=10.190.0.50-10.190.3.254
add name=160Vlan ranges=10.160.0.100-10.160.15.254
add name=192-Toasts ranges=192.168.192.50-192.168.193.250
add name=179Vlan ranges=10.179.0.100-10.179.3.254
add name=10Ap-Management ranges=10.10.10.100-10.10.11.254
add name=130Production ranges=10.130.0.100-10.130.15.254
add name=210Vlan ranges=10.21.0.100-10.21.3.254
add name=230Vlan ranges=10.23.0.100-10.23.3.254
add name=240Vlan ranges=10.24.0.100-10.24.3.254
add name=250Vlan ranges=10.25.0.100-10.25.3.254
add name=260Vlan ranges=10.26.0.100-10.26.3.254
add name=270Vlan ranges=10.27.0.100-10.27.3.254
add name=279Vlan ranges=10.27.8.100-10.27.11.254
add name=280Vlan ranges=10.28.0.100-10.28.3.254
add name=289Vlan ranges=10.28.8.100-10.28.11.254
add name=290Vlan ranges=10.29.0.100-10.29.3.254
add name=Emergency ranges=192.168.13.10-192.168.13.254
add name=269Vlan ranges=10.26.32.2-10.26.63.254
/ip dhcp-server
add address-pool=140Ticketing interface=140Ticketing lease-time=1d name=140Ticketing
add address-pool=150Vendors interface=150Vendors lease-time=1d name=150Vendors
add address-pool=169Vlan interface=169Vlan lease-time=3h name=169Vlan
add address-pool=170Vlan interface=170Vlan lease-time=3h name=170Vlan
add address-pool=180Vlan interface=180Vlan lease-time=3h name=180Vlan
add address-pool=189Vlan interface=189Vlan lease-time=3h name=189Vlan
add address-pool=190Vlan interface=190Vlan lease-time=3h name=190Vlan
add address-pool=160Vlan interface=160Vlan lease-time=3h name=160Vlan
add address-pool=192-Toasts interface=192-Toasts lease-time=12h name=192-Toasts
add address-pool=179Vlan interface=179Vlan lease-time=3h name=179Vlan
add address-pool=10Ap-Management interface=10-ApManagement lease-time=1d name=10AP-Management
add address-pool=130Production interface=130Production lease-time=1d name=130Production
add address-pool=210Vlan interface=210Vlan lease-time=1d name=210Vlan
add address-pool=230Vlan interface=230Vlan lease-time=1d name=230Vlan
add address-pool=240Vlan interface=240Vlan lease-time=1d name=240Vlan
add address-pool=250Vlan interface=250Vlan lease-time=1d name=250Vlan
add address-pool=260Vlan interface=260Vlan lease-time=1d name=260Vlan
add address-pool=270Vlan interface=270Vlan lease-time=1d name=270Vlan
add address-pool=279Vlan interface=279Vlan lease-time=1d name=279Vlan
add address-pool=280Vlan interface=280Vlan lease-time=1d name=280Vlan
add address-pool=289Vlan interface=289Vlan lease-time=1d name=289Vlan
add address-pool=290Vlan interface=290Vlan lease-time=1d name=290Vlan
add address-pool=Emergency interface=ether13 name=Emergency
add address-pool=269Vlan interface=269Vlan lease-time=12h name=269Vlan
/port
set 0 name=serial0
/queue simple
add disabled=yes max-limit=150M/150M name=250Queue target=10.25.0.0/22
/routing table
add disabled=no fib name=WAN21
/snmp community
/ip firewall connection tracking
set tcp-established-timeout=30m tcp-time-wait-timeout=30s
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add interface=sfp-sfpplus1_WAN list=WAN
add interface=miamieventwg1 list=TrustedLAN
add interface=ether13 list=TrustedLAN
add interface=200Management list=TrustedLAN
add interface=ether2_WAN2 list=WAN
add interface=2116chr list=TrustedLAN
add interface=smallpf list=TrustedLAN
add interface=130Production list=EV-LAN
add interface=140Ticketing list=EV-LAN
add interface=150Vendors list=EV-LAN
add interface=160Vlan list=EV-LAN
add interface=170Vlan list=EV-LAN
add interface=169Vlan list=EV-LAN
add interface=179Vlan list=EV-LAN
add interface=180Vlan list=EV-LAN
add interface=189Vlan list=EV-LAN
add interface=190Vlan list=EV-LAN
add interface=192-Toasts list=EV-LAN
add interface=210Vlan list=EV-LAN
add interface=230Vlan list=EV-LAN
add interface=240Vlan list=EV-LAN
add interface=250Vlan list=EV-LAN
add interface=260Vlan list=EV-LAN
add interface=269Vlan list=EV-LAN
add interface=270Vlan list=EV-LAN
add interface=279Vlan list=EV-LAN
add interface=280Vlan list=EV-LAN
add interface=289Vlan list=EV-LAN
add interface=290Vlan list=EV-LAN
add interface=sfp-sfpplus1_WAN list=ISP1
add interface=ether2_WAN2 list=ISP2
add interface=vrrp1-vl10 list=EV-LAN
add interface=vrrp1-vl130 list=VRRP-LAN
add interface=vrrp1-vl200 list=VRRP-LAN
add interface=10-ApManagement list=VRRP-INPUT
add interface=130Production list=VRRP-INPUT
add interface=140Ticketing list=VRRP-INPUT
add interface=vrrp1-vl140 list=VRRP-LAN
add interface=150Vendors list=VRRP-INPUT
add interface=160Vlan list=VRRP-INPUT
add interface=vrrp1-vl160 list=VRRP-LAN
add interface=169Vlan list=VRRP-INPUT
add interface=vrrp1-vl169 list=VRRP-LAN
add interface=170Vlan list=VRRP-INPUT
add interface=vrrp1-vl170 list=VRRP-LAN
add interface=179Vlan list=VRRP-INPUT
add interface=vrrp1-vl179 list=VRRP-LAN
add interface=180Vlan list=VRRP-INPUT
add interface=vrrp1-vl180 list=VRRP-LAN
add interface=189Vlan list=VRRP-INPUT
add interface=190Vlan list=VRRP-INPUT
add interface=192-Toasts list=VRRP-INPUT
add interface=210Vlan list=VRRP-INPUT
add interface=230Vlan list=VRRP-INPUT
add interface=240Vlan list=VRRP-INPUT
add interface=250Vlan list=VRRP-INPUT
add interface=260Vlan list=VRRP-INPUT
add interface=269Vlan list=VRRP-INPUT
add interface=270Vlan list=VRRP-INPUT
add interface=279Vlan list=VRRP-INPUT
add interface=280Vlan list=VRRP-INPUT
add interface=289Vlan list=VRRP-INPUT
add interface=290Vlan list=VRRP-INPUT
add interface=vrrp1-vl189 list=VRRP-LAN
add interface=vrrp1-vl190 list=VRRP-LAN
add interface=vrrp1-vl192 list=VRRP-LAN
add interface=vrrp1-vl230 list=VRRP-LAN
add interface=vrrp1-vl240 list=VRRP-LAN
add interface=vrrp1-vl250 list=VRRP-LAN
add interface=vrrp1-vl260 list=VRRP-LAN
add interface=vrrp1-vl269 list=VRRP-LAN
add interface=vrrp1-vl270 list=VRRP-LAN
add interface=vrrp1-vl279 list=VRRP-LAN
add interface=vrrp1-vl150 list=VRRP-LAN
add interface=vrrp1-vl280 list=VRRP-LAN
add interface=vrrp1-vl289 list=VRRP-LAN
add interface=vrrp1-vl290 list=VRRP-LAN
/ip address
add address=192.168.13.1/24 comment=defconf interface=ether13 network=192.168.13.0
add address=10.6.6.13/24 comment=MiamiEventWG interface=miamieventwg1 network=10.6.6.0
add address=10.130.0.2/20 interface=130Production network=10.130.0.0
add address=10.140.0.2/22 interface=140Ticketing network=10.140.0.0
add address=10.150.0.2/20 interface=150Vendors network=10.150.0.0
add address=10.160.0.2/20 interface=160Vlan network=10.160.0.0
add address=10.169.0.2/16 interface=169Vlan network=10.169.0.0
add address=10.170.0.2/22 interface=170Vlan network=10.170.0.0
add address=10.180.0.2/22 interface=180Vlan network=10.180.0.0
add address=10.189.0.2/22 interface=189Vlan network=10.189.0.0
add address=10.190.0.2/22 interface=190Vlan network=10.190.0.0
add address=192.168.200.2/24 interface=200Management network=192.168.200.0
add address=192.168.192.2/23 interface=192-Toasts network=192.168.192.0
add address=10.179.0.2/22 interface=179Vlan network=10.179.0.0
add address=10.10.10.2/23 interface=10-ApManagement network=10.10.10.0
add address=10.4.1.2/24 interface=2116chr network=10.4.1.0
add address=10.21.0.2/22 interface=210Vlan network=10.21.0.0
add address=10.23.0.2/22 interface=230Vlan network=10.23.0.0
add address=10.24.0.2/22 interface=240Vlan network=10.24.0.0
add address=10.25.0.2/22 interface=250Vlan network=10.25.0.0
add address=10.26.0.2/22 interface=260Vlan network=10.26.0.0
add address=10.26.32.2/19 interface=269Vlan network=10.26.32.0
add address=10.27.0.2/22 interface=270Vlan network=10.27.0.0
add address=10.27.8.2/22 interface=279Vlan network=10.27.8.0
add address=10.28.0.2/22 interface=280Vlan network=10.28.0.0
add address=10.28.8.2/22 interface=289Vlan network=10.28.8.0
add address=10.29.0.2/22 interface=290Vlan network=10.29.0.0
add address=10.7.9.57/24 interface=smallpf network=10.7.9.0
add address=10.17.0.101/24 interface=sfp-sfpplus1_WAN network=10.17.0.0
add address=10.10.10.1 interface=vrrp1-vl10 network=10.10.10.1
add address=10.130.0.1 interface=vrrp1-vl130 network=10.130.0.1
add address=192.168.200.1 interface=vrrp1-vl200 network=192.168.200.1
add address=10.140.0.1 interface=vrrp1-vl140 network=10.140.0.1
add address=10.150.0.1 interface=vrrp1-vl150 network=10.150.0.1
add address=10.160.0.1 interface=vrrp1-vl160 network=10.160.0.1
add address=10.169.0.1 interface=vrrp1-vl169 network=10.169.0.1
add address=10.170.0.1 interface=vrrp1-vl170 network=10.170.0.1
add address=10.179.0.1 interface=vrrp1-vl179 network=10.179.0.1
add address=10.180.0.1 interface=vrrp1-vl180 network=10.180.0.1
add address=10.189.0.1 interface=vrrp1-vl189 network=10.189.0.1
add address=10.190.0.1 interface=vrrp1-vl190 network=10.190.0.1
add address=192.168.192.1 interface=vrrp1-vl192 network=192.168.192.1
add address=10.21.0.1 interface=vrrp1-vl210 network=10.21.0.1
add address=10.23.0.1 interface=vrrp1-vl230 network=10.23.0.1
add address=10.24.0.1 interface=vrrp1-vl240 network=10.24.0.1
add address=10.25.0.1 interface=vrrp1-vl250 network=10.25.0.1
add address=10.26.0.1 interface=vrrp1-vl260 network=10.26.0.1
add address=10.26.32.1 interface=vrrp1-vl269 network=10.26.32.1
add address=10.27.0.1 interface=vrrp1-vl270 network=10.27.0.1
add address=10.27.8.1 interface=vrrp1-vl279 network=10.27.8.1
add address=10.28.0.1 interface=vrrp1-vl280 network=10.28.0.1
add address=10.28.8.1 interface=vrrp1-vl289 network=10.28.8.1
add address=10.29.0.1 interface=vrrp1-vl290 network=10.29.0.1
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add add-default-route=no disabled=yes interface=ether3_WAN3
add add-default-route=no disabled=yes interface=ether2_WAN2 script="/ip dhcp-client\r\
    \n:global interface ether2_WAN2\r\
    \n# Disable the automatic addition of the default route\r\
    \nset [find where interface=\$interface] add-default-route=no\r\
    \n\r\
    \n# Using the gateway-address implicit variable\r\
    \n:local dhcpGateway \$\"gateway-address\"\r\
    \n\r\
    \n# Log the gateway for verification\r\
    \n:log info \"Gateway for \$interface is: \$dhcpGateway\"\r\
    \n\r\
    \n# If we have a valid gateway, then manually add the default route and specific route\r\
    \n:if (\$dhcpGateway != \"\") do={\r\
    \n    # Remove any existing default route and 1.0.0.1 route with the \"WAN2\" or \"WAN2-dns\" comment\r\
    \n    /ip route remove [find dst-address=\"0.0.0.0/0\" comment=\"WAN2\"]\r\
    \n    /ip route remove [find dst-address=\"1.0.0.1/32\" comment=\"WAN2-dns\"]\r\
    \n\r\
    \n    # Add the new default route with the discovered gateway and a distance of 2, with comment \"WAN2\"\r\
    \n    /ip route add dst-address=0.0.0.0/0 gateway=\$dhcpGateway distance=2 comment=\"WAN2\"\r\
    \n    :log info \"Added WAN2 default route via \$dhcpGateway with distance 2\"\r\
    \n\r\
    \n    # Add the new route for 1.0.0.1 with the comment \"WAN2-dns\" and a distance of 1\r\
    \n    /ip route add dst-address=1.0.0.1/32 gateway=\$dhcpGateway distance=1 comment=\"WAN2-dns\"\r\
    \n    :log info \"Added WAN2-dns route to 1.0.0.1 via \$dhcpGateway with distance 1\"\r\
    \n} else {\r\
    \n    :log error \"Failed to find a gateway for \$interface\"\r\
    \n}" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.10.10.0/23 dhcp-option=eventcloud dns-server=10.10.10.1 gateway=10.10.10.1
add address=10.21.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.21.0.1
add address=10.23.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.23.0.1
add address=10.24.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.24.0.1
add address=10.25.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.25.0.1
add address=10.26.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.26.0.1
add address=10.26.8.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.26.8.1
add address=10.26.32.0/19 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.26.32.1
add address=10.27.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.27.0.1
add address=10.27.8.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.27.8.1
add address=10.28.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.28.0.1
add address=10.29.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.29.0.1
add address=10.130.0.0/20 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.130.0.1
add address=10.140.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.140.0.1
add address=10.150.0.0/20 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.150.0.1
add address=10.160.0.0/20 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.160.0.1
add address=10.169.0.0/16 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.169.0.1
add address=10.170.0.0/22 dhcp-option=effective dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.170.0.1
add address=10.179.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.179.0.1
add address=10.180.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.180.0.1
add address=10.189.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.189.0.1
add address=10.190.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.190.0.1
add address=192.168.13.0/24 gateway=192.168.13.1
add address=192.168.88.0/24 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=192.168.88.1
add address=192.168.192.0/23 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=192.168.192.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
/ip firewall address-list
add address=10.130.0.0/20 list=130Production
add address=10.140.0.0/22 list=140Ticketing
add address=10.150.0.0/20 list=150Vendors
add address=10.160.0.0/20 list=160
add address=10.169.0.0/16 list=169
add address=10.170.0.0/22 list=170
add address=10.180.0.0/22 list=180
add address=10.189.0.0/22 list=189
add address=10.190.0.0/22 list=190
add address=192.168.192.0/24 list=192Toast
add address=10.10.10.0/23 list=10AP-Management
add address=10.10.10.0/23 list=NTP-DNS
add address=192.168.200.0/24 list=NTP-DNS
add address=10.25.0.0/22 list=SimpleQueueList
add address=10.0.0.0/8 list=PrivateIPs
add address=172.16.0.0/12 list=PrivateIPs
add address=192.168.0.0/16 list=PrivateIPs
add address=10.25.0.0/22 list=WAN2-EVLAN
add address=10.27.8.0/22 list=279
add address=10.26.32.0/19 list=269Guest
add address=10.179.0.0/22 list=179
/ip firewall filter
add action=drop chain=output comment=ISP2-Drop-Ping-To-ISP1-DNS-Check dst-address=1.1.1.1 out-interface-list=ISP2 protocol=icmp
add action=drop chain=output comment=ISP1-Drop-Ping-To-ISP2-DNS-Check dst-address=1.0.0.1 out-interface-list=ISP1 protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment=AllowVRRP in-interface-list=VRRP-INPUT protocol=vrrp
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=!WAN protocol=icmp
add action=accept chain=input comment=UDP-DNS-NTP dst-port=53,123 protocol=udp src-address-list=NTP-DNS
add action=accept chain=input comment=TCP-DNS dst-port=53 protocol=tcp src-address-list=NTP-DNS
add action=accept chain=input comment="Allow Authorized" src-address-list=Authorized
add action=accept chain=input comment="Allow AP to Management - 8291" dst-address=192.168.200.1 dst-port=8291 protocol=tcp src-address-list=10AP-Management
add action=drop chain=input comment=DropALLElse
add action=accept chain=forward comment="SimpleQueue Established,Related, SRC" connection-state=established,related disabled=yes src-address-list=SimpleQueueList
add action=accept chain=forward comment="SimpleQueue Established,Related, DST" connection-state=established,related disabled=yes dst-address-list=SimpleQueueList
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=Allow-AP-TO-Controllers dst-address-list=AllowRemoteControllers in-interface=vrrp1-vl10
add action=accept chain=forward comment="AllowInternet For LAN" in-interface-list=VRRP-LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Authorized ALL" src-address-list=Authorized
add action=accept chain=forward comment=AllPortForwarding connection-nat-state=dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL ELSE"
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new disabled=yes in-interface=250Vlan new-connection-mark=useWAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Internet Rule - Wan 1" out-interface=sfp-sfpplus1_WAN
add action=masquerade chain=srcnat comment="Masquerade Internet Rule - Wan 2" out-interface=ether2_WAN2
add action=masquerade chain=srcnat comment="Masquerade Internet Rule - Wan 3 DHCP" disabled=yes out-interface=ether3_WAN3
/ip firewall raw
add action=notrack chain=prerouting comment="Dont Track Broadcast" disabled=yes dst-address=255.255.255.255
/ip firewall service-port
set ftp disabled=yes
/ip route
add comment=WAN1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.17.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN1-dns disabled=no distance=1 dst-address=1.1.1.1/32 gateway=10.17.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN1-21 disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=X.X.X.158 pref-src="" routing-table=WAN21 scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN2-21 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=X.X.X.1 pref-src="" routing-table=WAN21 scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN2 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=X.X.X.158 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN2-dns disabled=no distance=1 dst-address=1.0.0.1/32 gateway=X.X.X.158 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set api-ssl disabled=yes
/routing rule
add action=lookup-only-in-table comment="PrivateIPs - 192.168.0.0/16" disabled=no dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table comment="PrivateIPs - 172.16.0.0/12" disabled=no dst-address=172.16.0.0/12 table=main
add action=lookup-only-in-table comment="PrivateIPs - 10.0.0.0/8" disabled=no dst-address=10.0.0.0/8 table=main
add action=lookup comment=WAN21-Production disabled=yes src-address=10.130.0.0/20 table=WAN21
/system clock
set time-zone-autodetect=no time-zone-name=America/New_York
/system identity
set name=Core1-CCR2116
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=time.windows.com
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add interval=1w name=every-week on-event=backup policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/system script
add dont-require-permissions=no name=backup owner=joshhboss policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local backupconf \"\$[/system identity get name]-\$[/system resource get version]-CONF.backup\
    \"\r\r\
    \n:local backuplog \"\$[/system identity get name]-\$[/system resource get version]-LOG.txt\"\r\r\
    \n:local backuprsc \"\$[/system identity get name]-\$[/system resource get version]-Export.rsc\"\r\r\
    \n\r\r\
    \n\r\r\
    \n/system resource print file=resource\r\r\
    \n/system health print file=temperature\r\r\
    \n\r\r\
    \n:delay 10\r\r\
    \n\r\r\
    \n/system backup save name=\$backupconf\r\r\
    \n\r\r\
    \n:delay 10\r\r\
    \n\r\r\
    \n/log print file=\$backuplog\r\r\
    \n\r\r\
    \n:delay 10\r\r\
    \n\r\r\
    \n/export file=\$backuprsc\r\r\
    \n\r\r\
    \n:delay 10\r\r\
    \n\r\r\
    \n:local files {\$backupconf;\$backuplog;\$backuprsc}\r\r\
    \n:local status [file get resource.txt contents ]\r\r\
    \n:local temp [file get temperature.txt contents ]\r\r\
    \n\r\r\
    \n/tool e-mail send to=\"email.com\" \\\r\r\
    \n        subject=\"\$[/system identity get name]-\$[/system resource get version] Backup Configuracion\" \\\r\r\
    \n        body=\"\$status \$temp \" \\\r\r\
    \n        file=\$files\r\r\
    \n\r\r\
    \n\r\r\
    \n:delay 30\r\r\
    \n\r\r\
    \n\r\r\
    \n/file remove \$backupconf\r\r\
    \n/file remove \$backuplog\r\r\
    \n/file remove \$backuprsc\r\r\
    \n/file remove resource.txt\r\r\
    \n/file remove temperature.txt"
/tool mac-server
set allowed-interface-list=TrustedLAN
/tool netwatch
add comment="Internet Test - WAN1" disabled=no down-script="ip route disable [find where comment=WAN1]" host=1.1.1.1 http-codes="" interval=10s packet-count=10 packet-interval=500ms test-script="" thr-avg=700ms thr-jitter=2s thr-max=\
    2s thr-stdev=700ms timeout=500ms type=icmp up-script="ip route enable [find where comment=WAN1]"
add comment="Internet Test - WAN2" disabled=no down-script="/ip route disable [find where comment=WAN1-21]\r\
    \n" host=1.0.0.1 http-codes="" test-script="" thr-avg=700ms thr-jitter=2s thr-max=2s thr-stdev=500ms type=icmp up-script="/ip route enable [find where comment=WAN1-21]\r\
    \n"
/tool romon
set enabled=no

Screenshot 2024-08-08 at 1.27.46 PM.png

Normal to see duplicate ARP entries. A disturbing rendition of a bird informs us that this is normal behaviour.

I could potentially reach 4k clients connected.. if that means I'd have double the ARPs would that be a problem? I googled and read that Mikrotik's limit is 8092 or something.

You only add one ARP address per VRRP interface. VRRP responds to any ARP for the default gateway (aka VRRP address), so it just needs one fake MAC address per VLAN in this case. The number of users will increase ARP counts, but there's still only one MAC per client even with VRRP.

Otherwise VRRP looks okay to me. The fact the VRRP interface needs to be allowed by firewall is an “easy-to-forget part”, which you have covered by an /interface/list.
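
One way to check that firewall point across a whole export, as an added example (not part of the thread and not MikroTik tooling): the Python script below parses RouterOS export text and reports VRRP interfaces whose parent interface is not covered by the `protocol=vrrp` input accept rule, or that no forward accept rule names. The sample export is constructed in the syntax of the config above, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in RouterOS export syntax (not the poster's full config).
SAMPLE_EXPORT = r'''
/interface vlan
add interface=sfp-sfpplus2_LAN name=130Production vlan-id=130
add interface=sfp-sfpplus2_LAN name=200Management vlan-id=200
add interface=sfp-sfpplus2_LAN name=210Vlan vlan-id=210
/interface vrrp
add interface=130Production name=vrrp1-vl130 vrid=130
add interface=200Management name=vrrp1-vl200 vrid=200
add interface=210Vlan name=vrrp1-vl210 vrid=210
/interface list member
add interface=130Production list=VRRP-INPUT
add interface=210Vlan list=VRRP-INPUT
add interface=vrrp1-vl130 list=VRRP-LAN
add interface=vrrp1-vl200 list=VRRP-LAN
/ip firewall filter
add action=accept chain=input comment=AllowVRRP in-interface-list=VRRP-INPUT \
    protocol=vrrp
add action=drop chain=input comment=DropALLElse
add action=accept chain=forward comment="AllowInternet For LAN" \
    in-interface-list=VRRP-LAN out-interface-list=WAN
add action=drop chain=forward comment="DROP ALL ELSE"
'''

# key=value pairs; a quoted value (with escaped quotes) is taken as one token.
KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_export(text):
    """Return {section: [{key: value}, ...]} for every 'add' line."""
    joined = re.sub(r'\\\r?\n\s*', '', text)  # undo the export's line wrapping
    sections, current = defaultdict(list), None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith('/'):
            current = line
        elif line.startswith('add ') and current:
            sections[current].append(
                {k: v.strip('"') for k, v in KV.findall(line)})
    return sections


def audit_vrrp(text):
    """List (vrrp_interface, chain) pairs that the firewall does not cover."""
    s = parse_export(text)
    members = defaultdict(set)  # interface list name -> member interfaces
    for m in s['/interface list member']:
        members[m['list']].add(m['interface'])

    def allowed(chain, proto=None):
        """Interfaces named by enabled accept rules in `chain`.
        Negated lists such as !WAN are not expanded (limitation)."""
        ifaces = set()
        for r in s['/ip firewall filter']:
            if (r.get('chain'), r.get('action')) != (chain, 'accept'):
                continue
            if r.get('disabled') == 'yes':
                continue
            if proto and r.get('protocol', proto) != proto:
                continue
            if 'in-interface' in r:
                ifaces.add(r['in-interface'])
            ifaces |= members.get(r.get('in-interface-list', ''), set())
        return ifaces

    vrrp_in, fwd_in = allowed('input', 'vrrp'), allowed('forward')
    findings = []
    for v in s['/interface vrrp']:
        # Assumption, following the posted config: advertisements are matched
        # on the parent VLAN interface. If they are dropped, each router stops
        # hearing its peer and both can end up acting as master.
        if v['interface'] not in vrrp_in:
            findings.append((v['name'], 'input'))
        # Client traffic to the virtual gateway is matched on the VRRP interface.
        if v['name'] not in fwd_in:
            findings.append((v['name'], 'forward'))
    return findings


if __name__ == '__main__':
    for name, chain in audit_vrrp(SAMPLE_EXPORT):
        print(f'{name}: no accept rule covers it in the {chain} chain')
```

Feeding it the text of a real `/export` from each router shows whether every VLAN added later also made it into both interface lists.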

I was just noticing that everything that connected was also having an ARP address on the VLAN interface as well. So each device creates 2 ARP entries.. what do I do when I have 5K devices let's say, and the limit for Mikrotik is 8192 (according to google)? I mean I did see an option where you could change it, just wondered if that was something I should/shouldn't do. And if I do it, in what increments would be safe to do so. It's (2) 2116's so they're pretty powerful routers. But still I don't know what I don't know.. lol

Thanks :)

Guess this is my answer..
IMG_0292.jpeg

I should have checked myself, but you’re right it creates multiple ARP cache entries.

You can certainly increase the ARP cache size, which sounds like a good idea. But even if the ARP cache gets full… it's not like things just stop working. Rather, there are just more ARP requests on the network (which is less efficient, but typically not disastrous).

Yeah looks like that will be what happens.. this is my home router.. I don't even have 2 routers but I started the learning process here before moving it over to the (2) 2116s (and the failover works great)
But here is the ARP table at home

Side note.. my next move for these potential 4k clients is to use the smaller CCR2004 for a dhcp server.. I think it should be more than enough.. what do you think?
Screenshot 2024-08-16 at 8.19.04 AM.png

If you had some monitoring, you can see if there is some meaningful effect on memory from increasing the ARP cache - but I suspect not.

In thinking about this… Perhaps the double ARPs are due to the /ip/dhcp-server, i.e. the DHCP servers for your VLANs are listening on the VLAN interfaces, so one ARP cache entry may be caused by that (the other on the VRRP interface would be expected since that's the default gateway).

There are a few ways to handle DHCP server with multiple VRRP routers. This is where VRRP requires some decisions/complexity IMO. I typically have DHCP listen on the VRRP interface for a VLAN, on each VRRP router – so the DHCP server becomes inactive on the backup/non-active VRRP router & there is only one active DHCP server (on each VLAN) at a time. Another way is to just run DHCP server on the "real" VLAN interface - either just one (and lose DHCP server if backup) or on both (perhaps with some delay on one of them) - not sure which one you're using BUT it may be why you're getting multiple ARPs.

FWIW, one more note about DHCP server with VRRP: any static lease would need to be manually sync’ed (script or cut-and-paste) as that’s not part of VRRP (not even with connection tracking).

I am running the dhcp on the vlan interface on the first VRRP router just because I wanted to test the failover.. I didn't know about delays or backup dhcp server options.. this is new to me but I can start playing with it.. also we would just trust the "conflict detection" feature.. has anyone had any issues with that?