VRRP sync-connection-tracking setup

Hello,

I am playing around with 7.1beta2 and noticed with VRRP there is an option to enable sync-connection-tracking.
I have not been able to find any documentation on how to configure it. I have it enabled and have the remote IP set to the other router, but nothing ever seems to be synced when I look under the firewall connections.

Is there any documentation for this feature or is it still incomplete?

If VRRP is up and running, then in most cases, simply setting

sync-connection-tracking=yes

on both ends should do the trick: the VRRP master syncing its connections with the backup router.

Some useful info / limitations:

  1. MikroTik uses its own proprietary protocol for connection syncing. Therefore, both routers must be MikroTik.
  2. Both routers must be running the same version of RouterOS v7 (e.g., 7.1beta2).
  3. While VRRP allows multiple backup routers, the connection syncing protocol supports only one (i.e., there must be only two routers: one master + one backup).
  4. VRRP Preemption Mode must be disabled (preemption-mode=no).
  5. The connection syncing protocol uses IPv4 for the internal data channel. In the case of IPv6 (v3-protocol=ipv6), remote-address is mandatory.
  6. In the case of IPv4, remote-address is optional, however, recommended (reduces VRRP latency).

If the above information is insufficient, please provide the output of:

/interface export hide-sensitive
/interface/vrrp print detail

from both routers.

If you have a VRRP password set, please manually remove it from the output, since the print command doesn’t have a hide-sensitive option.

This is fantastic… but…
What is the status of “firewall rules” sync between routers?
Or even better - config sync?

Are there any “suggested/verified” methods? There are some user proposed scripts… but nothing “universally useful”…
There is the excellent https://github.com/svlsResearch/ha-mikrotik, but that's an active/passive solution requiring reboots for failovers, which takes time and drops any/all state.

Any plans in that regard? What do you suggest to use to have a “proper” HA (with minimal or no loss of connectivity) solution for Mikrotik devices?

Are there any “suggested” centralized management SW where you could edit/modify config to be automatically pushed to “paired” devices? That in combination with vrrp-sync could do the trick…

(if only Mikrotik config handling would allow direct “editing” (injecting/changing a specific line of configuration or some sort of diff apply…))

Any suggestions?

Currently there are several centralised configuration management options: TR069, API, SSH, and now even REST.

Yeah… I know about the “possibilities” or “options” for centralized management…
but are there any “suggested”/Recommended “product/solution” for that purpose?

I know about, for example, Unimus and some other similar products and the TR-069 (GenieACS…) options… but it seems to me that's oriented more to “collecting configurations” than “managing”, especially some HA (paired) setups.
Correct me if I’m wrong… or even better, suggest some “actual” solution.

Thanks!

Regards,

Hi guys,

Any news/suggestions on the topic?

Is there a recommended way to sync the router’s configurations?

Thanks!
Daniel

Hi,

The entire team is focused 100% on stabilizing v7.1. Let’s get back to this topic after v7.1 stable release.

Nice… someone is actually reading this

Great! I really hope the 7.1 will hit “production” soon and that config sync will follow soon…

Mikrotik “clusters” would be FANTASTIC after all these years and a requirement for “enterprise” deployments.

Keep the good work you guys!

Best regards
M.C

Is it possible to sync connection tracking state in an active/active setup?
I like to peer via BGP with my upstream provider, so I like to have two active BGP sessions and so on, to route the traffic from WAN to LAN where the traffic arrives. So there is a possibility of asymmetric routing. Because of that, syncing the connection tracking tables is important.

We are considering decoupling sync connection tracking from VRRP, and make connection syncing a standalone feature that users may set up in any way they want. However, I wouldn’t expect this feature soon because the developers are fully focused on stabilizing v7.1, and there is a growing list of features to be developed after v7.1 stable. Meanwhile, you can create a “fake VRRP interface” that is used for nothing but syncing connections in the opposite way.

1000% agree with above statement. Been waiting for this feature for years. At this moment in time I have to use products from competitors. Once Mikrotik does this, no more need for the products from competitors.

This sounds great.

But I have another question:
While R1 is VRRP master and CONNTRACK master, should I see the connections on the BACKUP router R2 under IP > Firewall > Connections?

Because currently I do not.

Running v7.2rc2.

Currently I can only see the connections tracked on the master, but not on the slave?
[image attachment: side-by-side.jpg]

If sync-connection-tracking is set and running, you should be able to see the connections on the backup router (no counters, though). Make sure you have the same Firewall rules set on both ends. Also, forcing connection tracking might help:

/ip/firewall/connection/tracking/set enabled=yes

Okay, I believe that there is no initial sync? Am I right?
From my point of view only new connections will be synchronized to the backup router?

EDIT: And if there was a SIP connection, this information is not synchronized between master <> backup router. When a new session is established on port 5060, the master syncs the tracking to the backup, but loses the SIP conntrack type. The UDP message is only alive for 30 secs after creation on the backup router, while it is alive for 1h on the master.

If I reboot the backup router, the whole connection tracking table is empty. But when new connections are made, the connection appears on the backup router.

After 8 hours, both routers are not in sync. I do not think that this is a configuration issue. I think an initial sync is missing.

By the way: will it come to a point where connection tracking syncing is able to handle active/active sync? So we can make use of the potential power of two routers instead of one doing the hard work and the other sleeping all day long?

From a software engineer's view: do some MQTT / message broker stuff on MikroTik to exchange the connection tracking information, when initially connected to the broker, when new connections get established and when a connection dies because its timeout is reached. In this setup you would be able to handle more than just two routers for connection tracking.

This is my related firewall and vrrp configuration:

[rack@ROBEL-VoIP-Gateway-RZ1] > /ip/firewall/export
# jan/28/2022 10:43:35 by RouterOS 7.2rc1
# software id = QWJ1-SK2Q
#
# model = RB5009UG+S+
# serial number = EC190FA9F86B
/ip firewall nat
    add action=src-nat chain=srcnat out-interface=ether1.Uplink-RSM to-addresses=185.58.31.141
/ip firewall service-port
    set sip sip-direct-media=no
/interface vrrp
    add interface=ether2.Uplink-Core-Switch name=vrrp.voip-router preemption-mode=no priority=50 remote-address=10.1.160.3 sync-connection-tracking=yes vrid=88
/ip address
    add address=10.1.160.2/24 interface=ether2.Uplink-Core-Switch network=10.1.160.0
    add address=10.1.160.1/24 interface=vrrp.voip-router network=10.1.160.0
    add address=185.58.31.141/28 interface=ether1.Uplink-RSM network=185.58.31.128
    add address=172.16.18.3/29 interface=ether1.Uplink-RSM network=172.16.18.0

[rack@ROBEL-VoIP-Gateway-RZ2] > /ip/firewall/export
# jan/28/2022 10:44:00 by RouterOS 7.2rc1
# software id = SEY8-DGED
#
# model = RB5009UG+S+
# serial number = EC190FC52FD2
/ip firewall nat
    add action=src-nat chain=srcnat out-interface=ether1.Uplink-RSM to-addresses=185.58.31.141
/ip firewall service-port
    set sip sip-direct-media=no
/interface vrrp
    add interface=ether2.Uplink-Core-Switch name=vrrp.voip-router preemption-mode=no remote-address=10.1.160.2 sync-connection-tracking=yes vrid=88
/ip address
    add address=185.58.31.141/28 interface=ether1.Uplink-RSM network=185.58.31.128
    add address=10.1.160.3/24 interface=ether2.Uplink-Core-Switch network=10.1.160.0
    add address=10.1.160.1/24 interface=vrrp.voip-router network=10.1.160.0
    add address=172.16.18.4/29 interface=ether1.Uplink-RSM network=172.16.18.0

Also I see the following information in the log after reboot (interesting log entry marked with >>>>):
currently running 7.2rc3 on both routers.

 14:46:15 system,info router rebooted
 14:46:15 vrrp,info vrrp.voip-router now BACKUP
 14:46:15 vrrp,info vrrp.voip-router starting CONNTRACK SLAVE
 >>>> 14:46:15 vrrp,warning NFCT_SLAVE: could not open NETLINK socket (93) - Protocol not supported
 14:46:16 interface,info sfp-sfpplus1.qv-rz2 link up (speed 1G, full duplex)
 14:46:19 interface,info ether1.Uplink-RSM link up (speed 1G, full duplex)
 14:46:19 interface,info ether2.Uplink-Core-Switch link up (speed 1G, full duplex)
 14:46:20 vrrp,info vrrp.voip-router starting CONNTRACK SLAVE
 14:46:22 system,info,account user rack logged in from 185.58.28.171 via winbox
 15:48:08 system,info,account user rack logged in from 185.58.28.171 via local

The IP address on the VRRP interface must have a /32 netmask if the address configured on the VRRP interface is from the same subnet as an address on any other interface of the router.

In your case, it should be:

/ip/address add address=10.1.160.1/32 interface=vrrp.voip-router

Regarding the NETLINK socket error, did you force connection tracking (change from the default “auto” to “yes”)?

/ip/firewall/connection/tracking/set enabled=yes
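The pairing rules from the replies above (same RouterOS version, sync-connection-tracking=yes and preemption-mode=no on both routers, remote-address set and pointing at the peer, and a /32 on the VRRP address when it comes from the carrier interface's subnet) can be checked mechanically before opening a ticket. The following is an added example, not MikroTik code and not from this thread: a small Python checker that reads two "/interface export" outputs. The sample exports are constructed from the configuration posted earlier in the thread, trimmed to the lines the checker uses. It assumes that export omits values at their defaults and that the RouterOS default is preemption-mode=yes, and it parses only the "/interface vrrp" and "/ip address" sections.

```python
"""Added example (not MikroTik's code, not from the thread): pairing checks for
sync-connection-tracking over two RouterOS '/interface export' outputs.
Assumptions: export omits default values; RouterOS default is preemption-mode=yes;
only the '/interface vrrp' and '/ip address' sections are read."""
import ipaddress
import re


def parse_export(text):
    """Return the RouterOS version, VRRP entries and IP address entries of an export."""
    version, section = None, None
    vrrp, addrs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                 # header: '# ... by RouterOS 7.2rc1'
            m = re.search(r"by RouterOS (\S+)", line)
            if m:
                version = m.group(1)
            continue
        if line.startswith("/"):                 # section header, e.g. '/ip address'
            section = line
            continue
        if not line.startswith("add "):          # 'set ...' lines are not needed here
            continue
        kv = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        if section == "/interface vrrp":
            vrrp.append(kv)
        elif section == "/ip address":
            addrs.append(kv)
    return {"version": version, "vrrp": vrrp, "addresses": addrs}


def check_router(name, cfg, peer):
    """Findings for one router, given its parsed export and the peer's."""
    findings = []
    vrrp_names = {v.get("name") for v in cfg["vrrp"]}
    peer_ips = {str(ipaddress.ip_interface(a["address"]).ip) for a in peer["addresses"]}
    for v in cfg["vrrp"]:
        vname = v.get("name", "?")
        if v.get("sync-connection-tracking") != "yes":
            findings.append((name, "sync-off", vname))
        # missing key means the default, assumed to be preemption-mode=yes
        if v.get("preemption-mode", "yes") != "no":
            findings.append((name, "preempt-enabled", vname))
        remote = v.get("remote-address")
        if remote is None:
            code = "remote-missing-ipv6" if v.get("v3-protocol") == "ipv6" else "remote-missing"
            findings.append((name, code, vname))
        elif remote not in peer_ips:
            findings.append((name, "remote-not-on-peer", remote))
    # /32 rule: a VRRP address inside a carrier interface's subnet must be a /32
    carrier_nets = [ipaddress.ip_interface(a["address"]).network
                    for a in cfg["addresses"] if a["interface"] not in vrrp_names]
    for a in cfg["addresses"]:
        if a["interface"] not in vrrp_names:
            continue
        iface = ipaddress.ip_interface(a["address"])
        if iface.network.prefixlen != 32 and any(iface.ip in n for n in carrier_nets):
            findings.append((name, "vrrp-address-not-/32", a["address"]))
    return findings


def check_pair(name_a, text_a, name_b, text_b):
    """Cross-check two exports; returns a list of (router, code, detail) tuples."""
    a, b = parse_export(text_a), parse_export(text_b)
    findings = []
    if a["version"] != b["version"]:
        findings.append(("pair", "version-mismatch", f"{a['version']} vs {b['version']}"))
    return findings + check_router(name_a, a, b) + check_router(name_b, b, a)


# Constructed sample inputs, modelled on the two exports posted in this thread
# (only the lines the checker needs; serials and software ids omitted).
R1_EXPORT = """\
# jan/28/2022 10:43:35 by RouterOS 7.2rc1
/interface vrrp
add interface=ether2.Uplink-Core-Switch name=vrrp.voip-router preemption-mode=no priority=50 remote-address=10.1.160.3 sync-connection-tracking=yes vrid=88
/ip address
add address=10.1.160.2/24 interface=ether2.Uplink-Core-Switch network=10.1.160.0
add address=10.1.160.1/24 interface=vrrp.voip-router network=10.1.160.0
"""
R2_EXPORT = """\
# jan/28/2022 10:44:00 by RouterOS 7.2rc1
/interface vrrp
add interface=ether2.Uplink-Core-Switch name=vrrp.voip-router remote-address=10.1.160.2 sync-connection-tracking=yes vrid=88
/ip address
add address=10.1.160.3/24 interface=ether2.Uplink-Core-Switch network=10.1.160.0
add address=10.1.160.1/24 interface=vrrp.voip-router network=10.1.160.0
"""
# The same pair after the fixes from the replies: /32 on the VRRP address,
# and preemption-mode=no on the router whose posted export lacked it.
R1_FIXED = R1_EXPORT.replace("10.1.160.1/24", "10.1.160.1/32")
R2_FIXED = R2_EXPORT.replace("10.1.160.1/24", "10.1.160.1/32").replace(
    "remote-address=", "preemption-mode=no remote-address=")

if __name__ == "__main__":
    for label, a, b in (("as posted", R1_EXPORT, R2_EXPORT), ("fixed", R1_FIXED, R2_FIXED)):
        print(label, check_pair("R1", a, "R2", b))
```

Run as posted, the checker flags the /24 on vrrp.voip-router on both routers and the missing preemption-mode=no on R2; after the fixes the list is empty. Feed it the real "/interface export hide-sensitive" output of both routers rather than the trimmed sample.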

After changing both routers to yes, the message is gone, but there is no initial sync after booting R2 (backup).

 16:58:00 system,info router rebooted
 16:58:10 vrrp,info vrrp.voip-router now BACKUP
 16:58:10 vrrp,info vrrp.voip-router starting CONNTRACK SLAVE
 16:58:10 vrrp,warning UDP send error (101) - Network unreachable
 16:58:10 interface,info sfp-sfpplus1.qv-rz2 link up (speed 1G, full duplex)
 16:58:11 vrrp,warning UDP send error (101) - Network unreachable
 16:58:12 vrrp,warning UDP send error (101) - Network unreachable
 16:58:13 vrrp,warning UDP send error (101) - Network unreachable
 16:58:13 vrrp,warning UDP send error (101) - Network unreachable
 16:58:13 interface,info ether1.Uplink-RSM link up (speed 1G, full duplex)
 16:58:13 interface,info ether2.Uplink-Core-Switch link up (speed 1G, full duplex)
 16:58:15 vrrp,info vrrp.voip-router stop CONNTRACK
 16:58:15 vrrp,info vrrp.voip-router starting CONNTRACK SLAVE
 16:58:16 system,info,account user rack logged in from 185.58.28.171 via winbox
 18:00:10 system,info,account user rack logged in from 185.58.28.171 via local

[image attachment: Screenshot 2022-02-10 180205.jpg]

We were unable to reproduce your issue. On our side, initial sync gets performed as intended.

Please create a support ticket, so we can reproduce exactly the same setup as yours.
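Triage of the two vrrp warnings shown in the boot logs above, as an added example that is not part of the thread and not MikroTik code: a Python script that parses RouterOS log lines, counts the NETLINK and "UDP send error" warnings, and relates the latter to the carrier interface's "link up" message by line order (the posted log has both in the same second, so timestamps cannot order them). The sample log is constructed by merging the two posted boot logs; the hints restate what the replies in this thread reported (the NETLINK warning went away after forcing connection tracking to enabled=yes), and the carrier interface name is passed in as a parameter.

```python
"""Added example (not from the thread, not MikroTik code): triage of the RouterOS
vrrp warnings seen in the boot logs above. The sample log is constructed."""
import re

LOG_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")

# Constructed boot log: the two warnings from the posted logs merged into one boot.
SAMPLE_LOG = """\
16:58:00 system,info router rebooted
16:58:10 vrrp,info vrrp.voip-router now BACKUP
16:58:10 vrrp,info vrrp.voip-router starting CONNTRACK SLAVE
16:58:10 vrrp,warning NFCT_SLAVE: could not open NETLINK socket (93) - Protocol not supported
16:58:10 vrrp,warning UDP send error (101) - Network unreachable
16:58:10 interface,info sfp-sfpplus1.qv-rz2 link up (speed 1G, full duplex)
16:58:11 vrrp,warning UDP send error (101) - Network unreachable
16:58:12 vrrp,warning UDP send error (101) - Network unreachable
16:58:13 vrrp,warning UDP send error (101) - Network unreachable
16:58:13 vrrp,warning UDP send error (101) - Network unreachable
16:58:13 interface,info ether1.Uplink-RSM link up (speed 1G, full duplex)
16:58:13 interface,info ether2.Uplink-Core-Switch link up (speed 1G, full duplex)
16:58:15 vrrp,info vrrp.voip-router stop CONNTRACK
16:58:15 vrrp,info vrrp.voip-router starting CONNTRACK SLAVE
"""


def parse_log(text):
    """Split RouterOS log lines into (time, set of topics, message)."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append((m.group(1), set(m.group(2).split(",")), m.group(3)))
    return entries


def triage(entries, carrier):
    """Count conntrack-sync warnings; classify 'UDP send error' by whether the
    carrier interface had already reported link up (by line order)."""
    counts = {"netlink_failures": 0, "udp_unreachable_before_link": 0,
              "udp_unreachable_after_link": 0, "conntrack_slave_starts": 0}
    link_up = False
    for _time, topics, msg in entries:
        if "interface" in topics and msg.startswith(carrier + " link up"):
            link_up = True
        if "vrrp" not in topics:
            continue
        if "could not open NETLINK socket" in msg:
            counts["netlink_failures"] += 1
        elif "UDP send error" in msg and "Network unreachable" in msg:
            key = "udp_unreachable_after_link" if link_up else "udp_unreachable_before_link"
            counts[key] += 1
        elif msg.endswith("starting CONNTRACK SLAVE"):
            counts["conntrack_slave_starts"] += 1
    hints = []
    if counts["netlink_failures"]:
        hints.append("NETLINK open failed: connection tracking is probably still 'auto'; "
                     "run /ip/firewall/connection/tracking/set enabled=yes on both routers")
    if counts["udp_unreachable_before_link"]:
        hints.append(f"{counts['udp_unreachable_before_link']} sync sends failed before "
                     f"{carrier} came up: peer unreachable while the carrier was down")
    if counts["udp_unreachable_after_link"]:
        hints.append("sync sends still failing after link up: check the route to remote-address")
    return counts, hints


if __name__ == "__main__":
    found, advice = triage(parse_log(SAMPLE_LOG), "ether2.Uplink-Core-Switch")
    print(found)
    for line in advice:
        print("-", line)
```

Point it at "/log print" output from the backup router after a reboot; a non-zero udp_unreachable_after_link count is the case worth including in a support ticket, since it means the sync peer stayed unreachable after the carrier interface was up.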

Yeah, I will send you the support ticket as far as I can.

But I have a related question: is it possible that the slave doesn't have the synced connections in its own conntrack table?

Our setup looks like this:
[image attachment: Download.png]
Green = Upstream to the Internet - works
Blue = Downstream from the Internet - works
Orange = Downstream from the Internet via R2 - does not work - R2 discards packets

We looked at the FIREWALL > CONNECTIONS table and saw correct UDP and TCP connections. We did some tests with a UDP echo server and sent a packet from the PC to the Internet to get a new entry in connection tracking. When we routed the traffic via R1, the echo server was functional. But when we sent the traffic via R2, packets reached the server but the answers were discarded on R2.

This looks like the conntrack table is only in memory and not active on R2.

When marking R1 as slave and R2 as active, the UDP echo server was fully functional when we sent traffic via R2. But when we switched traffic to R1, the echo server stopped working.

Active/active is possible with the Linux conntrackd userspace client without any issues:
https://conntrack-tools.netfilter.org/manual.html#sync-aa