VRRP with VLAN -> problem

Hi,

we have set up VRRP on our router, but we face the following problem.
As example:

VLAN323 (interface, IP 10.10.1.2)
- VRRP323 (interface, IP 10.10.1.1)

VLAN324 (interface, IP 10.10.2.2)
- VRRP324 (interface, IP 10.10.2.1)

All clients have the 10.10.X.1 as gateway defined.

If Client A (10.10.2.21) pings Server A (10.10.1.5) it fails, because the log says:
Drop forward: In-Interface VRRP324, Out-Interface VLAN323

If another client (let's say Client B, 10.10.2.25) pings Server A (10.10.1.5) it works; the log says:
In-Interface VRRP324, Out-Interface VRRP323.

The firewall is configured: In-Interface VRRP324 - Out-Interface VRRP323 - accept -> it fails for Client A, but works for Client B.
If we reconfigure: In-Interface VRRP324 - Out-Interface VLAN323 - accept -> it works for Client A, but fails for Client B.

It would make it very difficult to set up rules for each "VRRP->VLAN" and "VRRP->VRRP" connection.

The question is: why does it sometimes go VRRP->VLAN and sometimes VRRP->VRRP?
Another strange thing: this is not consistent; after a few minutes (or hours) Client B fails as well (with VRRP->VLAN).

Any thoughts?

BRGDS

Hi

If you consult the documentation at https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP, you'll notice that VRRP routers are supposed to be each other's backups, and hence need to reside in the same broadcast domain / subnet.

We need a VRRP virtual router in every VLAN, and the MikroTik(s) themselves need an IP in every VLAN as well. Otherwise the VRRP won't become active (and stays red).

This results in the following route list:
10.10.1.0/24 | VLAN323 reachable, VRRP323 reachable
10.10.2.0/24 | VLAN324 reachable, VRRP324 reachable

Now it seems the router sometimes takes the VLAN gateway and sometimes the VRRP gateway.
This leads to the trouble with the firewall rules.

How can we achieve that the router always takes the VRRP gateway? Is there a way to "block" the VLAN as a (dynamic) gateway?

The documentation is quite useless in this case, because it covers only a simple non-VLAN scenario…
For testing purposes only the VRRP master is connected. The "to be" VRRP slave is offline.

BRGDS

It appears you have the wrong netmask on the VRRP interface. Unlike all the other VRRP implementations I've seen, MikroTik needs the VRRP address to be specified with /32, NOT /24 (or whatever is appropriate for your LAN/VLAN); see https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP#IPv4. You then get two routes:
10.10.1.0/24 | VLAN323 reachable
10.10.1.1/32 | VRRP323 reachable
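As an added illustration of the /32 point above (not code from the thread or from MikroTik), this script audits a constructed address table in the style of `/ip address print` output, derives the connected route each address creates, and flags VRRP addresses that are not /32 (which duplicate the VLAN's connected route) or that fall outside every VLAN subnet. It assumes VRRP interfaces are named `VRRP*` and that the sample omits the flags column.

```python
import ipaddress

# Constructed sample in the style of RouterOS "/ip address print" output.
# VRRP323 carries the /24 mistake from the thread; VRRP324 is already /32.
SAMPLE_ADDRESSES = """\
 #   ADDRESS            NETWORK         INTERFACE
 0   10.10.1.2/24       10.10.1.0       VLAN323
 1   10.10.1.1/24       10.10.1.0       VRRP323
 2   10.10.2.2/24       10.10.2.0       VLAN324
 3   10.10.2.1/32       10.10.2.1       VRRP324
"""


def parse_addresses(text):
    """Return [(interface, ip_interface)] from print-style output; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        rows.append((parts[3], ipaddress.ip_interface(parts[1])))
    return rows


def connected_routes(rows):
    """Map each connected route (network/prefix) to the interfaces that create it.

    Two interfaces under one key is exactly the duplicate-route situation
    that makes the forwarding interface (VLAN vs VRRP) unpredictable.
    """
    routes = {}
    for iface, addr in rows:
        routes.setdefault(str(addr.network), []).append(iface)
    return routes


def audit_vrrp(rows):
    """Return (interface, problem) findings for VRRP addresses (assumed to be named VRRP*)."""
    findings = []
    vlan_nets = [a.network for i, a in rows if not i.startswith("VRRP")]
    for iface, addr in rows:
        if not iface.startswith("VRRP"):
            continue
        if addr.network.prefixlen != 32:
            findings.append((iface, f"{addr} should be /32; it adds a second "
                                    f"connected route for {addr.network}"))
        if not any(addr.ip in net for net in vlan_nets):
            findings.append((iface, f"{addr.ip} lies outside every VLAN subnet"))
    return findings


if __name__ == "__main__":
    rows = parse_addresses(SAMPLE_ADDRESSES)
    for net, ifaces in connected_routes(rows).items():
        print(net, "|", ", ".join(f"{i} reachable" for i in ifaces))
    for iface, problem in audit_vrrp(rows):
        print("WARNING", iface, problem)
```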

Thanks, I edited the VRRP interfaces with a /32 mask (ROS removes the "/32", so I don't know if this works correctly?).
This results in the following routes:

10.10.1.0/24 | VLAN323 reachable
10.10.1.0 | VRRP323 reachable (NOT 10.10.1.1/32)
10.10.2.0/24 | VLAN324 reachable
10.10.2.0 | VRRP324 reachable (NOT 10.10.2.1/32)

But we still have the problem that if I ping from a client to the server, I get this log:
DROP FORWARD forward: in:VRRP324 out:VLAN323 […]

BRGDS