vrrp

Dear All,

On a router every interface has a VRRP interface, which is the gateway for that interface's subnet. I would like to make separate firewall rules like this:
ip firewall filter add chain=forward out-interface=<?which_if?> action=jump jump-target=fwd_subnet_1

My question is: which interface should I use as the outgoing interface? The VRRP one or the real one?

thank you

It should be the real one. VRRP only answers ARP for the common MAC address and passes the traffic to the real interface. IIRC outbound traffic should originate from the physical interface.

Thank you very much!
Have a nice day!

Dear All,

Everybody tells me I should use the 'real' interface, but it does not seem to work. The playground:

pc1 -- ether1@TheBox@ether5/vrrp5 -- pc2

TheBox:
ether1 - 192.168.90.1/24

ether5 - 192.168.99.99/24
vrrp5 - 192.168.99.100/24 (on ether5)


The filter chain:

chain=forward action=accept protocol=icmp in-interface=ether1
A)) chain=forward action=accept in-interface=vrrp5
B)) chain=forward action=accept in-interface=ether5
chain=forward action=drop


When only B)) is enabled there is no ICMP traffic, while when A)) is enabled it works like a charm [in this case B)) is unnecessary/disabled].

Another example:
I would like to make separate forward chains for ethernet interfaces, like this:
chain=forward action=jump jump-target=eth5 out-interface=ether5

The "chain=eth5 action=accept" rule did not work until I changed the out-interface from ether5 to vrrp5.

Could somebody explain it, please?
Thank you very much.

System resources:
version: 6.46.2 (stable)
architecture-name: mmips
board-name: hEX

Another test:
I have these interfaces with these IP addresses. I have a forward filter which includes only the interface ether5 (not vrrp5). I begin to ping the target, and during the echo request/reply I move the service IP between the real and the VRRP interface with the command:
/ip address disable number=4; /ip address enable number=3
I also added a log rule as the first rule in the forward chain.

#   ADDRESS            NETWORK       INTERFACE   (X = disabled)
2   192.168.99.99/24   192.168.99.0  ether5
3 X 192.168.99.100/24  192.168.99.0  vrrp5
4   192.168.99.100/24  192.168.99.0  ether5

This is the log during the ICMP echo requests, while I change the IP "location":

The log shows (the log rule is the first, passthrough rule in the forward chain):
05:02:11 firewall,info forward eleje forward: in:ether1 out:ether5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84
05:02:11 firewall,info forward eleje forward: in:ether5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84
05:02:12 firewall,info forward eleje forward: in:ether1 out:ether5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84
05:02:12 firewall,info forward eleje forward: in:vrrp5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84
05:02:13 firewall,info forward eleje forward: in:ether1 out:vrrp5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84
05:02:13 firewall,info forward eleje forward: in:vrrp5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84
05:02:14 firewall,info forward eleje forward: in:ether1 out:vrrp5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84
05:02:14 firewall,info forward eleje forward: in:vrrp5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84

In the first three lines the traffic passes between ether1 and ether5. After I activate the VRRP IP with the above-mentioned command, ether5 becomes vrrp5. The traffic keeps flowing (because it is already established), but when I start a new ICMP request, the filter drops it because the ether5 interface in the rules has changed to vrrp5...

The forward rules:
1 chain=forward action=passthrough log=yes log-prefix="forward eleje"
2 chain=forward action=accept connection-state=established,related
3 chain=forward action=jump jump-target=eth5 out-interface=ether5
5 chain=forward action=drop
6 chain=eth5 action=accept
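To make the behaviour in the log above (and the in-interface question from the start of the thread) concrete, here is an added Python model; it is not from the original posts or from RouterOS. It parses the quoted log lines, keeps a minimal connection table so that `connection-state=established` can be evaluated, and runs the poster's forward chain against every packet twice: once with the jump rule on `out-interface=ether5`, once on `out-interface=vrrp5`. The last log line is constructed (a new echo request from 192.168.90.50 started after the VRRP address became active); the one-connection-per-host-pair conntrack model and the default-accept policy for a chain without a terminal verdict are assumptions of the model.

```python
import re
from dataclasses import dataclass

# Forward-chain log lines quoted in the thread, plus one CONSTRUCTED line at the
# end: a new echo request from 192.168.90.50 started after the VRRP address
# became active, so it belongs to no established connection.
LOG_LINES = [
    "05:02:11 firewall,info forward eleje forward: in:ether1 out:ether5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84",
    "05:02:11 firewall,info forward eleje forward: in:ether5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84",
    "05:02:12 firewall,info forward eleje forward: in:ether1 out:ether5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84",
    "05:02:12 firewall,info forward eleje forward: in:vrrp5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84",
    "05:02:13 firewall,info forward eleje forward: in:ether1 out:vrrp5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84",
    "05:02:13 firewall,info forward eleje forward: in:vrrp5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84",
    "05:02:14 firewall,info forward eleje forward: in:ether1 out:vrrp5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84",
    "05:02:14 firewall,info forward eleje forward: in:vrrp5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84",
    # constructed line (not from the thread): a fresh ping from another host
    "05:02:20 firewall,info forward eleje forward: in:ether1 out:vrrp5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.50->192.168.99.1, len 84",
]

# Pull interfaces, protocol and addresses out of a RouterOS firewall log line.
LOG_RE = re.compile(
    r"in:(?P<in>[^\s,]+) out:(?P<out>[^\s,]+),.*?proto (?P<proto>\S+) .*?"
    r"(?P<src>\d+(?:\.\d+){3})->(?P<dst>\d+(?:\.\d+){3})"
)


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str
    src: str
    dst: str


def parse_log_line(line):
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised firewall log line: {line!r}")
    return Packet(m["in"], m["out"], m["proto"], m["src"], m["dst"])


def forward_rules(out_iface):
    """The poster's forward chain, parameterised on the jump rule's out-interface."""
    return [
        {"chain": "forward", "action": "passthrough"},
        {"chain": "forward", "action": "accept", "connection-state": {"established", "related"}},
        {"chain": "forward", "action": "jump", "jump-target": "eth5", "out-interface": out_iface},
        {"chain": "forward", "action": "drop"},
        {"chain": "eth5", "action": "accept"},
    ]


def rule_matches(rule, pkt, state):
    if "in-interface" in rule and rule["in-interface"] != pkt.in_if:
        return False
    if "out-interface" in rule and rule["out-interface"] != pkt.out_if:
        return False
    if "connection-state" in rule and state not in rule["connection-state"]:
        return False
    return True


def run_chain(chain, pkt, state, rules):
    """Walk one chain top to bottom; return the first terminal verdict or None."""
    for rule in (r for r in rules if r["chain"] == chain):
        if not rule_matches(rule, pkt, state):
            continue
        if rule["action"] == "passthrough":
            continue  # log-only rule: matched, but processing continues
        if rule["action"] == "jump":
            verdict = run_chain(rule["jump-target"], pkt, state, rules)
            if verdict is not None:
                return verdict
            continue  # target chain ran out of rules: carry on in this chain
        return rule["action"]
    return None


def flow_key(pkt):
    # Assumption of the model: one echo request/reply exchange between two
    # hosts is one connection, so request and reply share a direction-less key.
    return (pkt.proto, frozenset((pkt.src, pkt.dst)))


def filter_log(lines, rules):
    """Return the verdict for each log line, tracking connections as it goes."""
    conntrack = set()
    verdicts = []
    for line in lines:
        pkt = parse_log_line(line)
        key = flow_key(pkt)
        state = "established" if key in conntrack else "new"
        # Assumption: a chain that ends without a terminal action accepts
        # (RouterOS default policy); this chain ends in an explicit drop anyway.
        verdict = run_chain("forward", pkt, state, rules) or "accept"
        if verdict == "accept":
            conntrack.add(key)
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    for iface in ("ether5", "vrrp5"):
        print(f"jump rule out-interface={iface}")
        for line, verdict in zip(LOG_LINES, filter_log(LOG_LINES, forward_rules(iface))):
            pkt = parse_log_line(line)
            print(f"  in:{pkt.in_if:6} out:{pkt.out_if:6} {pkt.src}->{pkt.dst}  {verdict}")
```

With the jump rule on ether5, the eight quoted packets are all accepted (the first one by the jump, the rest as established), and only the constructed new request, which the router now forwards out of vrrp5, hits the final drop. With the jump rule on vrrp5, the packets logged while the address still sat on ether5 are dropped and everything after the switch is accepted, which is what the thread's author saw when changing the out-interface to vrrp5.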

VRRP interfaces should have single addresses, i.e. with a /32 netmask. If you use the same netmask as the parent interface has, it usually seems to work, at least at first, but it does strange things. And I keep forgetting the explanation of what exactly happens.

And yes, if something is coming to the VRRP interface, either to the IP address on it or to its MAC address (e.g. when something uses the VRRP IP address as gateway), then in-interface= is correct.

Sorry for delay and thank you for your answer!

Could you explain why a VRRP IP should be /32? I have read this, but what does it mean?

“Note: address on VRRP interface must have /32 netmask if address configured on VRRP is from the same subnet as on router’s any other interface.”

thank you