Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

VRRP connection tracking and preemption mode

Thu Apr 29, 2021 12:06 am

I want to set up VRRP with preemption mode and connection tracking sync at the same time. However, both my routers complain that these settings are mutually exclusive. The goal is to have a "main router" connected to fiber internet that we want as much as possible. It should sync its connections with the backup router. When this main router's not available, I want VRRP to switch to a backup LTE one that we want as little as possible as I only have 4GB of data on it. When the main router comes back up, the LTE should go into backup mode. However, with preemption mode turned off, this couldn't happen unless I activated it on only one router. Could this be done, or will I have to live without v7's connection syncing?
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: VRRP connection tracking and preemption mode

Thu Apr 29, 2021 1:44 am

MikroTik explicitly states that pre-emption mode must be off for connection sync as it currently stands - unknown if this is a temporary limitation or not.

But - it looks like you should still be able to use priorities etc to force master back to being master (which I thought was VRRP default anyways if the 1st router comes back with higher priority) using 'Owner'

Note: Preemption mode is ignored if Owner router becomes available.
https://wiki.mikrotik.com/wiki/Manual:I ... VRRP#Owner


Will probably take a bit of trial and error to get it working how you like. In my experience - unless you are big corporate or multi-user ISP, then people don't much care about the destruction of the connection. Most applications and protocols (web browsers & http/s) are pretty smart about re-establishing the connection and continuing on - as from my experience a change of src IP of your clients may likely destroy most connections anyway.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: VRRP connection tracking and preemption mode

Thu Apr 29, 2021 1:52 am

The problem with using an Owner router is that ROS simply doesn't support it. I'd like for connection switching to be as seamless as possible, as some of the users in the home where this is being used complain about their internet suddenly going out, which tracking might help a little with.
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: VRRP connection tracking and preemption mode

Thu Apr 29, 2021 4:15 am

as some of the users in the home where this is being used complain about their internet suddenly going out, which tracking might help a little with.
No - tracking won't really help a noticeable amount. I'd forgo it and use preemptive mode.
 
raimondsp
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: VRRP connection tracking and preemption mode

Thu Apr 29, 2021 10:47 am

That's a good question. While the Mikrotik documentation states that preemption mode and sync connection tracking are mutually exclusive, it does not explain why. Let me clarify that.

Let's begin with a short recap of why connection sync is needed. Most firewalls have rules to allow established or related connections. Without connection syncing, the backup router knows nothing about the established connections on the master. When the master goes down and traffic starts going through the backup router, the latter treats all connections as new, which, under certain circumstances, may lead to dropped connections. It is the same story with NAT - it is impossible to do network address translation without connection tracking. When the backup router becomes the VRRP master, all clients behind NAT lose all their connections unless connection sync has been on.

Sync connection tracking works the best when both master and backup routers are identical or close performance-wise.

If the backup router is significantly slower than the master router, and the latter goes down during heavy load, the situation is similar to a DDoS attack on the former. In such a case it is better to have sync-connection-tracking=no. Yes, the existing connections get dropped, but at least the backup router can handle new (or re-established) connections during the master's downtime.

Moreover, connection sync does not work with the standard VRRP preemption. For example, if the master reboots and gets back online with a higher VRRP priority value, it becomes the VRRP master again according to the VRRP protocol. But at this moment, the master does not have connections synced from the backup router yet! It leads to a drop of established and/or NAT'ed connections. According to VRRP, if the router's priority is higher and preemption mode is enabled, it immediately becomes the VRRP master. VRRP does not have an option for the backup router (which is temporarily VRRP-master now) to tell the original master something like "please wait until connection sync and then become the master".

Theoretically, Mikrotik could implement an extension to VRRP that would allow delayed preemption. But that's a lot of development effort for little-to-no benefit. Moreover, while VRRP is the standard protocol, the extension would not work with third-party routers or even Mikrotik routers running RouterOS v6.

  • If both master and backup routers are identical (or similar), then there is no difference in which one is handling traffic. Set:
    preemption-mode=no sync-connection-tracking=yes
  • If the backup router is significantly slower and may not handle all the traffic, don't bother with connection syncing. Set:
    preemption-mode=yes sync-connection-tracking=no
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: VRRP connection tracking and preemption mode

Fri Apr 30, 2021 2:24 am

the master does not have connections synced from the backup router yet!
Great post and explanation! This is the #1 reason I had in my head why it would be that way but great to get confirmation.

To address OP's situation - which I assume is NAT

Even though the connections are synced to the 2nd router - in a home NAT instance you can expect the customer's WAN IP to change - so would most connections already experience a breakdown and re-establishment to the new WAN IP? VRRP connection syncing is only really beneficial if the WAN IP address stays the same, correct? (i.e. multiple circuits from one provider, or BGP IP space and the like)

This is why I suggested to OP they should scrap it - as I would assume using a 4G backup service, the WAN IP is not portable between the 2 connections.
 
raimondsp
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: VRRP connection tracking and preemption mode

Fri Apr 30, 2021 9:42 am

Great post and explanation! This is the #1 reason I had in my head why it would be that way but great to get confirmation.

To address OP's situation - which I assume is NAT

Even though the connections are synced to the 2nd router - in a home NAT instance you can expect the customer's WAN IP to change - so would most connections already experience a breakdown and re-establishment to the new WAN IP? VRRP connection syncing is only really beneficial if the WAN IP address stays the same, correct? (i.e. multiple circuits from one provider, or BGP IP space and the like)

This is why I suggested to OP they should scrap it - as I would assume using a 4G backup service, the WAN IP is not portable between the 2 connections.
In the case of NAT, you can run two VRRP interfaces: one for LAN and one for WAN. Then, assign a single WAN IP to the VRRP WAN interface. That makes sure that the WAN IP will not change on the router change. Of course, it does not help if you have two different ISPs (e.g., ethernet + 4G). But with a single WAN connection and two routers, that is a way to do it.

Also, we introduced VRRP groups in RouterOS v7, making sure that all VRRP instances on the same router retain the same role (either all are VRRP master, or all are backups). Here is a configuration example:
/interface vrrp
add interface=bridge1 name=vrrplan preemption-mode=no priority=200 sync-connection-tracking=yes vrid=10
add interface=ether1 name=vrrpwan preemption-mode=no priority=200 vrid=20
set vrrplan,vrrpwan group-master=vrrplan
 
OlofL
Member Candidate
Member Candidate
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

Re: VRRP connection tracking and preemption mode

Fri Apr 30, 2021 10:27 am


Moreover, connection sync does not work with the standard VRRP preemption. For example, if the master reboots and gets back online with a higher VRRP priority value, it becomes the VRRP master again according to the VRRP protocol. But at this moment, the master does not have connections synced from the backup router yet! It leads to a drop of established and/or NAT'ed connections. According to VRRP, if the router's priority is higher and preemption mode is enabled, it immediately becomes the VRRP master. VRRP does not have an option for the backup router (which is temporarily VRRP-master now) to tell the original master something like "please wait until connection sync and then become the master".

Theoretically, Mikrotik could implement an extension to VRRP that would allow delayed preemption. But that's a lot of development effort for little-to-no benefit. Moreover, while VRRP is the standard protocol, the extension would not work with third-party routers or even Mikrotik routers running RouterOS v6.
Easy solution - as many routers have. Just add the VRRP preemption delay/hold time.
Juniper and VyOS have this, to name a few.
 
stathismes
newbie
Posts: 28
Joined: Sun May 14, 2017 3:34 pm

Re: VRRP connection tracking and preemption mode

Wed Dec 14, 2022 3:41 pm

I too am wondering whether this would be implemented in ROS 7.x.
A delay/hold timer is definitely needed in order not to drop connections when the Master router comes back.
Please let us know if this is something in development :)
 
raimondsp
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: VRRP connection tracking and preemption mode

Thu Dec 15, 2022 1:46 pm

I too am wondering whether this would be implemented in ROS 7.x.
A delay/hold timer is definitely needed in order not to drop connections when the Master router comes back.
Please let us know if this is something in development :)

Actually, the feature has already been implemented and released in RouterOS v7.5:
*) vrrp - added "sync-connection-tracking" compatibility with preemption-mode;

When both sync-connection-tracking and preemption-mode are enabled, and a router with higher VRRP priority becomes online, the connections get synchronized first, and only then the router with higher priority becomes the VRRP master.
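
Added example (not part of the thread and not MikroTik code): a toy Python model of the failback described in the posts above, showing why classic preemption breaks tracked flows and why syncing before the role change, as the v7.5 changelog entry describes, does not. The router names, priorities and flows are constructed, and the firewall is reduced to a single "accept established" check.

```python
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    priority: int
    conntrack: set = field(default_factory=set)  # flows this router has tracked

    def accepts_reply(self, flow: str) -> bool:
        # Stateful firewall / NAT: return traffic passes only for a tracked flow.
        return flow in self.conntrack


# Constructed sample flows (documentation address ranges).
FLOWS = {
    "192.168.88.10:51000->203.0.113.10:443",
    "192.168.88.11:40222->198.51.100.7:22",
}


def failback(preemption: bool, synced_before_takeover: bool):
    """Primary comes back after an outage. Return (master name, broken flows)."""
    primary = Router("primary", priority=200)   # rebooted: conntrack table is empty
    backup = Router("backup", priority=100)
    backup.conntrack |= FLOWS                   # flows opened while backup was master
    master = backup

    if synced_before_takeover:
        # Table is copied to the returning router before any role change.
        primary.conntrack |= backup.conntrack
    if preemption and primary.priority > master.priority:
        master = primary                        # higher priority takes the master role

    broken = sorted(f for f in FLOWS if not master.accepts_reply(f))
    return master.name, broken


if __name__ == "__main__":
    print("preempt, no sync      :", failback(True, False))
    print("no preempt, sync      :", failback(False, True))
    print("sync first, then preempt:", failback(True, True))
```

The second case keeps every flow but leaves traffic on the backup router, which is the trade-off the original poster wanted to avoid on a metered LTE link.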
 
stathismes
newbie
Posts: 28
Joined: Sun May 14, 2017 3:34 pm

Re: VRRP connection tracking and preemption mode

Thu Dec 15, 2022 3:24 pm

Thank you for your reply! It was not very clear to me.
Glad this has been implemented.

So, practically, we can now define the VRRP interface used for connection-syncing as a VRRP Group master interface and assign the rest of the VRRP interfaces as slaves. So then in the event of a reboot of the primary router, the backup will first sync back the connections to the primary, then the primary will become the VRRP master again. I will have to test this, however I'm feeling lucky:)
 
raimondsp
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: VRRP connection tracking and preemption mode

Thu Dec 15, 2022 4:16 pm

So, practically, we can now define the VRRP interface used for connection-syncing as a VRRP Group master interface and assign the rest of the VRRP interfaces as slaves. So then in the event of a reboot of the primary router, the backup will first sync back the connections to the primary, then the primary will become the VRRP master again.
Yes, exactly!
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP connection tracking and preemption mode

Tue Feb 07, 2023 1:52 pm

@raimondsp you should do a YouTube on VRRP. It's such a useful feature – that seems under-utilized – and not hard to set up.
