Community discussions

MUM Europe 2020
 
savage
Forum Guru
Forum Guru
Topic Author
Posts: 1218
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa
Contact:

VRRP, Virtual IP address, or Virtual Interface?!?!?

Tue Nov 27, 2007 2:51 pm

Hi,

Need some input here, as this is starting to become really troublesome. When using VRRP, does it create Virtual IP Addresses (like 99.9999% of other products supporting VRRP), or does it create Virtual Interfaces (which, increases work and configuration in a insanely high manner). Please have a look at the following... I can't see why this is NOT working

Access List that is in use:
[cknipe@CPT-CORE01] /ip firewall filter> ..address-list print
Flags: X - disabled, D - dynamic
 #   LIST               ADDRESS
<snip>
 6   ACME CTN           172.19.44.0/24
 7   ACME CTN           172.19.45.0/26
[cknipe@CPT-CORE01] /ip firewall filter>
Forwarding Chain in use:
[cknipe@CPT-CORE01] /ip firewall filter> pr chain=forward
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Drop All Peer to Peer Taffic
     chain=forward action=reject reject-with=icmp-network-unreachable p2p=all-p2p

 1   ;;; CTN via MPLS Outbound (Allowed)
     chain=forward action=accept dst-address=0.0.0.0/0 src-address-list=ACME CTN out-interface=VLAN100

 2   ;;; CTN via MPLS Outbound (Log)
     chain=forward action=log out-interface=VLAN100 - Gateway MPLS log-prefix=""

 3   ;;; CTN via MPLS Outbound (Reject)
     chain=forward action=reject reject-with=icmp-network-unreachable out-interface=VLAN100

 4   ;;; CTN via MPLS Inbound (Allowed)
     chain=forward action=accept src-address=0.0.0.0/0 dst-address-list=ACME CTN in-interface=VLAN100

 5   ;;; CTN via MPLS Inbound (Log)
     chain=forward action=log in-interface=VLAN100 - Gateway MPLS log-prefix=""

 6   ;;; CTN via MPLS Inbound (Reject)
     chain=forward action=reject reject-with=icmp-network-unreachable in-interface=VLAN100
Interface lists:
[cknipe@CPT-CORE01] /interface> /interface print brief
Flags: X - disabled, R - running, D - dynamic, S - slave
 #    NAME                                                                                                                            TYPE             MTU
<snip>
 2 R  ;;; VRRP for Incoming MPLS Data
      VRRP - MPLS                                                                                                                     vrrp             1500
 3 R  ;;; Internal Office Network (Prioritised)
      VLAN10                                                                                                                          vlan             1500
 4 R  ;;; VRRP for Prioritised Internal Network
      VRRP - VLAN10                                                                                                                   vrrp             1500
 5 R  ;;; Internal Office Network
      Internal                                                                                                                        ether            1500
 6 R  ;;; MPLS Interface
      VLAN100 - Gateway MPLS                                                                                                          vlan             1500
<snip>
Logs:
14:24:08 firewall,info forward: in:VRRP - MPLS out:VLAN10, src-mac 00:1b:2a:b2:5e:82, proto TCP (SYN,ACK), 172.20.44.15:110->172.19.45.14:3321, len 48
14:24:08 firewall,info forward: in:VRRP - MPLS out:VLAN10, src-mac 00:1b:2a:b2:5e:82, proto TCP (ACK,PSH), 172.20.44.15:110->172.19.45.14:3321, len 102
14:24:08 firewall,info forward: in:VRRP - MPLS out:VLAN10, src-mac 00:1b:2a:b2:5e:82, proto TCP (ACK), 172.20.44.15:110->172.19.45.14:3321, len 40
14:24:08 firewall,info forward: in:VRRP - MPLS out:VLAN10, src-mac 00:1b:2a:b2:5e:82, proto TCP (ACK,PSH), 172.20.44.15:110->172.19.45.14:3321, len 75
14:24:08 firewall,info forward: in:VRRP - MPLS out:VLAN10, src-mac 00:1b:2a:b2:5e:82, proto TCP (ACK,PSH), 172.20.44.15:110->172.19.45.14:3321, len 99
14:24:08 firewall,info forward: in:VRRP - MPLS out:Internal, src-mac 00:1b:2a:b2:5e:82, proto TCP (ACK,PSH), 172.20.44.15:110->172.19.44.102:1828, len 72
14:24:08 firewall,info forward: in:VRRP - MPLS out:Internal, src-mac 00:1b:2a:b2:5e:82, proto TCP (ACK,PSH), 172.20.44.15:110->172.19.44.102:1828, len 71
14:24:08 firewall,info forward: in:VRRP - MPLS out:VLAN10, src-mac 00:1b:2a:b2:5e:82, proto TCP (ACK,PSH), 172.20.44.15:110->172.19.45.14:3321, len 49
14:24:08 firewall,info forward: in:VRRP - MPLS out:Internal, src-mac 00:1b:2a:b2:5e:82, proto TCP (ACK,PSH), 172.20.44.15:110->172.19.44.102:1828, len 75
14:24:08 firewall,info forward: in:VRRP - MPLS out:Internal, src-mac 00:1b:2a:b2:5e:82, proto TCP (SYN), 172.20.44.41:3399->172.19.44.43:8080, len 48
14:24:08 firewall,info forward: in:VRRP - MPLS out:Internal, src-mac 00:1b:2a:b2:5e:82, proto TCP (SYN), 172.20.44.21:1269->172.19.44.91:8080, len 48
14:24:08 firewall,info forward: in:VRRP - MPLS out:Internal, src-mac 00:1b:2a:b2:5e:82, proto TCP (ACK,PSH), 172.20.44.15:110->172.19.44.102:1828, len 101
14:24:08 firewall,info forward: in:VRRP - MPLS out:VLAN10, src-mac 00:1b:2a:b2:5e:82, proto TCP (ACK,PSH), 172.20.44.15:110->172.19.45.14:3321, len 103
14:24:08 firewall,info forward: in:VRRP - MPLS out:VLAN10, src-mac 00:1b:2a:b2:5e:82, proto TCP (ACK,FIN), 172.20.44.15:110->172.19.45.14:3321, len 40

Now, the firewall sees the packets as coming on the Virtual Interface, instead of the real interface... Why?

Is it now -really- required to duplicate ALL my rules for every single VRRP Interface (more than 8 on this specific router) in order to please this rather absurd behaviour by the firewall? It wasn't like this on 2.9 and it changed now for some reason on 3.0...

I really cannot understand this. MT's VRRP implementation is the ONLY one I have EVER seen that does this... What happens when the VRRP becomes a Slave and drops the IP address? All of a sudden all my rules becomes invalid??? I cannot see why VRRP must be based on Interfaces in MT, why can't you just stick to virtual IP addresses like normal people -sigh- :(
Regards,
Chris
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1730
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: VRRP, Virtual IP address, or Virtual Interface?!?!?

Wed Nov 28, 2007 12:21 pm

It was made to correct MAC address change problems, basically VRRP was not working according to standard in v2.9 - now it is.

If i understand your situation correctly you should put VLAN on VRRP interface and use VLAN interface in the firewall.
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
savage
Forum Guru
Forum Guru
Topic Author
Posts: 1218
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa
Contact:

Re: VRRP, Virtual IP address, or Virtual Interface?!?!?

Wed Nov 28, 2007 12:35 pm

Not quite...

Incoming traffic now goes via the VRRP interface, outgoing traffic now goes via the Physical interface (depending on which site of the firewall / router you are). I need BOTH interfaces in the firewall, meaning that everything should now be listed twice... It creates an absurdly high amount of work as everything needs to be done twice.

At the very least, could we at least have a selection box where more than one in/out interface can be selected on the firewall rules then? I pretty much scrapped my forwarding rules and just allowed everything now. I'm not maintaining forwarding rules for 16 (8 physical, 8 virtual) interfaces on a firewall. It's creating massive complexities where complexities is not required... :(
Regards,
Chris

Who is online

Users browsing this forum: Bing [Bot], Cubiceye, eworm, robsgax and 84 guests