Scenario
Two routers: Router A and Router B
Two subnets, say 192.168.1.0/24 and 192.168.2.0/24
Two machines: C (192.168.1.10) and D (192.168.2.10)
Network Setup
Router A: 192.168.1.2/24 and 192.168.2.2/24
Router B: 192.168.1.3/24 and 192.168.2.3/24
VRRP Setup
Subnet 192.168.1.0/24: VRRP 192.168.1.1/32, primary on Router A, standby on Router B
Subnet 192.168.2.0/24: VRRP 192.168.2.1/32, primary on Router B, standby on Router A
Machine C default gateway: 192.168.1.1
Machine D default gateway: 192.168.2.1
Firewall
forward rule: only allow connection states new, related and established, then deny all
RP filter: no
Observation
ping from C to D
hop recorded: C > A > D > B > drop
/ip firewall connection
Router A: C F icmp 192.168.1.10 192.168.2.10
Router B: nothing
ping from D to C
hop recorded: D > B > C > A > drop
/ip firewall connection
Router A: nothing
Router B: C F icmp 192.168.2.10 192.168.1.10
I confirmed that this is due to the asymmetric route: the return path is not the same as the forward path. I relaxed the firewall rule to include the "invalid" state:
Firewall:
forward rule: only allow connection states new, related, established and invalid, then deny all
and all pings work. But such relaxation creates connections in the syn-sent state when there are TCP connections.
Discussion
Is there any smarter way to handle this scenario? Allowing forwarding of connections in the "invalid" connection state might be a security loophole. Is there any "connection database" sharing facility in MikroTik so that connection information can be shared between the two routers to achieve the resilience/load-balancing feature?
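The following is an added toy simulation, not RouterOS code and not part of the original post, of why the stateful forward filter behaves as observed above. Each router keeps its own connection table; the forward path crosses Router A and the return path crosses Router B, so B sees a reply for which it has no entry and classifies it as "invalid". The same model runs the three variants the post compares: the strict rule set, the relaxed set that accepts "invalid", and a hypothetical shared connection table (the facility the post asks about). Addresses are the ones from the scenario; the "new/established/invalid" classification is a deliberately simplified stand-in for real connection tracking (no "related" handling, no timeouts, no TCP state machine).

```python
"""Toy model of a stateful forward filter on two routers with asymmetric routing.

Constructed example: not RouterOS code. Packet kinds and state names are
simplified stand-ins for what a real connection tracker does.
"""
from dataclasses import dataclass, field

# Connection-state sets from the post: the original rule set and the relaxed one.
STRICT = {"new", "related", "established"}
RELAXED = STRICT | {"invalid"}

# Packets that may legitimately open a connection; anything else seen without
# an existing entry is treated as "invalid" (mid-stream or unsolicited).
OPENERS = {"echo-request", "syn"}


@dataclass(frozen=True)
class Packet:
    proto: str   # "icmp" or "tcp"
    src: str
    dst: str
    kind: str    # icmp: echo-request / echo-reply; tcp: syn / syn-ack / ack


@dataclass
class Router:
    name: str
    allowed_states: set
    conntrack: dict = field(default_factory=dict)   # flow key -> tracked state
    log: list = field(default_factory=list)         # (router, kind, state, verdict)

    @staticmethod
    def flow_key(p: Packet):
        # Direction-independent key so the reply matches the request's entry.
        return (p.proto, *sorted([p.src, p.dst]))

    def classify(self, p: Packet) -> str:
        if self.flow_key(p) in self.conntrack:
            return "established"
        return "new" if p.kind in OPENERS else "invalid"

    def forward(self, p: Packet) -> str:
        """Apply the forward chain: accept listed states, drop everything else."""
        state = self.classify(p)
        verdict = "accept" if state in self.allowed_states else "drop"
        if verdict == "accept" and state == "new":
            self.conntrack[self.flow_key(p)] = "established"
        self.log.append((self.name, p.kind, state, verdict))
        return verdict


def run_flow(flow, allowed, shared=False):
    """Push each (router, packet) pair of a flow through that router's filter.

    shared=True gives both routers one connection table (hypothetical shared
    connection database). Returns (verdicts, table_of_A, table_of_B).
    """
    table = {}
    routers = {
        "A": Router("A", allowed, table if shared else {}),
        "B": Router("B", allowed, table if shared else {}),
    }
    verdicts = [routers[r].forward(p) for r, p in flow]
    return verdicts, routers["A"].conntrack, routers["B"].conntrack


C, D = "192.168.1.10", "192.168.2.10"

# ping C -> D: request goes C > A > D, reply comes back D > B > C.
PING_C_TO_D = [
    ("A", Packet("icmp", C, D, "echo-request")),
    ("B", Packet("icmp", D, C, "echo-reply")),
]

# TCP C -> D with the same asymmetry: SYN via A, SYN-ACK via B, final ACK via A.
TCP_C_TO_D = [
    ("A", Packet("tcp", C, D, "syn")),
    ("B", Packet("tcp", D, C, "syn-ack")),
    ("A", Packet("tcp", C, D, "ack")),
]

if __name__ == "__main__":
    for label, allowed, shared in (("strict", STRICT, False),
                                   ("relaxed (+invalid)", RELAXED, False),
                                   ("strict, shared table", STRICT, True)):
        for name, flow in (("ping", PING_C_TO_D), ("tcp", TCP_C_TO_D)):
            verdicts, tab_a, tab_b = run_flow(flow, allowed, shared)
            print(f"{label:22} {name:5} verdicts={verdicts} "
                  f"entries A={len(tab_a)} B={len(tab_b)}")
```

With the strict rule set the echo reply is dropped on Router B and only Router A holds an entry, matching the "/ip firewall connection" output above; accepting "invalid" lets the reply through without B ever learning the flow, which is why that relaxation also waves through any unsolicited mid-stream packet. The shared-table run shows the reply matching as "established" on B, i.e. the behaviour a connection-database sync would give; whether RouterOS offers such a facility is exactly the open question of the post, so this variant is a model, not a claim about the product.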