Hi guys,

Im looking at some Mikrotiks for my company to do some routing duties for our firewalls. What im looking for is some high availability GRE tunnels, looks like it will be VRRP on these Mikrotiks.


Im thinking of using VRRP on the LAN and WAN interfaces. Could i say for example use VRRP on the WAN interface so the Mikrotik will create a GRE tunnel using the VRRP WAN IP address to another Mikrotik in the datacentre, then should the primary Mikrotik have a power failure, then the GRE tunnel will automatically form on the secondary Mikrotik as long as the config matches the primary?

Im wondering if anyone has ever used a similar setup like this and if its possible to create VPN GRE tunnels using VRRP addresses on WAN interfaces for redundancy?

You could create a GRE tunnel from the WAN IP (not VRRP) on both routers, assign a transit network for each tunnel, and do BGP (or OSPF) over it.

Hi Patrick,

Would would mean having ospf running over both tunnels? What what happens if for some reason traffic runs over the second (secondary) GRE tunnel but the LAN interface of the secondary Mikrotik is not the VRRP master to pass the traffic onto the initiating LAN host?


I probably need to lab it up to see for myself but do do you know if its possible to source the GRE tunnel from a VRRP ip address?

Patrick has the right idea (IMHO). You might also look at running two routers in the data center, each on its own IP then you have two GRE tunnels from the remote site and the two routers at the DC use VRRP on the LAN IP only with OSPF to handle tunnel failover.

Trying to use VRRP to move both IP's (internal and external) just doesn't provide the redundancy most people are looking for in my experience.

Joe
P.S. Don't have it all plugged into the same power strip else you have one 5-cent capacitor as your single-point-of-failure.

Yes i see your point JJC, i think that should be quite nice actually. What happens if i wanted a third GRE tunnel in the mixer built on a new (backup fttc) internet connection using a PPPOE dialler interface? I cant exactly configure it on both Mikrotiks as they will both try dial the connection at the same time?

For example if both my GRE tunnels fail on both Mikrotiks because the internet connections they are built over are broken, this leaves the single backup FTTC connection using PPPOE dialler, which Mikrotik do i configure it on?


I cant see how this will work just yet..

You could try an enable/disable of the PPPoE interface in the VRRP Master/Backup scripts, but now it sounds like your starting to violate the KISS principle.

I'm currently doing that using pfsense.
Two firewalls using carp(vrrp) and sync the state table.
The magic is that the gre source and destination should use the carp ip.
Works like a champ for two years on dozen of installs.

Thanks for that Duduhandelman - have you got a pppoe backup in the mixer too to dialup a backup GRE tunnel incase the other two are down?

Cheers,

Sorry but I'm using those two only why would you need a third backup?

To make it uber resilient. one tunnel is built over mpls, another over a leased line, the third to be over a fttc!

Just for grins really to see if i can get it to work like this.

mpls/vpls is great option/alternative in that application, yep
and for fourth backup you may had sstp link over LTE for really desperate issues