Wyz4k
Member Candidate
Topic Author
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

What ports / protocols does VRRP use?

Fri Apr 28, 2017 5:09 am

Hi there,

ROS 6.38.5

I'm trying to figure out which ports I need to open to get VRRP to work, by taking a working setup and breaking it. So far I haven't been able to break it; even after dropping practically everything, it still works. I need some help...

How can I break VRRP in IP firewall?

Edit:
On a receiving router I receive traffic from the router on which I am dropping the traffic on proto 112 (VRRP) heading to 224.0.0.18. I have explicit rules in the output chain to drop both of those cases separately but it still gets out. Is this a bug?
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: What ports / protocols does VRRP use?

Mon May 01, 2017 9:37 pm

https://tools.ietf.org/html/rfc3768#section-7.2

It sounds easy enough. I'd turn on logging w/a global drop in GNS3 to see which chain and interface you need in particular. This may be further complicated if you are using bridges. If so you'll have to enable the use-ip-firewall flag on the bridge at the least.
 
Wyz4k
Member Candidate
Topic Author
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: What ports / protocols does VRRP use?

Wed May 03, 2017 4:56 pm

> https://tools.ietf.org/html/rfc3768#section-7.2
>
> It sounds easy enough. I'd turn on logging w/a global drop in GNS3 to see which chain and interface you need in particular. This may be further complicated if you are using bridges. If so you'll have to enable the use-ip-firewall flag on the bridge at the least.

I've tried dropping on input, output and forward. That should cover all possibilities should it not? I'm not using bridge mode, as multicast is a L3 concept is it not?
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: What ports / protocols does VRRP use?

Wed May 03, 2017 5:22 pm

I can pick it up on the input chain... Just booted up some 6.39 CHR in GNS3 real fast and logged traffic from an ACL as well as verified in WireShark.

14:18:15 firewall, info input: in:ether1 out:(none), src-mac 00:00:5e:00:01:01 proto 112, 10.1.1.253->224.0.0.18, len 32

/ip firewall filter add action=accept chain=input log=yes protocol=vrrp

I however don't see it on either forward or output. I wonder if RouterOS automatically allows this traffic out? Something for the devs to answer. That said I don't know why you'd configure VRRP and then choose to block it.

You aren't trying to do that thing some other folks have posted about getting VRRP to run on an interface that is separate from the broadcast domain the address should belong to because you don't want customers mucking with it are you?

If not give us a bit of a story about why you want to block VRRP. Maybe we can brainstorm a better option for you.
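
The log line in the post above carries everything needed to identify VRRP advertisements on the input chain: IP protocol 112, destination 224.0.0.18, and the RFC 3768 virtual router MAC whose last octet is the VRID. The following is an added example, not part of any post in this thread: a small parser for that log layout that counts advertisements per VRID and source and flags advertisers outside an allow-list. The `expected` mapping and all sample lines after the first are constructed assumptions.

```python
import re
from collections import Counter

VRRP_PROTO = 112                 # IP protocol number seen in the thread's log
VRRP_GROUP = "224.0.0.18"        # VRRP multicast destination
VMAC_PREFIX = "00:00:5e:00:01:"  # RFC 3768 virtual router MAC; last octet = VRID

# Layout of the RouterOS firewall log line posted above (numeric protocol, no ports).
LOG_RE = re.compile(
    r"(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>[^,]+), "
    r"src-mac (?P<mac>[0-9A-Fa-f:]{17}),? proto (?P<proto>\d+), "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+), len (?P<len>\d+)"
)

def parse_line(line):
    """Return a dict for a matching log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = int(rec["proto"])
    mac = rec["mac"].lower()
    rec["vrid"] = int(mac[-2:], 16) if mac.startswith(VMAC_PREFIX) else None
    return rec

def audit(lines, expected):
    """Count VRRP advertisements per (VRID, source) and flag unknown advertisers.

    expected maps VRID -> set of router IPs allowed to advertise it (assumed input).
    """
    seen, alerts = Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] != VRRP_PROTO or rec["dst"] != VRRP_GROUP:
            continue
        seen[(rec["vrid"], rec["src"])] += 1
        if rec["vrid"] is None:
            alerts.append(("non-virtual-mac", rec["src"], rec["mac"]))
        elif rec["src"] not in expected.get(rec["vrid"], set()):
            alerts.append(("unexpected-advertiser", rec["src"], rec["vrid"]))
    return dict(seen), alerts

PREFIX = "firewall, info input: in:ether1 out:(none), src-mac "
SAMPLE = [  # first line is the one from the thread; the others are constructed
    "14:18:15 " + PREFIX + "00:00:5e:00:01:01 proto 112, 10.1.1.253->224.0.0.18, len 32",
    "14:18:16 " + PREFIX + "00:00:5e:00:01:01 proto 112, 10.1.1.253->224.0.0.18, len 32",
    "14:18:16 " + PREFIX + "00:00:5e:00:01:01 proto 112, 10.1.1.66->224.0.0.18, len 32",
    "14:18:17 " + PREFIX + "02:00:00:aa:bb:cc, proto 89, 10.1.1.2->224.0.0.5, len 64",
]

if __name__ == "__main__":
    counts, alerts = audit(SAMPLE, expected={1: {"10.1.1.253"}})
    print(counts)
    print(alerts)
```

Because the thread only observed these packets on the input chain, this kind of audit belongs on a router that receives the advertisements, not on the one sending them.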
 
Wyz4k
Member Candidate
Topic Author
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: What ports / protocols does VRRP use?

Thu May 04, 2017 7:20 am

> I can pick it up on the input chain... Just booted up some 6.39 CHR in GNS3 real fast and logged traffic from an ACL as well as verified in WireShark.
>
> 14:18:15 firewall, info input: in:ether1 out:(none), src-mac 00:00:5e:00:01:01 proto 112, 10.1.1.253->224.0.0.18, len 32
>
> /ip firewall filter add action=accept chain=input log=yes protocol=vrrp
>
> I however don't see it on either forward or output. I wonder if RouterOS automatically allows this traffic out? Something for the devs to answer. That said I don't know why you'd configure VRRP and then choose to block it.
>
> You aren't trying to do that thing some other folks have posted about getting VRRP to run on an interface that is separate from the broadcast domain the address should belong to because you don't want customers mucking with it are you?
>
> If not give us a bit of a story about why you want to block VRRP. Maybe we can brainstorm a better option for you.

I can also filter it on input, but not on forward or output. But I'm wondering why I can't block it on output should I want to? The firewall should be able to drop anything.

No, I'm not trying to do that. I'm trying to get VRRP to work on the mesh interface, as the mesh interface does not necessarily have an external default gateway. If I can get VRRP to work in the mesh I can have a virtual default gateway. The only reason why I looked at what it would take to break VRRP is so that I could use that to inversely figure out why it isn't working in Mesh mode.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: What ports / protocols does VRRP use?

Thu May 04, 2017 4:14 pm

WDS Mesh? If so I believe that may be your issue. Have you thought about using OSPF and pushing a default route through that? You can obtain the preferred path with cost. You'll need to define OSPF NBMA neighbors it looks like. This tells me that the NBMA nature of the mesh interface is likely what's causing hiccups with VRRP, multicast is supposed to be broadcast out all interfaces if the router is not IGMP aware and has any members in that group.

That said I only have 1 hAP AC Lite unit and it's in a different building. MikroTik, wireless and I aren't intimately acquainted yet.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: What ports / protocols does VRRP use?

Thu May 04, 2017 7:52 pm

I wonder if the VRRP daemon links the raw interface, bypassing the firewall for output traffic like the DHCP server process does....
