
 
Lebzul
newbie
Topic Author
Posts: 44
Joined: Wed Feb 21, 2018 12:54 am

VRRP Riddle [Help Needed]

Mon Aug 12, 2019 2:14 am

Hey there,

I need some help from you guys. I am trying to set up a simple VRRP between two RBs. The problem is that when the master drops, the slave comes into play but the clients do not come back up.
The slave can ping out. I am not sure why this happens.
Master: 10.50.10.1/24
Slave: 10.50.10.2/24
VRRP LAN: 10.50.10.3/32 (mask disappears once set)
Same ID, same interval.

Slave is a clone from a backup so, both have DHCP server of 10.50.10.0/24.

ISP's modem has 4 wan ports so each RB is connected independently to the modem. Although, RBs receive different public IPs.

Does this have something to do with routes?
 
sindy
Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP Riddle [Help Needed]

Tue Aug 13, 2019 11:08 pm

If you have really restored a backup rather than imported an export, you have cloned also the MAC addresses, so this is the first point to clarify.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Lebzul
newbie
Topic Author
Posts: 44
Joined: Wed Feb 21, 2018 12:54 am

Re: VRRP Riddle [Help Needed]

Wed Aug 14, 2019 2:53 am

If you have really restored a backup rather than imported an export, you have cloned also the MAC addresses, so this is the first point to clarify.
Well, I did that. Export the Master backup, restore that backup using import from PC. Both RBs show their respective MAC addresses at Winbox.

I know that the gateway may be the problem. The VRRP is x.x.x.3.
I am using RB Master (which is x.x.x.1) as DNS and Webproxy servers. Both RBs have x.x.x.1 as gateways. Should I use x.x.x.3? If so, how can I bond the DNS and Webproxy seamlessly?
Can we use DHCP Relay as x.x.x.3 so VRRP works properly without distressing the static clients?

If previous is not possible, do we also have to delete the ClientIDs at Leases so VRRP can identify the devices?
 
sindy
Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP Riddle [Help Needed]

Wed Aug 14, 2019 2:11 pm

Well, I did that. Export the Master backup, restore that backup using import from PC. Both RBs show their respective MAC addresses at Winbox.
You can do either an import of an .rsc file (which is a plaintext script) or a restore of a .backup file (which is a compressed and ciphered binary file).
If you did the latter and it didn't rewrite the MAC addresses, something must have changed in the way the restore is done.

I know that the gateway may be the problem. The VRRP is x.x.x.3.
I am using RB Master (which is x.x.x.1) as DNS and Webproxy servers. Both RBs have x.x.x.1 as gateways. Should I use x.x.x.3?
I am lost. The idea of VRRP is that the addresses used by external devices are the virtual ones. So the two Mikrotiks using VRRP to back up each other should have their physical addresses e.g. like .253 and .254, and the virtual one should be .1. Or you have to configure the hosts (or the DHCP server) to have .3 as gateway and DNS.

You can use the virtual address as gateway for the other devices as a gateway is stateless. DNS is halfway to stateless - if the primary Tik stops responding and the DNS requests start coming to the secondary one, its cache will be empty so some DNS requests regarding records cached by the primary one will be forwarded to the upstream server, but the client won't notice anything but a slightly higher response time. But DHCP is completely stateful, so unless you'd find a way to synchronize the leases granted by the primary to the secondary (I don't know any such way), the clients may get different addresses from the secondary than those they got from the primary.

I don't use webproxy but I'd say it is similar to DNS behaviour; however, as you have different internet connection with a different public IP, existing connections will be broken and will have to be re-established by the client.

If so, how can I bond the DNS and Webproxy seemlessly?
As said above. DNS works the same from the perspective of the client regardless of which Tik the virtual IP is currently up on. Webproxy will work the same but existing TCP sessions will break when VRRP moves the virtual IP.

Can we use DHCP Relay as x.x.x.3 so VRRP works properly without distressing the static clients?
If you mean a DHCP relay from these Tiks to some external DHCP server, then it doesn't matter which of the Tiks forwards the client's requests. But it just moves the issue one floor higher - if that server dies, you're left without the DHCP service. So for full redundancy, you need two DHCP servers which synchronize the leases.

If previous is not possible, do we also have to delete the ClientIDs at Leases so VRRP can identify the devices?
VRRP does not know anything about DHCP or the external devices' IDs. It just moves the virtual addresses among the VRRP group members. If the virtual address migrates, the virtual MAC address migrates too, so the external devices do not notice a change. The VRRP group member which becomes active will have to use ARP to determine the MAC addresses of those external devices, but that's also nothing worth worrying about.
 
Lebzul
newbie
Topic Author
Posts: 44
Joined: Wed Feb 21, 2018 12:54 am

Re: VRRP Riddle [Help Needed]

Wed Aug 14, 2019 6:15 pm

First of all, I thank you for your dedication in explaining all of this. I beg your pardon first and foremost because I am struggling to figure everything out (I am a teacher, nothing related to networking).

You can do either an import of an .rsc file (which is a plaintext script) or a restore of a .backup file (which is a compressed and ciphered binary file).
If you did the latter and it didn't rewrite the MAC addresses, something must have changed in the way the restore is done.
Yes, I used the ".backup" one.

I am lost. The idea of VRRP is that the addresses used by external devices are the virtual ones. So the two Mikrotiks using VRRP to back up each other should have their physical addresses e.g. like .253 and .254, and the virtual one should be .1. Or you have to configure the hosts (or the DHCP server) to have .3 as gateway and DNS.
Yes, both Tiks have their respective addresses within the same network as the virtual one. They're like .1, .2, .3.
I was asking about the DHCP server because I use static clients and when the backup RB comes into play, it is not leasing properly. That's why I was wondering if it had something to do with the gateway. From what I've read, it's recommended to use the virtual one as the gateway so clients may connect properly. I am stuck around this point.

You can use the virtual address as gateway for the other devices as a gateway is stateless. DNS is halfway to stateless - if the primary Tik stops responding and the DNS requests start coming to the secondary one, its cache will be empty so some DNS requests regarding records cached by the primary one will be forwarded to the upstream server, but the client won't notice anything but a slightly higher response time. But DHCP is completely stateful, so unless you'd find a way to synchronize the leases granted by the primary to the secondary (I don't know any such way), the clients may get different addresses from the secondary than those they got from the primary.
So, the recommendation is to use both Tiks' own gateway addresses as DNS servers (which is how I've configured it right now for the Master)?
I tried last night to set the virtual one as the gateway for all clients and I noticed that the leases changed due to the ClientID, although I already had those clients set static.

I don't use webproxy but I'd say it is similar to DNS behaviour; however, as you have different internet connection with a different public IP, existing connections will be broken and will have to be re-established by the client.
Alright.

As said above. DNS works the same from the perspective of the client regardless of which Tik the virtual IP is currently up on. Webproxy will work the same but existing TCP sessions will break when VRRP moves the virtual IP.
Ok.

If you mean a DHCP relay from these Tiks to some external DHCP server, then it doesn't matter which of the Tiks forwards the client's requests. But it just moves the issue one floor higher - if that server dies, you're left without the DHCP service. So for full redundancy, you need two DHCP servers which synchronize the leases.
I was thinking of this in order to avoid messing with each Tiks server. I am not sure if using the Relay from the VRRP to save time and be messing around.

VRRP does not know anything about DHCP or the external devices' IDs. It just moves the virtual addresses among the VRRP group members. If the virtual address migrates, the virtual MAC address migrates too, so the external devices do not notice a change. The VRRP group member which becomes active will have to use ARP to determine the MAC addresses of those external devices, but that's also nothing worth worrying about.
Ok.

I haven't sung victory yet.
 
sindy
Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP Riddle [Help Needed]

Wed Aug 14, 2019 7:02 pm

I'm afraid you expect too much from VRRP. It provides nothing more than redundancy on a network segment where two (or more) physical devices can provide to other devices in the same network segment and IP subnet the service of a gateway (or other services which the clients need to contact on a static address regardless of which physical device provides it, like DNS in your case). It doesn't provide any means to synchronize the context of stateful services between the physical devices; outside the Mikrotik world, such solutions do exist but they complement, not use, VRRP. So if one of the physical devices has to provide the same services (beyond gateway for routing) as the other ones, it must be configured the same way; where context synchronization is required, Mikrotik is not your choice.

Also, in enterprise grade networking, where the LAN-facing side of the physical routers uses VRRP, their WAN-facing side usually uses some dynamic routing protocol and tracking of the VRRP state so that the machine on which the VRRP virtual address is up is advertised as a router to the LAN subnet towards the WAN side. This makes no sense in your case as your two WAN uplinks are SOHO type with a fixed address and NAT, but might be interesting for you if you had a redundant connection where dynamic routing protocol would be supported.

As for the DHCP server - you can run it at both the Tiks if you use non-overlapping address pools on them and provision the static leases at both. You could have address conflicts if the same address was leased to one host by one server, that server would die afterwards, and the other one would see that address as free and lease it to another host. But if you do it this way, you can as well attach the DHCP servers to the physical interfaces, not to the VRRP ones - when a client asks for the IP configuration, it broadcasts a DHCPDISCOVER request, and it must be able to handle answers from multiple servers.
 
Lebzul
newbie
Topic Author
Posts: 44
Joined: Wed Feb 21, 2018 12:54 am

Re: VRRP Riddle [Help Needed]

Wed Aug 14, 2019 8:48 pm

Thanks for the clarification.
Even though, my main reason using VRRP is to have active connections to the clients at home while "rebooting, moving or upgrading the main MK".
The rest could wait. So far, I haven't been able to make it work. I even tried lowering the lease time so MK2 could get fresh clients, but not even with that.
I'm stuck into this. I've read plenty about setting this up and people make it simple and easier but not sure why I am not able to do so.
Pulling in and out, rebooting, I managed to make my PC hold connection but not in my table or cellphone. That's why I'm not sure what's going on.
 
sindy
Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP Riddle [Help Needed]

Wed Aug 14, 2019 9:12 pm

I managed to make my PC hold connection but not in my table or cellphone.
Now wait. What does "hold connection" mean, and what is a "table" - a VoIP phone or a desktop PC? If the cellphone is connected using wireless as I suppose, there is not just the DHCP and gateway part, there is also the wireless authentication which cannot be inherited from one AP to another. So describe each case separately, and detail what "hold connection" means.
 
Lebzul
newbie
Topic Author
Posts: 44
Joined: Wed Feb 21, 2018 12:54 am

Re: VRRP Riddle [Help Needed]

Wed Aug 14, 2019 9:22 pm

I managed to make my PC hold connection but not in my table or cellphone.
Now wait. What does "hold connection" mean, and what is a "table" - a VoIP phone or a desktop PC? If the cellphone is connected using wireless as I suppose, there is not just the DHCP and gateway part, there is also the wireless authentication which cannot be inherited from one AP to another. So describe each case separately, and detail what "hold connection" means.
I meant with "hold connection" to be able to surf without problems (within 3-5 seconds after unplugging the Master MK) straight internet access.
I'm using my router with wireless DumbAP so clients go straight to MK.
Was a typo, it's "tablet".
 
sindy
Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP Riddle [Help Needed]

Wed Aug 14, 2019 9:38 pm

I meant with "hold connection" to be able to surf without problems (within 3-5 seconds after unplugging the Master MK) straight internet access.
OK, so not in the sense that you wouldn't have to re-establish the TCP connections.
I'm using my router with wireless DumbAP so clients go straight to MK.
So both the tablet and the mobile phone are connected to a wireless AP which just "translates wireless to Ethernet", but already the DHCP is running on the Tik. And there is a switch between the AP and the two Tiks so if one Tik is down the AP can still talk to the other one, correct?

Do the tablet and mobile phone have static leases reserved or do they get dynamic addresses? How long does it take them to recover, if they do at all? The point is that the client knows the IP of the server which has granted them the lease, and when it expires, the client first tries to renew it with that server before resorting to broadcasting again.

And, last point, have you changed the gateway and dns-server items in /dhcp server network to the virtual IP?
 
Lebzul
newbie
Topic Author
Posts: 44
Joined: Wed Feb 21, 2018 12:54 am

Re: VRRP Riddle [Help Needed]

Wed Aug 14, 2019 10:04 pm

OK, so not in the sense that you wouldn't have to re-establish the TCP connections.
Yes.

So both the tablet and the mobile phone are connected to a wireless AP which just "translates wireless to Ethernet", but already the DHCP is running on the Tik. And there is a switch between the AP and the two Tiks so if one Tik is down the AP can still talk to the other one, correct?
Yes. Like: ISP > MK1+MK2 > Switch > AP

Do the tablet and mobile phone have static leases reserved or do they get dynamic addresses? How long does it take them to recover, if they do at all? The point is that the client knows the IP of the server which has granted them the lease, and when it expires, the client first tries to renew it with that server before resorting to broadcasting again.
They do have static leases. Normal lease (10min). That may be the case. That's why lowering the leases to 5s didn't work.

And, last point, have you changed the gateway and dns-server items in /dhcp server network to the virtual IP?
I did change the gateway in both MK to the same virtual one without luck. I didn't try to change the DNS to the virtual, instead I kept both same gateways of the MKs as DNS.
 
Lebzul
newbie
Topic Author
Posts: 44
Joined: Wed Feb 21, 2018 12:54 am

Re: VRRP Riddle [Help Needed]

Thu Aug 15, 2019 7:55 pm

It must be something related to the VRRP and the DHCP.
 
Lebzul
newbie
Topic Author
Posts: 44
Joined: Wed Feb 21, 2018 12:54 am

Re: VRRP Riddle [Help Needed]

Fri Aug 16, 2019 10:07 pm

I haven't found a solution yet.
Any help will be appreciated.
 
sindy
Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP Riddle [Help Needed]

Fri Aug 16, 2019 10:12 pm

Post the current configuration of both the Mikrotiks.
 
Lebzul
newbie
Topic Author
Posts: 44
Joined: Wed Feb 21, 2018 12:54 am

Re: VRRP Riddle [Help Needed]

Sat Aug 17, 2019 1:50 am

 
sindy
Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP Riddle [Help Needed]

Sat Aug 17, 2019 12:32 pm

What I can see is that you now only deal with the static leases (as the parameter address-pool of /ip dhcp-server is set to the default value static-only), so the fact that the pools for dynamic leases are the same at both routers does not cause any trouble now.

But I can see that on the 450, the default gateway assigned to the DHCP clients is the physical 10.0.50.1, which means that the client devices lose it once that router goes down. On the 750, it is properly set to the virtual address 10.0.50.3. So set it to 10.0.50.3 also on the 450 under /ip dhcp-server network, enable the 450, wait until the DHCP client devices renew their leases while the 450 is enabled, and then disable/disconnect the 450 again. The mobile devices should continue to work normally, like the PC. Is my guess correct that you have set the IP configuration statically on the PC, with default gateway set to 10.0.50.3, whereas the tablet and phone get the gateway address via DHCP?

Off topic, what subject do you teach?
 
Lebzul
newbie
Topic Author
Posts: 44
Joined: Wed Feb 21, 2018 12:54 am

Re: VRRP Riddle [Help Needed]

Sat Aug 17, 2019 3:27 pm

What I can see is that you now only deal with the static leases (as the parameter address-pool of /ip dhcp-server is set to the default value static-only), so the fact that the pools for dynamic leases are the same at both routers does not cause any trouble now.
Yes, I use static to avoid messing with the queues and other stuff.

But I can see that on the 450, the default gateway assigned to the DHCP clients is the physical 10.0.50.1, which means that the client devices lose it once that router goes down. On the 750, it is properly set to the virtual address 10.0.50.3. So set it to 10.0.50.3 also on the 450 under /ip dhcp-server network, enable the 450, wait until the DHCP client devices renew their leases while the 450 is enabled, and then disable/disconnect the 450 again. The mobile devices should continue to work normally, like the PC. Is my guess correct that you have set the IP configuration statically on the PC, with default gateway set to 10.0.50.3, whereas the tablet and phone get the gateway address via DHCP?
Yes, I had to put the 450 back to gateway 10.0.10.1 from 10.0.10.3 in order to take a step back. The problem was that some devices renewed on the 450 (even though this last one was disconnected) and some others on the 750. Even waiting for the leases to be renewed. That was a mess. I didn't understand why some devices kept waiting for the 450 and not liking to the then active 750.
I have set all clients to static leases. Their addresses are set by DHCP, even my PC.

Off topic, what subject do you teach?
I teach English as a second language. I have done all my networking stuff by myself in a trial and error manner :) .
 
sindy
Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP Riddle [Help Needed]

Sun Aug 18, 2019 7:02 pm

The problem was that some devices renewed on the 450 (even though this last one was disconnected) and some others on the 750. Even waiting for the leases to be renewed. That was a mess. I didn't understand why some devices kept waiting for the 450 and not liking to the then active 750.
Attach the DHCP servers at both machines to the VRRP interface rather than the "physical" interface. The client remembers the IP address of the DHCP server from which it got the lease so it asks it for renewal using DHCPREQUEST to its individual (unicast) address before reverting to broadcasting a DHCPDISCOVER. And it may take a different time with different client implementations before the client gives up trying with the previous server and starts broadcasting again. If you attach the DHCP servers to the VRRP interfaces, only the DHCP server attached to the currently active VRRP interface will be active, but it will inherit the virtual IP address from the VRRP interface so the clients will get the virtual address not only as the default-gateway and dns-server one but also as the leasing-server one. It is still valid that the pools should not overlap to avoid conflicting addresses to be assigned.
 
Lebzul
newbie
Topic Author
Posts: 44
Joined: Wed Feb 21, 2018 12:54 am

Re: VRRP Riddle [Help Needed]

Tue Aug 20, 2019 1:09 am

Attach the DHCP servers at both machines to the VRRP interface rather than the "physical" interface. The client remembers the IP address of the DHCP server from which it got the lease so it asks it for renewal using DHCPREQUEST to its individual (unicast) address before reverting to broadcasting a DHCPDISCOVER. And it may take a different time with different client implementations before the client gives up trying with the previous server and starts broadcasting again. If you attach the DHCP servers to the VRRP interfaces, only the DHCP server attached to the currently active VRRP interface will be active, but it will inherit the virtual IP address from the VRRP interface so the clients will get the virtual address not only as the default-gateway and dns-server one but also as the leasing-server one. It is still valid that the pools should not overlap to avoid conflicting addresses to be assigned.
Ok, let me wrap this scenario (I don't want to mess the network):
First, set the DHCP server to the VRRP interface.
Then, let clients pick up the addresses given by the VRRP.

Do I also have to make the DHCP server gateway eg 10.50.10.3 to both Tiks? Or just leave each one with their own gateways.
In regards to DNS, Tik1 has DNS server (10.50.10.1) should I leave it as it is or make VRRP also to be the DNS server?
 
sindy
Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP Riddle [Help Needed]

Tue Aug 20, 2019 7:12 am

Both the gateway and the dns-server in the /ip dhcp-server network shall also be set to the virtual address 10.50.10.3 so that nothing changes from the client's perspective when the virtual address migrates between the physical devices.
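The advice in the last two replies (DHCP server attached to the VRRP interface on both routers, gateway and dns-server in /ip dhcp-server network set to the virtual address, non-overlapping dynamic pools, static leases provisioned on both) put together as an added RouterOS configuration example. This is not a configuration anyone posted in this thread. It uses the thread's addresses (10.50.10.1 and 10.50.10.2 physical, 10.50.10.3 virtual) and assumes the LAN is on ether2 on both routers; the interface name, pool ranges, VRRP priorities and the sample MAC address are placeholders.

```routeros
# Added example, not from this thread. One fragment per router, /export style.
# Assumed: LAN on ether2 on both boxes; pool ranges, priorities and the MAC are placeholders.

# ---- Router A (intended master: higher priority wins the election) ----
/interface vrrp
add name=vrrp1 interface=ether2 vrid=1 priority=254 interval=1s
/ip address
add address=10.50.10.1/24 interface=ether2 comment="physical address, stays with this box"
add address=10.50.10.3/32 interface=vrrp1 comment="virtual address, follows whoever is VRRP master"
/ip pool
add name=dhcp-a ranges=10.50.10.100-10.50.10.149 comment="must not overlap router B's pool"
/ip dhcp-server
# Bound to vrrp1, so this server only answers while this box holds the virtual address,
# and the lease's server-identifier seen by clients is 10.50.10.3, not 10.50.10.1.
add name=dhcp-a interface=vrrp1 address-pool=dhcp-a lease-time=10m disabled=no
/ip dhcp-server network
add address=10.50.10.0/24 gateway=10.50.10.3 dns-server=10.50.10.3
/ip dhcp-server lease
add address=10.50.10.20 mac-address=AA:BB:CC:00:00:01 server=dhcp-a comment="same static lease on both routers"

# ---- Router B (backup: same vrid and interval, lower priority) ----
/interface vrrp
add name=vrrp1 interface=ether2 vrid=1 priority=100 interval=1s
/ip address
add address=10.50.10.2/24 interface=ether2
add address=10.50.10.3/32 interface=vrrp1
/ip pool
add name=dhcp-b ranges=10.50.10.150-10.50.10.199 comment="disjoint from router A's pool"
/ip dhcp-server
add name=dhcp-b interface=vrrp1 address-pool=dhcp-b lease-time=10m disabled=no
/ip dhcp-server network
add address=10.50.10.0/24 gateway=10.50.10.3 dns-server=10.50.10.3
/ip dhcp-server lease
add address=10.50.10.20 mac-address=AA:BB:CC:00:00:01 server=dhcp-b
```

Because the DHCP server sits on vrrp1, clients record 10.50.10.3 as the server that issued their lease, so the unicast DHCPREQUEST they send at renewal time reaches whichever router currently holds the virtual address instead of a dead physical one. The static lease has to exist on both routers with the same address. If, as in the configuration posted earlier in the thread, address-pool=static-only is used, the dynamic pools are never drawn from and the overlap concern disappears, but keeping them disjoint costs nothing.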
 
Lebzul
newbie
Topic Author
Posts: 44
Joined: Wed Feb 21, 2018 12:54 am

Re: VRRP Riddle [Help Needed]

Tue Aug 20, 2019 4:53 pm

I did everything suggested but it is not working properly. Some routers (OpenWrt) receive their leases fine but the following happens. I can ping them a few seconds after the Tik reboots but I get timeouts a few seconds after they receive the lease. OpenWrt receives the default VRRP gateway and DNS fine. I can even ping from within the OpenWrt to check the internet and it works fine, but I am totally confused about this behavior.



Offtopic: From the given config that I posted a few posts before, what things do you see I can improve or polish?
 
sindy
Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP Riddle [Help Needed]

Tue Aug 20, 2019 10:57 pm

I did everything suggested but it is not working properly. Some routers (OpenWrt) receive their leases fine but the following happens. I can ping them a few seconds after the Tik reboots but I get timeouts a few seconds after they receive the lease. OpenWrt receives the default VRRP gateway and DNS fine. I can even ping from within the OpenWrt to check the internet and it works fine, but I am totally confused about this behavior.
To double-check: pinging anything (the VRRP address itself, or anything in the internet, like 8.8.8.8 or 9.9.9.9) from the OpenWRT works fine, but pinging the OpenWRT's leased address from the Mikrotik on which the VRRP floating address is currently up only works for a short while after rebooting the Tik? If this is the case, can you start the ping this way, let it run, and then in another window run ip firewall connection print detail where protocol=icmp and post the result?

Offtopic: From the given config that I posted a few posts before, what things do you see I can improve or polish?
  • stop using PPTP - it provides no actual security and no known advantage as compared to L2TP, except that recent updates of Windows 10 have broken L2TP/IPsec functionality whilst PPTP seems to have survived
  • to post configurations, place them between [code] and [/code] tags directly to the post; if you upload them as files, use plain text format, not .doc or .docx as there are no attributes of the text for whose transport you'd need the extra capabilities of these formats, and most people with basic awareness of network security do not download files in these formats from unknown sources as they have a history of being used to convey malware
  • it is useless to create a static dhcp lease for the virtual VRRP address - should not be harmful though
  • it is a bad idea to have overlapping IP address pools (the one for dhcp and the one for ppp clients), I'm not sure how the machine coordinates leases from different pools
  • it is better not to assign to PPP clients addresses from local LAN subnets as it makes it necessary to activate arp-proxy on the LAN interfaces from these subnets, and arp-proxy is not selective (you cannot say for which destination connected subnets it should work and for which it should not)
  • I personally prefer firewalls which drop everything except what you selectively permit to firewalls which permit everything what you selectively drop. If you forget to permit anything, your legal users will come to complain quickly; if you forget to drop something, your illegal users will never complain
  • check the idea of a stateful firewall - it allows you to only carefully inspect the first packet of each new connection, the second and further packets of connections whose first packets you've let through will be handled by a single rule (action=accept connection-state=established,related) at the top of each chain, lowering the CPU consumption on firewalling. This may not be exactly true where connection tracking (which is the key element of a stateful firewall) is not activated, as connection-tracking itself is quite CPU-intensive, but whenever you use NAT, connection tracking gets activated anyway so no point in ignoring it in filter
  • there is no need to specify to-ports in action=dst-nat rules if the to-ports value equals the dst-port value - but it's not harmful
  • if you ever start using ssh, only use allow-none-crypto=yes if really necessary (which means never unless you're the guy who asked for it to be implemented) and use strong-crypto=yes
  • only enable upnp if you really cannot live without it as it is a security disaster
  • tidy up after tests - /ipv6 route add distance=1 gateway=*5 shows that there used to be some interface which you've removed later (supposedly a 6to4 one)
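An added example of the drop-by-default, stateful filter the list above argues for (one established,related accept at the top of each chain, then only explicitly permitted new connections), together with the ssh and UPnP settings it mentions. This is not the poster's configuration from this thread. The interface list names LAN and WAN and the port mapping (ether1 towards the ISP modem, ether2 towards the LAN switch) are assumptions.

```routeros
# Added example, not from this thread. Assumed: WAN on ether1, LAN on ether2.
/interface list
add name=LAN
add name=WAN
/interface list member
add list=LAN interface=ether2
add list=WAN interface=ether1

/ip firewall filter
# Input chain: traffic addressed to the router itself.
# The first rule handles every packet after the first one of a tracked connection,
# so the rules below it only ever see the first packet of a new connection.
add chain=input action=accept connection-state=established,related comment="stateful fast path"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="ping and path-MTU feedback"
add chain=input action=accept in-interface-list=LAN comment="management (and VRRP peer traffic) only from the LAN side"
add chain=input action=drop comment="anything not permitted above"

# Forward chain: traffic routed through the router.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN may open connections to the internet"
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN comment="only port-forwarded connections enter from WAN"
add chain=forward action=drop

# Items from the same list: no null ciphers on ssh, and no UPnP.
/ip ssh
set strong-crypto=yes allow-none-crypto=no
/ip upnp
set enabled=no
```

One caveat specific to this thread's setup: the two routers keep each other informed through VRRP advertisements, which are IP protocol 112 multicasts arriving on the LAN-facing interface, so the rule accepting input from the LAN list has to stay above the final drop. A default-drop input chain that does not admit them makes the backup believe the master is gone, and both boxes then claim the virtual address.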
 
Sob
Forum Guru
Posts: 4411
Joined: Mon Apr 20, 2009 9:11 pm

Re: VRRP Riddle [Help Needed]

Tue Aug 20, 2019 11:16 pm

... arp-proxy is not selective (you cannot say which for which destination connected subnets it should work and for which it should not)
Selective form of proxy ARP does exist:
/ip arp
add address=192.168.10.254 interface=bridge published=yes
(bridge has 192.168.10.0/24 and standard arp=enabled, VPN client has 192.168.10.254)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
sindy
Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP Riddle [Help Needed]

Wed Aug 21, 2019 12:13 am

Yeah, but that's a manual arp record per each individual IP... so you'd need the on-up/on-down scripts in /ppp profile to add/remove it, or to add it once for each address from the pool used for ppp clients, so a source of headache if you extend the pool and forget to add arp records, or even worse if you shrink the pool and forget to remove them... so keeping the ppp pools separate from LAN subnets seems so much simpler to understand and manage to me. I know, Windows and their L2 transparency requirements for some services to work, is that real or an urban legend? arp-proxy doesn't mean a real L2 transparency (no need to tell you) so what's the real merit?
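The alternative sindy keeps recommending, a PPP pool outside the LAN subnet so that no proxy-arp and no per-address published ARP entries are needed, as an added RouterOS example that is not from this thread. It assumes a 10.50.10.0/24 LAN on ether2 and a 10.50.15.0/24 VPN range, L2TP/IPsec as the VPN service, and placeholder credentials (REPLACE_USER, REPLACE_PASSWORD, REPLACE_PSK).

```routeros
# Added example, not from this thread. Assumed: LAN 10.50.10.0/24 on ether2,
# VPN clients in 10.50.15.0/24, placeholder secrets to be replaced.
/ip pool
add name=vpn-pool ranges=10.50.15.2-10.50.15.254 comment="outside the LAN subnet on purpose"
/ppp profile
add name=l2tp-profile local-address=10.50.15.1 remote-address=vpn-pool use-encryption=required
/ppp secret
add name=REPLACE_USER password=REPLACE_PASSWORD profile=l2tp-profile service=l2tp
/interface l2tp-server server
set enabled=yes default-profile=l2tp-profile use-ipsec=yes ipsec-secret=REPLACE_PSK

# Both subnets are directly connected to this router, so it routes between them
# with no extra routes and no proxy-arp; the LAN interface keeps plain ARP.
/interface ethernet
set ether2 arp=enabled
/ip firewall filter
add chain=forward action=accept src-address=10.50.15.0/24 dst-address=10.50.10.0/24 comment="VPN clients to LAN hosts, routed"
add chain=forward action=accept src-address=10.50.10.0/24 dst-address=10.50.15.0/24 comment="LAN hosts to VPN clients, routed"
```

LAN hosts reach 10.50.15.x through their default gateway, which is the router itself, so nothing on the LAN side has to answer ARP on a VPN client's behalf. What this does not give is L2 adjacency: a host firewall that only admits its own subnet (the point Sob raises about Windows defaults) needs an explicit rule for 10.50.15.0/24, and LAN-only discovery protocols will not see the VPN clients.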
 
Sob
Forum Guru
Posts: 4411
Joined: Mon Apr 20, 2009 9:11 pm

Re: VRRP Riddle [Help Needed]

Wed Aug 21, 2019 12:41 am

Something does (or at least did, I haven't checked it lately) depend on L2, some local name resolution, discovery of other computers (shown in network neighborhood), possibly other stuff. I used overlapping subnets with proxy ARP in the past, but I'm not really sure anymore why I was doing that. It breaks L2 anyway. Could it be that I was just lazy to reconfigure the default firewall that allows access to some services only from the local (same) subnet? :) I sometimes use published ARP when I need to "move" a public address elsewhere using a tunnel (when it's not independently routed to the router).
 
Lebzul
newbie
Topic Author
Posts: 44
Joined: Wed Feb 21, 2018 12:54 am

Re: VRRP Riddle [Help Needed]

Thu Aug 22, 2019 2:34 am

  • stop using PPTP - it provides no actual security and no known advantage as compared to L2TP, except that recent updates of Windows 10 have broken L2TP/IPsec functionality whilst PPTP seems to have survived
Yes, I had it there because of Windows. For others, I use L2TP.

  • to post configurations, place them between [code] and [/code] tags directly to the post; if you upload them as files, use plain text format, not .doc or .docx as there are no attributes of the text for whose transport you'd need the extra capabilities of these formats, and most people with basic awareness of network security do not download files in these formats from unknown sources as they have a history of being used to convey malware
I know for next time.

  • it is useless to create a static dhcp lease for the virtual VRRP address - should not be harmful though
I used to use it because I don't want my cousins to connect extra devices. What should I do then?

  • it is a bad idea to have overlapping IP address pools (the one for dhcp and the one for ppp clients), I'm not sure how the machine coordinates leases from different pools
I had to do it in order to "see" my routers. Also, I had to activate Proxy-Arp in LAN.

  • it is better not to assign to PPP clients addresses from local LAN subnets as it makes it necessary to activate arp-proxy on the LAN interfaces from these subnets, and arp-proxy is not selective (you cannot say for which destination connected subnets it should work and for which it should not)
Is there another simple way rather than using p-arp? Let's say, I want 10.50.10.x (LAN) pool to communicate to 10.50.15.x (VPN) but couldn't figure it out.

  • I personally prefer firewalls which drop everything except what you selectively permit to firewalls which permit everything what you selectively drop. If you forget to permit anything, your legal users will come to complain quickly; if you forget to drop something, your illegal users will never complain
Not sure what to do here.

  • check the idea of a stateful firewall - it allows you to only carefully inspect the first packet of each new connection, the second and further packets of connections whose first packets you've let through will be handled by a single rule (action=accept connection-state=established,related) at the top of each chain, lowering the CPU consumption on firewalling. This may not be exactly true where connection tracking (which is the key element of a stateful firewall) is not activated, as connection-tracking itself is quite CPU-intensive, but whenever you use NAT, connection tracking gets activated anyway so no point in ignoring it in filter
I need to understand this later. Not clear to my actual knowledge.

  • there is no need to specify to-ports in action=dst-nat rules if the to-ports value equals the dst-port value - but it's not harmful
Oh, I didn't know this.

  • if you ever start using ssh, only use allow-none-crypto=yes if really necessary (which means never unless you're the guy who asked for it to be implemented) and use strong-crypto=yes
I haven't used SSH.

  • only enable upnp if you really cannot live without it as it is a security disaster
I activated this so I can have NAT=Open in PS4 and Xbox. Otherwise, "strict" or "moderate" in best cases.

  • tidy up after tests - /ipv6 route add distance=1 gateway=*5 shows that there used to be some interface which you've removed later (supposedly a 6to4 one)
No ipv6 in my ISP so far.


Thanks for taking the time explaining all of this.
 
sindy
Forum Guru
Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP Riddle [Help Needed]

Thu Aug 22, 2019 9:58 pm

  • it is a bad idea to have overlapping IP address pools (the one for dhcp and the one for ppp clients), I'm not sure how the machine coordinates leases from different pools
I had to do it in order to "see" my routers. Also, I had to activate Proxy-Arp in LAN.
  • it is better not to assign to PPP clients addresses from local LAN subnets as it makes it necessary to activate arp-proxy on the LAN interfaces from these subnets, and arp-proxy is not selective (you cannot say for which destination connected subnets it should work and for which it should not)
Is there another simple way rather than using p-arp? Let's say, I want 10.50.10.x (LAN) pool to communicate to 10.50.15.x (VPN) but couldn't figure it out.
That must be a firewall issue then. Without any firewall rules configured, a router routes automatically between all its connected subnets, without need to configure anything. If you place the ppp clients' addresses into LAN subnet, the LAN hosts assume that they can reach them using L2, so instead of routing packets to them via a gateway, they send an ARP request, assuming that the destination host will respond. So the router has to respond instead of the destination host, thus making the sending host send the packet to the router.

  • I personally prefer firewalls which drop everything except what you selectively permit to firewalls which permit everything what you selectively drop. If you forget to permit anything, your legal users will come to complain quickly; if you forget to drop something, your illegal users will never complain
Not sure what to do here.
  • check the idea of a stateful firewall - it allows you to only carefully inspect the first packet of each new connection, the second and further packets of connections whose first packets you've let through will be handled by a single rule (action=accept connection-state=established,related) at the top of each chain, lowering the CPU consumption on firewalling. This may not be exactly true where connection tracking (which is the key element of a stateful firewall) is not activated, as connection-tracking itself is quite CPU-intensive, but whenever you use NAT, connection tracking gets activated anyway so no point in ignoring it in filter
I need to understand this later. Not clear to my actual knowledge.
A "connection" is a logical abstraction of different types of packet exchanges, the details depend on particular protocol used. So a "connection" in this sense can be a TCP session, an ICMP echo request/echo response exchange, a bi-directional UDP stream such as RTP of a VoIP call, a bi-directional GRE stream... Each packet which arrives to the firewall is compared to a list of existing connections; if its source and destination addresses and ports (or other flow identifiers in case of protocols which do not use the notion of ports but do contain some fields applicable for such purpose) match one of them, the packet is deemed part of that connection and flagged with connection-state=established. A packet which doesn't match any existing connection is inspected for capability to initiate a new connection; if it qualifies, it is flagged with connection-state=new, otherwise it is flagged with connection-state=invalid. If a packet flagged with connection-state=new is accepted by the firewall filter, a corresponding record in the connection table is created. Packets flagged with connection-state=new are also handled by the rules in /ip firewall nat; all the packets belonging to existing connections are src-nated or dst-nated (and un-src-nated and un-dst-nated in the opposite direction) based on the result of handling of the initial packet which is stored in the record representing the connection.

So the whole firewall then only needs to inspect in detail the initial packet of each connection; all the subsequent ones are handled by just a single rule (or by no rule at all if fasttracking is used).
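The connection-state flagging (established / new / invalid) and the "accept established at the top, inspect only the initial packet, drop everything not explicitly permitted" ordering described in the two posts above, modelled as an added toy example (not RouterOS code and not from the thread). The flow key, the list of permitted new connections and the sample packets are constructed for illustration; "related" tracking (helper-protocol connections) is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # for icmp: echo identifier
    dst: str
    dport: int
    flags: str = "" # tcp flags ("S", "SA", "A") or icmp type name

class ConnTracker:
    """Toy model of connection tracking as the post describes it: each packet is
    compared to the table of known connections; packets of unknown connections
    are classified as able to open a connection (new) or not (invalid)."""
    def __init__(self):
        self.table = set()   # constructed key: the two endpoints of a connection

    def key(self, p):
        # Same set for both directions, so the reply packet matches the record.
        return frozenset({(p.proto, p.src, p.sport), (p.proto, p.dst, p.dport)})

    def state(self, p):
        if self.key(p) in self.table:
            return "established"
        can_open = (p.proto == "tcp" and p.flags == "S") or p.proto == "udp" \
            or (p.proto == "icmp" and p.flags == "echo-request")
        return "new" if can_open else "invalid"

    def record(self, p):
        # A record is created only once the filter accepted the new packet.
        self.table.add(self.key(p))

# Constructed allow-list: the only new connections we selectively permit.
ALLOW_NEW = {("tcp", 22), ("tcp", 443)}

def filter_packet(ct, p):
    """Returns the verdict for one packet, rules in the order the post suggests."""
    st = ct.state(p)
    if st == "established":          # the single rule at the top of the chain
        return "accept"
    if st == "invalid":              # cannot belong to or open any connection
        return "drop"
    if (p.proto, p.dport) in ALLOW_NEW:   # detailed inspection of the first packet
        ct.record(p)
        return "accept"
    return "drop"                    # default-drop: nothing else is permitted
```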
