1) That's the virtual IP address shared by the routers. Whichever router is the master has that IP address; when the master goes down, a backup router jumps in and takes over for that IP address. This IP is separate from the unique IPs each router also needs. A common design is to have .1 be the virtual, and have .2 and .3 assigned to the two routers.
2) the virtual IP address can't be assigned via DHCP. It has to be the same on both routers. A DHCP server wouldn't give two hosts the same IP address. Therefore you can't use DHCP to assign the virtual VRRP IP address. It doesn't make sense to use DHCP, anyway. VRRP is a first hop redundancy protocol, meaning that it provides redundancy for the gateway IP addresses clients behind the routers use. Obviously you wouldn't want this IP address to change, so it doesn't make sense to ever use anything but a static IP address for this.
3) That is sufficient. You could lock it down even further by only allowing the VRRP protocol between the well-known VRRP multicast IP address (224.0.0.18) and the unique server IPs.
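The lock-down described in point 3, as an added example that is not part of the original post: a Python check that accepts VRRP (IP protocol 112) only when it goes from a router's unique IP to 224.0.0.18. The 192.0.2.x addresses and all function names are assumptions, and the TTL 255 test goes beyond the post (it is the value RFC 5798 requires for advertisements).

```python
import ipaddress
import struct

VRRP_PROTO = 112  # IP protocol number assigned to VRRP
VRRP_GROUP = ipaddress.ip_address("224.0.0.18")
# Assumed addressing: the ".1 virtual, .2 and .3 routers" design from the post,
# placed in the 192.0.2.0/24 documentation range (constructed values).
ROUTER_IPS = {ipaddress.ip_address("192.0.2.2"), ipaddress.ip_address("192.0.2.3")}


def parse_ipv4(header: bytes):
    """Return (ttl, proto, src, dst) from the fixed 20-byte part of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ttl, proto = header[8], header[9]
    return ttl, proto, ipaddress.ip_address(header[12:16]), ipaddress.ip_address(header[16:20])


def vrrp_verdict(header: bytes) -> str:
    """Accept VRRP only from a known router to the VRRP group; drop any other VRRP."""
    try:
        ttl, proto, src, dst = parse_ipv4(header)
    except ValueError:
        return "drop"
    if proto != VRRP_PROTO:
        return "pass"  # not VRRP: left to the rest of the ruleset
    if dst != VRRP_GROUP or src not in ROUTER_IPS:
        return "drop"
    # A TTL below 255 means the packet is not a valid on-link advertisement.
    return "accept" if ttl == 255 else "drop"


def build_header(src: str, dst: str, proto: int, ttl: int) -> bytes:
    """Constructed sample IPv4 header (checksum left at zero; it is not checked here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


if __name__ == "__main__":
    samples = [("192.0.2.2", "224.0.0.18", 112, 255),   # legitimate peer
               ("192.0.2.50", "224.0.0.18", 112, 255),  # VRRP from a non-router host
               ("192.0.2.3", "224.0.0.18", 112, 64),    # wrong TTL
               ("192.0.2.50", "192.0.2.1", 6, 64)]      # ordinary TCP to the gateway
    for sample in samples:
        print(sample, "->", vrrp_verdict(build_header(*sample)))
```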
1) That's what I'm currently testing (.1 as virtual, .2 and .3 for routers). A few questions: which interface should I assign the DHCP server on? The actual interface on which VRRP is on (vlan1), or the VRRP interface (VRRP-vlan1)? What about the firewall: will packets coming in be classified as incoming interface VRRP-vlan1 or just vlan1?
2) Wouldn't DHCP always assign the same IP to both routers on the VRRP interface, since the MAC of the VRRP interface is the same on both routers?