Hey guys,

1) In VRRP and VRRP Examples on the wiki it says that a VRRP interface must have an IP with a /32 mask? Why is this?
2) What about DHCP client on a VRRP interface? (when DHCP assigns a different mask then /32)
3) What protocols and ports in firewall does VRRP need? I figured out it will need VRRP Protocol and IPSec-AH when using v2 with AH authentication. Anything else?

Thanks,

tom

1) that's the virtual IP address shared by the routers. Whichever router is the master has that IP address, when the master goes down a backup router jumps in and takes over for that IP address. This IP is separate from the unique IPs each router also needs. A common design is to have .1 be the virtual, and have .2 and .3 assigned to the two routers.
2) the virtual IP address can't be assigned via DHCP. It has to be the same on both routers. A DHCP server wouldn't give two hosts the same IP address. Therefore you can't use DHCP to assign the virtual VRRP IP address. It doesn't make sense to use DHCP, anyway. VRRP is a first hop redundancy protocol, meaning that it provides redundancy for the gateway IP addresses clients behind the routers use. Obviously you wouldn't want this IP address to change, so it doesn't make sense to ever use anything but a static IP address for this.
3) that is sufficient. You could lock it down even further by only allowing the VRRP protocol between the well known VRRP multicast IP address (224.0.0.18) and the unique server IPs.

1) that's the virtual IP address shared by the routers. Whichever router is the master has that IP address, when the master goes down a backup router jumps in and takes over for that IP address. This IP is separate from the unique IPs each router also needs. A common design is to have .1 be the virtual, and have .2 and .3 assigned to the two routers.
2) the virtual IP address can't be assigned via DHCP. It has to be the same on both routers. A DHCP server wouldn't give two hosts the same IP address. Therefore you can't use DHCP to assign the virtual VRRP IP address. It doesn't make sense to use DHCP, anyway. VRRP is a first hop redundancy protocol, meaning that it provides redundancy for the gateway IP addresses clients behind the routers use. Obviously you wouldn't want this IP address to change, so it doesn't make sense to ever use anything but a static IP address for this.
3) that is sufficient. You could lock it down even further by only allowing the VRRP protocol between the well known VRRP multicast IP address (224.0.0.18) and the unique server IPs.

1) Thats what im currently testing. (.1 as virtual , .2 and .3 for routers) Few questions: which interface should I assigned DHCP server on? The actual interface on which VRRP is on (vlan1), or to the VRRP interface (VRRP-vlan1)? What about firewall, will packets coming in be classified as incoming interface VRRP-vlan1 or just vlan1?
2) Wouldnt DHCP always assign the same IP to both routers on the VRRP interface, since the MAC of the VRRP interface is the same on both routers?

Question now with 120% visual examples



What about this case? I need DHCP and VRRP in order to get redundancy and for my internet to work if one of the RBs fail.

Since the VRRP interfaces on both RBs have the same MAC, the ISP would always give me the same IP. In order for VRRP to work I still need the individual router IPs and then a router IP which acts as the virtual router for ether10. I am testing this setup right now, and it seems working, with VRRP doing what its supposed to do and getting the same IP on ether10 from my DHCP and failover is working as well.

Ah, that makes more sense - VRRP on two different interfaces.

I have no practical experience with doing that on RouterOS (I run the WAN interfaces separately and not against a shared UP) and guessing won't help you, so I'm afraid I can't be of much help here.