LukasSVK
newbie
Topic Author
Posts: 40
Joined: Tue Dec 07, 2010 1:57 am
Location: Bratislava, Slovakia

VRRP with only virtual IP

Sun Jan 15, 2012 1:19 am

Hello, I plan to implement VRRP for customer redundancy but have a problem with free IPs in the customer subnet.
Is there a way to implement this without 2 additional real/free IPs from the customer subnet?

I tested the following configuration:

Master: ROS 5.11, RB450G
Backup: ROS 5.11, RB750G

Master - RouterA:

[admin@RouterA] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 R ether1-uplink ether 1500 1520 1520
1 R ether2-downlink ether 1500 1520 1520
2 ether3-local ether 1500 1520 1520
3 ether4-local ether 1500 1520 1520
4 ether5-local ether 1500 1520 1520
5 R vrrp1-uplink vrrp 1500
6 R vrrp2-donwlink vrrp 1500
[admin@RouterA] >

[admin@RouterA] > /interface vrrp print
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
# NAME INTERFACE MAC-ADDRESS VRID PRIORITY INTERVAL VERSION V3-PROTOCOL
0 RM vrrp1-uplink ether1-uplink 00:00:5E:00:01:01 1 250 1s 3 ipv4
1 RM vrrp2-donwlink ether2-downlink 00:00:5E:00:01:02 2 250 1s 3 ipv4

[admin@RouterA] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; WAN VRRP Address
192.168.1.2/24 192.168.1.0 vrrp1-uplink
1 ;;; WAN Blind REAL
1.1.1.2/24 1.1.1.0 ether1-uplink
2 ;;; LAN VRRP
192.168.88.1/24 192.168.88.0 vrrp2-donwlink
3 ;;; WAN Blind VRRP
1.1.1.1/32 1.1.1.1 vrrp1-uplink
4 ;;; LAN Blind REAL
2.2.2.2/24 2.2.2.0 ether2-downlink
5 ;;; LAN Blind VRRP
2.2.2.1/32 2.2.2.1 vrrp2-donwlink

[admin@RouterA] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=src-nat to-addresses=192.168.1.2 src-address=192.168.88.0/24 out-interface=vrrp1-uplink

Backup - RouterB:

[admin@RouterB] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 R ether1-uplink ether 1500 1520 1520
1 R ether2-downlink ether 1500 1520 1520
2 ether3-slave-local ether 1500 1520 1520
3 ether4-slave-local ether 1500 1520 1520
4 ether5-slave-local ether 1500 1520 1520
5 vrrp1-uplink vrrp 1500
6 vrrp2-downlink vrrp 1500


[admin@RouterB] /interface vrrp> print
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
# NAME INTERFACE MAC-ADDRESS VRID PRIORITY INTERVAL VERSION V3-PROTOCOL
0 B vrrp1-uplink ether1-uplink 00:00:5E:00:01:01 1 100 1s 3 ipv4
1 B vrrp2-downlink ether2-downlink 00:00:5E:00:01:02 2 100 1s 3 ipv4

[admin@RouterB] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; WAN Blind REAL
1.1.1.3/24 1.1.1.0 ether1-uplink
1 ;;; WAN VRRP
192.168.1.2/24 192.168.1.0 vrrp1-uplink
2 ;;; LAN VRRP
192.168.88.1/24 192.168.88.0 vrrp2-downlink
3 ;;; WAN Blind VRRP
1.1.1.1/32 1.1.1.1 vrrp1-uplink
4 ;;; LAN Blind REAL
2.2.2.3/24 2.2.2.0 ether2-downlink
5 ;;; LAN Blind VRRP
2.2.2.1/32 2.2.2.1 vrrp2-downlink

[admin@RouterB] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=src-nat to-addresses=192.168.1.2 src-address=192.168.88.0/24 out-interface=vrrp1-uplink

This seems to be working. So my question is: must the real IP be from the same subnet as the virtual IP? Can someone test this? Thanks.
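
Added example (not part of the original posts): a Python check that reads the two RouterA listings from the post above and reports, for each address on a VRRP interface, whether the parent Ethernet interface holds a real address in the same subnet. The function names are this example's own; it shows that only the "Blind" /32 addresses share a subnet with a real address, while the customer-facing virtual IPs do not.

```python
import ipaddress
import re

# RouterA's listings, copied from the post above.
VRRP_PRINT = """\
0 RM vrrp1-uplink ether1-uplink 00:00:5E:00:01:01 1 250 1s 3 ipv4
1 RM vrrp2-donwlink ether2-downlink 00:00:5E:00:01:02 2 250 1s 3 ipv4
"""
ADDRESS_PRINT = """\
0 ;;; WAN VRRP Address
192.168.1.2/24 192.168.1.0 vrrp1-uplink
1 ;;; WAN Blind REAL
1.1.1.2/24 1.1.1.0 ether1-uplink
2 ;;; LAN VRRP
192.168.88.1/24 192.168.88.0 vrrp2-donwlink
3 ;;; WAN Blind VRRP
1.1.1.1/32 1.1.1.1 vrrp1-uplink
4 ;;; LAN Blind REAL
2.2.2.2/24 2.2.2.0 ether2-downlink
5 ;;; LAN Blind VRRP
2.2.2.1/32 2.2.2.1 vrrp2-donwlink
"""

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
ADDR_RE = re.compile(r"^\s*(?:\d+\s+)?(?:[XID]+\s+)?(\d+(?:\.\d+){3}/\d+)\s+\S+\s+(\S+)\s*$")

def vrrp_parents(text):
    """Map VRRP interface -> parent interface (the two columns before the MAC)."""
    parents = {}
    for fields in map(str.split, text.splitlines()):
        for i, field in enumerate(fields):
            if i >= 2 and MAC_RE.match(field):
                parents[fields[i - 2]] = fields[i - 1]
    return parents

def addresses(text):
    """Map interface -> list of IPv4Interface; comment lines are skipped."""
    found = {}
    for m in filter(None, map(ADDR_RE.match, text.splitlines())):
        found.setdefault(m.group(2), []).append(ipaddress.ip_interface(m.group(1)))
    return found

def classify_virtual_ips(vrrp_text, addr_text):
    """(vrrp_if, address) -> True if a real parent address shares its subnet."""
    addrs, report = addresses(addr_text), {}
    for vrrp_if, parent in vrrp_parents(vrrp_text).items():
        real_nets = [a.network for a in addrs.get(parent, [])]
        for vip in addrs.get(vrrp_if, []):
            report[(vrrp_if, str(vip))] = any(vip.ip in n for n in real_nets)
    return report
```

Calling classify_virtual_ips(VRRP_PRINT, ADDRESS_PRINT) returns a dictionary keyed by (VRRP interface, address); a False value marks a virtual IP with no same-subnet real address on its parent interface.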
 
jvr
just joined
Posts: 10
Joined: Tue May 17, 2011 7:12 pm

Re: VRRP with only virtual IP

Fri Mar 30, 2012 7:14 am

I was just working on this myself. In my lab setup I've got a pair of routers doing VRRP on the ether2 interface while the ether1 interfaces on both connect back into an OSPF mesh. I set up ether2 with the addresses of 10.10.10.1/30 and 10.10.10.2/30 and gave the VRRP interface the address of 10.100.100.1/24. From all the testing I've done they work as they should, including the router in the backup state not advertising the route for the virtual IP network into OSPF unless it becomes the master.

When I was looking through all of the documentation I noticed that all of the examples always show the 3 IPs involved as being in the same subnet. Nowhere, however, does it say you CAN'T have the virtual IP in a different subnet from the interface IPs. I just wonder if it's something that will bite me if I deploy it live - can anyone comment? The (eventual) router pair I want to deploy this on serves multiple colocation customers and so like Lukas I really don't want to have to burn that many non-rfc1918 addresses - especially since most of these customers only have a /29 or /28 block assigned to them and can't spare the IPs themselves (and I certainly don't want to readdress them into bigger blocks if I can avoid it).

On that note has anyone ever come across any routing platforms that do something like VRRP or CARP but only on a layer2 level? i.e. using ethernet broadcasts instead of multicast for the heartbeat and not using layer 3 at all except for floating the IP? I'd love to see that and something like pfsync in RouterOS.
 
libove
newbie
Posts: 42
Joined: Tue Aug 14, 2012 5:18 pm

Re: VRRP with only virtual IP

Mon Dec 31, 2012 11:08 am

Bump.

Can anyone confirm (now at RouterOS 5.22) that the setup proposed by jvr is "correct"? That is, that not only does it seem to work for jvr, but that it isn't conflicting in some way with the standards and likely to break, either if the "wrong" kind of other network gear is connected on the same layer 2 segment, or with some future MikroTik RouterOS update/upgrade?

I have that same problem, and I imagine many others do too - I have only one IP address from one of my Internet providers, so I simply cannot give each physical router an IP address in the same subnet as the one (only) virtual router IP address which I want to share between the two physical MikroTik routers.

Thanks,
 
rborz
newbie
Posts: 29
Joined: Sat Nov 29, 2008 11:41 pm

Re: VRRP with only virtual IP

Fri Jan 04, 2013 11:15 pm

Hi libove,

I tested such a setup in a live network last night using RouterOS 5.22 and two RB1100AHx2 boards. I only tested IPv4 and VRRP version 3. Both routers got IP addresses from a different subnet than the virtual IP address. All of them were public IP addresses.

Having only one virtual IP address at the VRRP interface everything worked quite well, but adding (one) more virtual IP addresses to the VRRP interfaces on both routers led to no traffic forwarding at all. None of the routers was responding to any of the virtual IPs. Also enabling/disabling VRRP interfaces didn't make it work. The only solution was to remove the additional virtual IP addresses.

Maybe this issue is concerned with the recommendation to have real and virtual IP addresses from the same subnet. I think I will do an additional test in one of the next nights with virtual and real IP addresses from the same subnet.


Robert.
