libove
newbie
Topic Author
Posts: 42
Joined: Tue Aug 14, 2012 5:18 pm

1 or 2 VRRP to failover both "inside" & "outside" interfaces

Mon Nov 12, 2012 6:33 pm

I am going to add a second MikroTik RB1200 to my existing RB1200. Call them RB#1 (in production) and RB#2 (soon to be added).
My configuration is fairly straightforward:
- an internal LAN, to which both RB1200s are connected on their respective Ether5 ports
- an Internet connection, to which both RB1200s are connected through a pair of VLAN linked switches (using port-based VLAN assignment, so the RB1200s will not be aware that a VLAN is involved; just to separate that traffic from the rest of the broadcast domain) to a router provided by an ISP
- a second Internet connection, again to which both RB1200s are connected through the same pair of switches on a different VLAN, for the same reason, to another router provided by that second ISP

VRRP will be used for failover of all three shared IP addresses - 192.168.1.1 will be shared on the internal LAN; and a couple of static IP addresses (one each from the two ISPs) will be shared on the two external VRRP port pairs.

My questions are:
1. Should I set up three different virtual routers, one for the LAN plus two more, one for each of the two ISPs? Or should I set up one VRRP which somehow causes all three virtual IP addresses to shift between the two RB1200s? My assumption is that I should have three complete VRRP setups.
2. On the internal LAN interfaces of the RB1200s, IP addresses are available. I can use the traditional 192.168.1.1 as the virtual IP, plus 192.168.1.2 and .3 as the two physical interface IP addresses. However on the ISP side I may not have more than one real IP address available. I presume that I can set up 192.168.253.2/28 and 192.168.253.3/28 as the two physical interface IP addresses for ISP #1, and 192.168.253.10/28 and 192.168.253.11/28 as the two physical interface IP addresses for ISP #2, with the real IPs being virtually shared between the two RB1200s being whatever real IP addresses the two ISPs have assigned me, right? That is, that there is no requirement for the physical interface IP addresses on which the two MikroTiks communicate VRRP broadcasts to each other, and the actual virtual router IP address which they share between them, right?

Thanks!
-Jay
 
libove
newbie
Topic Author
Posts: 42
Joined: Tue Aug 14, 2012 5:18 pm

Re: 1 or 2 VRRP to failover both "inside" & "outside" interf

Thu Dec 06, 2012 7:13 pm

I have performed the initial setup here.
I chose to go with one VRRP failover (just the internal LAN), with on-master and on-backup scripts.

BUT this is clearly insufficient:
When a VRRP failover occurs, the MikroTik which knows it has become Master will enable its IP addresses for our Internet links, and the MikroTik which knows it has become Backup will disable those IP addresses. BUT there are cases - in particular when an internal LAN partition occurs (e.g. someone unplugs the Ethernet cable between a MikroTik and the core switch on the internal LAN, or a core switch port fails which a MikroTik was using to talk to the internal LAN) where BOTH MikroTiks will 'KNOW' they are Master, and BOTH will keep the Internet addresses active.
This may confuse Internet communications ... or it may not (since only one of the MikroTiks will really be able to pass connections all the way through).

How do you handle this situation, to assure that even in the case where a partition occurs and both MikroTiks in a VRRP failover group believe that they are Master, that communications still work correctly through whichever path is really functional, with the other MikroTik (although it still thinks it is Master) not causing (enough) interference to break things?

Thanks.
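
The failure described in the post above, as an added model (not code from the thread and not RouterOS configuration): it compares the single LAN VRRP with on-master/on-backup scripts against one virtual router per segment, under LAN link failures. The priorities, the segment names and the rule that an isolated router promotes itself (as the post describes) are assumptions.

```python
# Simplified model of the two designs discussed in the thread (constructed,
# not RouterOS code). Priorities and segment names are assumptions.
PRIORITY = {"RB1": 200, "RB2": 100}
SEGMENTS = ("lan", "isp1", "isp2")

def believes_master(router, seg, down):
    """VRRP rule: stay Backup only while a higher-priority peer is heard."""
    if (router, seg) in down:      # isolated on seg: hears nothing, promotes itself
        return True
    peers = [r for r in PRIORITY if r != router and (r, seg) not in down]
    return all(PRIORITY[router] > PRIORITY[p] for p in peers)

def holders(design, down):
    """Per segment, the routers presenting the shared address on a live link.

    design "single": VRRP on the LAN only, scripts toggle the ISP addresses.
    design "per-segment": an independent virtual router on each segment.
    """
    result = {}
    for seg in SEGMENTS:
        decided_on = "lan" if design == "single" else seg
        result[seg] = {r for r in PRIORITY
                       if believes_master(r, decided_on, down)
                       and (r, seg) not in down}
    return result

def duplicates(h):
    """Segments where both routers present the same shared address."""
    return sorted(s for s in h if len(h[s]) > 1)

def stranded(h):
    """ISP segments whose address is not held by the router serving the LAN."""
    return sorted(s for s in h if s != "lan" and not h["lan"] <= h[s])

if __name__ == "__main__":
    cases = {"healthy": set(), "RB2 LAN link down": {("RB2", "lan")},
             "RB1 LAN link down": {("RB1", "lan")}}
    for label, down in cases.items():
        for design in ("single", "per-segment"):
            h = holders(design, down)
            print(f"{label:18} {design:12} dup={duplicates(h)} stranded={stranded(h)}")
```

In this model the per-segment design removes the duplicate ISP addresses, but when RB1 loses its LAN link the LAN address moves to RB2 while the ISP addresses stay on RB1.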
