gmsmstr
Trainer
Topic Author
Posts: 982
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO

Proper VRRP configuration

Wed May 10, 2023 9:28 pm

So in v6 I normally handled VRRP this way.

RTR 1
address = 10.55.55.1/30 interface =ether1
address = 100.64.1.1/24 interface=vrrp1

RTR 2
address = 10.55.55.2/30 interface =ether1
address = 100.64.1.1/24 interface=vrrp1

This way the VRRP can monitor the .1 on the local interface (ether1), then if VRRP needs to change hands OSPF will advertise the 100.64.1.0/24 out RTR 2 when the VRRP interface becomes MASTER

In v7, v6 and according to MikroTik documents, you should:

RTR 1
address = 100.64.1.2/24 interface=ether1
address = 100.64.1.1/32 interface=vrrp

RTR 2
address = 100.64.1.3/24 interface=ether1
address = 100.64.1.1/32 interface=vrrp

But when you do it this way, ether1 always advertises the OSPF route, or if you set up OSPF to advertise the VRRP interface, it advertises the /32, not the /24...

What is the correct method to allow for OSPF to fail over and move the /24s when VRRP moves?
 
gmsmstr

Re: Proper VRRP configuration ??

Mon Jun 05, 2023 3:05 pm

Bump...
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Proper VRRP configuration

Sat Jun 10, 2023 12:18 pm

Even at v6 times, the manual was suggesting that the IP address attached to the VRRP interface should be a /32 one. The thing is that in the generic case, the /24 may be up on multiple routers simultaneously, and there may be multiple VRRP interfaces within that /24, each preferring another physical router. This inevitably, and by design, leads to non-symmetric routing where the request packet from the LAN host in the /24 goes via the physical router on which its gateway IP is currently up as the VRRP /32 but the response packet to that LAN host goes via the physical router that is chosen as a gateway to the /24.

The trouble begins once you want to use stateful firewalls on those physical routers, because stateful firewalls can only handle non-symmetric routing if the connection tracking table is synchronized between them. In v7, such a synchronisation is possible, but it is bound to VRRP and requires very specific settings.

Vice versa, in v7 you can still attach a /24 address to the VRRP interface; if there is only one VRRP interface per subnet, the whole subnet then migrates between the physical routers along with the VRRP interface, and OSPF only advertises it on the physical router where it is currently up. But without synchronizing the connection tracking, the stateful firewall will still drop existing connections if the VRRP and the whole /24 migrate to another physical router.
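
Added example, not part of the post above and not MikroTik code: a small Python model of the two cases described there, a reply returning through the router that did not see the request, and a failover of the VRRP address with its /24. The `Router` class, the firewall policy (only LAN hosts may open connections), the host and server addresses and the `sync` helper are assumptions made for illustration; state is keyed on the address pair only, ignoring ports and TCP flags.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("100.64.1.0/24")             # subnet used in the thread
HOST, SERVER = "100.64.1.50", "203.0.113.10"  # constructed sample endpoints

class Router:
    """Stateful firewall: LAN hosts may open connections, all else needs state."""
    def __init__(self, name):
        self.name = name
        self.conntrack = set()

    def forward(self, src, dst):
        key = frozenset((src, dst))       # one entry covers both directions
        if key in self.conntrack:
            return "established"
        if ip_address(src) in LAN:        # new connection initiated from the LAN
            self.conntrack.add(key)
            return "new"
        return "drop"                     # no state and not LAN-initiated

def sync(master, backup):
    """Stand-in for connection tracking synchronisation between the routers."""
    backup.conntrack |= master.conntrack

def asymmetric(synced):
    """Request leaves via RTR1 (holds the VRRP /32), reply returns via RTR2."""
    r1, r2 = Router("RTR1"), Router("RTR2")
    out = r1.forward(HOST, SERVER)
    if synced:
        sync(r1, r2)
    return out, r2.forward(SERVER, HOST)

def failover(synced):
    """Connection is established on RTR1, then VRRP and the /24 move to RTR2."""
    r1, r2 = Router("RTR1"), Router("RTR2")
    r1.forward(HOST, SERVER)
    r1.forward(SERVER, HOST)
    if synced:
        sync(r1, r2)
    return r2.forward(SERVER, HOST)       # next inbound packet of that connection

if __name__ == "__main__":
    for synced in (False, True):
        print(f"sync={synced}: asymmetric={asymmetric(synced)} "
              f"failover={failover(synced)}")
```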
 
gmsmstr

Re: Proper VRRP configuration

Fri Jul 07, 2023 8:15 pm

Thanks for the reply, but in v7 I cannot get the /24 on the VRRP interface to work .. :( I have upgraded routers from v6, and it works just fine, but if I create a new one it does not. I have an open ticket with MikroTik on these.

The question is which one is correct? Or are both correct depending on your use cases. The second question, I just thought of while rereading your post, is does that mean you cannot put MORE than one subnet on a VRRP interface? I have a number of them, but these were upgraded from v6...
 
sindy

Re: Proper VRRP configuration

Fri Jul 07, 2023 9:20 pm

My ROS 7 test CHRs never ran ROS 6, and they accept an address with a /24 without any issue (freshly deleted and added to be sure):

[me@chr-7-1] > ip/address/print where interface=vrrp1
Columns: ADDRESS, NETWORK, INTERFACE
 #  ADDRESS           NETWORK        INTERFACE
15  192.168.216.1/24  192.168.216.0  vrrp1
[me@chr-7-1] > interface/vrrp/print
Flags: R - RUNNING; M, F - FAILURE
Columns: NAME, INTERFACE, MAC-ADDRESS, VRID, PRIORITY, INTERVAL, VERSION, V3-PROTOCOL, SYNC-CONNECTION-TRACKING
#     NAME   INTERFACE  MAC-ADDRESS        VRID  PRIORITY  INTERVAL  VERSION  V3-PROTOCOL  SYNC-CONNECTION-TRACKING
0 RM  vrrp1  eoip1      00:00:5E:00:01:01  1     203       1s        3        ipv4         no

[me@chr-7-2] > ip address/print where interface=vrrp1
Flags: I, D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
 #    ADDRESS           NETWORK        INTERFACE
13 I  192.168.216.1/24  192.168.216.0  vrrp1
[me@chr-7-2] > interface/vrrp/print
Flags: B, F - FAILURE
Columns: NAME, INTERFACE, MAC-ADDRESS, VRID, PRIORITY, INTERVAL, VERSION, V3-PROTOCOL, SYNC-CONNECTION-TRACKING
#    NAME   INTERFACE  MAC-ADDRESS        VRID  PRIORITY  INTERVAL  VERSION  V3-PROTOCOL  SYNC-CONNECTION-TRACKING
0 B  vrrp1  eoip1      00:00:5E:00:01:01  1     100       1s        3        ipv4         no


> The question is which one is correct? Or are both correct depending on your use cases.

I don't feel competent to give an authoritative answer, but the RFC 5798 doesn't state anything regarding subnet size associated to the virtual address.

> The second question, I just thought of while rereading your post, is does that mean you cannot put MORE than one subnet on a VRRP interface?

The same RFC says there may be multiple virtual addresses on the interface; given how VRRP works as a whole, it would make little sense if they were from the same subnet. It also doesn't require that the primary address of the interface is in the same subnet like any of the virtual ones.
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: Proper VRRP configuration

Sat Jul 08, 2023 4:32 am

@ sindy

are you sure your vrrp example is in a running state?
[me@chr-7-2] > ip address/print where interface=vrrp1
Flags: I, D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
13 I 192.168.216.1/24 192.168.216.0 vrrp1
it has 'i' in it as invalid?

by the way, this is interesting
0 RM vrrp1 eoip1 00:00:5E:00:01:01 1 203 1s 3 ipv4 no
hmm.. do you have multipath interface for it?

++ edit

i mean, multipath eoip for it as well?

++ end edit.


@ gmsmstr,

reading all your posts above, did you mean you only have 1 vlan/network with multiple ip subnets for your vrrp setup? so you need to put many vips on the vrrp link?

can you give us a text drawing so that we can look at your setup?
Last edited by wiseroute on Sat Jul 08, 2023 8:03 am, edited 1 time in total.
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Proper VRRP configuration

Sat Jul 08, 2023 6:25 am

> it has 'i' in it as invalid?

this site is VRRP backup
 
nichky

Re: Proper VRRP configuration

Sat Jul 08, 2023 6:27 am

> My ROS 7 test CHRs never ran ROS 6, and they accept an address with a /24 without any issue (freshly deleted and added to be sure):

great news!!
 
wiseroute

Re: Proper VRRP configuration

Sat Jul 08, 2023 8:02 am

@ nichky

aaa... yes, sorry. i didn't take a closer look below that line

'i' as inactive. backup site.
 
sindy

Re: Proper VRRP configuration

Sat Jul 08, 2023 10:14 am

> hmm.. do you have multipath interface for it? i mean, multipath eoip for it as well?

Sorry to disappoint you, no, it's just that the CHRs run on Hyper-V, which by default (like many other virtualization platforms) filters frames with source MAC addresses different from the own ones of the sending virtual network cards, and for this quick test, it was easier to bypass that using an EoIP tunnel between the two devices than to change the Hyper-V settings for the actual interfaces.
 
nichky

Re: Proper VRRP configuration

Tue Jul 11, 2023 3:51 am

@sindy

did u notice that (your e.g. above) this will not work if u use VPLS, not sure why. EoIP works fine.
