wolfsbane
just joined
Topic Author
Posts: 1
Joined: Mon Sep 14, 2020 11:55 pm

VRRP sync-connection-tracking setup

Tue Sep 15, 2020 12:00 am

Hello,

I am playing around with 7.1beta2 and noticed with VRRP there is an option to enable sync-connection-tracking.
I have not been able to find any documentation on how to configure it. I have it enabled and have the remote IP set to the other router but nothing ever seems to be synced when I look under the firewall connections.

Is there any documentation for this feature or is it still incomplete?
 
raimondsp
MikroTik Support
Posts: 185
Joined: Mon Apr 27, 2020 10:14 am

Re: VRRP sync-connection-tracking setup

Tue Sep 15, 2020 3:51 pm

If VRRP is up and running, then in most cases, simply setting
sync-connection-tracking=yes
on both ends should do the trick: VRRP master syncing its connection with the backup router.

Some useful info / limitations:
  1. MikroTik uses its own proprietary protocol for connection syncing. Therefore, both routers must be MikroTik.
  2. Both routers must be running the same version of RouterOS v7 (e.g., 7.1beta2).
  3. While VRRP allows multiple backup routers, the connection syncing protocol supports only one (i.e., there must be only two routers: one master + one backup).
  4. VRRP Preemption Mode must be disabled (preemption-mode=no).
  5. The connection syncing protocol uses IPv4 for the internal data channel. In case of IPv6 (v3-protocol=ipv6), remote-address is mandatory.
  6. In case of IPv4, remote-address is optional, however, recommended (reduces VRRP latency).
 
raimondsp
MikroTik Support
Posts: 185
Joined: Mon Apr 27, 2020 10:14 am

Re: VRRP sync-connection-tracking setup

Tue Sep 15, 2020 3:59 pm

If the above information is insufficient, please provide the output of:
/interface export hide-sensitive
/interface/vrrp print detail
from both routers.

If you have a VRRP password set, please manually remove it from the output, since the print command doesn't have a hide-sensitive option.
 
mculibrk
just joined
Posts: 5
Joined: Fri Mar 30, 2018 12:02 pm

Re: VRRP sync-connection-tracking setup

Mon Feb 15, 2021 9:34 pm

> If VRRP is up and running, then in most cases, simply setting
> sync-connection-tracking=yes
> on both ends should do the trick: VRRP master syncing its connection with the backup router.
>
> Some useful info / limitations:
> 1. MikroTik uses its own proprietary protocol for connection syncing. Therefore, both routers must be MikroTik.
> 2. Both routers must be running the same version of RouterOS v7 (e.g., 7.1beta2).
> 3. While VRRP allows multiple backup routers, the connection syncing protocol supports only one (i.e., there must be only two routers: one master + one backup).
> 4. VRRP Preemption Mode must be disabled (preemption-mode=no).
> 5. The connection syncing protocol uses IPv4 for the internal data channel. In case of IPv6 (v3-protocol=ipv6), remote-address is mandatory.
> 6. In case of IPv4, remote-address is optional, however, recommended (reduces VRRP latency).

This is fantastic.... but...
What is the status of "firewall rules" sync between routers?
Or even better - config sync?

Are there any "suggested/verified" methods? There are some user proposed scripts... but nothing "universally useful"...
There is the excellent https://github.com/svlsResearch/ha-mikrotik but that's an active/passive solution requiring reboots for failovers which takes time and drops *any/all* state

Any plans in that regard? What do you suggest to use to have a "proper" HA (with minimal or no loss of connectivity) solution for Mikrotik devices?

Are there any "suggested" centralized management SW where you could edit/modify config to be automatically pushed to "paired" devices? That in combination with vrrp-sync could do the trick...

(if only Mikrotik config handling would allow direct "editing" (injecting/changing a specific line of configuration or some sort of diff apply...))

Any suggestions?
 
mrz
MikroTik Support
Posts: 6610
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: VRRP sync-connection-tracking setup

Tue Feb 16, 2021 12:20 pm

Currently there are several centralised configuration management options: TR069, API, SSH, and now even REST.
 
mculibrk
just joined
Posts: 5
Joined: Fri Mar 30, 2018 12:02 pm

Re: VRRP sync-connection-tracking setup

Tue Feb 16, 2021 12:54 pm

Yeah... I know about the "possibilities" or "options" for centralized management...
but are there any "suggested"/Recommended "product/solution" for that purpose?

I know about for ex Unimus and some other similar products and the TR-69 (Genie-ACS...) options... but it seems to me that's oriented more to "collecting configurations" than "managing" especially some HA (paired) setups.
Correct me if I'm wrong... or even better, suggest some "actual" solution.

Thanks!

Regards,
 
dminev
just joined
Posts: 1
Joined: Fri Jan 18, 2013 3:20 pm

Re: VRRP sync-connection-tracking setup

Fri Sep 03, 2021 1:14 pm

> Yeah... I know about the "possibilities" or "options" for centralized management...
> but are there any "suggested"/Recommended "product/solution" for that purpose?
>
> I know about for ex Unimus and some other similar products and the TR-69 (Genie-ACS...) options... but it seems to me that's oriented more to "collecting configurations" than "managing" especially some HA (paired) setups.
> Correct me if I'm wrong... or even better, suggest some "actual" solution.
>
> Thanks!
>
> Regards,

Hi guys,

Any news/suggestions on the topic?

Is there a recommended way to sync the router's configurations?

Thanks!
Daniel
 
raimondsp
MikroTik Support
Posts: 185
Joined: Mon Apr 27, 2020 10:14 am

Re: VRRP sync-connection-tracking setup

Fri Sep 03, 2021 6:26 pm

Hi,

The entire team is focused 100% on stabilizing v7.1. Let's get back to this topic after v7.1 stable release.
 
mculibrk
just joined
Posts: 5
Joined: Fri Mar 30, 2018 12:02 pm

Re: VRRP sync-connection-tracking setup

Fri Sep 03, 2021 6:44 pm

Nice... someone is actually *reading this*...

Great! I really hope the 7.1 will hit "production" soon and that config sync will follow soon...

Mikrotik "clusters" would be *FANTASTIC* after all these years and a requirement for "enterprise" deployments.

Keep up the good work you guys!

Best regards
M.C
 
RcRaCk2k
Frequent Visitor
Posts: 72
Joined: Mon May 07, 2012 10:40 pm

Re: VRRP sync-connection-tracking setup

Tue Oct 05, 2021 5:41 pm

Is it possible to sync connection tracking state in an active/active setup?
I like to peer via BGP with my upstream provider, so I like to have two active BGP sessions and so on to route the traffic from WAN to LAN where the traffic arrives. So there is a possibility of asymmetric routing. Because of that, syncing the connection tracking tables is important.
 
raimondsp
MikroTik Support
Posts: 185
Joined: Mon Apr 27, 2020 10:14 am

Re: VRRP sync-connection-tracking setup

Thu Oct 07, 2021 1:53 pm

> Is it possible to sync connection tracking state in an active/active setup?
> I like to peer via BGP with my upstream provider, so I like to have two active BGP sessions and so on to route the traffic from WAN to LAN where the traffic arrives. So there is a possibility of asymmetric routing. Because of that, syncing the connection tracking tables is important.

We are considering decoupling sync connection tracking from VRRP and making connection syncing a standalone feature that users may set up in any way they want. However, I wouldn't expect this feature soon because the developers are fully focused on stabilizing v7.1, and there is a growing list of features to be developed after v7.1 stable. Meanwhile, you can create a "fake VRRP interface" that is used for nothing but syncing connections in the opposite way.
 
TeslaBMWandTheRest
just joined
Posts: 2
Joined: Wed Oct 23, 2019 9:38 pm

Re: VRRP sync-connection-tracking setup

Wed Dec 08, 2021 11:57 am

> Nice... someone is actually *reading this*...
>
> Great! I really hope the 7.1 will hit "production" soon and that config sync will follow soon...
>
> Mikrotik "clusters" would be *FANTASTIC* after all these years and a requirement for "enterprise" deployments.
>
> Keep up the good work you guys!
>
> Best regards
> M.C

1000% agree with above statement. Been waiting for this feature for years. At this moment in time I have to use products from competitors. Once Mikrotik does this, no more need for the products from competitors.
 
RcRaCk2k
Frequent Visitor
Posts: 72
Joined: Mon May 07, 2012 10:40 pm

Re: VRRP sync-connection-tracking setup

Thu Jan 27, 2022 10:45 pm

> We are considering decoupling sync connection tracking from VRRP and making connection syncing a standalone feature that users may set up in any way they want.

This sounds great.

But I have another question:
While R1 is VRRP Master and CONNTRACK Master, should I see the connections on the BACKUP-Router R2 under IP > Firewall > Connections?

Because currently I do not.

Running v7.2rc2.

Currently I can only see the connection tracked on master, but not on slave?
 
raimondsp
MikroTik Support
Posts: 185
Joined: Mon Apr 27, 2020 10:14 am

Re: VRRP sync-connection-tracking setup

Fri Jan 28, 2022 8:58 am

If sync-connection-tracking is set and running, you should be able to see the connections on the backup router (no counters, though). Make sure you have the same Firewall rules set on both ends. Also, forcing connection tracking might help:
/ip/firewall/connection/tracking/set enabled=yes
 
RcRaCk2k
Frequent Visitor
Posts: 72
Joined: Mon May 07, 2012 10:40 pm

Re: VRRP sync-connection-tracking setup

Fri Jan 28, 2022 11:53 am

Okay, I believe that there is no initial sync? Am I right?
From my point of view only new connections will be synchronized to the Backup-Router?

EDIT: And if there was a SIP-Connection this information is not synchronized between Master <> Backup Router. When a new session will be established at port 5060, master syncs the tracking to the backup, but is losing the SIP-Conntrack-Type. The UDP message is only alive for 30 secs after creation on the backup router when it is 1h alive on the master.

If I reboot the Backup-Router, the whole connection tracking table is empty. But when new connections are made, the connection appears on the backup router.

After 8 hours, both routers are not in sync. I do not think that this is a configuration issue. I think there is an initial sync missing.

By the way: will it come to a point where connection-tracking-syncing is able to handle active/active sync? So we can make use of the potential power of two routers instead of one doing the hard work and the other sleeping all day long?

From a software engineer's view: Doing some MQTT / Message Broker Stuff on Mikrotik to exchange the connection-tracking information, when initially connected to the broker and when new connections get established and when a connection will die because of reached timeout. In this setup you will be able to handle more than just two routers for connection tracking.

This is my related firewall and vrrp configuration:
[rack@ROBEL-VoIP-Gateway-RZ1] > /ip/firewall/export
# jan/28/2022 10:43:35 by RouterOS 7.2rc1
# software id = QWJ1-SK2Q
#
# model = RB5009UG+S+
# serial number = EC190FA9F86B
/ip firewall nat
    add action=src-nat chain=srcnat out-interface=ether1.Uplink-RSM to-addresses=185.58.31.141
/ip firewall service-port
    set sip sip-direct-media=no
/interface vrrp
    add interface=ether2.Uplink-Core-Switch name=vrrp.voip-router preemption-mode=no priority=50 remote-address=10.1.160.3 sync-connection-tracking=yes vrid=88
/ip address
    add address=10.1.160.2/24 interface=ether2.Uplink-Core-Switch network=10.1.160.0
    add address=10.1.160.1/24 interface=vrrp.voip-router network=10.1.160.0
    add address=185.58.31.141/28 interface=ether1.Uplink-RSM network=185.58.31.128
    add address=172.16.18.3/29 interface=ether1.Uplink-RSM network=172.16.18.0

[rack@ROBEL-VoIP-Gateway-RZ2] > /ip/firewall/export
# jan/28/2022 10:44:00 by RouterOS 7.2rc1
# software id = SEY8-DGED
#
# model = RB5009UG+S+
# serial number = EC190FC52FD2
/ip firewall nat
    add action=src-nat chain=srcnat out-interface=ether1.Uplink-RSM to-addresses=185.58.31.141
/ip firewall service-port
    set sip sip-direct-media=no
/interface vrrp
    add interface=ether2.Uplink-Core-Switch name=vrrp.voip-router preemption-mode=no remote-address=10.1.160.2 sync-connection-tracking=yes vrid=88
/ip address
    add address=185.58.31.141/28 interface=ether1.Uplink-RSM network=185.58.31.128
    add address=10.1.160.3/24 interface=ether2.Uplink-Core-Switch network=10.1.160.0
    add address=10.1.160.1/24 interface=vrrp.voip-router network=10.1.160.0
    add address=172.16.18.4/29 interface=ether1.Uplink-RSM network=172.16.18.0
 
RcRaCk2k
Frequent Visitor
Posts: 72
Joined: Mon May 07, 2012 10:40 pm

Re: VRRP sync-connection-tracking setup

Wed Feb 02, 2022 4:49 pm

Also I see the following information in the log after reboot (marked the interesting log entry with >>>>):
currently running 7.2rc3 on both routers.
 14:46:15 system,info router rebooted
 14:46:15 vrrp,info vrrp.voip-router now BACKUP
 14:46:15 vrrp,info vrrp.voip-router starting CONNTRACK SLAVE
 >>>> 14:46:15 vrrp,warning NFCT_SLAVE: could not open NETLINK socket (93) - Protocol not supported
 14:46:16 interface,info sfp-sfpplus1.qv-rz2 link up (speed 1G, full duplex)
 14:46:19 interface,info ether1.Uplink-RSM link up (speed 1G, full duplex)
 14:46:19 interface,info ether2.Uplink-Core-Switch link up (speed 1G, full duplex)
 14:46:20 vrrp,info vrrp.voip-router starting CONNTRACK SLAVE
 14:46:22 system,info,account user rack logged in from 185.58.28.171 via winbox
 15:48:08 system,info,account user rack logged in from 185.58.28.171 via local
 
raimondsp
MikroTik Support
Posts: 185
Joined: Mon Apr 27, 2020 10:14 am

Re: VRRP sync-connection-tracking setup

Wed Feb 02, 2022 5:15 pm

The IP address on the VRRP interface must have a /32 netmask if the address configured on VRRP is from the same subnet as on any other interface of the router.

In your case, it should be:
/ip/address add address=10.1.160.1/32 interface=vrrp.voip-router

Regarding the NETLINK socket error, did you force connection tracking (change from the default "auto" to "yes")?
/ip/firewall/connection/tracking/set enabled=yes
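
The prerequisites named in this thread that are visible in a single router's export (preemption-mode=no, remote-address, and a /32 address on the VRRP interface when it shares a subnet with another interface) can be checked before relying on state sync at failover. The following is an added example, not code from any poster or from MikroTik; the function names are hypothetical, the sample export is constructed with documentation addresses, and a preemption-mode missing from the export is assumed not to be "no".

```python
import ipaddress

# Constructed sample modelled on the export format posted in this thread.
SAMPLE_EXPORT = """\
/interface vrrp
add interface=ether2 name=vrrp1 preemption-mode=no remote-address=192.0.2.3 sync-connection-tracking=yes vrid=88
/ip address
add address=192.0.2.2/24 interface=ether2 network=192.0.2.0
add address=192.0.2.1/24 interface=vrrp1 network=192.0.2.0
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            pairs = (tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
            sections[current].append(dict(pairs))
    return sections

def check_vrrp_sync(text):
    """Check the prerequisites stated in the thread; return a list of findings."""
    cfg, findings = parse_export(text), []
    addrs = [(a["interface"], ipaddress.ip_interface(a["address"]))
             for a in cfg.get("/ip address", []) if "address" in a and "interface" in a]
    for v in cfg.get("/interface vrrp", []):
        if v.get("sync-connection-tracking") != "yes":
            continue  # syncing not requested on this VRRP interface
        name = v.get("name", "?")
        # Assumption: a preemption-mode absent from the export is not "no".
        if v.get("preemption-mode") != "no":
            findings.append(f"{name}: preemption-mode must be no")
        if "remote-address" not in v:
            level = "mandatory" if v.get("v3-protocol") == "ipv6" else "recommended"
            findings.append(f"{name}: remote-address is {level}")
        for ifname, ip in addrs:
            if ifname != name or ip.network.prefixlen == 32:
                continue  # only non-/32 addresses on this VRRP interface matter
            if any(o != name and ip.ip in other.network for o, other in addrs):
                findings.append(f"{name}: {ip} shares a subnet with another interface; use /32")
    return findings
```

The two-router limit and the matching RouterOS version cannot be seen from one export and still need to be confirmed on both devices.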
 
RcRaCk2k
Frequent Visitor
Posts: 72
Joined: Mon May 07, 2012 10:40 pm

Re: VRRP sync-connection-tracking setup

Thu Feb 10, 2022 7:02 pm

> (change from the default "auto" to "yes")?

After changing both routers to yes, the message is gone, but there is no initial sync after booting R2 (Backup).

 16:58:00 system,info router rebooted
 16:58:10 vrrp,info vrrp.voip-router now BACKUP
 16:58:10 vrrp,info vrrp.voip-router starting CONNTRACK SLAVE
 16:58:10 vrrp,warning UDP send error (101) - Network unreachable
 16:58:10 interface,info sfp-sfpplus1.qv-rz2 link up (speed 1G, full duplex)
 16:58:11 vrrp,warning UDP send error (101) - Network unreachable
 16:58:12 vrrp,warning UDP send error (101) - Network unreachable
 16:58:13 vrrp,warning UDP send error (101) - Network unreachable
 16:58:13 vrrp,warning UDP send error (101) - Network unreachable
 16:58:13 interface,info ether1.Uplink-RSM link up (speed 1G, full duplex)
 16:58:13 interface,info ether2.Uplink-Core-Switch link up (speed 1G, full duplex)
 16:58:15 vrrp,info vrrp.voip-router stop CONNTRACK
 16:58:15 vrrp,info vrrp.voip-router starting CONNTRACK SLAVE
 16:58:16 system,info,account user rack logged in from 185.58.28.171 via winbox
 18:00:10 system,info,account user rack logged in from 185.58.28.171 via local
 
raimondsp
MikroTik Support
Posts: 185
Joined: Mon Apr 27, 2020 10:14 am

Re: VRRP sync-connection-tracking setup

Mon Feb 14, 2022 4:43 pm

We were unable to reproduce your issue. On our side, initial sync gets performed as intended.

Please create a support ticket, so we can reproduce exactly the same setup as yours.
