Community discussions

MikroTik App
 
phuney
just joined
Topic Author
Posts: 8
Joined: Wed Apr 13, 2022 4:39 pm

VRRP Issues

Wed Apr 13, 2022 5:19 pm

We've regularly used VRRP in our setups for automatic failover and it works great. Recently we had an install where we have a CCR1009-7G-1C-1S+ (MTik01) and an RB1100AHx2 (MTik02) (I know, not ideal to re-use the older hardware, but an issue called for using what we had onhand). Using the same configurations as usual, these 2 MikroTiks are able to communicate but each sets itself as the Master on VRRP and takes the assigned VRRP IP Address. I've tried a few different tweaks but have had no luck so far. Is this possibly an issue between the hardware models and this won't work? I've included a snippet of the configuration below.

MTik01
/ip address
add address=10.1.0.2/24 comment="LAN IP" interface=ether1 network=10.1.0.0
add address=10.3.0.2/24 comment="WiFi IP" interface=ether2 network=10.3.0.0
add address=10.1.0.1/24 comment="VRRP: LAN IP" interface=vrrp_lan network=10.1.0.0
add address=10.3.0.1/24 comment="VRRP: WiFi IP" interface=vrrp_wifi network=10.3.0.0
/interface vrrp
add comment="WiFi VRRP" interface=ether2 name=vrrp_wifi priority=150 vrid=200
add comment="LAN VRRP" interface=ether1 name=vrrp_lan priority=150 vrid=100

MTik02
/ip address
add address=10.1.0.3/24 comment="LAN IP" interface=ether1 network=10.1.0.0
add address=10.3.0.3/24 comment="WiFi IP" interface=ether2 network=10.3.0.0
add address=10.1.0.1/24 comment="VRRP: LAN IP" interface=vrrp_lan network=10.1.0.0
add address=10.3.0.1/24 comment="VRRP: WiFi IP" interface=vrrp_wifi network=10.3.0.0
/interface vrrp
add comment="WiFi VRRP" interface=ether2 name=vrrp_wifi priority=100 vrid=200
add comment="LAN VRRP" interface=ether1 name=vrrp_lan priority=100 vrid=100
 
User avatar
raimondsp
MikroTik Support
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: VRRP Issues

Thu Apr 14, 2022 11:15 am

Which RouterOS version are you using? RouterOS v7 supports grouping of VRRP interfaces, where all group members are either VRRP MASTER or BACKUP. In your case, VRRP group will prevent the situation where vrrp_wifi is master but vrrp_lan is backup on the same device.
 
User avatar
raimondsp
MikroTik Support
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: VRRP Issues

Thu Apr 14, 2022 11:17 am

Also, your setup has an issue: the IP address of a VRRP interface must have a /32 prefix, not /24.
add address=10.1.0.1/32 comment="VRRP: LAN IP" interface=vrrp_lan network=10.1.0.0
 
phuney
just joined
Topic Author
Posts: 8
Joined: Wed Apr 13, 2022 4:39 pm

Re: VRRP Issues

Mon Apr 18, 2022 3:48 pm

Both routers are running v6.49.5.

I'll get the IP address updated to a /32.
 
phuney
just joined
Topic Author
Posts: 8
Joined: Wed Apr 13, 2022 4:39 pm

Re: VRRP Issues

Tue Apr 19, 2022 10:26 pm

Still having the same issue. Both routers continue to set to VRRP MASTER status and take the 10.1.0.1/32 address.
 
Kindis
Member
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: VRRP Issues

Wed Apr 20, 2022 12:20 am

Post your firewall config on both routers. If both go into RM it means they cannot see Vrrp traffic between each other.
Do you approve Vrrp in firewall to input?
 
phuney
just joined
Topic Author
Posts: 8
Joined: Wed Apr 13, 2022 4:39 pm

Re: VRRP Issues

Wed Apr 27, 2022 8:29 pm

Below is all that is really on them, there's a few DSTNAT/SRCNATs for public IPs and DHCP networks. This config is the same as on other MikroTiks/sites and has no issues with VRRP. The only thing different here is MTik01 is a CCR1009 and MTik02 is a RB1100AHx2. I did add an input for VRRP which would increment, but both Routers continued to set as RM.

MTik01
/ip address
add address=10.1.0.2/24 comment="LAN IP" interface=ether1 network=10.1.0.0
add address=10.3.0.2/24 comment="WiFi IP" interface=ether2 network=10.3.0.0
add address=10.1.0.1 comment="VRRP: LAN IP" interface=vrrp_lan network=10.1.0.0
add address=10.3.0.1 comment="VRRP: WiFi IP" interface=vrrp_wifi network=10.3.0.0
/interface vrrp
add comment="WiFi VRRP" interface=ether2 name=vrrp_wifi priority=150 vrid=200
add comment="LAN VRRP" interface=ether1 name=vrrp_lan priority=150 vrid=100/ip firewall filter
add action=accept chain=input protocol=vrrp
add action=drop chain=forward comment="Clients<!>Client: Drop" in-interface-list=Client out-interface-list=Client
add action=drop chain=input dst-port=80,21,22,23,2222,8291,443,8728,8729 protocol=tcp src-address-list=!Trusted
add action=drop chain=input dst-port=161 protocol=udp src-address-list=!Trusted
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

MTik02
/ip address
add address=10.1.0.3/24 comment="LAN IP" interface=ether1 network=10.1.0.0
add address=10.3.0.3/24 comment="WiFi IP" interface=ether2 network=10.3.0.0
add address=10.1.0.1 comment="VRRP: LAN IP" interface=vrrp_lan network=10.1.0.0
add address=10.3.0.1 comment="VRRP: WiFi IP" interface=vrrp_wifi network=10.3.0.0
/interface vrrp
add comment="WiFi VRRP" interface=ether2 name=vrrp_wifi priority=100 vrid=200
add comment="LAN VRRP" interface=ether1 name=vrrp_lan priority=100 vrid=100
/ip firewall filter
add action=accept chain=input protocol=vrrp
add action=drop chain=input dst-port=80,21,22,23,2222,8291,443,8728,8729 protocol=tcp src-address-list=!Trusted
add action=drop chain=input dst-port=161 protocol=udp src-address-list=!Trusted
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
 
tdw
Forum Guru
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: VRRP Issues

Wed Apr 27, 2022 9:19 pm

How are they actually connected together, bridges or external switches? You can't just have MTik01 ether1 connected to MTik02 ether1, and similiarly MTik01 ether2 connected to MTik02 ether2, as nothing else whould be connected.
 
phuney
just joined
Topic Author
Posts: 8
Joined: Wed Apr 13, 2022 4:39 pm

Re: VRRP Issues

Wed Apr 27, 2022 10:17 pm

There's a switch in between. VLAN 100 is LAN Management and VLAN 101 is WIFI Management. VLANs are correct between the firewalls. Confirmed that they can see each other through neighbors and can ping local IP of each other. And for example, if I disable VRRP on MTik02, it can ping and see MTik01 with the correct .1 IP Address.
 
savage
Forum Guru
Forum Guru
Posts: 1262
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa
Contact:

Re: VRRP Issues

Thu Apr 28, 2022 8:03 am

There's a switch in between. VLAN 100 is LAN Management and VLAN 101 is WIFI Management. VLANs are correct between the firewalls. Confirmed that they can see each other through neighbors and can ping local IP of each other. And for example, if I disable VRRP on MTik02, it can ping and see MTik01 with the correct .1 IP Address.
Check your switches / vlan configurations. VRRP sends a broadcast, if the master transits the packet and the slave does not receive said packet, the slave becomes master. That's really the only way how a slave can promote itself to master.

Either there's no communication between the routers on the interfaces that you've configured vrrp on, or the configurations don't match. the one router is not seeing the other router, and visa versa.

Does the routers see each other on layer 2? Does it have ARP entries for example for the neiboring routers?
 
phuney
just joined
Topic Author
Posts: 8
Joined: Wed Apr 13, 2022 4:39 pm

Re: VRRP Issues

Thu Apr 28, 2022 4:20 pm

Yes. I've confirmed both Routers can see each on Layer 2 and show up in each others Neighbors. VLANs are correct on the switches. I agree, it seems like the Routers aren't communicating on VRRP, but from the absolute best I can tell, nothing is wrong with the configuration. As I've mentioned earlier, the MikroTiks have the exact configuration as other MikroTiks at different locations where VRRP is working without issue. Same for the switch configs. The only difference here is that we have a CCR1009 with an RB1100AHx2. I've been curious all along if this is some hardware issue between the 2 that isn't playing nice.
Last edited by phuney on Thu Apr 28, 2022 5:22 pm, edited 2 times in total.
 
tdw
Forum Guru
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: VRRP Issues

Thu Apr 28, 2022 4:42 pm

The model shouldn't make any difference unless there is something broken in the version of RouterOS you are using on those architectures.

You could use the packet sniffer to see if each is receiving the VRRP packets from the other, and that the contents are correct (the are small enough to decode by hand, or stream the packet sniffer output to Wireshark, or similar)
 
phuney
just joined
Topic Author
Posts: 8
Joined: Wed Apr 13, 2022 4:39 pm

Re: VRRP Issues

Thu Apr 28, 2022 11:20 pm

Using the Packet Tracer tool from both MikroTiks I can see that neither is receiving VRRP packets; both only show sending which seems odd because the VRRP input in filter did increment when added, although slowly. Confirms what we've discussed, but I'm still unsure where the disconnect is. I've reviewed the switch config as well and I don't see anything that looks to be out of sorts there either; but I'll continue digging around in both the MikroTiks and switch.
 
tdw
Forum Guru
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: VRRP Issues

Thu Apr 28, 2022 11:43 pm

Is the switch between the two Mikrotiks the same as you are using elsewhere? Maybe filtering multicast which would break VRRP.
 
Kindis
Member
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: VRRP Issues

Fri Apr 29, 2022 12:06 am

Must be the switches I assume. What brand are they?
 
phuney
just joined
Topic Author
Posts: 8
Joined: Wed Apr 13, 2022 4:39 pm

Re: VRRP Issues

Fri Apr 29, 2022 6:07 pm

Thanks for all the responses. Ended up finding the issue further down in the switch yesterday. IGMP Snooping had been enabled for this site and it by default had applied to all configured VLANs. Once I got that straightened out, VRRP started responding normally between the 2 MikroTiks.
 
Kindis
Member
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: VRRP Issues

Sat Apr 30, 2022 1:01 am

Great news and on a Friday as well :D

Who is online

Users browsing this forum: No registered users and 75 guests