mhenriques
newbie
Topic Author
Posts: 47
Joined: Sat Mar 23, 2019 8:45 pm
Location: BRAZIL

VRRP and ISP failover?

Sat Dec 04, 2021 11:37 pm

Hello guys

I'm being asked to add a second mikrotik as gateway to both internal LANs using both VRRP and ISP failover as per network diagram below. Any hints how to implement this?

Thanks for any help.

Mauricio
[attachment: network diagram, not included]
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: VRRP and ISP failover?

Sun Dec 05, 2021 2:07 pm

I recommend configuring Router A (RB3011) and Router B (RB450)
before even starting with the VRRP settings.

Step 1: Configure Basic LAN-Network (IP-Address)

Router A: ether10 --> 172.16.15.251/20
Router B: ether5 --> 172.16.15.252/20

Step 2: Configure Main-ISP
Configure Router A and Cable-ISP
Configure Router B and Fiber-ISP
*like you would normally do ...

Step 3: Configure Backup-ISP

Configure Router A with Router B as Backup-ISP
Config-Example: /ip route add distance=100 gateway=172.16.15.252

Configure Router B with Router A as Backup-ISP
Config-Example: /ip route add distance=100 gateway=172.16.15.251

Step 4: Test ISP-Backup

Check if Failover works!

Example:
Ping 8.8.8.8 via Router A
Disconnect Cable-ISP from Router A
It should switch over to Router B
(some pings may fail during the failover)


Step 5: VRRP

Router A:
/interface vrrp add interface=ether10 name=vrrp1 priority=200 vrid=55
/ip address add address=172.16.15.254 interface=vrrp1 network=172.16.15.254

Router B:
/interface vrrp add interface=ether5 name=vrrp1 priority=100 vrid=55
/ip address add address=172.16.15.254 interface=vrrp1 network=172.16.15.254



Summary:
Router A is always the Main VRRP-Router
When Router A is active (vrrp) Cable-ISP is primary and Fiber-ISP is failover
When Router B is active (vrrp) Fiber-ISP is primary and Cable-ISP is failover
After everything works, simply repeat the process for every LAN network.
 
mhenriques
newbie
Topic Author
Posts: 47
Joined: Sat Mar 23, 2019 8:45 pm
Location: BRAZIL

Re: VRRP and ISP failover?

Sun Dec 05, 2021 2:53 pm

Hello

Thanks for your reply. I'll try your recommendations on the 172.16.0.0/20 LAN first.

Regards
Maurício
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP and ISP failover?

Sun Dec 05, 2021 3:31 pm

Once you get this to work, have a look at @Chupaka's explanation of monitoring of network transparency using recursive next-hop search. The benefit is that the route becomes inactive not only when the WAN interface of the router goes physically down (i.e. the ISP modem loses power or someone disconnects the Ethernet cable between the modem and the router), but also when any problem occurs between the modem and the internet (remote ISP router down, TV cable/telecom pair disconnected from the modem).

Later on, you can add a script that lowers the priority of the VRRP interface if the WAN fails, which excludes the router with the failed WAN from the routing path completely, as the VRRP address in the LAN subnet will migrate to the other one.
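Putting ConnyMercier's five steps together with the two refinements sindy suggests (recursive next-hop monitoring of the Cable-ISP and a script that lowers the VRRP priority when it fails), here is a complete Router A configuration. This is an added example, not configuration from the thread or from MikroTik; the WAN interface ether1, the Cable-ISP address 203.0.113.10/24 and gateway 203.0.113.1, the probe address 8.8.8.8, the priority values 200/50, and the script, scheduler and comment names are all assumptions.

```routeros
# Router A (RB3011). Assumed interface roles: ether1 = Cable-ISP WAN, ether10 = LAN.
# Assumed addresses: Cable-ISP 203.0.113.10/24, gateway 203.0.113.1 (documentation
# range), probe host 8.8.8.8. Change these to match the real links.

/ip address add address=172.16.15.251/20 interface=ether10 comment="LAN, own address"
/ip address add address=203.0.113.10/24 interface=ether1 comment="Cable-ISP"

# Host route to the probe, reachable ONLY via the Cable-ISP gateway.
# scope=10 lets the recursive default route below resolve through it
# (static routes default to scope=30 / target-scope=10).
/ip route add dst-address=8.8.8.8/32 gateway=203.0.113.1 scope=10 comment="cable-probe"

# Primary default route, resolved recursively via the probe. check-gateway=ping
# pings 8.8.8.8 (the route's gateway); when the replies stop, the route goes
# inactive even though ether1 is still up. Caveat: 8.8.8.8 itself keeps using the
# broken link, so pick a probe address you do not depend on for production traffic.
/ip route add dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping distance=1 \
    comment="default via Cable-ISP"

# Backup default route through Router B (distance 100 > 1, so used only while the
# primary is inactive). Router B carries the mirror image pointing at 172.16.15.251.
/ip route add dst-address=0.0.0.0/0 gateway=172.16.15.252 distance=100 \
    comment="default via Router B"

# VRRP on the LAN: Router A is master with priority 200, Router B runs priority 100.
/interface vrrp add interface=ether10 name=vrrp1 vrid=55 priority=200
/ip address add address=172.16.15.254/32 interface=vrrp1 comment="shared gateway"

# Hand the VRRP address to Router B while the Cable-ISP is unusable, so LAN hosts
# do not hairpin through A. Degraded priority 50 < Router B's 100; preemption
# (on by default) brings A back as master once the probe answers again.
/system script add name=vrrp-wan-check source={
    :local wanOk ([:len [/ip route find where comment="default via Cable-ISP" && active]] > 0)
    :local prio [/interface vrrp get [find name="vrrp1"] priority]
    :if (($wanOk = true) && ($prio != 200)) do={
        /interface vrrp set [find name="vrrp1"] priority=200
        :log info "Cable-ISP reachable again, VRRP priority back to 200"
    }
    :if (($wanOk = false) && ($prio != 50)) do={
        /interface vrrp set [find name="vrrp1"] priority=50
        :log warning "Cable-ISP unreachable, VRRP priority lowered to 50"
    }
}
/system scheduler add name=vrrp-wan-check interval=10s on-event=vrrp-wan-check
```

Router B gets the mirror image: the Fiber-ISP gateway in the probe route, 172.16.15.251 as the backup next hop, and its normal priority 100 lowered to something below A's degraded 50 (for example 20). Two things to keep in mind: if both ISPs fail at the same time, the two backup routes point at each other and packets loop between A and B until their TTL expires, which the thread's design does not address; and because check-gateway=ping decides on ICMP replies from the probe, a probe host that rate-limits or filters ICMP will make the primary route flap.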
 
mhenriques
newbie
Topic Author
Posts: 47
Joined: Sat Mar 23, 2019 8:45 pm
Location: BRAZIL

Re: VRRP and ISP failover?

Thu Dec 16, 2021 5:05 pm

Is it possible on this VRRP scenario to direct which ISP each subnet will use as primary? Example:
  • subnet admin (192.168.0.0/24) should use Cable ISP as primary and Fiber ISP as failover
  • subnet cftv (172.16.0.0/20) should use Fiber ISP as primary and Cable ISP as failover
Thanks for any help!
Maurício
 
aesmith
Member Candidate
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Re: VRRP and ISP failover?

Thu Dec 16, 2021 5:47 pm

VRRP is only intended to deal with a router failure, not a downstream route failure. So what I'd do is first configure your primary router so that it can use either ISP, routing via the second router to reach ISP2 if ISP1 fails. Then configure VRRP on both so if router 1 drops dead altogether then router 2 will pick up the active role.
 
mhenriques
newbie
Topic Author
Posts: 47
Joined: Sat Mar 23, 2019 8:45 pm
Location: BRAZIL

Re: VRRP and ISP failover?

Thu Dec 16, 2021 6:55 pm

Is it technically possible to define RB3011 (connected to Cable ISP) as the master router for VRRP on subnet 192.168.0.0/24 and RB450 as the master router for VRRP on subnet 172.16.0.0/20? If yes, would that achieve the objective of having each subnet using a separate ISP link?

Maurício
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: VRRP and ISP failover?

Thu Dec 16, 2021 7:02 pm

You need to configure 2 VRRP

1 for the 192.168.0.0/24 Network
1 for the 172.16.0.0/20 Network

With the parameter "Priority" you can set where the VRRP runs by default.
In other words / Example:

RB3011 VRRP (192.168.0.0/24) Priority=200
RB3011 VRRP (172.16.0.0/20) Priority=100
RB450 VRRP (192.168.0.0/24) Priority=100
RB450 VRRP (172.16.0.0/20) Priority=200
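The two-group layout ConnyMercier describes, written out for both routers. This is an added example, not from the thread: the LAN interface names (RB3011 ether9/ether10, RB450 ether4/ether5), the .251/.252 per-router addresses, the vrids 10 and 20, and the VRRPv2 AH authentication with a placeholder password are my assumptions. The thread's own commands use the RouterOS default VRRPv3, which has no authentication, so the version=2/authentication lines are a hardening choice (they stop a host on the LAN from claiming the gateway address with an unauthenticated advertisement), not something the posts call for.

```routeros
# Two VRRP groups, one per LAN, with opposite priorities so each subnet's
# default master is the router attached to its preferred ISP.
# Assumed interfaces: RB3011 ether9 = admin LAN, ether10 = cftv LAN;
# RB450 ether4 = admin LAN, ether5 = cftv LAN. CHANGE-ME is a placeholder secret;
# it must be identical on both routers for a given group.

# --- RB3011 (Cable-ISP) ---
/ip address add address=192.168.0.251/24 interface=ether9
/ip address add address=172.16.15.251/20 interface=ether10
/interface vrrp add name=vrrp-admin interface=ether9 vrid=10 priority=200 \
    version=2 authentication=ah password=CHANGE-ME comment="admin: prefer Cable"
/interface vrrp add name=vrrp-cftv interface=ether10 vrid=20 priority=100 \
    version=2 authentication=ah password=CHANGE-ME comment="cftv: prefer Fiber"
/ip address add address=192.168.0.254/32 interface=vrrp-admin
/ip address add address=172.16.15.254/32 interface=vrrp-cftv

# --- RB450 (Fiber-ISP) ---
/ip address add address=192.168.0.252/24 interface=ether4
/ip address add address=172.16.15.252/20 interface=ether5
/interface vrrp add name=vrrp-admin interface=ether4 vrid=10 priority=100 \
    version=2 authentication=ah password=CHANGE-ME comment="admin: prefer Cable"
/interface vrrp add name=vrrp-cftv interface=ether5 vrid=20 priority=200 \
    version=2 authentication=ah password=CHANGE-ME comment="cftv: prefer Fiber"
/ip address add address=192.168.0.254/32 interface=vrrp-admin
/ip address add address=172.16.15.254/32 interface=vrrp-cftv

# Routing is still decided per router, as ConnyMercier says: each router keeps its
# own ISP at distance=1 and the peer at distance=100, so the cftv subnet leaves via
# Fiber only because RB450 is its master, not because VRRP knows about ISPs.
# Check which router currently holds each address (M flag = master, B = backup):
/interface vrrp print
```

Because each router's master role is now per group, the admin subnet's traffic goes through RB3011's firewall and mangle rules while the cftv subnet's goes through RB450's; keep the two rule sets in step, since a failover moves a subnet onto the other router's rules.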
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: VRRP and ISP failover?

Thu Dec 16, 2021 7:10 pm

would that achieve the objective of having each subnet using a separate ISP link?
The segregation of traffic over two separate ISP links has "nothing" to do with VRRP.

You can configure your VRRP-Routers as you would any Router.
Mangle & tag traffic, use QoS, Firewall, PCC, etc....

In theory, you can even configure each Router in the VRRP-Config,
to provide different Services and Rules.

Important to understand is:
Only ONE router of the VRRP config is active,
and when that router is active, its local configuration (firewall, mangle, etc.) is active.
 
mhenriques
newbie
Topic Author
Posts: 47
Joined: Sat Mar 23, 2019 8:45 pm
Location: BRAZIL

Re: VRRP and ISP failover?

Wed Jan 19, 2022 7:23 pm

I'm testing the scenario below using GNS3 and it seems to work. Any comments before testing in real life?

Thanks for all your help.

Mauricio
[attachment: vrrp config.png, not included]
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: VRRP and ISP failover?

Thu Jan 20, 2022 3:13 pm

Everything seems to be O.K.!

Good Luck =)
 
alexv305
just joined
Posts: 2
Joined: Fri Feb 09, 2024 11:35 pm

Re: VRRP and ISP failover?

Fri Feb 09, 2024 11:41 pm

ConnyMercier wrote: [step-by-step guide quoted in full above]
Dear ConnyMercier,

This little guide helped me get VRRP working, thank you for that. However, I have a strange issue. In either direction either from Router A to Router B or Router B to Router A, during a failover, the firewall rule that drops INVALID packets in the forward chain is stopping traffic from flowing through. I can ping any IP on the internet but when I try to browse using a web browser, I see my firewall logs loading up in the INVALID drops. As soon as I disable the rule, failover works perfectly in either direction. Any idea what causes this?

Here is the firewall rule:
/ip firewall filter add action=drop chain=forward connection-state=invalid
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP and ISP failover?

Sat Feb 10, 2024 10:51 am

Any idea what causes this?
I dare to answer although I'm obviously not @ConnyMercier :)

The stateful firewall tracks the state of connections for multiple reasons: to allow most packets to only run through a few firewall rules, to provide NAT, etc. Unless connection state synchronisation has been activated in the VRRP configuration, which is only possible in RouterOS 7, only the connection tracking module of the firewall on the router through which the connection was initially established is aware of that connection. So if the traffic starts flowing through the other router, the packets are not recognized as belonging to an existing connection on that router. In the case of UDP, which carries no information regarding connection state in the protocol headers of the packet itself, a packet not belonging to any existing connection is treated as the initial packet of a new connection and handled accordingly; in the case of TCP, the TCP headers in the packet contain information that allows one to determine the role of the packet in the connection. Only a packet that carries a SYN flag and does not carry an ACK one is able to create a new tracked connection in the firewall (at least that's the case if strict TCP header checking is enabled); other TCP packets that do not belong to any existing tracked connection are labelled with connection-state invalid.

So by disabling that rule, you allow existing TCP sessions to survive a VRRP failover, but at the same time you open the way for some TCP attacks (I assume the same to happen for SCTP but that one is used quite rarely on the internet).

Hence the first question is whether you run RouterOS 7 on both your physical routers and if yes, whether connection tracking synchronisation from active to standby is enabled.
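One way to act on that question, as an added example rather than anything posted in the thread: enable the RouterOS 7 connection-tracking synchronisation on the VRRP interface and put a logging rule in front of the drop-invalid rule so that post-failover drops are visible in the log instead of showing up only as hung browser sessions. The interface name vrrp1, the log prefix and the comment are assumptions. Note that sindy's later reply in this thread reports the synchronisation still misbehaving on 7.13.4 (sessions still dropped, master at 100 % CPU), so treat this as the thing to test and report to MikroTik support, not as a verified fix.

```routeros
# RouterOS 7 only: replicate the master's connection-tracking table to the backup,
# so mid-stream TCP packets arriving after a failover are matched as "established"
# rather than "invalid". Must be set on the VRRP interface of BOTH routers.
/interface vrrp set [find name="vrrp1"] sync-connection-tracking=yes

# Keep the drop-invalid rule (it is what stops spoofed mid-stream TCP segments),
# but log first so a failover problem is diagnosable. Order matters: log, then drop.
/ip firewall filter add chain=forward connection-state=invalid action=log \
    log-prefix="fwd-invalid" comment="diagnostic, remove when done"
/ip firewall filter add chain=forward connection-state=invalid action=drop

# Verify replication BEFORE pulling a cable: open a long-lived TCP session through
# the master, then on the BACKUP router confirm the entry has arrived.
/ip firewall connection print where protocol=tcp && tcp-state=established

# After a failover, anything the new master still considers invalid shows up here;
# SYN-less TCP segments from sessions that were not replicated are the signature.
/log print where message~"fwd-invalid"
```

If the backup router shows no established TCP entries while the master does, synchronisation is not working and every pre-existing TCP session will be dropped by the invalid rule on failover, exactly as alexv305 observed; disabling the rule is then a choice between session survival and protection against spoofed TCP segments, not a fix.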
 
alexv305
just joined
Posts: 2
Joined: Fri Feb 09, 2024 11:35 pm

Re: VRRP and ISP failover?

Sat Feb 10, 2024 7:53 pm

I enabled connection tracking on RTR1's VRRP1 interface.
Same thing happens as before, when RTR1's default route fails to the secondary route (which is RTR2), the drop INVALID rule on RTR1 is blocking the traffic to RTR2.
If I disable the drop INVALID rule on RTR1 traffic flows as it should.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP and ISP failover?

Tue Feb 13, 2024 9:33 am

I enabled connection tracking on RTR1's VRRP1 interface.
Same thing happens as before
In the meantime I gave it a try too, running 7.13.4 on a pair of CHRs, and got the same results (plus, like months before, the router acting as VRRP master goes to 100 % of CPU usage). So there is still an issue with this feature - if you want to use it in production, open a support case with Mikrotik and follow their instruction (providing supout.rif from both machines will be their first requirement). Discussing it further on the forum will not help resolve it.

If I disable the drop INVALID rule on RTR1 traffic flows as it should.
Yes, for the reasons and with the drawbacks explained earlier. I'm afraid there is no workaround that would not lower the protection against TCP spoofing attacks, which is the sole purpose of the "drop invalid" rule.
