Hello guys
I'm being asked to add a second MikroTik as a gateway to both internal LANs using both VRRP and ISP failover as per the network diagram below. Any hints on how to implement this?
Thanks for any help.
Mauricio
The segregation of traffic over two separate ISP links has "nothing" to do with VRRP.
Would that achieve the objective of having each subnet using a separate ISP link?
Dear ConnyMercier,
I recommend configuring Router A (RB3011) and Router B (RB450)
before even starting with the VRRP setting.
Step 1: Configure Basic LAN-Network (IP-Address)
Router A: ether10 --> 172.16.15.251/20
Router B: ether5 --> 172.16.15.252/20
Step 2: Configure Main-ISP
Configure Router A and Cable-ISP
Configure Router B and Fiber-ISP
*like you would normally do ...
Step 3: Configure Backup-ISP
Configure Router A with Router B as Backup-ISP
Config example: /ip route add distance=100 gateway=172.16.15.252
Configure Router B with Router A as Backup-ISP
Config example: /ip route add distance=100 gateway=172.16.15.251
Step 4: Test ISP-Backup
Check if Failover works!
Example:
Ping 8.8.8.8 via Router A
Disconnect Cable-ISP from Router A
It should switch over to Router B
(some pings may fail during the failover)
Step 5: VRRP
Router A:
/interface vrrp add interface=ether10 name=vrrp1 priority=200 vrid=55
/ip address add address=172.16.15.254 interface=vrrp1 network=172.16.15.254
Router B:
/interface vrrp add interface=ether5 name=vrrp1 priority=100 vrid=55
/ip address add address=172.16.15.254 interface=vrrp1 network=172.16.15.254
Summary:
Router A is always the Main VRRP-Router
When Router A is active (vrrp) Cable-ISP is primary and Fiber-ISP is failover
When Router B is active (vrrp) Fiber-ISP is primary and Cable-ISP is failover
After everything works, simply repeat the process for every LAN network
/ip firewall filter add action=drop chain=forward connection-state=invalid
I dare to answer although I'm obviously not @ConnyMercier
Any idea what causes this?
In the meantime I gave it a try too, running 7.13.4 on a pair of CHRs, and got the same results (plus, like months before, the router acting as VRRP master goes to 100 % of CPU usage). So there is still an issue with this feature - if you want to use it in production, open a support case with Mikrotik and follow their instructions (providing supout.rif from both machines will be their first requirement). Discussing it further on the forum will not help resolve it.
I enabled connection tracking on RTR1's VRRP1 interface.
Same thing happens as before
Yes, for the reasons and with the drawbacks explained earlier. I'm afraid there is no workaround that would not lower the protection against TCP spoofing attacks, which is the sole purpose of the "drop invalid" rule.
If I disable the drop INVALID rule on RTR1, traffic flows as it should.