haris013
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Jun 18, 2018 2:13 am

VRRP and Bridge VLAN filter between 2 routers

Mon Sep 12, 2022 3:21 pm

Hello,

I have a CCR2004 running 1 WAN and 3 VLANs using the bridge VLAN filtering method. There are no trunk ports, only access ports. The VLANs are running as below:

ether2 is VLAN10 access port
ether3 is VLAN20 access port
ether4 is VLAN30 access port

Ether2, 3 & 4 are connected to an individual unmanaged switch each.

I want to add a second CCR2004 for high availability and redundancy. For example, when router 1 is updating or rebooting, I want all clients and PCs to run automatically from router 2.

Is it possible to have VRRP between 2 CCR2004 using the same configuration at VLANs and when the master router is down, all the traffic and VLANs continue working from Backup router?

I am adding a diagram for more explanation
Image
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP and Bridge VLAN filter between 2 routers

Mon Sep 12, 2022 4:14 pm

The simple answer is yes; a more in-depth answer must take into account whether or not you use a stateful firewall and, if you do, whether it is an issue if some existing client sessions get dropped when the traffic fails over to another router. Synchronization of connection tracking state between two routers is quite a fresh feature in RouterOS, so surprises are possible.

Other than that, just attach an /interface vrrp to each /interface vlan on the LAN side. As you don't state anything regarding the WAN side (if there is any), it is not possible to suggest anything.
 
haris013
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Jun 18, 2018 2:13 am

Re: VRRP and Bridge VLAN filter between 2 routers

Mon Sep 12, 2022 11:41 pm

> The simple answer is yes; a more in-depth answer must take into account whether or not you use a stateful firewall and, if you do, whether it is an issue if some existing client sessions get dropped when the traffic fails over to another router. Synchronization of connection tracking state between two routers is quite a fresh feature in RouterOS, so surprises are possible.
>
> Other than that, just attach an /interface vrrp to each /interface vlan on the LAN side. As you don't state anything regarding the WAN side (if there is any), it is not possible to suggest anything.

The WAN is one and the same at both routers.

Is it possible to set up VRRP at "device" level and not at each interface? For example, when router 1 is turned off, all the traffic and services continue working from router 2?
 
AidanAus
Member Candidate
Posts: 177
Joined: Wed May 08, 2019 7:35 am
Location: Australia

Re: VRRP and Bridge VLAN filter between 2 routers

Tue Sep 13, 2022 5:20 am

I would recommend looking at how VRRP works: https://wiki.mikrotik.com/wiki/Manual:I ... RFC%205798.

The gist of it is that you need to hook the routers up together so they can become aware when the other is online and offline. What you end up doing is setting up a point-to-point or a /32 'range' between them so they can talk to each other, and then you end up giving them both the same IP address.
What happens is that while both devices are running you will have a main and a secondary; a couple of seconds after the main is unreachable, the secondary will take over by now using the duplicate /24 address that you gave it.

This is why my fellow forum users brought up the connection tracking, since when the main router goes down all the traffic will go to the second without being aware of much other than a MAC address change in their ARP table. Without syncing the connection tracking (if you are using a stateful firewall), when the traffic fails over the router will have no clue of any existing connections the client was trying to use and it all goes pear-shaped.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRRP and Bridge VLAN filter between 2 routers

Tue Sep 13, 2022 2:04 pm

> The WAN is one and the same at both routers.
>
> Is it possible to set up VRRP at "device" level and not at each interface? For example, when router 1 is turned off, all the traffic and services continue working from router 2?

It is not possible to have a "centralized" VRRP, but you can use one VRRP as a controlling one for all the other ones by means of scripts associated to state changes that change the priority of the other ones. Or even a more complex setup (if any of the interfaces that should be in backup mode when everything works changes state to master, it adjusts the priorities of all the other ones to become masters as well) is possible, but it is very easy to get lost. So it is much better to have an interconnection network between the routers so that the VRRP state at the WAN side can be independent from the VRRP state at the LAN side. But a lot depends on the physical topology of your network; in many networks there are multiple LANs and routing among them needs to be provided too. E.g. in your case, the WireGuard client subnet is effectively another LAN.

So when I do this type of setup, I use /32 addresses in an auxiliary subnet for the VRRP protocol itself, and assign the virtual address with a shorter mask, so the connected subnet is only active at the router that is a VRRP master, and propagated from there using OSPF to the other router. The WireGuard interface, however, stays up all the time no matter how many clients are connected to it, so you'd have to use the script attached to the VRRP WAN interface to enable and disable the WireGuard interface in order to let it be propagated only from the router that is a VRRP master on WAN.

There is also the completely different approach where VRRP is only used as a means to let both routers know about each other's state.
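
The setup described in the post above (auxiliary /32 addresses for the VRRP protocol, virtual addresses with the LAN mask, state-change scripts on a controlling instance and on the WAN instance), written out for the backup router as an added example; it is not configuration posted by anyone in the thread. Interface names, VRIDs, priorities and all addresses are constructed, ether1 as the WAN port is an assumption, OSPF is left out, and the connection-tracking sync line assumes RouterOS 7.

```routeros
# Router 2 (backup). All names, VRIDs, priorities and addresses are constructed.
# Assumed to exist already: vlan10/vlan20/vlan30 on the bridge, ether1 as WAN
# (its addressing is site-specific and not shown), wireguard1.

# /32 addresses from an auxiliary subnet, used only by the VRRP protocol itself
# (router 1 uses 10.255.x.1)
/ip address
add address=10.255.10.2/32 interface=vlan10
add address=10.255.20.2/32 interface=vlan20
add address=10.255.30.2/32 interface=vlan30

# One VRRP instance per VLAN; router 1 has the same vrid values with priority=200
/interface vrrp
add name=vrrp10 interface=vlan10 vrid=10 priority=100
add name=vrrp20 interface=vlan20 vrid=20 priority=100
add name=vrrp30 interface=vlan30 vrid=30 priority=100

# Virtual gateway addresses carry the real LAN mask and are identical on both
# routers, so the connected subnet is active only on the current master
/ip address
add address=192.168.10.1/24 interface=vrrp10
add address=192.168.20.1/24 interface=vrrp20
add address=192.168.30.1/24 interface=vrrp30

# vrrp10 as the controlling instance: when it becomes master here, raise the
# other instances above router 1's priority so they follow; restore on backup
/interface vrrp
set [find name=vrrp10] \
    on-master="/interface vrrp set [find name=vrrp20] priority=250; /interface vrrp set [find name=vrrp30] priority=250" \
    on-backup="/interface vrrp set [find name=vrrp20] priority=100; /interface vrrp set [find name=vrrp30] priority=100"

# Stateful firewall: sync connection tracking with the peer (RouterOS 7);
# set on both routers, each pointing at the other's auxiliary /32
set [find name=vrrp10] sync-connection-tracking=yes remote-address=10.255.10.1

# WAN-side VRRP enables WireGuard only on the router that is master on WAN
add name=vrrp-wan interface=ether1 vrid=1 priority=100 \
    on-master="/interface wireguard enable [find name=wireguard1]" \
    on-backup="/interface wireguard disable [find name=wireguard1]"
```

With the scripts in place, `/interface vrrp print` on each router after pulling one LAN link shows whether all three LAN instances changed state together; existing sessions through the firewall are the thing to test separately.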
