 
jonlachmann
just joined
Topic Author
Posts: 1
Joined: Thu Sep 15, 2022 11:36 am

Two routers with VRRP and OpenVPN servers - Routing problems.

Thu Sep 15, 2022 11:56 am

Hello,

The company I work for bought two CCR2004 routers to be used in a small deployment of servers at a colocation center. I have been tasked to set them up, and have managed to get most things to work as we want. So far I am quite impressed with the routers and the RouterOS software, even if it requires quite some knowledge some of the time to get right.

A brief overview of the setup is that we have three external IPs: router-01 is on ext.2, router-02 is on ext.3 and they have VRRP on ext.1. Internally we have a VLAN with a similar setup: router-01 is on 192.168.1.2, router-02 is on 192.168.1.3 and they have VRRP on 192.168.1.1. There is also a second VLAN internally with a similar setup.

Each router is also running an OpenVPN server which can be accessed by connecting to its external IP. Router-01 has an OpenVPN IP at 192.168.101.1/24 and a pool for clients on the same subnet. This is mirrored on router-02, but the network used is 192.168.102.0/24. To allow packets to reach back to the VPN clients from the main VLAN, I have put a route on each router: router-01 routes 192.168.102.0/24 to 192.168.1.3, i.e. router-02, and router-02 routes 192.168.101.0/24 to 192.168.1.2, i.e. router-01. All corresponding to which router the VPN client would be on.

This works fine when I am connected to the router that is currently VRRP master on the internal network. However, when I connect to the one that is currently backup, the packets do not find their way back to me. If router-01 is master, I connect over OpenVPN to router-02, and ping something on 192.168.1.123, the ping reply gets stuck on router-01 and is dropped as invalid. Looking at the packet log I can see that it had vlan2 (i.e. the one that has no route for the VPN) as out-interface.

My questions are: is this a sound setup overall? Am I doing something wrong in terms of having two routers with VRRP but also running OpenVPN on each of them? How can I get routing to work such that both OpenVPN servers work? Let me know if I should supply more information; I am a bit new to all this, so I am not completely sure which information to include.

Best regards, Jon
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two routers with VRRP and OpenVPN servers - Routing problems.

Thu Sep 15, 2022 10:23 pm

Is this a sound setup overall?
On pure routers (i.e. ones not acting as a firewall), the setup you describe would work fine - both routers have an individual address in 192.168.1.0/24 so both can send packets to any host in that subnet, and since router-01 has a route to 192.168.102.0/24, if that host in 192.168.1.0/24 sends a response via the virtual gateway which is currently up on router-01, router-01 can forward that response to router-02. However, since firewalls are active there, and the ping response is the first packet of that "connection" that router-01 has seen (because the ping request has bypassed it), the firewall will not permit the response to pass.

You have multiple possibilities for how to deal with this - you can
  • add a couple of rules to the firewalls, permitting this response traffic (basically permitting anything from 192.168.1.0/24 to 192.168.101.0/24 or 192.168.102.0/24)
  • activate synchronization of connection tracking data between the two routers. This functionality is only available in RouterOS 7 and some fixes to it have been added recently - ROS 7.5 if I remember correctly. You have to activate connection tracking data synchronization at just one of the VRRP interfaces on each router (the "same" one at both routers).
  • choose yet another approach to avoid upgrading to ROS 7 if you are lucky enough to be able to run RouterOS 6 on the 2004s. Instead of having individual addresses from 192.168.1.0/24 on the "physical" interfaces, and the virtual one (192.168.1.1) attached to the VRRP interfaces as a /32 one, you can attach individual IP addresses from some other subnet, even /32 ones, to the physical interfaces, and attach 192.168.1.1 as a /24 one to the VRRP interfaces. This way, only the router on which the VRRP interface is currently up will have an active route to 192.168.1.0/24; if you combine that with OSPF, that router will advertise that subnet to the other one. So if the OpenVPN client of router-02 sends something to a destination in 192.168.1.0/24 while the VRRP interface is active on router-01, router-02 will have to send it via router-01, so both router-02 and router-01 will see both the request and the response. For OSPF, you need the interconnection network between the routers to be a /30 or larger one. I'd suggest using a dedicated VLAN to host that interconnection subnet rather than reusing the one to which the VRRP interface for 192.168.1.1/24 is attached, as that way you will also avoid the redirection that would take place otherwise (if a router finds out that it forwards the packet out through the same interface through which it came in, it informs the sender that there is a better gateway accessible through the same interface, which sometimes causes issues if the IP address of the "better gateway" is outside the source subnet of the packet - which would be the case if you had two subnets attached to the same interface).
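To make the first two options concrete for the addressing used in this thread, here is an added RouterOS CLI fragment; it is example configuration, not taken from the thread or from either router. The interface names vlan1 and vrrp-vlan1, the presence of the usual established/related and invalid rules, and the RouterOS 7 VRRP parameter name sync-connection-tracking are assumptions.

```routeros
# Option 1: on router-01, permit the reply traffic it never saw the request for.
# Interface names (vlan1, vrrp-vlan1) are assumed; adjust to the real ones.
/ip firewall filter
# Typical stateful rules, shown only to make the required ordering explicit.
add chain=forward action=accept connection-state=established,related
# Log what is being dropped first, so the asymmetric flows can be confirmed
# (the ping replies from the question show up with this prefix) before opening anything.
add chain=forward action=log connection-state=invalid log-prefix="asym-invalid"
# Accept replies from the main VLAN towards router-02's VPN clients. Pinning both
# in-interface and out-interface keeps the exception to this one hairpin path
# instead of allowing any traffic to 192.168.102.0/24 from anywhere.
add chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.102.0/24 in-interface=vlan1 out-interface=vlan1 comment="reply path to router-02 OpenVPN clients"
# The accept above must be placed before this drop, otherwise it is never reached.
add chain=forward action=drop connection-state=invalid

# Mirror rule for router-02, pointing at router-01's VPN subnet.
add chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.101.0/24 in-interface=vlan1 out-interface=vlan1 comment="reply path to router-01 OpenVPN clients"

# Option 2 (RouterOS 7 only, per the answer): synchronise connection tracking on one
# VRRP interface per router (the same one on both), so router-01 already has the
# connection entry when the reply arrives and no stateless exception is needed.
/interface vrrp set [find name=vrrp-vlan1] sync-connection-tracking=yes

# Verification on router-01 after a client of router-02 pings 192.168.1.123:
# with option 2 the entry appears here too; with option 1 the log stays quiet.
/ip firewall connection print where dst-address~"^192\\.168\\.102\\."
/log print where message~"asym-invalid"
```

With option 1 the replies are still tracked as invalid on router-01; the rule only lets them through, so leave the log rule in place until you have confirmed nothing else matches it.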
