Thu Nov 03, 2022 9:50 am
First, there is a vernacular issue. "connection tracking" in the Linux and Mikrotik environment is a key part of stateful firewall implementation, allowing to identify packets belonging to previously seen TCP sessions, bi-directional UDP flows and alike. Your use of that term suggests that you have in mind monitoring of uplink availability (reachability of the external network via that uplink).
In the VRRP configuration, the configuration item sync-connection-tracking allows the current master router to continuously update the connection tracking table on the backup one, so that the established connections would be deemed established also by the backup one once it eventually becomes a master. This has nothing to do with the uplink availability monitoring.
You can use /tool netwatch to monitor uplink availability by pinging a single IP address with a configurable periodicity and execute a script on state change to "up" and on state change to "down". However, a single canary address may give false alarms (I've even seen Google DNS to stop responding for minutes in multiple countries some weeks ago), and there is a specific handling of privileges for netwatch, hence it is better to use a scheduled script to evaluate the state of multiple netwatch instances and manipulate the VRRP priority accordingly. But once you use a scheduled script, you can use it also to implement your own strategy of pinging (like pinging the canary addresses one by one until the first response rather than pinging all of them all the time) or you can even use a recursive next-hop search rather than netwatch to take care of the uplink availability monitoring, and let the scheduled script monitor only the resulting state of the recursive route. The periodicity of the pings is hardcoded to 10s for the check-gateway process of the recursive routes.
Without synchronized connection tracking, established connections may stop working once the backup router becomes a master; with synchronized connection tracking (not your case), other problems may arise from connections not being removed if there is NAT on the uplink (UDP connections updated from the LAN side keep being src-nated to the dead WAN IP address and thus either the packets sent by your LAN hosts get dropped further in the internet for having an unexpected source IP, or the responses to these packets never reach your router because they are routed via the dead uplink).