cabaye
just joined
Topic Author
Posts: 1
Joined: Tue Jan 10, 2023 11:23 pm

Routerboard replies to DNS requests to VRRP IP with local IP, not VRRP IP

Thu Jan 12, 2023 3:33 am

Hi,

I have two RB5009s configured essentially per https://wiki.mikrotik.com/wiki/Manual:V ... asic_Setup except that there are two VRRP interfaces, each preferring one of the routers:
R1:
/ip address add address=192.168.1.3/24 interface=bridge
/interface vrrp add interface=bridge vrid=1 priority=254 name=vrrp1
/ip address add address=192.168.1.1/32 interface=vrrp1
/interface vrrp add interface=bridge vrid=2 priority=154 name=vrrp2
/ip address add address=192.168.1.2/32 interface=vrrp2

R2:
/ip address add address=192.168.1.4/24 interface=bridge
/interface vrrp add interface=bridge vrid=1 priority=154 name=vrrp1
/ip address add address=192.168.1.1/32 interface=vrrp1
/interface vrrp add interface=bridge vrid=2 priority=254 name=vrrp2
/ip address add address=192.168.1.2/32 interface=vrrp2

I can ping the VRRP IPs just fine on both routers from various hosts on the same LAN. However, I cannot successfully request DNS resolution from the VRRP IPs from those same hosts. When I point DNS at a VRRP IP, tcpdump shows the replies coming from the router's local IP and not the VRRP IP.

I found a similar thread from back in 2016 with respect to SNMP against VRRP IPs in viewtopic.php?p=628352#p605812.

However, the solution appears incomplete and does not work for me. I was able to add the new-connection-mark rules but not the new-routing-mark rules described in that topic. When I try to add the new-routing-mark rules, the router complains: input does not match any value of new-routing-mark

/ip/firewall/mangle/add chain=input action=mark-connection new-connection-mark=to_vrrp1 passthrough=yes dst-address=192.168.1.1
/ip/firewall/mangle/add chain=input action=mark-connection new-connection-mark=to_vrrp2 passthrough=yes dst-address=192.168.1.2

I have not found anything else on the forums or elsewhere on the Internet, and have tried creating routing tables, which avoided the complaint but still did not work.

Any help would be greatly appreciated!
 
hyprativa
just joined
Posts: 1
Joined: Fri Aug 04, 2023 8:27 pm

Re: Routerboard replies to DNS requests to VRRP IP with local IP, not VRRP IP

Fri Aug 04, 2023 8:38 pm

Hi,

I had the same problem, where VRRP is working and becoming MASTER, but no response on DNS requests.
I fixed it by creating a simple input chain rule accepting traffic from the VRRP-interface to the router.

add action=accept chain=input in-interface=vrrp_interface

Good luck!
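
A client-side check for the symptom described in the first post (replies arriving from the router's own address instead of the queried VRRP address), added here as an example and not part of either post. The function names and the default query name `example.com` are assumptions; the two addresses in the `__main__` block are the VRRP IPs from the first post.

```python
import secrets
import socket
import struct

def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify_reply(queried_ip: str, txid: int, reply_src: str, reply: bytes) -> str:
    """Judge one received datagram: 'ok', 'wrong-source' or 'unrelated'."""
    if len(reply) < 12:
        return "unrelated"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txid or not flags & 0x8000:   # not our ID, or not a response
        return "unrelated"
    return "ok" if reply_src == queried_ip else "wrong-source"

def probe(server_ip: str, name: str = "example.com", port: int = 53,
          timeout: float = 2.0):
    """Query server_ip and report (verdict, source IP of the reply)."""
    txid = secrets.randbits(16)
    # Deliberately NOT connect()ed: a connected UDP socket only delivers
    # datagrams from the peer address, so the mismatched reply would be
    # dropped silently and look like a timeout.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server_ip, port))
        try:
            while True:
                data, (src, _port) = s.recvfrom(4096)
                verdict = classify_reply(server_ip, txid, src, data)
                if verdict != "unrelated":
                    return verdict, src
        except socket.timeout:
            return "no-reply", None

if __name__ == "__main__":
    # VRRP addresses from the first post; run from a host on that LAN.
    for vip in ("192.168.1.1", "192.168.1.2"):
        print(vip, *probe(vip))
```

A `wrong-source` verdict reproduces what tcpdump showed in the first post; `no-reply` means nothing with the matching transaction ID came back at all.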
