CR24
Frequent Visitor
Topic Author
Posts: 61
Joined: Wed Dec 04, 2013 10:32 pm

VRRP on WAN

Tue May 16, 2023 1:10 am

Hello!

I have VRRP working great on my LAN, but is VRRP possible on WAN connections?

R1
/ip address
add address=192.168.50.2 interface=WAN-VRRP network=192.168.50.2
add address=192.168.50.3 interface=WAN-VRRP network=192.168.50.3
add address=192.168.50.4 interface=WAN-VRRP network=192.168.50.4
add address=192.168.50.5/29 interface=WAN network=192.168.50.0

R2
/ip address
add address=192.168.50.2 interface=WAN-VRRP network=192.168.50.2
add address=192.168.50.3 interface=WAN-VRRP network=192.168.50.3
add address=192.168.50.4 interface=WAN-VRRP network=192.168.50.4
add address=192.168.50.6/29 interface=WAN network=192.168.50.0

/interface vrrp
add interface=WAN name=WAN-VRRP version=2 vrid=2

I tried this setup, but I could not route to my ISP utilizing the IPs on the VRRP interface.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP on WAN

Tue May 16, 2023 2:49 am

I'm not sure why you have 3 addresses for VRRP. So what are you trying to do?

Assuming you have one ISP with a /29... In theory, each router gets one public, and the VRRP WAN gets one... so 3 publics needed. And you need a src-nat rule to use the VRRP address as src-address.

Basically something like this:
:global "vrrp-public-IP-address" 2.2.2.2

/ip firewall nat
add action=src-nat chain=srcnat comment="enabled if master" disabled=yes ipsec-policy=out,none out-interface=ether1 to-addresses=$"vrrp-public-IP-address"
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/interface vrrp add interface=ether1 name=vrrp-wan \
    on-backup="/ip firewall nat disable [find comment~\"if master\"] " \
    on-master="/ip firewall nat enable [find comment~\"if master\"] " 
(In theory you should be able to use pref-src= on an IP route but that doesn't work for a /32 VRRP address for some unknown reasons... but even if it did...you need a script on the VRRP interface to change routing if not master.)

Something to consider is you might be able to use VRRP connection tracking sync... In that case, you'd need a route to the "brother" router's WAN IP with a higher distance= and disable the /ip/route to the WAN gateway on the /29 in the VRRP on-backup/on-master script as well (e.g. so WAN traffic flows out the router that's the VRRP WAN master, thus connections sync'ed will continue to work). But I'd like to understand the use case before getting into the more complex connection syncing...

Also if you're doing VRRP on WAN, you likely should also do it on the LAN/VLAN side, so that they can actually take advantage of the multiple routers.
 
CR24
Frequent Visitor
Topic Author
Posts: 61
Joined: Wed Dec 04, 2013 10:32 pm

Re: VRRP on WAN

Tue May 16, 2023 2:57 am

Yes, it's a single ISP with a /29 handoff. I have 3 IPs on VRRP because I have each IP dedicated to an app on my LAN, and I have dst nat rules on each of those IPs as well. Is it not possible to utilize multiple IPs?

I am using these masq rules.

/ip firewall nat
add action=masquerade chain=srcnat comment="VRRP-NAT" out-interface=WAN-VRRP
add action=masquerade chain=srcnat comment="NAT" out-interface=WAN

The first rule is not "working" as the counter is not increasing.
Last edited by CR24 on Tue May 16, 2023 3:09 am, edited 1 time in total.
 
CR24
Frequent Visitor
Topic Author
Posts: 61
Joined: Wed Dec 04, 2013 10:32 pm

Re: VRRP on WAN

Tue May 16, 2023 3:08 am

I added this rule, and it's now routing out with the VRRP IP.

/ip firewall nat
add action=src-nat chain=srcnat comment="VRRP SRC NAT" out-interface-list=WAN-LIST to-addresses=192.168.50.2

Do I just need to src nat for each of the IPs?
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP on WAN

Tue May 16, 2023 3:09 am

Yup.

Same deal, you need to handle the app-specific usage of the public IP in multiple/different "/ip/firewall/nat action=src-nat to-addresses=<vrrp-ip-to-use> comment="if master"..." (e.g. with NAT rule having filters based on outbound IP/port to determine the VRRP address to use – otherwise the first will win if all same).

The other approach would be to use routing rules/tables with a /ip/route/... pref-src=<vrrp> in different route tables, but I'm pretty sure pref-src is broken in V7. So the NAT approach is likely the best right now.

Also...VRRP may support multiple homing IP addresses...But I think you need three VRRP interfaces (each with different ID) and set the "group master" on two of the VRRP interfaces to the same one (that has none as the group master).
 
CR24
Frequent Visitor
Topic Author
Posts: 61
Joined: Wed Dec 04, 2013 10:32 pm

Re: VRRP on WAN

Tue May 16, 2023 3:12 am

Awesome, I will try the 3 Interfaces and see if that works any better.

Thanks for your help.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP on WAN

Tue May 16, 2023 3:18 am

Good luck. Basic trick is to src-nat to the VRRP address and disable via the on-master/on-backup VRRP scripts. With 3, it'd have to be the destination that determines which of the 3 WAN VRRP addresses to use – otherwise you can't create a matching filter in /ip/firewall/nat...

If you have multiple IPs on one VRRP, that very well may work...but if you run into trouble, create one vrrp interface per IP as suggested above.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP on WAN

Tue May 16, 2023 3:31 am

FWIW, this doesn't work since traffic doesn't actually use the WAN-VRRP interface, it's going out the /29 WAN interface (e.g. parent of the VRRP interface). The gateway isn't in the VRRP /32 ;)...
/ip firewall nat
add action=masquerade chain=srcnat comment="VRRP-NAT" out-interface=WAN-VRRP

The first rule is not "working" as the counter is not increasing.
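
The two failure modes discussed in this thread can be checked offline against a router's configuration export. The following is an added example, not code from any poster or from MikroTik: the names `parse_export` and `audit_vrrp_nat` are hypothetical, the sample export is constructed from the rules quoted above, and it assumes `/export`-style text with each menu path on its own line.

```python
import re
import shlex

# Constructed sample in /export style, modelled on the rules quoted in this thread.
SAMPLE_EXPORT = r'''
/interface vrrp
add interface=WAN name=WAN-VRRP version=2 vrid=2
/ip address
add address=192.168.50.2 interface=WAN-VRRP network=192.168.50.2
add address=192.168.50.5/29 interface=WAN network=192.168.50.0
/ip firewall nat
add action=masquerade chain=srcnat comment="VRRP-NAT" out-interface=WAN-VRRP
add action=masquerade chain=srcnat comment="NAT" out-interface=WAN
add action=src-nat chain=srcnat comment="VRRP SRC NAT" \
    out-interface-list=WAN-LIST to-addresses=192.168.50.2
'''

def parse_export(text):
    """Return [(menu, params)] for each 'add' line; joins backslash continuations."""
    entries, menu = [], None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            toks = shlex.split(line[4:])
            entries.append((menu, dict(t.split("=", 1) for t in toks if "=" in t)))
    return entries

def audit_vrrp_nat(text):
    """Return [(rule comment, problem)] for srcnat rules on a VRRP WAN."""
    entries = parse_export(text)
    vrrp = {p["name"]: p for m, p in entries if m == "/interface vrrp" and "name" in p}
    # Addresses bound to a VRRP interface, mapped to that interface's name.
    vips = {p["address"].split("/")[0]: p["interface"] for m, p in entries
            if m == "/ip address" and p.get("interface") in vrrp}
    findings = []
    for menu, p in entries:
        if menu != "/ip firewall nat" or p.get("chain") != "srcnat":
            continue
        label = p.get("comment", "(no comment)")
        if p.get("out-interface") in vrrp:
            # Traffic leaves through the parent interface, so this never matches.
            parent = vrrp[p["out-interface"]].get("interface")
            findings.append((label, f"never matches: traffic egresses parent {parent}"))
        owner = vips.get(p.get("to-addresses"))
        if owner and not (vrrp[owner].get("on-master") and vrrp[owner].get("on-backup")):
            findings.append((label, f"not toggled by VRRP state: {owner} lacks on-master/on-backup"))
    return findings

if __name__ == "__main__":
    for label, problem in audit_vrrp_nat(SAMPLE_EXPORT):
        print(f"{label}: {problem}")
```
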