AlexS
Member Candidate
Topic Author
Posts: 284
Joined: Thu Oct 10, 2013 7:21 am

VRRP question

Fri Oct 11, 2013 7:30 am

Hi

Newbie here, I just installed 2 routers into an ESX VM (2 CPU, 512 MB, 8 GB HD).

#rtr1
##
/interface ethernet
set 0 speed=1Gbps
set 1 speed=1Gbps
/interface vrrp
add interface=ether1 name=vrrp1 priority=105
/port
set 0 name=serial0
set 1 name=serial1
/ip address
add address=10.172.213.253/24 interface=ether1 network=10.172.213.0
add address=10.172.213.254/32 interface=vrrp1 network=10.172.213.254
/ip route
add comment="added by setup" distance=1 gateway=10.172.213.1

# rtr2
###
/interface ethernet
set 0 speed=1Gbps
set 1 speed=1Gbps
/interface vrrp
add interface=ether1 name=vrrp1
/port
set 0 name=serial0
set 1 name=serial1
/ip address
add address=10.172.213.252/24 comment="added by hand" interface=ether1 network=10.172.213.0
add address=10.172.213.254/32 interface=vrrp1 network=10.172.213.254
/ip route
add comment="added by hand" distance=1 gateway=10.172.213.1

I can't ping the VRRP IP 10.172.213.254 from the slave, nor can I ping it from my other machines...

From 10.172.213.1 (Cisco switch) I try pinging: I can ping 10.172.213.252 & 10.172.213.253 but not 10.172.213.254.
Interestingly, I can see the ARP address in the Cisco switch ARP table assigned to 10.172.213.24

So is this a VM issue? (I use Pacemaker, a cluster framework on Linux, for a floating VIP, but it uses the same MAC address for the VIP.)
If it's a VM thing then I would point my finger at the MAC address... but I think I have done something similar with other set-ups.
 
PhilB
just joined
Posts: 21
Joined: Tue Jun 05, 2012 10:00 pm

Re: VRRP question

Sat Oct 12, 2013 9:00 am

Pretty sure VMware by default won't let guests transmit traffic for unknown (e.g. not assigned by VMware) MACs. You'll need to change the port security options on your dvswitch.

 
mp3turbo
newbie
Posts: 30
Joined: Fri May 29, 2009 9:24 pm

Re: VRRP question

Sat Oct 12, 2013 5:28 pm

Exactly right. Though I wouldn't change the dvswitch settings (it doesn't matter if the author has a distributed vSwitch or a standard vSwitch), because this will change the DEFAULT behaviour, which influences ALL virtual machines; it seems like the author of this topic has only one port group for virtual machines there so far.

I would say that it is much better to create a new Port Group in the networking configuration of your vSwitch: this port group will be dedicated to MikroTik VRRP virtual machines only. You HAVE TO ALLOW "MAC Address Changes" and "Forged Transmits" for this port group and assign both VRRP virtual machines there instead of to the default VM Network port group.

VMware and its absolutely correct default security policy is stopping your VRRP from working. They disable changing the MAC address by default, and they disable a virtual machine sending packets with a MAC address different from the allocated one.



Edit: Alex is right, it seems like Promiscuous Mode has to be enabled, too. I tested it now and enabling MAC Address Changes and Forged Transmits is not enough.
Last edited by mp3turbo on Sun Oct 13, 2013 10:48 am, edited 1 time in total.
 
AlexS
Member Candidate
Topic Author
Posts: 284
Joined: Thu Oct 10, 2013 7:21 am

Re: VRRP question

Sun Oct 13, 2013 1:27 am

Hi

Yes, exactly. Sorry for the late reply, I didn't have email notification turned on!

Strangely though, MS Network Load Balancing uses multicast MACs and I didn't have to turn on promiscuous mode on the vSwitch... it just worked, with a NIC overloaded with MAC addresses.

Thanks for the replies.

Just for the record, the way I made the change was to allow promiscuous mode on the vSwitch!

I have to investigate limiting it to just that set of VMs.

A
 
PhilB
just joined
Posts: 21
Joined: Tue Jun 05, 2012 10:00 pm

Re: VRRP question

Sun Oct 13, 2013 6:43 am

Sorry, when I said reconfigure the vSwitch, I did mean the port group. Shorthand thinking became shorthand writing; we don't use VMware without port groups (does anyone?)

 
AlexS
Member Candidate
Topic Author
Posts: 284
Joined: Thu Oct 10, 2013 7:21 am

Re: VRRP question

Thu Oct 17, 2013 3:17 am

Got another interesting problem from my VRRP setup.

So I have

cisco1 rtr01 vlan13 cs3
cisco2 vlan9 rtr02 vlan13 cs4



cisco1 & 2, connected to vlan9, have an HSRP .1 with .2 and .3 making up the real addresses
rtr1&2, connected to vlan9, have a VRRP .254 with .253 & .252 making up the real addresses

I also have OSPF between cisco1&2 and rtr1&2 over vlan9.


rtr1&2, connected to vlan13, have a VRRP .254 with .253 & .252 underneath
cs3 & cs4 have an HSRP .1 with .2 & .3 underneath


Now, the firewall at rtr01&02 allows related and connected, but I have static routes in place on rtr1 and rtr2 to send (let's say) 60.60.0.0/24 via the cs3&4 HSRP .1.
These static routes are redistributed via OSPF.

The problem is:
cs1 has a path to 60.60.0.0/24 via rtr1
cs2 has a path to 60.60.0.0/24 via rtr2

packets from cs1 leave via rtr1
packets from cs2 leave via rtr2

But return packets go via the VRRP address, which will only be on 1 router... so now I have a problem with my connection tracking, as the packet coming back doesn't relate to a connection!

What I want to do is attach the static routes to the owner of the VRRP IP.

So (as a newbie), I guess I can write a script to fire when a router becomes a backup, i.e. remove the static routes, and when it becomes master, install the routes.

As there is no "no" command, how do I remove a specific route from the route table... something like remove [ find dst-address=.... ] and do that for each of the 15 addresses?


Note I am in the process of getting rid of the static routes; we are going to peer with BGP. But I still run into the problem of asymmetrical paths and connection tracking!!!!
 
PhilB
just joined
Posts: 21
Joined: Tue Jun 05, 2012 10:00 pm

Re: VRRP question

Fri Oct 18, 2013 3:36 am

You're going to need to do something like change the weight on the announcement from whichever router is presently VRRP master to attract the traffic (or make the VRRP slave withdraw its announcement), if you need traffic to flow in both directions across the same firewall. I should imagine this is scriptable, somehow.

 
PhilB
just joined
Posts: 21
Joined: Tue Jun 05, 2012 10:00 pm

Re: VRRP question

Fri Oct 18, 2013 3:37 am

(If you end up using iBGP, then it's the MED you'll want to change to influence the traffic in a BGP route selection tie like your network would have.)

 
AlexS
Member Candidate
Topic Author
Posts: 284
Joined: Thu Oct 10, 2013 7:21 am

Re: VRRP question

Fri Oct 18, 2013 4:01 am

Thanks

I am sticking to

eBGP for ext
OSPF for int

Having said that, the static route thing is going to be a short-lived problem. But the asymmetrical one might not be; coming to terms with it on the firewall, I am dropping the "drop invalid" line and limiting it to dropping SYN packets and allowing non-SYN TCP... not sure what I am going to do with UDP, I will investigate that as needed.

So, what I have done in the interim:

1) Created 2 scripts: one removes all the static routes, the other adds them back in.
2) I have attached these scripts to on-master and on-backup, and the event trigger seems to do what I want.

:)
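One way to build the on-master/on-backup scripts described in this post (and to answer the earlier question of how to remove a specific route without a "no" command): an added RouterOS example, not AlexS's own scripts. It assumes the tracked static routes carry a marker comment so `find` can select them; the prefixes, gateway and script names are constructed placeholders.

```routeros
# Added example (not from this thread). Tag the routes that must follow the
# VRRP master with a comment so the scripts can find them as a group,
# rather than listing every dst-address by hand. Prefixes and gateway are
# constructed placeholders; replace them with the routes sent via the HSRP .1.
/system script
add name=vrrp-routes-master source={
    # Re-install each tracked route on the new master; skip ones already present
    :foreach prefix in={"60.60.0.0/24";"60.60.1.0/24"} do={
        :if ([:len [/ip route find dst-address=$prefix comment="vrrp-tracked"]] = 0) do={
            /ip route add dst-address=$prefix gateway=10.13.0.1 comment="vrrp-tracked"
            :log info ("vrrp master: installed route " . $prefix)
        }
    }
}
add name=vrrp-routes-backup source={
    # Withdraw the tracked routes so OSPF stops redistributing them from the
    # backup; forward and return traffic then stay on the router that owns the
    # VRRP address, so connection tracking sees both directions of each flow.
    /ip route remove [find comment="vrrp-tracked"]
    :log info "vrrp backup: removed tracked routes"
}
# Fire the scripts on state transitions of the VRRP interface from the first post
/interface vrrp
set [find name=vrrp1] on-master="/system script run vrrp-routes-master" \
    on-backup="/system script run vrrp-routes-backup"
```

Check the result with `/ip route print where comment="vrrp-tracked"` on each router after forcing a failover: only the current master should list the routes.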
 
AlexS
Member Candidate
Topic Author
Posts: 284
Joined: Thu Oct 10, 2013 7:21 am

Re: VRRP question

Wed Jan 15, 2014 3:43 am

I have revisited this.

So, VRRP on a VM on ESX.

I stopped using VRRP; I didn't want to turn on promiscuous mode for my vSwitches and I didn't want to create a separate port group.....

But I have found that VRRP is going to be handy again, so I went looking, and also went looking to see how I can do tagging to the VM as well.

So I found this article http://vmnomad.blogspot.com.au/2011/07/ ... an-id.html
and http://kb.vmware.com/selfservice/micros ... Id=1003806

where it talks about Virtual Guest Tagging (VGT), which gets around the need to have promiscuous mode!!!!

So I need to test this, as I haven't used a tagged interface in RouterOS, but I presume it works the same as the other ones, so.... this is looking real good.

My only concern now is 1 interface for all the VLANs :( As I am using an E1000 and RouterOS has no native NIC driver, I am concerned about performance...

EDIT
Having done some more reading and thinking about it, I think I will not use VLAN 4095, as I have too much traffic to be mirrored; but a new port group for RouterOS with promiscuous mode allowed sounds like the way to go.

A