Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

VRRP - DHCP Entries On All VLANS

Fri May 03, 2024 9:34 pm

Hey all, I have not worked with VRRP yet, but we are trying to use it to have a backup router at any places that may request to have it. I have a weird issue where every single interface shows an IP address on the DHCP server, and then they will drop off and come back repeatedly. I have set up a floating IP on each network where the gateway address is on the VRRP interface and the routers' IPs are on the VLAN directly. I have posted some snippets from my routers' VRRP/IP addresses below, please let me know if you see anything odd I haven't done correctly! I also attached a SS of the DHCP table and what it's showing.

Routers
-Model CCR2004
-Code 7.14.3 arm64

RM Router
/ip address
add address=10.110.3.253/23 comment=CCTV-Access interface=CCTV-Access network=10.110.2.0
add address=10.110.5.253/24 comment=Clubhouse-Voice interface=Clubhouse-Voice network=10.110.5.0
add address=10.110.6.253/24 comment=Clubhouse-Office-VRRP interface=Clubhouse-Office network=10.110.6.0
add address=10.110.7.253/24 comment=CATV-Management interface=CATV-Management network=10.110.7.0
add address=10.110.10.253/24 comment=LAN-Management interface=LAN-Management network=10.110.10.0
add address=10.110.15.253/22 comment=WiFi-Management interface=WiFi-Management network=10.110.12.0
add address=10.110.2.1 comment=CCTV-Access-VRRP interface=CCTV-Access-VRRP network=10.110.2.0
add address=10.110.5.1 comment=Clubhouse-Voice-VRRP interface=Clubhouse-Voice-VRRP network=10.110.5.0
add address=10.110.6.1 comment=Clubhouse-Office interface=Clubhouse-Office-VRRP network=10.110.6.0
add address=10.110.7.1 comment=CATV-Management-VRRP interface=CATV-Management-VRRP network=10.110.7.0
add address=10.110.10.1 comment=LAN-Management-VRRP interface=LAN-Management-VRRP network=10.110.10.1
add address=10.110.12.1 comment=WiFi-Management-VRRP interface=WiFi-Management-VRRP network=10.110.12.0

/interface vrrp
add interface=CCTV-Access name=CCTV-Access-VRRP vrid=2
add interface=Clubhouse-Voice name=Clubhouse-Voice-VRRP vrid=5
add interface=Clubhouse-Office name=Clubhouse-Office-VRRP vrid=6
add interface=CATV-Management name=CATV-Management-VRRP vrid=7
add interface=LAN-Management name=LAN-Management-VRRP vrid=10
add interface=WiFi-Management name=WiFi-Management-VRRP vrid=12

B Router
/ip address
add address=10.110.3.254/23 comment=CCTV-Access interface=CCTV-Access network=10.110.2.0
add address=10.110.5.254/24 comment=Clubhouse-Voice interface=Clubhouse-Voice network=10.110.5.0
add address=10.110.6.254/24 comment=Clubhouse-Office interface=Clubhouse-Office network=10.110.6.0
add address=10.110.7.254/24 comment=CATV-Management interface=CATV-Management network=10.110.7.0
add address=10.110.10.254/24 comment=LAN-Management interface=LAN-Management network=10.110.10.0
add address=10.110.15.254/22 comment=WiFi-Management interface=WiFi-Management network=10.110.12.0
add address=10.110.2.1 comment=CCTV-Access interface=CCTV-VRRP network=10.110.2.0
add address=10.110.5.1 comment=Clubhouse-Voice interface=Clubhouse-Voice-VRRP network=10.110.5.0
add address=10.110.6.1 comment=Clubhouse-Office-VRRP interface=Clubhouse-Office-VRRP network=10.110.6.0
add address=10.110.7.1 comment=CATV-Management-VRRP interface=CATV-Management-VRRP network=10.110.7.0
add address=10.110.10.1 comment=LAN-Management-VRRP interface=LAN-Management-VRRP network=10.110.10.0
add address=10.110.12.1 comment=WiFi-Management-VRRP interface=WiFi-Management-VRRP network=10.110.12.0

/interface vrrp
add interface=CCTV-Access name=CCTV-VRRP priority=50 vrid=2
add interface=Clubhouse-Voice name=Clubhouse-Voice-VRRP priority=50 vrid=5
add interface=Clubhouse-Office name=Clubhouse-Office-VRRP priority=50 vrid=6
add interface=CATV-Management name=CATV-Management-VRRP priority=50 vrid=7
add interface=LAN-Management name=LAN-Management-VRRP priority=50 vrid=10
add interface=WiFi-Management name=WiFi-Management-VRRP priority=50 vrid=12
 
Amm0
Forum Guru
Posts: 4502
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP - DHCP Entries On All VLANS

Fri May 03, 2024 9:40 pm

VRRP isn't too hard. But the VRRP address needs to be /32 (which it is). But the VRRP and LAN do need to be in same subnet.
And looks like CCTV-Access has mismatched IPs (likely typo ... but would for sure cause issues):
/ip address
add address=10.110.3.2.253/23 comment=CCTV-Access interface=CCTV-Access network=10.110.2.0
add address=10.110.2.1 comment=CCTV-Access-VRRP interface=CCTV-Access-VRRP network=10.110.2.0

Also make sure the vrrp interfaces are all also in the "LAN" interface list, otherwise default firewall may block.
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Mon May 06, 2024 5:13 pm

Amm0 thanks for the reply!

I have looked and looked, and I don't see where the IP is mismatched on my config, could you show me where that is a little better? That is a /23, so I decided to use the last usable addresses which would be 3.253 and 3.254. If I missed something, please let me know!
 
Amm0
Forum Guru
Posts: 4502
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP - DHCP Entries On All VLANS  [SOLVED]

Mon May 06, 2024 5:23 pm

Fair enough. I didn't notice the /23...assumed /24. Otherwise the VRRP part looks right.

I'd look at your bridge configuration, on why clients are getting address on all. Some VLAN filtering misconfiguration could cause that. e.g. /interface/bridge/vlans vs PVID/frame-type etc....

What interface is the DHCP server listening on? i.e. is it listening on the VRRP interface on BOTH routers, or is DHCP only on one router?

Also, do you have the VRRP interface in the LAN interface list (or whatever /interface/list you may be using for LAN/VLANs in firewall rules)? (AFAIK, that wouldn't cause DHCP issue you're seeing)
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Mon May 06, 2024 8:16 pm

It is listening directly on the VLAN interface currently. I am moving them both to the vrrp interface instead, as I just tested a single network and it appears that clears it up since it disabled DHCP until needed.
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Mon May 06, 2024 8:28 pm

Update, I moved both routers to have dhcp listen on the VRRP interface rather than the VLAN directly, and it still seems to be having the same issue.
 
Amm0
Forum Guru
Posts: 4502
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP - DHCP Entries On All VLANS

Mon May 06, 2024 8:45 pm

It has to be the VLAN tagging in the bridge. VRRP doesn't affect broadcast scope for DHCP, but untagged/mistagged PVIDs would...

Can you post the bridge configuration?
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Mon May 06, 2024 9:04 pm

Our bridge config is pretty simple, not a whole lot to it, and we are actually not doing any type of VLAN filtering on here, we just loaded all of the VLANs up on the BRIDGE-LAN that we created and leave it at that. I am aware of how to set up filtering, so if that is what we need to make it resolve, then I don't mind setting it up.
/interface bridge add comment=BRIDGE-LAN name=BRIDGE-LAN
/interface bridge add comment=BRIDGE-WAN name=BRIDGE-WAN
/interface bridge port add bridge=BRIDGE-WAN horizon=1 interface=sfp-sfpplus1-WAN
/interface bridge port add bridge=BRIDGE-WAN horizon=1 interface=sfp28-1-WAN
/interface bridge port add bridge=BRIDGE-WAN horizon=1 interface=ether1-WAN
/interface bridge port add bridge=BRIDGE-LAN interface=sfp-sfpplus2-LAN
/interface bridge port add bridge=BRIDGE-LAN horizon=1 interface=sfp-sfpplus3-LAN
/interface bridge port add bridge=BRIDGE-LAN horizon=1 interface=sfp-sfpplus4-LAN
/interface bridge port add bridge=BRIDGE-LAN horizon=1 interface=sfp-sfpplus5-LAN
/interface bridge port add bridge=BRIDGE-LAN horizon=1 interface=sfp-sfpplus6-LAN
/interface bridge port add bridge=BRIDGE-LAN horizon=1 interface=sfp-sfpplus7-LAN
/interface bridge port add bridge=BRIDGE-LAN horizon=1 interface=sfp-sfpplus8-LAN
/interface bridge port add bridge=BRIDGE-LAN horizon=1 interface=sfp-sfpplus9-LAN
/interface bridge port add bridge=BRIDGE-LAN horizon=1 interface=sfp-sfpplus10-LAN
/interface bridge port add bridge=BRIDGE-LAN horizon=1 interface=sfp-sfpplus11-LAN
/interface bridge port add bridge=BRIDGE-LAN horizon=1 interface=sfp-sfpplus12-LAN
/interface bridge port add bridge=BRIDGE-LAN horizon=1 interface=sfp28-2-LAN
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Mon May 06, 2024 9:24 pm

So I tested vlan filtering and it seems to kill everything on both routers when enabled. I added all VLANS to be tagged on the bridge and the physical interfaces on the LAN as well.
 
Amm0
Forum Guru
Posts: 4502
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP - DHCP Entries On All VLANS

Mon May 06, 2024 9:24 pm

Was your VLAN+bridge without filtering working before VRRP? Also, looks like sfpplus-2 is the one with issues, and that's the one with horizon=0 while rest are horizon=1.

Regardless, you should use vlan-filtering=yes on the bridge. See https://help.mikrotik.com/docs/display/ ... VLAN+Table

One important note is you need to make sure the bridge interface itself is marked as tagged= in /interface/bridge/vlan.
 
Amm0
Forum Guru
Posts: 4502
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP - DHCP Entries On All VLANS

Mon May 06, 2024 9:26 pm

FWIW, if you don't want to use vlan-filtering approach, you'd need separate bridges for each VLAN, which is going to be bigger PITA than figuring out the bridge VLAN table approach....
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Mon May 06, 2024 10:02 pm

I would love to use VLAN filtering, but the routers seemed to have completely killed VRRP now even after disabling it lol. I am going to reboot and see if that helps anything.

Also, I disabled horizon on sfp2 on both routers just in case it caused any p2p issues for vrrp.
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Mon May 06, 2024 10:04 pm

Sorry, yes, it was working just fine with VRRP and before I added VRRP. I did enable filtering, and then added the VLANs to the bridge and tagged them all on all interfaces on the LAN under interface/bridge/vlans.
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Mon May 06, 2024 10:34 pm

OK I figured out what killed it.

So if I enable filtering on the routers with 0 ingress filtering, router 1 stays up, but r2 never brings any IPs up, it's kind of odd to be honest that I didn't see the same results between the 2.

Obviously it's completely up to you, but I am down to hop on a call of some sort and let you see my config first hand and maybe we can work it out together?
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Tue May 07, 2024 4:49 pm

Amm0, would you mind removing the Solved, because this has not been solved yet.
 
Amm0
Forum Guru
Posts: 4502
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP - DHCP Entries On All VLANS

Tue May 07, 2024 5:14 pm

I'm pretty sure this is a VLAN tagging issue – this is not easy to get right as all the parts have to align... So just enabling vlan-filtering=yes is not the whole story for sure...

Can you post a redacted config of one of the routers, and some description of what VLANs should be tagged/untagged on what port?
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Tue May 07, 2024 6:48 pm

Sure, I can attach them here, and also you will see here I didn't just turn on VLAN filtering, I also created the VLANs for it which are currently disabled. All VLANs should be tagged as we will be trunking them all downstream to a ag core switch that will feed each individual IDF closet throughout any property we deploy to. All of our configs are pretty cookie cutter, so they will end up all mimicking this for the most part (I did remove a couple of items for security reasons). But the files are below, and I did disable preemption mode and enabled sync connection tracking on both routers as well.
r1.rsc
r2.rsc
 
Amm0
Forum Guru
Posts: 4502
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP - DHCP Entries On All VLANS

Tue May 07, 2024 7:50 pm

Okay, so you want all trunk ports, that makes sense.

I still recommend using bridge vlan-filtering=yes. Your issue with that is the BRIDGE-LAN itself needs to be in the tagged= list.
/interface bridge vlan add bridge=BRIDGE-LAN disabled=yes tagged=BRIDGE-LAN,sfp-sfpplus2-LAN vlan-ids=2,5-7,10,12,16-39,101-800,3000

@sindy has an article that describes the WHY tagged=bridge,... is needed, viewtopic.php?t=173692

Also, I'm not sure what you're doing with horizon= on most of the ports. And with split horizons everything gets more complex, see https://help.mikrotik.com/docs/display/ ... rizonusage.

Also noticed you have sync-connection=yes enabled. While not sure what effect it would have on DHCP if VRRP isn't failing over... Might disable that to see if it has an effect.
Last edited by Amm0 on Wed May 08, 2024 3:23 am, edited 1 time in total.
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Wed May 08, 2024 3:05 am

I will try this again tomorrow, but I originally did have the bridge in that list as well.
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Wed May 08, 2024 3:45 am

I will try this again tomorrow, but I originally did have the bridge in that list as well.
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Wed May 08, 2024 5:17 am

So, I have enabled VLAN filtering on both routers and the aggregate switch and trunked all ports including the LAN bridge, and now it appears to be working, but the connection to the routers doesn't seem as stable as before. Also the DHCP table is still flooding. I don't think this is an issue with the VLANs, it appears to be some sort of discovery happening, maybe it's a bug?
DHCP.jpg
 
Amm0
Forum Guru
Posts: 4502
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP - DHCP Entries On All VLANS

Wed May 08, 2024 5:34 am

Thanks for indulging in the vlan-filtering=yes. I just know that works with VRRP, and if there was a bug/config-issue/etc here... I figured it would block or change the issue. No such luck it seems.

Scanned your config again... I did notice one of the routers was using /ip/dhcp-server/alert & that might cause these entries in all VLANs. See https://help.mikrotik.com/docs/display/ ... HCP-Alerts with the text:
As DHCP replies can be unicast, the rogue DHCP detector may not receive any offer to other DHCP clients at all. To deal with this, the rogue DHCP detector acts as a DHCP client as well - it sends out DHCP discover requests once a minute.
and other carefully worded text.

Perhaps just disable it for now*. And see if those entries come back.

* If that works, try re-enabling and picking the VRRP interface for /ip/dhcp-server/alert – although I don't know how it interoperates with using VRRP – never used /ip/dhcp-server/alert myself, so not sure.
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Wed May 08, 2024 5:05 pm

It's funny you say that, when I decided to hit it again last night, I noticed the alerts as well and thought to myself. I am actually going to try that next, I just want the stupid dynamic leases to stop popping up lol.
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Wed May 08, 2024 6:21 pm

My man! That was it, I moved them to the VRRP interfaces and it has stopped the flood of DHCP entries. I still wonder why it was causing that, it's kind of odd.
dhcp-clean.jpg
 
Amm0
Forum Guru
Posts: 4502
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP - DHCP Entries On All VLANS

Wed May 08, 2024 8:18 pm

Good to hear! Lesson is posting the entire config is helpful... And even then I had to look at the /ip/dhcp-server/alert docs myself since I didn't know HOW it worked. The yellow box in docs told the whole story however:
[Image]

Vacadeluna wrote: "I still wonder why it was causing that, it's kind of odd."

The docs make it clear that it SENDS dhcp discovery requests, to deduce if the config'ed interface is running a dhcp-server on THAT interface. Since if the dhcp-server is on same router as alert, the local router hides/removes/ignores those requests, since it knows alert was enabled... BUT... the other router in VRRP has no clue a dhcp request was from another router's /ip/dhcp-server/alert, so it's just another client so it gets added as lease.

Essentially seems like /ip/dhcp-server/alert is the enterprise version of /interface/detect-internet – where there is hidden dhcp client lurking inside waiting to surprise you.

---
Additional Note: while I've always run dhcp-server on the VRRP interface, and this has long worked for me, it's never been clear if that's a "supported" configuration, since docs are silent on DHCP within VRRP configurations. I do know that dhcp leases are NOT sync'd when using connection tracking. In my cases, I just don't care what dhcp-server handled the lease, since clients re-request same IP typically, and lease-time will eventually get them back on same router after failover. But adding the /ip/dhcp-server/alert on the VRRP, logically should be fine, but FWIW I didn't test it.
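
Added example (not from the thread's participants or from MikroTik): a small Python lint for a RouterOS text export that checks the points raised in this thread, namely that each VRRP address is a /32 inside its parent interface's subnet, and that `/ip dhcp-server alert` is not bound to a VLAN interface that carries a VRRP instance. The sample export is constructed, the alert entries carrying only `interface=` are an assumption, and the parser only handles the "menu header, then `add` lines" layout used in the first post.

```python
import ipaddress
import shlex

# Constructed sample in RouterOS export style, modelled on the thread's naming.
SAMPLE_EXPORT = """\
/ip address
add address=10.110.6.253/24 interface=Clubhouse-Office network=10.110.6.0
add address=10.110.6.1 interface=Clubhouse-Office-VRRP network=10.110.6.0
add address=10.110.7.253/24 interface=CATV-Management network=10.110.7.0
add address=10.110.9.1 interface=CATV-Management-VRRP network=10.110.9.1
/interface vrrp
add interface=Clubhouse-Office name=Clubhouse-Office-VRRP vrid=6
add interface=CATV-Management name=CATV-Management-VRRP vrid=7
/ip dhcp-server alert
add interface=Clubhouse-Office
add interface=CATV-Management-VRRP
"""


def parse_export(text):
    """Group 'add key=value ...' lines under the '/menu' header above them."""
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = menus.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            tokens = shlex.split(line)[1:]
            current.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus


def audit(text):
    """Return (interface, problem) pairs for the checks discussed in the thread."""
    menus = parse_export(text)
    parent_of = {v["name"]: v["interface"] for v in menus.get("/interface vrrp", [])}
    addrs = {}
    for entry in menus.get("/ip address", []):
        iface = ipaddress.ip_interface(entry["address"])  # no mask means /32
        addrs.setdefault(entry["interface"], []).append(iface)
    findings = []
    for vrrp, parent in parent_of.items():
        parent_nets = [i.network for i in addrs.get(parent, [])]
        for vip in addrs.get(vrrp, []):
            if vip.network.prefixlen != 32:
                findings.append((vrrp, f"{vip} is not a /32"))
            if not any(vip.ip in net for net in parent_nets):
                findings.append((vrrp, f"{vip.ip} is outside the subnet of {parent}"))
    # The alert feature sends DHCP discovers; on a VRRP parent they reach the peer.
    for alert in menus.get("/ip dhcp-server alert", []):
        if alert.get("interface") in parent_of.values():
            findings.append((alert["interface"], "dhcp-server alert on VRRP parent"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit(SAMPLE_EXPORT):
        print(f"{iface}: {problem}")
```
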
 
Vacadeluna
newbie
Topic Author
Posts: 38
Joined: Mon Apr 01, 2019 9:15 pm

Re: VRRP - DHCP Entries On All VLANS

Thu May 09, 2024 12:10 am

I believe it may be due to the fact that I moved the DHCP servers over to the VRRP interfaces as well. This means all of the alerts we added were going to an interface not being used the same way I guess. Personally, I didn't even realize that we did use dhcp alerts until I exported the whole dhcp server list to reimport them the way I wanted them. I changed them all to the vrrp interface, and they seem to be functioning properly now!

Thanks again man, I appreciate you sticking with me to find the cause, and for sure next time I will start with a full export!