diegoncho
just joined
Topic Author
Posts: 17
Joined: Thu Feb 23, 2023 4:50 pm

VRRP bridge in MikroTik

Mon Jul 01, 2024 10:53 pm

I have a question; I have this topology. Is it possible to configure VRRP with a bridge? I've tried many ways, and nothing works. To summarize: when I receive a VLAN, I have to create a bridge to distribute the VLANs, but when I do that, VRRP no longer works. Is there any way to configure VRRP in such a lab setup?
 
Amm0
Forum Guru
Posts: 4500
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP bridge in MikroTik

Tue Jul 02, 2024 2:37 am

Perhaps post the config you're trying.

The VRRP part is pretty simple:
- Each VLAN needs a VRRP interface, with the VLAN interface being selected (note NOT the bridge).
- Each VRRP interface should have /ip/address ending in .254/32 (note NOT /24, the VLAN IP should be /24, not the VRRP interface).

Where this can go wrong...
- Bridge VLAN Config - Assuming /interface/bridge... vlan-filtering=yes is needed, and the bridge VLAN table needs to be configured right (including bridging being marked as tagged=)
- Firewall - VRRP is still an interface, so it needs to be allowed the same access as the VLAN in firewall filter rules. In a simple case, the VRRP should be added as a "LAN" interface in /interface/list
- DHCP Server - the VRRP address should be the gateway in /ip/dhcp-server/network for the two VLANs here
 
diegoncho
just joined
Topic Author
Posts: 17
Joined: Thu Feb 23, 2023 4:50 pm

Re: VRRP bridge in MikroTik

Tue Jul 02, 2024 4:35 pm

I am attaching the configuration in both graphic and command form. Look, my problem is as follows: I receive the VLANs through the Ether1 interface and, if I request a DHCP client, it provides me with an IP (we could say that I receive both VLANs through that interface, or so I suppose). Now, I want one of those VLANs, which in this case is VLAN 10, to pass through the Ether2 interface and thereby obtain an IP from the range. With that IP from the range, I want to configure VRRP.

My problem is that Ether2 is not taking VLAN 10. The only way for it to take VLAN 10 is by adding it to a bridge, but if I do that, VRRP will not work on Ether2 or on VLAN 10 that is directed to that interface. Is that clear?



# jul/02/2024 13:29:42 by RouterOS 6.47.7
# software id = G353-EXPG
#
#
#
/interface ethernet
set [ find default-name=ether1 ] mac-address=50:7B:93:00:03:00
set [ find default-name=ether2 ] mac-address=50:7B:93:00:03:01
set [ find default-name=ether3 ] mac-address=50:7B:93:00:03:02
set [ find default-name=ether4 ] mac-address=50:7B:93:00:03:03
/interface vrrp
add interface=ether2 name=vrrp1-ether2
/interface vlan
add interface=ether1 name=vlan10-ether1 vlan-id=10
add interface=ether2 name=vlan10-ether2 vlan-id=10
add interface=ether1 name=vlan20-ether1 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
up-port=1700
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=192.168.10.254 interface=vrrp1-ether2 network=192.168.10.254
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=vlan10-ether1
add disabled=no interface=vlan20-ether1
add disabled=no interface=vlan10-ether2
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set vlan10-ether1 disabled=yes display-time=5s
set vrrp1-ether2 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set vlan20-ether1 disabled=yes display-time=5s
set vlan10-ether2 disabled=yes display-time=5s
/tool user-manager database
set db-path=user-manager
 
Amm0
Forum Guru
Posts: 4500
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP bridge in MikroTik

Tue Jul 02, 2024 5:28 pm

The VRRP interface should not listen on ether2, rather it should listen on vlan10-ether2.
 
diegoncho
just joined
Topic Author
Posts: 17
Joined: Thu Feb 23, 2023 4:50 pm

Re: VRRP bridge in MikroTik

Tue Jul 02, 2024 7:04 pm

Alright, but VLAN 10 on Ether2 doesn't get an IP, and if it doesn't get an IP, VRRP won't activate. Do you understand why? I can't figure it out.

# jul/02/2024 16:01:31 by RouterOS 6.47.7
# software id = G353-EXPG
#
#
#
/interface ethernet
set [ find default-name=ether1 ] mac-address=50:7B:93:00:03:00
set [ find default-name=ether2 ] mac-address=50:7B:93:00:03:01
set [ find default-name=ether3 ] mac-address=50:7B:93:00:03:02
set [ find default-name=ether4 ] mac-address=50:7B:93:00:03:03
/interface vlan
add interface=ether1 name=vlan10-ether1 vlan-id=10
add interface=ether2 name=vlan10-ether2 vlan-id=10
add interface=ether1 name=vlan20-ether1 vlan-id=20
/interface vrrp
add interface=vlan10-ether2 name=vrrp1-ether2-vlan10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
up-port=1700
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=192.168.10.254 interface=vrrp1-ether2-vlan10 network=\
192.168.10.254
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=vlan10-ether1
add disabled=no interface=vlan20-ether1
add disabled=no interface=vlan10-ether2
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set vlan20-ether1 disabled=yes display-time=5s
set vlan10-ether2 disabled=yes display-time=5s
set vlan10-ether1 disabled=yes display-time=5s
set vrrp1-ether2-vlan10 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
/tool user-manager database
set db-path=user-manager
 
sirbryan
Member
Posts: 422
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: VRRP bridge in MikroTik

Tue Jul 02, 2024 10:15 pm

If your VRRP interface is using an IP address in the same subnet as the master interface (192.168.10.0/24), then the network (192.168.10.0) and subnet mask (/24 or 255.255.255.0) have to match.
The network for the IP address 192.168.10.254 should be 192.168.10.0, not 192.168.10.254.

If you were to use an address from a completely different subnet (172.16.25.10), then you could get away with using a /32.

(EDIT: when the network and IP address are the same, that means the netmask is 255.255.255.255 or a /32 (all 32 bits masked). All the rest of your IP settings presume a subnet mask of 255.255.255.0, or /24 (24 bits on).)
Last edited by sirbryan on Wed Jul 03, 2024 7:42 am, edited 1 time in total.
 
diegoncho
just joined
Topic Author
Posts: 17
Joined: Thu Feb 23, 2023 4:50 pm

Re: VRRP bridge in MikroTik

Tue Jul 02, 2024 11:48 pm

If your VRRP interface is using an IP address in the same subnet as the master interface (192.168.0.0/24), then the network (192.168.0.0) and subnet mask (/24 or 255.255.255.0) have to match.
The network for the IP address 192.168.0.254 should be 192.168.0.0, not 192.168.0.254.

If you were to use an address from a completely different subnet (172.16.25.10), then you could get away with a /32.
I don't understand your response :(
 
sirbryan
Member
Posts: 422
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: VRRP bridge in MikroTik

Wed Jul 03, 2024 7:39 am

I made a typo and put 192.168.0.x instead of 192.168.10.x (post edited), but my point still stands.

Your vlan10-ether1 interface's IP address is 192.168.1.11x with a network of 192.168.10.0. Your vrrp1-ether2-vlan10 is 192.168.10.254 with a network of 192.168.10.254. The network should match that of vlan10-ether1 and should be 192.168.10.0, not 192.168.10.254. See the second window in the screenshot you sent us (look at IP -> Addresses).
 
Amm0
Forum Guru
Posts: 4500
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP bridge in MikroTik

Wed Jul 03, 2024 8:52 am

Was this working before you tried VRRP?

One thing I noticed is each router needs BOTH a VRRP interface and an address. In the config, you show just one. But using Bridge VLAN filtering (or the switch chip for VLANs if older) is likely a better plan here. The criss-crossing VLANs just add unneeded complexity. Adding VRRP on top of VLANs isn't the only issue here, I suspect.

Also, very old version. Now, it shouldn't matter. But using the latest V6 would seem reasonable.
 
diegoncho
just joined
Topic Author
Posts: 17
Joined: Thu Feb 23, 2023 4:50 pm

Re: VRRP bridge in MikroTik

Wed Jul 03, 2024 4:48 pm

Friend, I have a question. Would it be too much to ask for an example configuration with commands on how it should work? It might be asking a lot, but I think I could understand it by looking at the commands. I hope it's not too much trouble, but thank you anyway for the help so far.
 
Amm0
Forum Guru
Posts: 4500
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VRRP bridge in MikroTik

Wed Jul 03, 2024 5:55 pm

VRRP config be roughly the same across all versions, so it isn't the issue here. But I guess my first advice be to update to version 7.15.2 if the routers are newish (/system/package). Or even if older router, if only for testing, you'd be better off to start with V7. All the docs and bugs focus on version 7 - you have an OLDER version 6. And also upgrade the firmware in /system/routerboard after upgrading the RouterOS version.

I don't have time to write a good example right now & my examples be from version 7. I'll add to the queue to write an article on VRRP setup at some point - since most posts are about some VRRP config errors.

In most cases, you want to use the /interface/bridge with vlan-filtering=yes. See Mikrotik's docs on bridging and VLANs: https://help.mikrotik.com/docs/display/ ... VLAN+Table
@pcunite has a popular guide - with bridge+VLAN config examples here: viewtopic.php?t=143620. You CANNOT [easily] troubleshoot VRRP issues and VLAN bridging issues at the same time. So get the bridge working first.

Once the VLANs are connected and IPs assigned, etc. Add the 2 VRRP /interfaces (and add /ip/address for each), listen on VLAN. VRRP needs to listen on the /interface/vlan in ALL cases. But it depends on things being bridged correctly. The VRRP part you seem to have/understand. But your method to deal with VLAN trunks/ports is not the "modern" way of doing it, so using the new bridge VLAN config is easier long-term.

The only subtlety in VRRP is /ip/dhcp-server - since "something" has to provide an address when on the BACKUP VRRP router. And what's odd in your photos is you're showing a DHCP client on one of the VLANs involved in VRRP. These should be static IP addresses for each VLAN, on each router - which you show. So I'm not sure where the dhcp-client is coming from since the RouterOS VLAN IP should be static. You show this in the diagram, but then show a screenshot of a failed /ip/dhcp-client.
 
diegoncho
just joined
Topic Author
Posts: 17
Joined: Thu Feb 23, 2023 4:50 pm

Re: VRRP bridge in MikroTik

Fri Jul 05, 2024 4:55 am

I found this solution, but my main problem now is that I also want to include the ether1 MAIN and BACKUP in the VRRP and I don't see how.

/interface bridge
add name=interfaceBridge
/interface bridge port
add bridge=interfaceBridge interface=ether1
add bridge=interfaceBridge interface=ether2 pvid=10
add bridge=interfaceBridge interface=ether3 pvid=20
/interface bridge vlan
add bridge=interfaceBridge vlan-ids=10 tagged=interfaceBridge,ether1 untagged=ether2
add bridge=interfaceBridge vlan-ids=20 tagged=interfaceBridge,ether1 untagged=ether3
/interface bridge
set [find where name="interfaceBridge"] vlan-filtering=yes
/interface vlan
add interface=interfaceBridge name=interfaceVlan10 vlan-id=10
add interface=interfaceBridge name=interfaceVlan20 vlan-id=20
/interface vrrp
add interface=interfaceVlan10 name=interfaceVlan10Vrrp
add interface=interfaceVlan20 name=interfaceVlan20Vrrp
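
Added example (not part of the thread and not any poster's configuration): one way the advice given above fits together on the bridge layout from the last post, with VRRP listening on the VLAN interfaces, a static /24 per VLAN, a /32 virtual address, and the VRRP interfaces in the same interface list as the VLANs. The 192.168.20.0/24 subnet, the .1/.2 router addresses, the vrid and priority values and the LAN list name are assumptions.

```routeros
# Added example, router A (intended master). Constructed values, not from the thread:
# VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24, .1 = router A, .2 = router B,
# .254 = virtual gateway, vrid 10/20, priority 200 on A and 100 on B.
/interface bridge
add name=interfaceBridge
/interface bridge port
add bridge=interfaceBridge interface=ether1
add bridge=interfaceBridge interface=ether2 pvid=10
add bridge=interfaceBridge interface=ether3 pvid=20
/interface bridge vlan
add bridge=interfaceBridge vlan-ids=10 tagged=interfaceBridge,ether1 untagged=ether2
add bridge=interfaceBridge vlan-ids=20 tagged=interfaceBridge,ether1 untagged=ether3
/interface vlan
add interface=interfaceBridge name=interfaceVlan10 vlan-id=10
add interface=interfaceBridge name=interfaceVlan20 vlan-id=20
# VRRP listens on the VLAN interfaces, not on the bridge or a physical port.
/interface vrrp
add interface=interfaceVlan10 name=interfaceVlan10Vrrp vrid=10 priority=200
add interface=interfaceVlan20 name=interfaceVlan20Vrrp vrid=20 priority=200
# The VRRP interfaces get the same firewall treatment as the VLANs they sit on.
# Skip the "add name=LAN" line if the list already exists.
/interface list
add name=LAN
/interface list member
add list=LAN interface=interfaceVlan10
add list=LAN interface=interfaceVlan20
add list=LAN interface=interfaceVlan10Vrrp
add list=LAN interface=interfaceVlan20Vrrp
# Static /24 on each VLAN interface (unique per router), /32 virtual address on VRRP.
/ip address
add address=192.168.10.1/24 interface=interfaceVlan10
add address=192.168.20.1/24 interface=interfaceVlan20
add address=192.168.10.254/32 interface=interfaceVlan10Vrrp
add address=192.168.20.254/32 interface=interfaceVlan20Vrrp
# Clients are handed the virtual address as gateway (pool and server entries omitted).
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.254
add address=192.168.20.0/24 gateway=192.168.20.254
# Enable VLAN filtering last, so a mistake in the VLAN table does not cut off access
# while the rest is being configured.
/interface bridge
set [find where name="interfaceBridge"] vlan-filtering=yes
# Router B: identical, except 192.168.10.2/24 and 192.168.20.2/24 on the VLAN
# interfaces and priority=100 on both VRRP interfaces. No dhcp-client on these VLANs.
```

With both routers configured, `/interface vrrp print` should show the M (master) flag on router A and B (backup) on router B for each VRRP interface.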