Hello, i plan to implement VRRP for customer redundancy but have problem with free IP's in customer subnet.
Is there way to implement this without 2 additional real/free IP's from customer subnet?
I tested following configuration:
Master: ROS 5.11, RB450G
Backup: ROS 5.11, RB750G
Master - RouterA:
[admin@RouterA] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 R ether1-uplink ether 1500 1520 1520
1 R ether2-downlink ether 1500 1520 1520
2 ether3-local ether 1500 1520 1520
3 ether4-local ether 1500 1520 1520
4 ether5-local ether 1500 1520 1520
5 R vrrp1-uplink vrrp 1500
6 R vrrp2-donwlink vrrp 1500
[admin@RouterA] >
[admin@RouterA] > /interface vrrp print
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
# NAME INTERFACE MAC-ADDRESS VRID PRIORITY INTERVAL VERSION V3-PROTOCOL
0 RM vrrp1-uplink ether1-uplink 00:00:5E:00:01:01 1 250 1s 3 ipv4
1 RM vrrp2-donwlink ether2-downlink 00:00:5E:00:01:02 2 250 1s 3 ipv4
[admin@RouterA] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; WAN VRRP Address
192.168.1.2/24 192.168.1.0 vrrp1-uplink
1 ;;; WAN Blind REAL
1.1.1.2/24 1.1.1.0 ether1-uplink
2 ;;; LAN VRRP
192.168.88.1/24 192.168.88.0 vrrp2-donwlink
3 ;;; WAN Blind VRRP
1.1.1.1/32 1.1.1.1 vrrp1-uplink
4 ;;; LAN Blind REAL
2.2.2.2/24 2.2.2.0 ether2-downlink
5 ;;; LAN Blind VRRP
2.2.2.1/32 2.2.2.1 vrrp2-donwlink
[admin@RouterA] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=src-nat to-addresses=192.168.1.2 src-address=192.168.88.0/24 out-interface=vrrp1-uplink
Backup - RouterB:
[admin@RouterB] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 R ether1-uplink ether 1500 1520 1520
1 R ether2-downlink ether 1500 1520 1520
2 ether3-slave-local ether 1500 1520 1520
3 ether4-slave-local ether 1500 1520 1520
4 ether5-slave-local ether 1500 1520 1520
5 vrrp1-uplink vrrp 1500
6 vrrp2-downlink vrrp 1500
[admin@RouterB] /interface vrrp> print
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
# NAME INTERFACE MAC-ADDRESS VRID PRIORITY INTERVAL VERSION V3-PROTOCOL
0 B vrrp1-uplink ether1-uplink 00:00:5E:00:01:01 1 100 1s 3 ipv4
1 B vrrp2-downlink ether2-downlink 00:00:5E:00:01:02 2 100 1s 3 ipv4
[admin@RouterB] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; WAN Blind REAL
1.1.1.3/24 1.1.1.0 ether1-uplink
1 ;;; WAN VRRP
192.168.1.2/24 192.168.1.0 vrrp1-uplink
2 ;;; LAN VRRP
192.168.88.1/24 192.168.88.0 vrrp2-downlink
3 ;;; WAN Blind VRRP
1.1.1.1/32 1.1.1.1 vrrp1-uplink
4 ;;; LAN Blind REAL
2.2.2.3/24 2.2.2.0 ether2-downlink
5 ;;; LAN Blind VRRP
2.2.2.1/32 2.2.2.1 vrrp2-downlink
[admin@RouterB] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=src-nat to-addresses=192.168.1.2 src-address=192.168.88.0/24 out-interface=vrrp1-uplink
This seems working. So my question is, must be real ip from same subnet as virtual ip? Can someone test this? Thanks.
Re: VRRP with only virtual IP
I was just working on this myself. In my lab setup I've got a pair of routers doing VRRP on the ether2 interface while the ether1 interfaces on both connect back into an OSPF mesh. I set up ether2 with the addresses of 10.10.10.1/30 and 10.10.10.2/30 and gave the VRRP interface the address of 10.100.100.1/24. From all the testing I've done they work as they should, including the router in the backup state not advertising the route for the virtual IP network into OSPF unless it becomes the master.
When I was looking through all of the documentation I noticed that all of the examples always show the 3 IPs involved as being in the same subnet. Nowhere, however, does it say you CAN'T have the virtual IP in a different subnet from the interface IPs. I just wonder if its something that will bite me if I deploy it live - can anyone comment? The (eventual) router pair I want to deploy this on serves multiple colocation customers and so like Lukas I really don't want to have to burn that many non-rfc1918 addresses - especially since most of these customers only have /29 or /28 block assigned to them and can't spare the IPs themselves (and I certainly don't want to readdress them into bigger blocks if I can avoid it).
On that note has anyone ever come across any routing platforms that do something like VRRP or CARP but only on a layer2 level? i.e. using ethernet broadcasts instead of multicast for the heartbeat and not using layer 3 at all except for floating the IP? I'd love to see that and something like pfsync in RouterOS.
When I was looking through all of the documentation I noticed that all of the examples always show the 3 IPs involved as being in the same subnet. Nowhere, however, does it say you CAN'T have the virtual IP in a different subnet from the interface IPs. I just wonder if its something that will bite me if I deploy it live - can anyone comment? The (eventual) router pair I want to deploy this on serves multiple colocation customers and so like Lukas I really don't want to have to burn that many non-rfc1918 addresses - especially since most of these customers only have /29 or /28 block assigned to them and can't spare the IPs themselves (and I certainly don't want to readdress them into bigger blocks if I can avoid it).
On that note has anyone ever come across any routing platforms that do something like VRRP or CARP but only on a layer2 level? i.e. using ethernet broadcasts instead of multicast for the heartbeat and not using layer 3 at all except for floating the IP? I'd love to see that and something like pfsync in RouterOS.
Re: VRRP with only virtual IP
Bump.
Can anyone confirm (now at RouterOS 5.22) that the setup proposed by jvr is "correct"? That is, that not only does it seem to work for jvr, but that it isn't conflicting in some way with the standards and likely to break, either if the "wrong" kind of other network gear is connected on the same layer 2 segment, or with some future MikroTik RouterOS update/upgrade?
I have that same problem, and I imagine many others do too - I have only one IP address from one of my Internet providers, so I simply cannot give each physical router an IP address in the same subnet as the one (only) virtual router IP address which I want to share between the two physical MikroTik routers.
Thanks,
Can anyone confirm (now at RouterOS 5.22) that the setup proposed by jvr is "correct"? That is, that not only does it seem to work for jvr, but that it isn't conflicting in some way with the standards and likely to break, either if the "wrong" kind of other network gear is connected on the same layer 2 segment, or with some future MikroTik RouterOS update/upgrade?
I have that same problem, and I imagine many others do too - I have only one IP address from one of my Internet providers, so I simply cannot give each physical router an IP address in the same subnet as the one (only) virtual router IP address which I want to share between the two physical MikroTik routers.
Thanks,
Re: VRRP with only virtual IP
Hi libove,
I tested such a setup in a live network last night using RouterOS 5.22 and two RB1100AHx2 boards. I only tested IPv4 and VRRP version 3. Both routers got IP addresses from another subnet as the virtual IP address. All of them were public IP addresses.
Having only one virtual IP address at the VRRP interface everything worked quite well, but adding (one) more virtual IP addresses to the VRRP interfaces on both routers lead to no traffic forwarding at all. No one of the routers was responding to any of the virtual IPs. Also enabling/disabling VRRP interfaces didn't make it work. The only solution was to remove the additional virtual IP addresses.
Maybe this issue is concerned with the recommendation to have real and virtual IP addresses from the same subnet. I think I will do an additional test in one of the next nights with virtual and real IP adresses from the same subnet.
Robert.
I tested such a setup in a live network last night using RouterOS 5.22 and two RB1100AHx2 boards. I only tested IPv4 and VRRP version 3. Both routers got IP addresses from another subnet as the virtual IP address. All of them were public IP addresses.
Having only one virtual IP address at the VRRP interface everything worked quite well, but adding (one) more virtual IP addresses to the VRRP interfaces on both routers lead to no traffic forwarding at all. No one of the routers was responding to any of the virtual IPs. Also enabling/disabling VRRP interfaces didn't make it work. The only solution was to remove the additional virtual IP addresses.
Maybe this issue is concerned with the recommendation to have real and virtual IP addresses from the same subnet. I think I will do an additional test in one of the next nights with virtual and real IP adresses from the same subnet.
Robert.
-
-
asgnetwork
just joined
- Posts: 2
- Joined:
Re: VRRP with only virtual IP
Hi,
I've reached the goal in a deployment that requires VRRP with only two public IP, like in Cisco configurations.
The configuration on Master router is this one:
on the Slave router (that can be also a Cisco or other vendor)
With this one everything works like in a Cisco deployment with VRRP with only two IP
Best Regards,
ASG.Network
I've reached the goal in a deployment that requires VRRP with only two public IP, like in Cisco configurations.
The configuration on Master router is this one:
Code: Select all
/interface vrrp
add authentication=simple interface=VLAN_INTERNET name=VRRP_INTERNET priority=250 version=2 vrid=100
/ip address
add address=169.254.169.254 comment=IP_Non_Routable interface=VLAN_INTERNET network=169.254.169.254
add address=X.X.X.X/29 comment=IP_Network_Internet interface=VRRP_INTERNET network=X.X.X.X
Code: Select all
add authentication=simple interface=VLAN_INTERNET name=VRRP_INTERNET priority=100 version=2 vrid=100
/ip address
add address=X.X.X.Y/29 comment=IP_Secondary_Router interface=VLAN_INTERNET network=X.X.X.X
add address=X.X.X.X comment=IP_Network_Internet interface=VRRP_INTERNET network=X.X.X.X
Best Regards,
ASG.Network