achekalin
just joined
Topic Author
Posts: 7
Joined: Fri Apr 19, 2013 9:42 am

OVPN server on VRRP IP

Wed Oct 15, 2014 11:43 am

Hello,

I'm facing pretty strange behaviour in RouterOS 6.x.

On two routers (namely, 2011UiAS; let's name them R1 and R2) I set up two public IPs (say, 1.1.1.1/24 on R1 and 1.1.1.2/24 on R2) and set up VRRP (let's use 1.1.1.250/32 for our example) out of them (I do that on my own PI network so I can afford to do that). This VRRP address works just fine and I can do NAT over it, send traffic outside from it etc. The purpose of VRRP is router redundancy, so as soon as R1 goes down R2 should continue.

Now I set up an OVPN server. I set up OVPN servers on each of the 2011UiAS's (there is no binding to any specific address, so it listens on both 1.1.1.1 and 1.1.1.250; when R1 goes down I expect OVPN to be accessible at 1.1.1.2 and 1.1.1.250).

Then I use another router (2011L, to be specific), and set up an OVPN client on it. I set it up to connect to 1.1.1.250 (my OVPN server's virtual IP), and the OVPN connection (tunnel) comes up and works perfectly.

Sometimes (after several hours) the OVPN tunnel goes down for no reason. At that time I see the VRRP IP is not pingable from outside. The only way to restart it is to bring the IP on the VRRP interface down and then up again. Pretty weird to me. But when I point the same OVPN client at 1.1.1.1 (the "real" IP of R1), the tunnel works perfectly and doesn't go down after some hours.

The question is: how can this be? VRRP is something that should work day by day, as well as OVPN.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: OVPN server on VRRP IP

Wed Oct 15, 2014 12:52 pm

If the VRRP IP is not ping-available, OVPN is completely unrelated and you should find out why that VRRP IP goes down. I mean, if the IP is not working, OVPN won't work. While having the problem, check the status/logs of the VRRP interface and whether you can ping the VRRP IP from R1 and R2. Also try not NATing out using the VRRP IP.

Besides, you must generate a supout file on R1 and R2 while the VRRP IP is not available and send them to MikroTik support.
 
achekalin
just joined
Topic Author
Posts: 7
Joined: Fri Apr 19, 2013 9:42 am

Re: OVPN server on VRRP IP

Fri Oct 17, 2014 12:12 pm

Thank you for your answer. I did some testing and see that I was wrong: VRRP and OVPN don't affect each other.

Right now I see that the white VRRP virtual IP is pingable and accessible from outside, and at the same time the client on the outside-placed MikroTik won't connect to the virtual IP but easily connects to the 'real' IPs of R1 and R2.

I really wonder (I can't see it in the docs) whether it is possible that the OVPN server won't work on the VRRP virtual IP after a while for some reason. This would explain the situation, but again I see no reason for that.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: OVPN server on VRRP IP

Fri Oct 17, 2014 2:23 pm

I have used VRRP + IPSec in the past. Unfortunately I don't have access to those devices anymore to test with OVPN and I have almost no experience with OVPN.

Use IP filter log+accept rules to check if and how packets are reaching your routers. Also, take care with your switch ARP cache (if using any).
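
One way to apply the log+accept suggestion above while keeping log volume low, as an added example that is not part of the original post. It assumes the OVPN server listens on the RouterOS default tcp/1194 and reuses the example addresses from the first post (1.1.1.250 as the VRRP virtual IP, 1.1.1.1 as R1's own address).

```routeros
# Added example, not from the thread. Assumptions: OVPN on tcp/1194,
# VIP 1.1.1.250 and R1 address 1.1.1.1 as in the first post.
# Move these rules above any existing input rule that already accepts
# or drops this traffic, otherwise they never match.
/ip firewall filter

# Count-only rules: passthrough increments the rule counters and
# continues to the next rule; nothing is written to the log.
add chain=input action=passthrough protocol=tcp dst-port=1194 \
    dst-address=1.1.1.250 comment="count ovpn to VIP"
add chain=input action=passthrough protocol=tcp dst-port=1194 \
    dst-address=1.1.1.1 comment="count ovpn to R1 address"

# Log only the first packet of each new connection to the VIP,
# so a busy router records one line per connection attempt.
add chain=input action=log log-prefix="ovpn-vip" protocol=tcp \
    dst-port=1194 dst-address=1.1.1.250 connection-state=new \
    comment="log new ovpn connections to VIP"

# Explicit accept for OVPN to the VIP (the "accept" half of the advice).
add chain=input action=accept protocol=tcp dst-port=1194 \
    dst-address=1.1.1.250 comment="accept ovpn to VIP"

# While the client fails to connect, compare the counters and the log:
/ip firewall filter print stats where comment~"ovpn"
/log print where message~"ovpn-vip"
```

If the VIP counter keeps rising while the client still fails, the packets are reaching the router and the problem is on the OVPN side; if it stays flat, the packets are being lost before the router (for example, a stale ARP entry on the switch).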
 
achekalin
just joined
Topic Author
Posts: 7
Joined: Fri Apr 19, 2013 9:42 am

Re: OVPN server on VRRP IP

Fri Oct 17, 2014 6:07 pm

Doing some logging is quite an idea, but the problem is that the routers are under load, so I'll fill up any log storage and eat up the CPU with this.

But while OVPN stops responding on the virtual IP, VRRP itself feels all right: no errors in the log etc., and the traffic passes through it well. The OVPN server suddenly won't bind to it. Just out of curiosity, I'd like to know what the reason is for it to unbind itself from one of the interfaces (say, vrrn1) while still remaining bound to the physical interface.

The only idea (well, suspicion) I have is that my VRRPs are not over eth itself, but over a VLAN that's over eth. Some manuals (mostly from 5.x) claim that MikroTik's VRRP won't work over VLAN, but when I tried it, it worked well, and I see no reason it may impact the OVPN server but other clue for me so far...
