spike232
just joined
Topic Author
Posts: 19
Joined: Thu Mar 31, 2011 10:09 pm

VRRP Causing Invalid packets

Tue Mar 08, 2016 2:29 pm

I have 2 CCR1036-8G-2S+ running 6.34.2.

Both are configured with VRRP on both the WAN and LAN side.

The LAN side also has the 2 SFP ports bonded, with multiple VLANs, each VLAN with a VRRP interface:
bonded
-vlan400
--vrrp400
-vlan410
--vrrp410
For addresses, each VLAN has a /24 address while the VRRP has a /32, e.g.:
Router1
/ip address
add address=192.168.0.2/24 interface=vlan400 network=192.168.0.0
add address=192.168.0.1 interface=vrrpV400 network=192.168.0.1
add address=192.168.1.2/24 interface=vlan410 network=192.168.1.0
add address=192.168.1.1 interface=vrrpV410 network=192.168.1.1
Router2
/ip address
add address=192.168.0.3/24 interface=vlan400 network=192.168.0.0
add address=192.168.0.1 interface=vrrpV400 network=192.168.0.1
add address=192.168.1.3/24 interface=vlan410 network=192.168.1.0
add address=192.168.1.1 interface=vrrpV410 network=192.168.1.1

If I add the following firewall rule:
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
I am unable to access any device through the router. It appears that packets enter the vrrpX interface but exit on the vlanX interface, then on the way back again enter the vrrpX and exit the vlanX, so the firewall sees the packets as invalid.

Is this the normal behaviour?

Also, when I get a Destination host unreachable back from the router, it comes from the address on the VLAN, not the shared VRRP address. Is this how VRRP is supposed to work?