VRRP Causing Invalid packets
Posted: Tue Mar 08, 2016 2:29 pm
I have 2 CCR1036-8G-2S+ running 6.34.2.
Both are configured with VRRP on both the WAN and LAN side.
The LAN side also has the 2 SFP ports bonded, with multiple VLANs, each VLAN with a VRRP interface.
Code:
bonded
-vlan400
--vrrp400
-vlan410
--vrrp410
For addresses, each VLAN has a /24 address while the VRRP has a /32, e.g.:
Router1
Code:
/ip address
add address=192.168.0.2/24 interface=vlan400 network=192.168.0.0
add address=192.168.0.1 interface=vrrpV400 network=192.168.0.1
add address=192.168.1.2/24 interface=vlan410 network=192.168.1.0
add address=192.168.1.1 interface=vrrpV410 network=192.168.1.1
Router2
Code:
/ip address
add address=192.168.0.3/24 interface=vlan400 network=192.168.0.0
add address=192.168.0.1 interface=vrrpV400 network=192.168.0.1
add address=192.168.1.3/24 interface=vlan410 network=192.168.1.0
add address=192.168.1.1 interface=vrrpV410 network=192.168.1.1
If I add the following firewall rule:
Code:
/ip firewall filter
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
I am unable to access any device through the router. It appears that packets enter the vrrpX interface but exit on the vlanX interface, then on the way back again enter the vrrpX and exit the vlanX, so the firewall sees the packets as invalid.
Is this the normal behaviour?
Also, when I get a Destination host unreachable back from the router, it comes from the address on the VLAN, not the shared VRRP address. Is this how VRRP is supposed to work?
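One way to check the in/out interface observation in the post above, as an added example that is not part of the original post: tally RouterOS firewall log lines for invalid-state packets by interface pair. It assumes a log rule with the hypothetical prefix `invalid` placed ahead of the drop rule and the usual `in:... out:...` log layout; the sample lines, MAC addresses and host addresses are constructed.

```python
import re
from collections import Counter

# Assumed logging rule, placed before the drop rule (prefix name is hypothetical):
#   /ip firewall filter
#   add action=log chain=forward connection-state=invalid log-prefix=invalid
# Assumed layout of the resulting log message (topics/timestamp may precede it).
LINE_RE = re.compile(
    r"(?P<prefix>\S+) (?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>[^,\s]+),"
    r".*?proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::\d+)?->(?P<dst>[\d.]+)(?::\d+)?, len \d+"
)

# Constructed sample input, not captured from a real router.
SAMPLE_LOG = """\
invalid forward: in:vrrpV400 out:vlan410, src-mac 02:00:00:00:00:0a, proto TCP (ACK), 192.168.0.50:51000->192.168.1.60:22, len 52
invalid forward: in:vrrpV410 out:vlan400, src-mac 02:00:00:00:00:0b, proto TCP (SYN,ACK), 192.168.1.60:22->192.168.0.50:51000, len 60
invalid forward: in:vrrpV400 out:vlan410, src-mac 02:00:00:00:00:0a, proto TCP (ACK), 192.168.0.50:51000->192.168.1.60:22, len 52
invalid forward: in:vlan400 out:vlan410, src-mac 02:00:00:00:00:0a, proto ICMP (type 8, code 0), 192.168.0.50->192.168.1.60, len 84
system,info an unrelated log line
"""

def parse(line):
    """Return the fields of one firewall log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def summarize(log_text, prefix="invalid"):
    """Count logged packets per (in-interface, out-interface, protocol, flags)."""
    pairs, skipped = Counter(), 0
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["prefix"] != prefix:
            skipped += 1          # not a firewall line, or a different rule's prefix
            continue
        key = (rec["in_if"], rec["out_if"], rec["proto"], rec["flags"] or "-")
        pairs[key] += 1
    return pairs, skipped

def vrrp_ingress_share(pairs):
    """How many of the logged packets arrived on a vrrp* interface, out of the total."""
    total = sum(pairs.values())
    via_vrrp = sum(n for key, n in pairs.items() if key[0].startswith("vrrp"))
    return via_vrrp, total

if __name__ == "__main__":
    pairs, skipped = summarize(SAMPLE_LOG)
    for (in_if, out_if, proto, flags), n in pairs.most_common():
        print(f"{n:3d}  in:{in_if:<9} out:{out_if:<8} {proto} ({flags})")
    print("arrived on vrrp*: %d of %d, unparsed lines: %d" % (*vrrp_ingress_share(pairs), skipped))
```

Running the same tally on both routers shows whether each one logs only one direction of a flow.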