Hello I have configured a VRRP on MikroTik CCR-1016 v6.34.4 in my network and I have some problem.
My configuration looks something like this:
I have VLAN10 on VLAN10 I have configured VRRP interface. On interface VLAN10 I have set arp to enabled.
On VRRP-VLAN10 I have set arp to "reply-only". On VRRP interface i have setup dhcp server and set pool to "static-only", and setup to add arp for leases.
What I would like to achieve is that clients cannot get DHCP if not in static lease table, and that clients cannot set static IP, by that I mean that when they do set static IP,
they cannot ccomunicate with defualt gateway (VRRP for VLAN10) and internet.
VRRP works as it should master/slave, clients dont recive DHCP lease if not defined as static lease so far so good.
If I set reply-only directly on VLAN10 interface it works as it should, but if there is VRRP in the game, than I have a problem,...
The strange things start to happen when I set some client static IP inside VLAN10. Sometimes it cannot ping default gateway (VRRP-VLAN10), sometimes it can, than it can ping some WAN IP. Reach some websites, some it cannot.
If I look in the ARP table it get in the arp table on interface VLAN10 and on VRRP-VLAN10 interface. It looks like some communication goes directly throug VLAN10 interface, and some throug VRRP-VLAN10.
Is there something that I`am missing about VRRP protocol ?
I would be really grateful for any help or clue what is going on here. I hope I manage to setup VRRP, otherwise I will try to do some scripting on backup router instead of VRRP.
Re: MikroTik CCR1016, VLAN, VRRP and reply-only problem
Let me ask a bit diffrent, did anybody ever tried arp: reply-only on VLAN VRRP interface ?
Re: MikroTik CCR1016, VLAN, VRRP and reply-only problem
It's late, but maybe help others.
Important is what IP's are assigned to vrrp and what to vlan interface. If you did it by Mikrotik's recommendations: /24 to vlan and /32 to vrrp, same prefix (for example 10.0.1.1/24 and 10.0.1.254/32). Then when router receives packet from client from vrrp interface it replies to it through vlan interface. (Keep it in mind in firewall rules.)
It's because router's routing table where client is reachable not via /32 route (vrrp interface), but via /24 route at vlan interface. Therefore router requests arp of client through vlan interface (controlled by arp setting of vlan interface).
Look on arp table at router and see interface next to client ip/mac.
You can avoid this by setting IP /24 to vlan and /24 to vrrp but differrent networks (for example 10.0.1.1/24 and 10.0.2.1/24).
Ugly (but working) is set /32 to vlan and /24 to vrrp. In case vrrp interface will be in backup state, network will be unreachable.
Important is what IP's are assigned to vrrp and what to vlan interface. If you did it by Mikrotik's recommendations: /24 to vlan and /32 to vrrp, same prefix (for example 10.0.1.1/24 and 10.0.1.254/32). Then when router receives packet from client from vrrp interface it replies to it through vlan interface. (Keep it in mind in firewall rules.)
It's because router's routing table where client is reachable not via /32 route (vrrp interface), but via /24 route at vlan interface. Therefore router requests arp of client through vlan interface (controlled by arp setting of vlan interface).
Look on arp table at router and see interface next to client ip/mac.
You can avoid this by setting IP /24 to vlan and /24 to vrrp but differrent networks (for example 10.0.1.1/24 and 10.0.2.1/24).
Ugly (but working) is set /32 to vlan and /24 to vrrp. In case vrrp interface will be in backup state, network will be unreachable.