I am trying to configure VRRP on two virtual routers using 6.43.8

I have v3 and IPv6 selected on the interfaces and the address assigned. I can move the master between the two routers by changing the priorities. but the VIP is not ping-able from other hosts on the network. It is ping-able on the master but not from the slave. Looking at tcpdump from a host on the same network, the neighbour solicitation when pinging from that host never gets a reply.

I do see a packet from the master immediately following the solicitation but believe it to be the normal keep-alive of the VRRP process.

13:45:52.300570 IP6 xxxxxxxxxxxxx > ff02::1:ff51:254: ICMP6, neighbor solicitation, who has xxxx:xxxx:dc:1::251:254, length 32
13:45:52.364394 IP6 fe80::ac1a:71ff:fe12:8a7b > ff02::12: ip-proto-112 40


I found a post which suggested changing the prefix of the VIUP to /128 and turning off advertising. WhenI do this, I still cant ping the VIP and I lose the two global addresses from the parent interfaces as well.

VRRP for IPv4 on the same interfaces is working great but I need IPv6 to work as well.

Suggestion to troubleshoot or work around would be much appreciated.

Hello godzone,

To begin with, I would test basic connectivity before I even thought about neighbor solicitation as the issue.

Make sure both routers have the VRRP interface configured on the same network. Check that the VIP is configured on the VRRP interface. Configure an IP address that is in the same subnet as the VIP on a computer connected to the same logical network, run a continuous ping and force-failover the VRRP to the slave.

If you want some more in-depth help, PM me. If we resolve the issue, I'll post the solution back here for posterity.

Thanks,
Christopher H.

Hi Christopher,

I assume PM is private message ? I am new to this forum, how do I do that.

I am happy to post configs etc. Whilst I admit to not being a Mikrotik expert, I have been using them for many years and have been in IT even longer. As mentioned in the previous post, the IPv4 of this arrangement is working correctly, it is only the v6 that isnt and my research to date has found earlier instances of others with similar issues. They were quite a few years ago so I had hoped that if they were code related the issues had been resolved.

I would appreciate another set of eyes as I really would like to get this resolved.

Glen

Hi Christopher,

To respond to your initial comment.

Basic connectivity is fine, The topology has been in place for years now with both IPv4 and IPv6. I have been using BGP on the DMZ but after a recent review, we decided to simplify by using VRRP inside our border routers instead. The premise being that the firewalls do firewalling and are not so good with dynamic routing and the routers do routing and are not so good on the firewalling.

The DMZ network has ipv6 addresses on the interfaces for all 4 devices, the two firewalls and the two routers. All of the devices can ping6 each others addresses on the DMZ. VRRP on the firewalls is working fine, its IPv6 VIP is pingable from all devices, the IPv6 VIP for the routers is only pingable from the router that is currently the master.

I thought this might be an issue with the current IPv6 firewall on the routers but adding rules for the FORWARD and INPUT chain to accept anything didn't make any difference. Though I will not rule out the Mikrotik firewall yet.

All of the IPv6 addresses including the VIPs are /64 and are advertised.

I have left the BGP dynamic routing in place as the workaround but I'd much rather get VRRP working if possible.

Glen

Hi Glen,

Sorry, this forum doesn't have Private Messaging enabled. You can contact me via Skype instead, my Skype name is "christopher.hawker" (without quotes). More than happy to check over your configs.

Thanks,
Christopher H.

Thanks, I'll be in touch. Just got busy on another project so may be a few days.