
VRRP, VLAN and firewall rules

Posted: Wed Dec 15, 2021 6:33 pm
by Paradox
Hello,
I'm running two VRRP routers that have some VLANs configured. See the interfaces:
(attached screenshot: mikro-interfaces.png)
But now I've got a problem when setting up firewall rules.
In the forward chain I'm trying to match against the output interface (which actually should be vrrp62), but I've noticed that some packets use vlan62 and others use vrrp62 as the output interface.

I wonder how this happens? This way I'd need to set up all rules twice.

Re: VRRP, VLAN and firewall rules

Posted: Wed Dec 15, 2021 6:46 pm
by Paradox
I guess this is caused by the route list having a dynamic route entry for each interface, vlan62 and vrrp62, which cannot be deactivated or deleted.

A possible workaround:
Use mangle rules to add a mark to all packets matching vlan62 and vrrp62. In the filter table, use this mark instead of the output interface to match packets. But that doesn't feel like a real solution to me, more like a dirty workaround :(

Re: VRRP, VLAN and firewall rules

Posted: Wed Dec 15, 2021 6:57 pm
by Sob
Did you by any chance miss this?
Note: the address on a VRRP interface must have a /32 netmask if the address configured on VRRP is from the same subnet as any other interface on the router.
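
The note above explains the behaviour in the first post: a VRRP address with the subnet's full netmask creates a second connected route for that subnet via the VRRP interface, so RouterOS splits forwarded traffic between vlan62 and vrrp62. The RouterOS configuration below is an added example, not from this thread or from MikroTik's documentation; it shows the mis-sized address beside the corrected one and a forward rule that then matches reliably. The interface names, bridge name, VRID and 10.62.0.0/24 addresses are assumptions.

```routeros
# Added example (not from the thread). Names, VRID and addresses are assumed.

# The VLAN carries the real subnet; its address creates the connected route
# 10.62.0.0/24 via vlan62 that forwarded traffic should always use.
/interface vlan add name=vlan62 interface=bridge1 vlan-id=62
/ip address add address=10.62.0.2/24 interface=vlan62

# VRRP instance on top of the VLAN (the peer router uses a lower priority).
/interface vrrp add name=vrrp62 interface=vlan62 vrid=62 priority=100

# WRONG: a /24 on vrrp62 adds a second connected route 10.62.0.0/24 via
# vrrp62 whenever this router is master, so the subnet's traffic is split
# between vlan62 and vrrp62 and a rule on either out-interface only
# matches part of it.
#/ip address add address=10.62.0.1/24 interface=vrrp62

# RIGHT: the virtual address gets a /32, so the only route it creates is the
# host route 10.62.0.1/32. The subnet keeps a single connected route via
# vlan62 and forwarded traffic leaves through vlan62 every time.
/ip address add address=10.62.0.1/32 interface=vrrp62

# With the fix, out-interface=vlan62 is the stable match for the forward chain.
/ip firewall filter add chain=forward out-interface=vlan62 connection-state=new action=drop comment="no new inbound connections into VLAN 62"

# Optional belt and braces: an interface list covering both interfaces, so a
# rule keeps matching even if an address is mis-sized again later.
/interface list add name=VLAN62
/interface list member add list=VLAN62 interface=vlan62
/interface list member add list=VLAN62 interface=vrrp62
/ip firewall filter add chain=forward out-interface-list=VLAN62 connection-state=new action=drop comment="same rule, list-based"
```

To confirm the fix, `/ip route print where dst-address=10.62.0.0/24` should show exactly one dynamic connected (DAC) route, via vlan62, on the master; with the /24 on vrrp62 it shows two, which is the duplicate the second post noticed.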

Re: VRRP, VLAN and firewall rules

Posted: Wed Dec 15, 2021 10:46 pm
by Paradox
I've indeed missed this... :oops: And it makes so much sense! Thanks!