VRRP + VPN + ping

Posted: Sat Mar 20, 2010 4:30 pm
by punn
Hi!

I'd like to get some help from you.
I'm running VRRP for one of my clients.
From the master router I got one OVPN connection to my central MT.

But since I set up the VRRP I am not able to ping from Dude to the backup router.

Here is my config for master router:
Interfaces:
 #     NAME                             TYPE             MTU   L2MTU
 0  X  l2tp-out-etis-dial              l2tp-out        
 1  R  bridge1                           ether            1500  1600 
 3  R  wan1                             ether            1500  1600 
 4     wan2                              ether            1500  1600 
 5  R  wlan1                             wlan             1500  2290 
 6     wlan2                              wlan             1500  2290 
 7  R  vrrp1                               vrrp             1500 
 8  X  l2tp-out-etis-gts              l2tp-out        
 9  R  ;;; ovpn-etis-dial
       ovpn-out-etis-dial            ovpn-out         1500 
10  X  ;;; ovpn-etis-gts
       ovpn-out-etis-gts             ovpn-out        

VRRP interface:
 0   RM name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:31 arp=enabled interface=bridge1 vrid=49 priority=255 interval=1 
        preemption-mode=yes authentication=none password="" on-backup="" on-master="" 

IP addresses:
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE                                                                      
 0   193.85.242.80/27   193.85.242.64   193.85.242.95   wan1                                                                           
 1   192.168.18.1/24    192.168.18.0    192.168.18.255  wlan1                                                                          
 2 X 193.85.242.82/27   193.85.242.64   193.85.242.95   wan1                                                                           
 3   192.168.16.2/24    192.168.16.0    192.168.16.255  lan1                                                                           
 4   192.168.16.1/24    192.168.16.0    192.168.16.255  vrrp1                                                                          
 5 D 192.168.65.170/32  192.168.65.171  0.0.0.0         ovpn-out-etis-dial                                                             

Route list:
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          193.85.242.65      1       
 1 X S  ;;; www.outdoor-outlet.cz
        81.91.82.42/32                     l2tp-out-etis-dial 1       
 2 ADC  192.168.16.0/24    192.168.16.2    bridge1            0       
                                           vrrp1             
 3 ADC  192.168.18.0/24    192.168.18.1    wlan1              0       
 4 A S  192.168.21.0/24                    192.168.16.3       1       
 5 A S  192.168.64.0/24                    ovpn-out-etis-dial 1       
 6   S  192.168.64.0/24                    ovpn-out-etis-gts  1       
 7 X S  192.168.64.0/24                    l2tp-out-etis-gts  1       
 8 X S  192.168.64.0/24                    l2tp-out-etis-dial 1       
 9 ADS  192.168.65.0/24                    192.168.65.171     0       
10 ADC  192.168.65.171/32  192.168.65.170  ovpn-out-etis-dial 0       
11 ADC  193.85.242.64/27   193.85.242.80   wan1               0       

Backup router config:
[admin@holan-pva-gw2-lan] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                       TYPE             MTU   L2MTU
 0  R  wlan2                        wlan             1500  2290 
 1  R  lan1                         ether            1500  1526 
 2  R  wan1                       ether            1500  1522 
 3     wan2                         ether            1500  1522 
 4  X  l2tp-out-Etis              l2tp-out        
 5  R  bridge1                      bridge           1500  1526 
 6  R  wlan1                        wlan             1500  2290 
 7     ;;; vrrp-backup
       vrrp1                          vrrp             1500 
 8  X  ;;; ovpn-etis-dial
       ovpn-out-etis-dial         ovpn-out        
 9  X  ;;; ovpn-etis-gts
       ovpn-out-etis-gts         ovpn-out        
10 DR  wds1                        wds              1500  2290 
[admin@holan-pva-gw2-lan] > interface vrrp print 
Flags: X - disabled, I - invalid, R - running, M - master, B - backup 
 0    B ;;; vrrp-backup
        name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:31 arp=enabled interface=bridge1 vrid=49 priority=1 interval=1 preemption-mode=no authentication=none password="" 
        on-backup=/ip dhcp-server disable 1\r\n/interface disable [/find comment=ovpn-etis-dial]\r\n/interface disable [/find comment=ovpn-etis-gts]\r\n/ip route disable [/find comment=ovpn-etis-dial]\r\n/ip route disable [/find comment=ovpn-etis-gts]\r\n/ip route enable [/find comment=holan-pva-gw1-lan] 
        on-master=/ip dhcp-server enable 1\r\n/ip route disable [/find comment=holan-pva-gw1-lan]\r\n/ip route enable [/find comment=ovpn-etis-dial]\r\n/interface enable [/find comment=ovpn-etis-dial]\r\n 
[admin@holan-pva-gw2-lan] > ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE                                                                                                                
 0   192.168.21.1/24    192.168.21.0    192.168.21.255 wlan1                                                                                                                    
 1   193.85.242.81/27   193.85.242.64   193.85.242.95   wan1                                                                                                                     
 2   192.168.16.3/24    192.168.16.0    192.168.16.255  lan1                                                                                                                     
 3   192.168.16.1/24    192.168.16.0    192.168.16.255  vrrp1                                                                                                                    
[admin@holan-pva-gw2-lan] > ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          193.85.242.65      1       
 1 X S  ;;; www.outdoor-outlet.cz
        81.91.82.42/32                     l2tp-out-Etis      1       
 2 ADC  192.168.16.0/24    192.168.16.3    bridge1            0       
                                           vrrp1             
 3 A S  192.168.18.0/24                    192.168.16.2       1       
 4 ADC  192.168.21.0/24    192.168.21.1    wlan1              0       
 5 A S  ;;; holan-pva-gw1-lan
        192.168.64.0/24                    lan1               1       
 6 X S  192.168.64.0/24                    l2tp-out-Etis      1       
 7 X S  ;;; ovpn-etis-dial
        192.168.64.0/24                    ovpn-out-etis-dial 1       
 8 X S  ;;; ovpn-etis-gts
        192.168.64.0/24                    ovpn-out-etis-gts  1       
 9 ADC  193.85.242.64/27   193.85.242.81   wan1               0       

Re: VRRP + VPN + ping

Posted: Mon Mar 22, 2010 8:10 am
by mrz
You should be able to ping the 192.168.16.3 address, as this address is also used by VRRP to determine if the master is up or down.

Re: VRRP + VPN + ping

Posted: Tue Mar 23, 2010 12:47 pm
by punn
Theoretically I should be able to, but unfortunately I can't.
I can ping only from the inner 16th segment (192.168.16.0/24).
When I disabled the VRRP interface on the backup router I was able to ping 192.168.16.3.


Found out that the error is in the route list.
The master router is connected by VPN to the 64th segment, but the packet is not able to get to the master router.
This route should get the packet to the master router:
6 A S  ;;; holan-pva-gw1-lan
        dst-address=192.168.64.0/24 gateway=192.168.16.2 
        gateway-status=192.168.16.2 reachable vrrp1 distance=1 scope=30 
        target-scope=10 
But as you can see, ROS is trying to send the packet through the inactive VRRP interface, although the defined gateway is the master router's IP address.

Can you help to solve this?!

Thank you!
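
An added example, not part of the original thread: a small Python check that reads the two RouterOS listings quoted above and reports active routes whose gateway-status resolves through a VRRP interface currently flagged B (backup). The sample text is constructed in the shape of the thread's output; route entry 7 is a made-up control, and the function names are hypothetical.

```python
import re

# Constructed sample input shaped like the RouterOS output quoted in this thread.
# Route entry 7 is a made-up control that resolves through bridge1.
VRRP_PRINT = """\
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
 0    B ;;; vrrp-backup
        name="vrrp1" mtu=1500 interface=bridge1 vrid=49 priority=1
"""
ROUTE_DETAIL = """\
 6 A S  ;;; holan-pva-gw1-lan
        dst-address=192.168.64.0/24 gateway=192.168.16.2
        gateway-status=192.168.16.2 reachable vrrp1 distance=1 scope=30
        target-scope=10
 7 A S  dst-address=192.168.18.0/24 gateway=192.168.16.2
        gateway-status=192.168.16.2 reachable bridge1 distance=1 scope=30
"""

# Entry header: index, optional flag groups, then the start of the body.
ENTRY = re.compile(r"^\s*(\d+)\s+((?:[A-Za-z]{1,3}\s+)*)(.*)$")

def entries(text):
    """Split a 'print' listing into [flags, body] per numbered entry."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            out.append([m.group(2).replace(" ", ""), m.group(3)])
        elif out:  # continuation line; the 'Flags:' legend is skipped
            out[-1][1] += " " + line.strip()
    return out

def backup_vrrp(vrrp_print):
    """Names of VRRP interfaces whose flags include B (backup)."""
    names = set()
    for flags, body in entries(vrrp_print):
        m = re.search(r'name="?([^"\s]+)', body)
        if m and "B" in flags:
            names.add(m.group(1))
    return names

def routes_via_backup(route_detail, vrrp_print):
    """Active routes whose gateway-status names a backup VRRP interface."""
    backup = backup_vrrp(vrrp_print)
    hits = []
    for flags, body in entries(route_detail):
        dst = re.search(r"dst-address=(\S+)", body)
        gw = re.search(r"gateway-status=(\S+) reachable (\S+)", body)
        if "A" in flags and dst and gw and gw.group(2) in backup:
            hits.append((dst.group(1), gw.group(1), gw.group(2)))
    return hits

if __name__ == "__main__":
    for dst, gw, ifname in routes_via_backup(ROUTE_DETAIL, VRRP_PRINT):
        print(f"{dst} via {gw} resolves through backup interface {ifname}")
```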

Re: VRRP + VPN + ping

Posted: Sat Mar 27, 2010 11:47 am
by punn
Anyone?