I'd really like to see an implementation of CARP (Common Address Redundancy Protocol) or a CARP-like feature.

• CARP is a free, non patent-encumbered alternative to VRRP/HSRP/GLBP
• Unlike VRRP it's protocol-independent. It's usable with IPv4 and IPv6.
• Unlike VRRP it can provide load balancing functions
• All communication between the nodes is encrypted with SHA-1 respectively HMAC

Hi pylon,

I have already requested via support that Mikrotik implement true "High Availability" ala FortiGate's.

CARP could be a base for this, but I think they should forget any idea of inter-vendor compatibility and extend CARP to allow for full replication of all settings and states, and allow single point firmware upgrade for a cluster.

Janis replied to say that it is a feature they will consider once they have finished current projects.

Hi pylon,

I have already requested via support that Mikrotik implement true "High Availability" ala FortiGate's.

CARP could be a base for this, but I think they should forget any idea of inter-vendor compatibility and extend CARP to allow for full replication of all settings and states, and allow single point firmware upgrade for a cluster.

Janis replied to say that it is a feature they will consider once they have finished current projects.

That would be fantastic. Stateful failover (firewall, PPP, hotspot) would be a great feature for RouterOS to get. Hell, even if connections die but user state (logged in) and configuration sync that would be a huge step.

CARP could be a base for this, but I think they should forget any idea of inter-vendor compatibility and extend CARP to allow for full replication of all settings and states, and allow single point firmware upgrade for a cluster.

CARP is really just for IP failover / redundancy. OpenBSD's PF uses pfsync to synchronize firewall states, and sasyncd to synchronize IPSec connections.

Being that MikroTik utilizes Linux netfilter, the closest thing for state failover would be conntrackd from conntrack-tools. I've never utilized this and don't know how it compares to pfsync.

State synchronization would be a nice start, then they could build on that to add the other requested HA features.

I think as a starting point, they should implement config synchronization and an active-passive failover mechanism, even if it drops the states it would be a start. replicating states can be added later as long as it has been designed into the original spec.

The FortiGate HA is the best I have seen, it allows you to set interfaces to "monitor" if the link state of one of the monitored interfaces changes to down, the HA will fail over to the other unit. (you can even monitor status of LACP/bonded links) It also allows you to specify heartbeat interfaces which it sends out the heartbeat broadcasts on.
It also allows you to create clusters of firewalls, that share all configuration, states and elect a master based on a specified unit priority. All management is done via the cluster IP addresses, and when you update the firmware it updates and reboots all the "slave" units first then it fails the active unit over to one of the updated slaves before updating the master without dropping any connections.

Bump. This feature may help to provide HA routers. MT team, please add CARP support in ros 7.

I would be nice to have CARP in RouterOS but there is few problems like iptables is archaic, slow and don't have many future that is implemented to OpenBSD PF (witch is now replacing Solaris firewall in new realase).
Someone trying (still) port CARP to linux but as i know have facet many trouble (project is now probably drop) and now they try use conntrack to replace pfsync but as i know is slow and light year behind OpenBSD.

Other option is change system kernel from linux to BSD then most of future like CARP and many other PF future will be implemented but i think they wont do this

news about pfsync like feature?