First time setting up VRRP on a LAN network and have a question. Here is my basic setup:
Mikrotik 1
WAN 1.1.1.1
LAN_interface: 192.168.1.2/24
VRRP_interface: 192.168.1.1/24
Mikrotik 2
WAN 2.2.2.2
LAN_interface: 192.168.1.3/24
VRRP_interface: 192.168.1.1/24
The master/slave transfer works perfectly. But I can not reach the LAN 192.168.1.0/24 from the router that is the SLAVE, not even the VRRP IP or the other mikrotiks lan ip. Is this behavior normal or could I modify some settings to make it work?
To explain a bit more what my goal is, I want to have redundancy also for the case where a WAN would fail. I have VPNs on both mikrotiks, and want to reach the LAN devices if I VPN into either of them. At the moment, if Mikrotik 1 is master, but its WAN goes down, I can not reach the LAN from Mikrotik 2 (and vice versa...). Right now, the only idea I have is to manually change the priority of the vrrp interface after I would VPN into the router with the working wan connection so it takes the master role...
Thanks
Re: VRRP access network also from slave?
Your VRRP addresses need to be /32.
Preemption mode will cause a router to return to master once it's back online (still based on priority). LAN connections will drop when VRRP flips since you have two routes to internet. Client connections should get reestablished but VRRP failover will be noticeable to clients but all should recover in less than a minute (e.g. connections have to timeout, so it how long that takes that effects recovery time).
You have two WAN IPs, so assuming firewall/config are right on each router, your should be VPN to either. Irrespective of VRRP. VPNs should be independent of VRRP.
I'd fix the VRRP address on each router to use a /32 & then see what works.
Preemption mode will cause a router to return to master once it's back online (still based on priority). LAN connections will drop when VRRP flips since you have two routes to internet. Client connections should get reestablished but VRRP failover will be noticeable to clients but all should recover in less than a minute (e.g. connections have to timeout, so it how long that takes that effects recovery time).
You have two WAN IPs, so assuming firewall/config are right on each router, your should be VPN to either. Irrespective of VRRP. VPNs should be independent of VRRP.
I'd fix the VRRP address on each router to use a /32 & then see what works.
Re: VRRP access network also from slave?
I tried setting it to /32 but there is no difference. Only the master has access to the LAN. On the slave it timeouts to anything on 192.168.1.0/24.Your VRRP addresses need to be /32.
Preemption mode will cause a router to return to master once it's back online (still based on priority). LAN connections will drop when VRRP flips since you have two routes to internet. Client connections should get reestablished but VRRP failover will be noticeable to clients but all should recover in less than a minute (e.g. connections have to timeout, so it how long that takes that effects recovery time).
You have two WAN IPs, so assuming firewall/config are right on each router, your should be VPN to either. Irrespective of VRRP. VPNs should be independent of VRRP.
I'd fix the VRRP address on each router to use a /32 & then see what works.
Regarding the VPN, maybe I wrote it a bit confused. VPN works, I just cant access the LAN from the SLAVE router when connected to it via VPN. The devices on the LAN do not require internet, since it is more of a management network. The important thing is that I can access them from outside from either the master or the slave. But at the moment, when I VPN to the slave router I can not access the LAN (or even just try to ping any address on LAN from winbox on the slave router).
Even if we forget the VPN and just imagine I am connected to the slave, in this example lets say 192.168.1.3 and open the ping tool in winbox, I can not ping device on the lan with the ip 192.168.1.10. If I change the priority so 192.168.1.3 becomes master, then I can ping 192.168.1.10.
I hope this is a more clear explanation of what I am trying to achieve...
Re: VRRP access network also from slave?
Hi,
Please show us your "/interface/export" and "/ip/export" outputs of both VRRP master and backup devices.
Please show us your "/interface/export" and "/ip/export" outputs of both VRRP master and backup devices.
Re: VRRP access network also from slave?
This is the export for the vrrp lan:Hi,
Please show us your "/interface/export" and "/ip/export" outputs of both VRRP master and backup devices.
Code: Select all
Mikrotik 1
/interface ethernet
set [ find default-name=ether3 ] comment=cisco-Gi0/24
/interface vlan
add comment="LAN1" interface=ether3 name=\
vlan671 vlan-id=671
/interface vrrp
add interface=vlan671 name=vrrp_vlan_671
/ip address
add address=192.168.1.2/24 comment="LAN1" interface=\
vlan671 network=192.168.1.0
add address=192.168.1.1 comment="LAN1 - VRRP" interface=\
vrrp_vlan_671 network=192.168.1.0
Mikrotik 2
/interface ethernet
set [ find default-name=ether2 ] comment=hp-eth8
/interface vlan
add comment="LAN1" interface=ether2 name=\
vlan671 vlan-id=671
/interface vrrp
add interface=vlan671 name=vrrp_vlan_671
/ip address
add address=192.168.1.3/24 comment="LAN1" interface=vlan671 \
network=192.168.1.0
add address=192.168.1.1 comment="LAN1 - VRRP" interface=\
vrrp_vlan_671 network=192.168.1.0
In the meantime, I was trying my luck with ChatGPT
There was quite some talk about arp settings, it was suggested to set proxy-arp on the vrrp. Tried that but made no difference.Can anyone confirm, if this is normal behavior maybe? I have too little experience with vrrp, maybe it is normal that the slave router can't reach the lan??
Re: VRRP access network also from slave?
Well, the VRRP part looks right to me. I wouldn't mess with proxy-arp, that shouldn't be needed.
Perhaps add the VRRP interface to the LAN interface-list? And/or check your firewall isn't block something.
Also, what's exactly happening and not working (e.g. is one VRRP working, in that one one is a master and one is a slave?). e.g. You saying you can't reach the other router...but from where & what state is VRRP showing when you try?
Perhaps add the VRRP interface to the LAN interface-list? And/or check your firewall isn't block something.
Also, what's exactly happening and not working (e.g. is one VRRP working, in that one one is a master and one is a slave?). e.g. You saying you can't reach the other router...but from where & what state is VRRP showing when you try?
Re: VRRP access network also from slave?
Technically everything works ok form the LAN clients perspective, If one router fails the other takes over and everything is good.Well, the VRRP part looks right to me. I wouldn't mess with proxy-arp, that shouldn't be needed.
Perhaps add the VRRP interface to the LAN interface-list? And/or check your firewall isn't block something.
Also, what's exactly happening and not working (e.g. is one VRRP working, in that one one is a master and one is a slave?). e.g. You saying you can't reach the other router...but from where & what state is VRRP showing when you try?
My question is, can I somehow reach the LAN from the slave.
Example:
1. We have a client device on the network 192.168.1.10
1. Master is working normally, if I SSH to the MASTER and ping 192.168.1.10 it works normally.
2. If I SSH to the SLAVE router and try to ping 192.168.1.10 - it doesnt work.
So my main question is, is there a way for the slave to still reach the lan devices?
Who is online
Users browsing this forum: riviere and 28 guests