VRRP Guide in MikroTik
At the moment MikroTik has no stacking solution or protocol for hardware synchronisation of routers and switches, and models with redundant power supplies are few. So if you need hardware redundancy, MikroTik leaves you very few options (and they do not work quite the way you would like); one of them is VRRP.
What VRRP is
VRRP (Virtual Router Redundancy Protocol) is an open standard that combines a group of routers into one virtual router in order to increase availability. Wikipedia talks about the "default gateway", but in practice it can be absolutely any router.
MikroTik supports two versions of the protocol, v2 and v3. Version 3 adds IPv6 support but has no authentication (so the MikroTik wiki says, and the VRRPv3 standard indeed dropped it).
When creating a vrrp interface you must specify the ID of the virtual router (VRID), a value from 1 to 255. One physical router can belong to several virtual VRRP routers at the same time.
Every router with the same VRID gets a priority. The router with the highest priority is elected master and becomes the holder of the virtual IP (the address the other devices on the network use to reach the router).
Once a second (configurable) the master sends an advertisement to the multicast address 224.0.0.18 (IPv6: FF02::12); VRRP itself is IP protocol 112. The source MAC of these advertisements, and the MAC that answers ARP for the virtual IP, is the virtual router MAC 00:00:5E:00:01:XX (IPv6: 00:00:5E:00:02:XX), where XX is the hexadecimal representation of the VRID.
Virtual IP is the address of the virtual router; it is configured on the vrrp interface.
A virtual router may consist of more than two routers, and since the standard is open you can, in theory, mix equipment from different vendors.
A couple more notes
VRRP does not synchronise configuration or connection state, and MikroTik has no built-in tools for that either. You can catch configuration changes on the master via the log, export the modified sections to a file and push it to the backup with fetch, where a scheduler checks for new files; or use a third-party server that diffs the two configurations once a day and uploads the changes to the backup. All of that is outside the scope of VRRP.
The main use of the schemes described below is two (or more) routers fed from different (independent) power lines, with seamless switchover when one of the lines has a problem.
Scheme 1. Redundancy with two providers
Preliminary config of the MikroTik master:
/interface ethernet
set [ find default-name=ether1 ] name=eth1-wan
set [ find default-name=ether2 ] name=eth2-vrrp
/ip address
add address=1.1.1.2/30 interface=eth1-wan
/ip route
add distance=1 gateway=1.1.1.1
/system identity set name=vrrp-master
Preliminary config of the MikroTik backup:
/interface ethernet
set [ find default-name=ether1 ] name=eth1-wan
set [ find default-name=ether2 ] name=eth2-vrrp
/ip address
add address=2.2.2.2/30 interface=eth1-wan
/ip route
add distance=1 gateway=2.2.2.1
/system identity set name=vrrp-backup
Adding VRRP on vrrp-master:
[Interfaces] -> [VRRP] -> [+]
name: vrrp100-lan (can be anything)
interface: eth2-vrrp
VRID: 100
Priority: 150
Auth: ah
Pass: testvrrp
Version: 2
VRRP runs on the LAN-side interface, so it makes sense to enable authentication to protect against sabotage. Keep in mind what VRRPv2 authentication can and cannot do: simple sends the password in clear text and ah is an HMAC-MD5 integrity check (RFC 2338), so neither is strong by today's standards; the effective control is to restrict which switch ports and hosts may send VRRP (IP protocol 112) on that segment at all.
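The advertisement format described above (multicast group, virtual MAC derived from the VRID, one-second interval) and the sabotage risk mentioned here, as an added example that is not part of the original guide or of RouterOS: a Python script that builds and parses VRRPv2 advertisements per RFC 3768 and audits captured ones against what our own pair is configured with. The EXPECTED dict mirrors Scheme 1 and is an assumption; anyone on the segment who can send a higher-priority advertisement for VRID 100 takes over 192.168.100.1, and that is what the audit is meant to catch.

```python
"""VRRPv2 advertisement: build, parse and audit (RFC 3768 layout).

Added example for this guide, not RouterOS code. The EXPECTED values
below describe the pair from Scheme 1 and are an assumption.
"""
import ipaddress
import struct
from typing import Dict, List

VRRP_MCAST_V4 = "224.0.0.18"   # advertisements go here, IP protocol 112
VRRP_MCAST_V6 = "ff02::12"
IPPROTO_VRRP = 112
AUTH_NONE, AUTH_SIMPLE, AUTH_AH = 0, 1, 2   # RFC 2338 auth types; RouterOS: none/simple/ah


def virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """00:00:5E:00:01:XX (IPv4) or 00:00:5E:00:02:XX (IPv6), XX = VRID in hex.
    This is the source MAC of advertisements and the MAC that answers ARP for
    the virtual IP; the destination MAC is the multicast group's."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5e:00:{2 if ipv6 else 1:02x}:{vrid:02x}"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a packet whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, vips: List[str], adver_int: int = 1,
                        auth_type: int = AUTH_NONE, password: bytes = b"") -> bytes:
    """VRRPv2 ADVERTISEMENT: version 2, type 1, VRID, priority, VIP count, auth type,
    interval (s), checksum, the VIPs, then 8 bytes of auth data. With 'simple' the
    password travels in clear in those 8 bytes; with 'ah' the HMAC sits in an IP AH
    header in front of this message and the 8 bytes stay zero (no AH is built here)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    if not 0 <= priority <= 255:      # 0 = master stepping down, 255 = address owner
        raise ValueError("priority must be 0..255")
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), auth_type, adver_int, 0)
    addrs = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    auth = password[:8].ljust(8, b"\x00") if auth_type == AUTH_SIMPLE else bytes(8)
    pkt = header + addrs + auth
    return pkt[:6] + struct.pack("!H", inet_checksum(pkt)) + pkt[8:]


def parse_advertisement(pkt: bytes) -> Dict:
    """Decode and validate a VRRPv2 advertisement (the payload after the IP header)."""
    if len(pkt) < 16:
        raise ValueError("too short for VRRPv2")
    ver_type, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != 8 + 4 * count + 8:
        raise ValueError("length does not match VIP count")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad checksum")
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "auth_type": auth_type,
            "adver_int": adver_int, "vips": vips, "virtual_mac": virtual_mac(vrid)}


# What our own pair is configured with (Scheme 1 of the guide); assumed for the audit.
EXPECTED = {"vrid": 100, "priorities": {150, 100}, "auth_type": AUTH_AH, "vips": {"192.168.100.1"}}


def audit(pkt: bytes, expected: Dict = EXPECTED) -> List[str]:
    """Return findings for an advertisement that does not look like one of ours."""
    adv = parse_advertisement(pkt)
    if adv["vrid"] != expected["vrid"]:
        return [f"advertisement for VRID {adv['vrid']} we do not run"]
    findings = []
    if adv["priority"] not in expected["priorities"]:
        findings.append(f"priority {adv['priority']} does not belong to one of our routers")
    if adv["auth_type"] != expected["auth_type"]:
        findings.append(f"auth type {adv['auth_type']} (expected {expected['auth_type']})")
    if set(adv["vips"]) != set(expected["vips"]):
        findings.append(f"virtual IPs {sorted(adv['vips'])} differ from ours")
    return findings


if __name__ == "__main__":
    # Constructed samples: our master's advertisement and a rogue claiming the same VRID.
    ours = build_advertisement(100, 150, ["192.168.100.1"], auth_type=AUTH_AH)
    rogue = build_advertisement(100, 254, ["192.168.100.1"])
    print(virtual_mac(100), parse_advertisement(ours))
    print("ours:", audit(ours))
    print("rogue:", audit(rogue))
```

Feed audit() the VRRP payload (everything after the IP header) of packets to 224.0.0.18 captured on eth2-vrrp, for example with /tool sniffer; a finding for a priority you never configured means someone else is advertising for your VRID. With auth=ah the HMAC is in an IP AH header, so this parser cannot verify it, which is one more reason to filter protocol 112 at the switch rather than rely on the password.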
Adding the service IP:
[IP] -> [Address] -> [+]
interface: eth2-vrrp
address: 10.10.10.1/32
In this layout /32 is not strictly required, because the working subnet and the VRRP service addresses do not overlap. If you take the service addresses from the working subnet instead (for example 192.168.100.251 for the master and 192.168.100.252 for the backup), /32 is mandatory: otherwise each router gets two connected routes to the LAN subnet (via eth2-vrrp and via vrrp100-lan), ends up with an ECMP route and everything works very badly.
There is one more special case when the service and virtual addresses coincide: a router whose real address on the underlying interface equals the virtual IP is treated as the address owner and is master regardless of the configured priority (the owner runs with priority 255 in the standard).
Adding the working IP (the Virtual IP in VRRP terminology):
[IP] -> [Address] -> [+]
interface: vrrp100-lan
address: 192.168.100.1/24
Console version:
/interface vrrp add authentication=ah interface=eth2-vrrp name=vrrp100-lan password=testvrrp priority=150 version=2 vrid=100
/ip address
add address=10.10.10.1/32 interface=eth2-vrrp
add address=192.168.100.1/24 interface=vrrp100-lan
Adding VRRP on vrrp-backup:
[Interfaces] -> [VRRP] -> [+]
name: vrrp100-lan
interface: eth2-vrrp
VRID: 100
Priority: 100 (lower than the master)
Preemption mode: off
Auth: ah
Pass: testvrrp
Version: 2
Preemption mode. With preemption-mode=yes (the default) a router in the Backup state that has a higher priority than the current master takes the master role as soon as it hears that master's advertisements; with preemption-mode=no it waits until the current master actually fails. The setting is evaluated on the router that would do the preempting, i.e. the one with the higher priority: if you want vrrp-backup to keep the virtual IP after vrrp-master comes back, preemption-mode=no has to be set on vrrp-master. On the lower-priority router, as configured here, it changes nothing.
Adding the service IP:
[IP] -> [Address] -> [+]
interface: eth2-vrrp
address: 10.10.10.2/32
Adding the working IP:
[IP] -> [Address] -> [+]
interface: vrrp100-lan
address: 192.168.100.1/24
Console version:
/interface vrrp add authentication=ah interface=eth2-vrrp name=vrrp100-lan password=testvrrp priority=100 version=2 vrid=100 preemption-mode=no
/ip address
add address=10.10.10.2/32 interface=eth2-vrrp
add address=192.168.100.1/24 interface=vrrp100-lan
Once both are configured, negotiation takes place: the routers exchange advertisements and decide whose priority is higher.
State on vrrp-master: [R]unning, [M]aster
State on vrrp-backup: [B]ackup
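The negotiation just described and the preemption-mode note for the backup router, modelled as an added Python example (not RouterOS code): a minimal election following RFC 3768 (highest priority wins, the address owner at priority 255 always wins, the master-down timer grows for lower priorities) together with RouterOS's preemption-mode semantics, which are read on the router that would take over. Router names and priorities are those of Scheme 1; the state machine is simplified and ignores the equal-priority tie-break.

```python
"""Who becomes master: a small model of VRRP election for the pairs in this guide.

Added example, not RouterOS code. It follows RFC 3768 as far as the guide relies
on it and RouterOS's preemption-mode: the setting is evaluated by the router in
Backup state that hears a lower-priority master, so on the lower-priority router
it has no effect. Names and priorities are those of Scheme 1 (an assumption).
"""
from dataclasses import dataclass
from typing import List, Optional

ADVER_INT = 1.0   # default advertisement interval, seconds


@dataclass
class Router:
    name: str
    priority: int            # 1..254 configured; 255 = owns the virtual IP as a real address
    preemption: bool = True  # RouterOS preemption-mode, default yes
    alive: bool = True
    state: str = "Init"


def master_down_interval(priority: int, adver_int: float = ADVER_INT) -> float:
    """RFC 3768: 3 * Advertisement_Interval + Skew_Time, Skew_Time = (256 - priority) / 256.
    The lower the priority, the longer the wait, so the best remaining backup
    declares itself first when the master goes silent."""
    return 3 * adver_int + (256 - priority) / 256


def elect(routers: List[Router], current_master: Optional[str]) -> Optional[str]:
    """One round of advertisements. current_master is the router that was advertising
    before this round (None if nobody is, e.g. its master-down timer has expired on
    the others). Returns the new master's name and updates each router's state.
    Equal priorities (tie-break on the higher primary IP in the RFC) are not modelled."""
    alive = [r for r in routers if r.alive]
    if not alive:
        return None
    incumbent = next((r for r in alive if r.name == current_master), None)
    best = max(alive, key=lambda r: r.priority)
    if incumbent is None:
        winner = best                                    # nobody advertising: highest priority wins
    elif best.priority > incumbent.priority and (best.preemption or best.priority == 255):
        winner = best                                    # a higher-priority backup preempts
    else:
        winner = incumbent                               # preemption off: incumbent keeps the VIP
    for r in routers:
        r.state = "Master" if r is winner else ("Backup" if r.alive else "Init")
    return winner.name


def failover_scenario(master_preemption: bool, backup_preemption: bool) -> List[str]:
    """Scheme 1 timeline: both routers start, vrrp-master dies, vrrp-master returns.
    Returns who holds the virtual IP after each step."""
    a = Router("vrrp-master", 150, preemption=master_preemption)
    b = Router("vrrp-backup", 100, preemption=backup_preemption)
    pair = [a, b]
    history = [elect(pair, None)]               # initial negotiation
    a.alive = False
    history.append(elect(pair, None))           # b's master_down_interval(100) expires, b takes over
    a.alive = True
    history.append(elect(pair, history[-1]))    # a boots into Backup and hears b advertising
    return history


if __name__ == "__main__":
    print("backup waits", master_down_interval(100), "s; master waits", master_down_interval(150), "s")
    print("guide's config (preemption off on the backup):", failover_scenario(True, False))
    print("preemption off on the master instead:", failover_scenario(False, True))
```

With the guide's settings the returning vrrp-master takes the virtual IP straight back; only preemption-mode=no on the higher-priority router makes the backup keep it. Whether that is desirable depends on the scheme: in Scheme 3 below the master must reclaim the role so that only one eth1-wan is active.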
Above, I tried to name the interfaces as descriptively as possible so that there is no confusion when adding firewall rules and the like: vrrp100-lan carries the local network, while the technical VRRP traffic runs over eth2-vrrp. If the LAN is a VLAN, create the VRRP interface on top of the VLAN interface rather than on the physical port.
Scheme 2. Redundancy and balancing with two providers
The previous scheme works well, but one of the providers sits idle almost all the time. You can fix that by having several default gateways on the network and handing different ones to different users via DHCP or static configuration. Either way the setup is not flexible (a given host always leaves through one gateway), but the example shows nicely how one router takes part in several VRRP virtual routers.
We take the previous scheme as a basis and add a second VRRP interface.
On the vrrp-master:
Console version:
/interface vrrp add authentication=ah interface=eth2-vrrp name=vrrp200-lan password=testvrrp priority=100 version=2 vrid=200 preemption-mode=no
/ip address
add address=192.168.100.2/24 interface=vrrp200-lan
On vrrp-backup:
Console version:
/interface vrrp add authentication=ah interface=eth2-vrrp name=vrrp200-lan password=testvrrp priority=150 version=2 vrid=200
/ip address
add address=192.168.100.2/24 interface=vrrp200-lan
It is no longer quite right to speak of master and backup, since each router is now both at once, for different VRIDs.
Result on vrrp-master: master for VRID 100, backup for VRID 200.
Result on vrrp-backup: backup for VRID 100, master for VRID 200.
Scheme 3. Redundancy with a single provider
Preliminary config of the MikroTik master:
/interface ethernet
set [ find default-name=ether1 ] name=eth1-wan
set [ find default-name=ether2 ] name=eth2-vrrp
/ip address
add address=1.1.1.2/30 interface=eth1-wan
/ip route
add distance=1 gateway=1.1.1.1
/system identity set name=vrrp-master
Preliminary config of the MikroTik backup:
/interface ethernet
set [ find default-name=ether1 ] name=eth1-wan disabled=yes
set [ find default-name=ether2 ] name=eth2-vrrp
/ip address
add address=1.1.1.2/30 interface=eth1-wan
/ip route
add distance=1 gateway=1.1.1.1
/system identity set name=vrrp-backup
Important: on vrrp-backup the eth1-wan interface is disabled in the initial config.
The basic VRRP configuration is the same as in the two-provider case.
Configuring vrrp-master:
The VRRP part is identical.
What is new is a script in [System] -> [Scheduler] that runs at startup and disables the WAN interface for a few seconds. This avoids an address and MAC conflict (if the backup has cloned the WAN MAC) and the provider's switch blocking the port. The exported policy list below is much wider than the script needs; trim it to what /interface set requires (read and write).
Console version:
/interface vrrp
add authentication=ah interface=eth2-vrrp name=vrrp100-lan password=testvrrp priority=150 version=2 vrid=100
/ip address
add address=10.10.10.1/32 interface=eth2-vrrp
add address=192.168.100.1/24 interface=vrrp100-lan
/system scheduler
add name=wan-off on-event="/interface set eth1-wan disabled=yes\r\
\n:delay 3\r\
\n/interface set eth1-wan disabled=no" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
Configuring vrrp-backup:
Everything is the same, but the VRRP interface gets on-master and on-backup scripts that switch eth1-wan on and off.
And a scheduler is added that disables eth1-wan at boot (VRRP enables it itself when it becomes master).
Console version:
/interface vrrp
add authentication=ah interface=eth2-vrrp name=vrrp100-lan on-backup="/interface set eth1-wan disabled=yes\r\
\n" on-master="/interface set eth1-wan disabled=no" password=testvrrp preemption-mode=no version=2 vrid=100
/ip address
add address=10.10.10.2/32 interface=eth2-vrrp
add address=192.168.100.1/24 interface=vrrp100-lan
/system scheduler
add name=wan-off on-event="/interface set eth1-wan disabled=yes" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
If the provider filters by MAC address, do not forget to set the same MAC on the backup router's WAN interface.
The weak point of this scheme is the switch in front of the WAN interfaces. You can arrange with the provider to bring you two cables connected to different segments of their network with the VLAN forwarded between them, and so on. Or... use a passive tee. Yes, it is horrible, and whenever either router starts up there will be a few collisions, but it works (as long as eth1-wan on the backup router stays disabled).
And of course you can run VRRP on the WAN interface as well (if the settings there are static), but then an additional switch or an agreement with the provider cannot be avoided.
Scheme 4. Redundancy with a single WISP provider
It may seem that VRRP is an odd curiosity that cannot be used outside the lab without crutches. There is, however, one scheme, very similar to the previous one, that is built on wireless bridges.
On the provider side there is an ap-bridge (preferably with a wide coverage area). On the client side there are two dishes (for example SXT units with a single Ethernet port) on different masts (or different corners of the building), fed from different power lines, providing Internet access for a single subnet.
The settings are exactly the same as in the previous scheme, except that the WAN interface becomes wlan1 and the LAN interface ether1. The dishes can be configured as statically as possible, with all traffic control done on a separate device behind them. This is a perfectly workable anti-vandal scheme that needs no additional arrangement with the provider.