Categories


Authors

Mikrotik VRRP

Need help securing your MikroTik routers? A printable copy of our MikroTik Router Hardening Guide complete with a checklist, links to STIGs, and more in-depth discussions of best practices than will fit in a blog post are featured in the MikroTik Router Hardening Guide. Click here to find out more.

Mikrotik VRRP (Virtual Router Redundancy Protocol) gives us the opportunity to introduce some resiliency into our routing infrastructure. A common VRRP implementation is to have redundant gateways for larger networks, whether in enterprise or service provider environments. With VRRP two gateways can be installed, one active and one standby. When one router drops because of power loss, hardware failure, etc the other takes over, assigning itself the gateway address and routing traffic. Very minimal traffic loss occurs during the switch, but there is some loss nonetheless.

We'll implement the dual-gateway solution, and see what happens when we shut one of the LAN interfaces down. Here is the topology we're working with in Boston - one LAN with two gateways, each with a connection to the service provider.

Mikrotik VRRP Topology

Each of the routers has its own static WAN IP, each with a route pointing to the service provider gateway - both routers are perfectly capable of shuttling packets in and out of the network. Each router is also NAT'ing 192.168.70.0/24 traffic out its respective ether1 WAN interface. Both routers each have their own LAN address as well. However, Windows, Mac, and other clients can only accept one gateway by default, so we need one LAN address that both routers can share.  The routers will share the VRRP address, and we'll give that VRRP address out to clients on the LAN for use as the gateway. When one router dies the other will apply that VRRP address and take over as the gateway, and LAN clients should see no real interruption in connectivity.

First, we'll assign local addresses on ether2 interfaces, because they need to be part of the network before VRRP can happen.

On Boston:

/ip address add address=192.168.70.2/24 interface=ether2 network=192.168.70.0

On Boston Standby:

/ip address add address=192.168.70.3/24 interface=ether2 network=192.168.70.0

Now both routers are part of the network, and they can communicate to each other and exchange VRRP traffic. This is everything we need to start configuring VRRP. Next, we'll create the VRRP virtual interfaces, and link them to the physical ether2 interfaces.

On both routers:

/interface vrrp add interface=ether2 name="LAN Gateway"

With the virtual VRRP interfaces created we can now assign that 192.168.70.1/24 gateway address that both of the routers are going to share, and hand-off between each other should one fail.

On both routers:

/ip address add address=192.168.70.1/24 interface="LAN Gateway" network=192.168.70.0

That's the whole of the configuration - both routers are now running VRRP, and one of them has been elected the master and assigned 192.168.70.1. We'll start a constant ping from the workstation on the Boston LAN to a static IP assigned to the Seattle router (165.95.23.1), and disconnect the LAN interface of one of the routers to force the VRRP transition.

Here's the ping:

VRRP Ping Failover Test

Mikrotik FastTrack Firewall Rules

Master Port Configuration