Answer the question
In order to leave comments, you need to log in
How to set up VRRP correctly?
Colleagues, please help with specific advice on the following points.
One Mikrotik RB1100AHx4 is in the works. Standard things are configured on it:
1) VLANs with several subnets;
2) L2TP/IPSec Server;
3) Firewall rules with different prohibitions and permissions for networks and hosts;
4) Mangle marks;
5) Src NAT and Dst NAT;
Two white ips are connected to ether1 (for example, 1.2.3.4 and 5.6.7.8 ) from one specific provider with one patch cord. On the first IP (for example, 1.2.3.4 ) all sorts of Firewall rules hang and L2TP / IPSec Server is configured on it. On the second IP (for example, 5.6.7.8) configured SRS NAT and DST NAT to publish a specific WEB application, as well as Firewall rules.
There is also a dormant third white IP in stock (eg 9.10.11.12 ). Soot-but, nothing is configured on it.
In principle, everything works fine.
The plans are to purchase two Mikrotik RB1100AHx4 Dude Edition and install VRRP there for the purpose of fault tolerance with further replacement of the current Mikrotik RB1100AHx4.
Hence the questions:
1) I plan to export all settings from the current Mikrotik RB1100AHx4 and import them into each of the Dude Edition. Because Since the hardware is almost the same, I think that the import of the settings will work fine. Or do you still need to pay attention to some points? If there are any problems, I can configure both Dudes manually.
2) As far as I understand, for the normal operation of VRRP, it is necessary to have a separate Internet link for each Dude. In this case, I will need to negotiate with the provider to organize a second physical link for the second Dude and assign it an IP address 9.10.11.12 . At the same time, how did I understand that on each of the two Dude Mikrotiks, you need to configure VLANs not on the physical LAN Ethernet port, but on the VRRP interface? The VRRP interface will have a non-local IP subnet to handle service traffic between the two Dudes.
3) How to properly configure in this case the L2TP / IPsec Server on each Mikrotik? Mikrotiki, located in other places, also act as an L2TP client and also have their own white IP addresses.
Is it a working option to set up a separate L2TP/IPsec Server on each Dude? On the first Dude it will be L2TP/IPsec Server with IP 1.2.3.4 , on the second Dude it will be 9.10.11.12 . Next, configure two L2tp connections on each client Mikrotik (let's call them L2TP-out1, which will look at 1.2.3.4 and L2TP-out2, which will look at 9.10.11.12 ). At one point in time, only one connection will work on each client Mikrotik, for example, only L2TP-out1, and if the connection with it is interrupted, the L2TP-out2 connection will be activated. To do this, you will need to write a script that will monitor the status of the L2TP-out1 and L2TP-out2 connections.
It is not clear how to avoid data loss in such cases (various transactions during data transfer from the application, etc.) when the L2TP / IPSec connection is broken.
Or is this approach fundamentally wrong?
4) As for the IP 5.6.7.8 on which the WEB application hangs, how to configure it correctly when switching to VRRP? So that the application is also available to external clients with the same IP 5.6.7.8 , even when switching from one Dude to the second in case of failure.
Answer the question
In order to leave comments, you need to log in
1) it's not worth it, it's better to do everything again with your hands. It is highly likely that you steal the mac addresses, the password will be lost. Not worth it in general
2) You seem to be a bit confused about what VRRP is for. To simplify, you can make them a "default gateway" for local clients, but not externally from the provider. Those. for example:
Router "A" in LAN has ip 10.10.10.10
Router "B" in LAN has ip 10.10.10.11
VRRP between them and "default gateway 0.0.0.0" for LAN clients will be 10.10.10.1, this address will flow between "A" and "B", the same fault tolerance.
From the provider's side, it's purple what you have there, assign to "A" ip 1.2.3.4, and to "B" ip 5.6.7.8
3) See point 2. From the wan side, you will have 2 different ip without any VRRP. Set up your l2tp\ipsec on each tick. Then you can try to do different addressing and raise both links at the same time, or one addressing and make 2 "A" records in DNS, cling to the domain from clients. You can also try other options. I would make 2 links and push ospf.
4) See point 2, you don't have vrrp for externals. At best, you can make "A" in DNS by writing to addresses 1.2.3.4 and 5.6.7.8. Then, in case of failure of one piece of iron, 50/50 clients will climb through another.
You can make a garden for WAN, some kind of vrrp. Roughly speaking, both external ips hang on router "A", in router "B" there is a script that pings router "A" through the LAN, if the pings stop then pull the provider's interface with the script and assign addresses to yourself, if the ping returned (router A came to life) then disable interface.
In general, VRRP is for the inside of your LAN, but not for the outside.
Dmitry Aleksandrov
1) I understand, thank you.
2) "You seem to be a bit confused about what VRRP is for." - the key point here is that I only have one WAN connection available for today. Soo-but, when setting up two Mikrotiks, a separate WAN connection must be supplied to each of them. I know about the scheme of VRRP operation in LAN.
3) As I understand it, my proposed above option makes sense? That is, I raise a separate L2TP / IPSec server on each Mikrotik, on each client Mikrotik I raise two L2TP / IPSec and monitor their status through a script.
4) "So that the application is also available to external clients with the same IP 5.6.7.8, even when switching from one Dude to the second in case of failure." - if you do not strictly adhere to this restriction, then you can do the following.
The WEB application is published by DNS name, of course, and resolves to 5.6.7.8 9.10.11.12. Accordingly, on the second Mikrotik, also make NAT rules for this application.
Is this option also working?
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question