Mikrotik
osada, 2022-03-21 14:34:22

How to set up VRRP correctly?

Colleagues, please help with specific advice on the following points.

One Mikrotik RB1100AHx4 is currently in service. The standard things are configured on it:

1) VLANs with several subnets;
2) L2TP/IPSec Server;
3) Firewall rules with different prohibitions and permissions for networks and hosts;
4) Mangle marks;
5) Src NAT and Dst NAT.

Two public IPs (for example, 1.2.3.4 and 5.6.7.8) from one provider are delivered to ether1 over a single patch cord. On the first IP (for example, 1.2.3.4) all sorts of Firewall rules hang and the L2TP/IPsec server is configured. On the second IP (for example, 5.6.7.8) Src NAT and Dst NAT are configured to publish a specific web application, together with Firewall rules.
There is also a dormant third public IP in reserve (e.g. 9.10.11.12). Accordingly, nothing is configured on it.

In principle, everything works fine.
The plan is to purchase two Mikrotik RB1100AHx4 Dude Edition units and set up VRRP on them for fault tolerance, subsequently replacing the current Mikrotik RB1100AHx4.

Hence the questions:

1) I plan to export all settings from the current Mikrotik RB1100AHx4 and import them into each of the Dude Editions. Since the hardware is almost the same, I think the import of the settings will work fine. Or are there still some points to pay attention to? If there are any problems, I can configure both Dudes manually.

2) As far as I understand, for VRRP to work normally each Dude needs its own separate Internet link. In that case I will need to negotiate with the provider to organize a second physical link for the second Dude and assign it the IP address 9.10.11.12. At the same time, as I understood it, on each of the two Dude Mikrotiks the VLANs need to be configured not on the physical LAN Ethernet port but on the VRRP interface? The VRRP interface will have a non-local IP subnet to handle service traffic between the two Dudes.

3) How do I properly configure the L2TP/IPsec server on each Mikrotik in this case? The Mikrotiks located at other sites act as L2TP clients and also have their own public IP addresses.

Is it a workable option to set up a separate L2TP/IPsec server on each Dude? On the first Dude it would be an L2TP/IPsec server on IP 1.2.3.4, on the second Dude on 9.10.11.12. Then configure two L2TP connections on each client Mikrotik (let's call them L2TP-out1, pointing at 1.2.3.4, and L2TP-out2, pointing at 9.10.11.12). At any one time only one connection would be active on each client Mikrotik, for example only L2TP-out1, and if the connection to it is interrupted, L2TP-out2 would be activated. For this I would need to write a script that monitors the status of the L2TP-out1 and L2TP-out2 connections.
It is not clear how to avoid data loss in such cases (various transactions in the middle of a data transfer from the application, etc.) when the L2TP/IPsec connection is broken.

Or is this approach fundamentally wrong?

4) As for IP 5.6.7.8, on which the web application hangs: how do I configure it correctly when switching to VRRP, so that the application remains available to external clients on the same IP 5.6.7.8 even when failing over from one Dude to the other?

2 answer(s)
Dmitry Alexandrov, 2022-03-21
@jamakasi666

1) Not worth it; better to do everything again by hand. It is very likely that the MAC addresses will get messed up and the password will be lost. Not worth it in general.
2) You seem to be a bit confused about what VRRP is for. Simplifying: you can make the pair a "default gateway" for local clients, but not on the outside, towards the provider. I.e., for example:
Router "A" in the LAN has IP 10.10.10.10
Router "B" in the LAN has IP 10.10.10.11
VRRP between them, and the "default gateway 0.0.0.0" for LAN clients will be 10.10.10.1; this address floats between "A" and "B", and that is your fault tolerance.
On the provider's side it doesn't matter what you have there: assign IP 1.2.3.4 to "A" and IP 5.6.7.8 to "B".
3) See point 2. On the WAN side you will have 2 different IPs without any VRRP. Set up your L2TP/IPsec on each 'Tik. Then you can either try different addressing and bring both links up at the same time, or use one addressing, make 2 "A" records in DNS and have the clients connect to the domain name. You can also try other options. I would make 2 links and run OSPF.
4) See point 2: you don't have VRRP for the outside. At best you can make an "A" record in DNS pointing at both 1.2.3.4 and 5.6.7.8. Then, if one box fails, 50/50 of the clients will go through the other.
You can kludge together some kind of VRRP for the WAN. Roughly speaking, both external IPs hang on router "A", and on router "B" there is a script that pings router "A" through the LAN; if the pings stop, the script brings up the provider-facing interface and assigns the addresses to itself, and if the pings come back (router A is alive again) it disables the interface.
In general, VRRP is for the inside of your LAN, not for the outside.
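The LAN-side VRRP pair from point 2 and the WAN takeover kludge from point 4, written out as RouterOS configuration. This is an added illustration, not configuration from the original thread or from either poster; the interface names (bridge-lan, ether1), the VRRP password, the scheduler interval and the "wan-takeover" comment used to find the standby addresses are assumptions.

```routeros
# --- Router "A" (preferred master) ---------------------------------------
/ip address
add address=10.10.10.10/24 interface=bridge-lan comment="A: real LAN address"

/interface vrrp
# VRRPv2 so that AH authentication is available. VRRPv3 carries no
# authentication: anyone on the LAN segment could then advertise a higher
# priority, become master and sit in the middle of all LAN traffic.
add name=vrrp-lan interface=bridge-lan vrid=10 priority=200 version=2 \
    authentication=ah password="changeme"   # placeholder, assumed secret

/ip address
# The floating gateway address lives on the VRRP interface as a /32 and is
# only active on whichever router is currently master.
add address=10.10.10.1/32 interface=vrrp-lan comment="VRRP virtual gateway"

/ip firewall filter
# Accept VRRP advertisements (IP protocol 112) only from the peer, and only
# on the LAN; put these before the generic input drop.
add chain=input protocol=vrrp src-address=10.10.10.11 in-interface=bridge-lan \
    action=accept comment="VRRP from router B"
add chain=input protocol=vrrp action=drop comment="no VRRP from anyone else"

# --- Router "B" (backup) -------------------------------------------------
# Identical to A except for its own address, a lower priority and the peer
# address in the firewall rule:
#   /ip address add address=10.10.10.11/24 interface=bridge-lan
#   /interface vrrp add name=vrrp-lan interface=bridge-lan vrid=10 \
#       priority=100 version=2 authentication=ah password="changeme"
#   /ip address add address=10.10.10.1/32 interface=vrrp-lan
#   (firewall accept rule with src-address=10.10.10.10)

# WAN takeover on router B: A's public addresses are pre-provisioned here
# but disabled, and a scheduled script enables them only while A stops
# answering pings on the LAN.
/ip address
add address=1.2.3.4/24 interface=ether1 disabled=yes comment="wan-takeover"
add address=5.6.7.8/24 interface=ether1 disabled=yes comment="wan-takeover"

/system script
add name=wan-takeover source={
    :local peer "10.10.10.10"
    :global wanTakeover
    :if ([:typeof $wanTakeover] = "nothing") do={ :set wanTakeover false }
    # replies received out of 3 probes; 0 means A is unreachable on the LAN
    :local replies [/ping $peer count=3 interval=1s]
    :if ($replies = 0 && !$wanTakeover) do={
        /ip address enable [find comment="wan-takeover"]
        :set wanTakeover true
        :log warning "router A unreachable on LAN, enabling WAN addresses here"
    }
    :if ($replies > 0 && $wanTakeover) do={
        /ip address disable [find comment="wan-takeover"]
        :set wanTakeover false
        :log warning "router A is back, releasing WAN addresses"
    }
}

/system scheduler
add name=wan-takeover-check interval=10s on-event=wan-takeover
```

Two caveats worth keeping in mind with the takeover part. First, it only checks one path: if A is cut off from the LAN but still up on ether1, both routers will claim 1.2.3.4 and 5.6.7.8 at the same time, so in practice B should also probe A over a second path before taking over. Second, the provider's upstream router may keep its ARP entry for those addresses pointing at A's MAC until it refreshes, so the switchover is not instant, and the Dst NAT and L2TP server configuration must already exist on B for the addresses to be of any use once they come up.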

osada, 2022-03-22
@osada

Dmitry Alexandrov
1) Understood, thank you.
2) "You seem to be a bit confused about what VRRP is for." - the key point here is that today I have only one WAN connection available. Accordingly, when setting up two Mikrotiks, a separate WAN connection must be supplied to each of them. I know how VRRP works in the LAN.
3) As I understand it, the option I proposed above makes sense? That is, I bring up a separate L2TP/IPsec server on each Mikrotik, bring up two L2TP/IPsec connections on each client Mikrotik and monitor their status with a script.
4) "So that the application remains available to external clients on the same IP 5.6.7.8 even when failing over from one Dude to the other." - if this restriction is not strictly required, then the following can be done.
The web application is of course published by DNS name, which resolves to 5.6.7.8 and 9.10.11.12. Accordingly, on the second Mikrotik I also make NAT rules for this application.
Is this option also workable?
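The client side of the scheme in point 3 (two L2TP/IPsec clients, only one active at a time, a script that swaps them) and the second router's Dst NAT rule from point 4, written as RouterOS configuration. This is an added example, not configuration from the thread or from either poster; the credentials, the central LAN prefix 10.10.10.0/24, the internal web server address 10.10.20.5 and the scheduler interval are assumptions.

```routeros
# --- On each remote (client) Mikrotik ------------------------------------
/interface l2tp-client
add name=L2TP-out1 connect-to=1.2.3.4 user=site1 password="changeme" \
    use-ipsec=yes ipsec-secret="changeme-psk" disabled=no
add name=L2TP-out2 connect-to=9.10.11.12 user=site1 password="changeme" \
    use-ipsec=yes ipsec-secret="changeme-psk" disabled=yes

# Routes to the central LAN via either tunnel. A route whose gateway is an
# interface is only active while that interface is running, so traffic moves
# to L2TP-out2 by itself once it comes up and L2TP-out1 is gone.
/ip route
add dst-address=10.10.10.0/24 gateway=L2TP-out1 distance=10
add dst-address=10.10.10.0/24 gateway=L2TP-out2 distance=20

/system script
add name=l2tp-failover source={
    :local primary "L2TP-out1"
    :local backup  "L2TP-out2"
    # "running" is the interface R flag: true only while the tunnel is up
    :local primaryUp [/interface get [find name=$primary] running]
    :local backupOff [/interface l2tp-client get [find name=$backup] disabled]
    :if (!$primaryUp && $backupOff) do={
        /interface l2tp-client enable [find name=$backup]
        :log warning "$primary down, enabling $backup"
    }
    :if ($primaryUp && !$backupOff) do={
        /interface l2tp-client disable [find name=$backup]
        :log info "$primary is back, disabling $backup"
    }
}

/system scheduler
add name=l2tp-failover-check interval=15s on-event=l2tp-failover

# --- On the second central router (9.10.11.12) ---------------------------
# The same publication rule as on the first router, only with its own public
# address, so the DNS name can carry both A records.
/ip firewall nat
add chain=dstnat dst-address=9.10.11.12 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=10.10.20.5 to-ports=443 comment="web app"
```

Both L2TP servers must accept the same PPP secret and IPsec pre-shared key, and each central router needs a return route to the remote site's LAN over whichever tunnel is up. The switchover itself is never seamless: when the far endpoint changes, the IPsec SAs and the L2TP session are torn down and every TCP connection inside them is reset, so the "data loss" concern from the question can only be handled at the application level, with transactions that are retried or idempotent.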
