Creating Redundant Configuration with Mikrotik
This is my experiment in creating router redundancy for my home network. The routers that I use are Mikrotik routers. I have one hardware router (MikroTik CRS309-1G-8S+IN), and I have configured a Mikrotik software router as a backup.
Since this is a home network I only have a single ISP, so the redundancy is limited to the routers (I plan to cover ISP redundancy later with a cell phone). But it does allow me to perform maintenance on the routers without impacting my network.
The cable modem is connected to a switch, and both routers are connected to the switch (I refer to that connection on the router side as ‘wan’). Obviously both the cable modem and the switch constitute a single point of failure.
My ISP provides a single public internet IP address via DHCP. That means both routers cannot be active on the wan interface at the same time.
The idea is to configure VRRP within the local LAN subnets and attach scripts to the VRRP interface that bring the wan interface up and down according to the VRRP state: whichever router is VRRP master owns the wan connection.
So, let’s get started.
In the following example I have an interface called ‘wan’ connected to the cable modem, and an interface called ‘trunk’, on which I can configure VLANs for my local networks.
Create a VLAN interface on both routers
# mikrotik-1
/interface vlan add interface=trunk name=vlan22 vlan-id=22
# mikrotik-2
/interface vlan add interface=trunk name=vlan22 vlan-id=22
Create VRRP interfaces
Note that mikrotik-1 has the higher VRRP priority, so with the default preemption it always becomes master whenever it is available, and mikrotik-2 only takes over while mikrotik-1 is down.
# mikrotik-1
/interface vrrp add interface=vlan22 name=vrrp22 priority=110 vrid=22
# mikrotik-2
/interface vrrp add interface=vlan22 name=vrrp22 priority=90 vrid=22
Create IP addresses
I will need two individual IP addresses and one common IP address. In this example I use 192.168.22.0/24 as the subnet and assign .2 to mikrotik-1, .3 to mikrotik-2 and .1 as the shared IP. Note that the individual IP is assigned to the vlan interface, and the shared IP is assigned to the vrrp interface. Also note that the recommendation is to use a /32 subnet for the vrrp interface address; the vlan address already carries the /24 route, and a /32 on the vrrp interface avoids a second, flapping connected route.
# mikrotik-1
/ip address add address=192.168.22.2/24 interface=vlan22
/ip address add address=192.168.22.1/32 interface=vrrp22
# mikrotik-2
/ip address add address=192.168.22.3/24 interface=vlan22
/ip address add address=192.168.22.1/32 interface=vrrp22
At this stage, if everything is configured correctly, once the negotiation completes you should see the following status.
The VRRP interface on the primary router should show the flags RM (running and master):
[admin@mikrotik-1] > /interface vrrp print
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
# NAME INTERFACE MAC-ADDRESS VRID PRIORITY INTERVAL VERSION V3-PROTOCOL
0 RM vrrp22 vlan22 00:00:5E:00:01:16 22 110 1s 3 ipv4
The IP address on the vrrp interface is active:
[admin@mikrotik-1] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.22.2/24 192.168.22.0 vlan22
1 192.168.22.1/32 192.168.22.0 vrrp22
On the secondary router the flag B means the VRRP interface is in the backup state:
[admin@mikrotik-2] > /interface vrrp print
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
# NAME INTERFACE MAC-ADDRESS VRID PRIORITY INTERVAL VERSION V3-PROTOCOL
0 B vrrp22 vlan22 00:00:5E:00:01:16 22 90 1s 3 ipv4
The VRRP IP address on the secondary router is marked with I (invalid), because the shared address is only installed while the interface is master:
[mfedotov@mikrotik-2] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.22.3/24 192.168.22.0 vlan22
1 I 192.168.22.1/32 192.168.22.0 vrrp22
Configure DHCP on the local subnet
I want the Mikrotik routers to serve IP addresses to the clients, and to do that in a redundant way. For that I am going to configure the DHCP server on the vrrp interface, so that it automatically activates/deactivates together with the vrrp interface. This is not a 100% error-proof configuration: the two routers do not share their lease tables, so after a failover the new master knows nothing about the leases handed out by the old one, and I expect certain sequences of events could result in changed IPs on the clients. I don’t expect to see duplicate IPs, since the Mikrotik DHCP server does IP conflict checks before offering an address. Anyway, I am OK with this for my home network. You will need to configure the same settings on both routers (the pool, the network settings and the reservations), so that both hand out addresses from the same range with the same gateway and DNS.
# On both mikrotik-1 and mikrotik-2
/ip pool add name=dhcp_pool_22 ranges=192.168.22.20-192.168.22.250
/ip dhcp-server add address-pool=dhcp_pool_22 interface=vrrp22 name=dhcp22
/ip dhcp-server network add address=192.168.22.0/24 dns-server=192.168.22.1 gateway=192.168.22.1
/ip dhcp-server enable dhcp22
Configuring the WAN connection
Now, let’s configure the WAN connection. I will use the on-master and on-backup script hooks of the vrrp interface to enable/disable the wan interface when the VRRP state changes. I am not sure how the cable modem DHCP server reacts to the client address changes, so I am changing the wan interface MAC address when activating/deactivating the interface: both routers present the same MAC address on wan, so the ISP only ever sees one DHCP client.
I am using MAC address FE:E1:27:A5:72:11, which I just took from the mac address my virtualization assigned to one of my old VMs
# On both mikrotik-1 and mikrotik-2
/interface vrrp set vrrp22 on-master=\
"/interface ethernet set [/interface ethernet find name=wan] mac-address=FE:E1:27:A5:72:11\
\n/interface ethernet enable [/interface ethernet find name=wan]"
/interface vrrp set vrrp22 on-backup=\
"/interface ethernet reset-mac-address [/interface ethernet find name=wan]\
\n/interface ethernet disable [/interface ethernet find name=wan]"
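The hook scripts above only flip the interface. The following version, an added example and not the post’s own configuration, does the same but also logs each transition and drives the ISP DHCP lease explicitly, so that the old master hands the lease back before it goes quiet and the new master asks for it as soon as wan is up. It assumes a DHCP client already exists on wan on both routers (the post relies on one but does not show it); the MAC address is the one used throughout the post.

```routeros
# Added example, not the post's configuration. Run on both mikrotik-1 and
# mikrotik-2. Assumes a DHCP client exists on wan; if it does not, create it:
#   /ip dhcp-client add interface=wan disabled=no

# Master: take over the shared WAN MAC, bring wan up, then ask the ISP for the
# lease right away instead of waiting for the client's own timer.
/interface vrrp set vrrp22 on-master=\
":log info \"vrrp22 -> master, enabling wan\"\
\n/interface ethernet set [find name=wan] mac-address=FE:E1:27:A5:72:11\
\n/interface ethernet enable [find name=wan]\
\n/ip dhcp-client renew [find interface=wan]"

# Backup: release the lease while wan is still up (a clean DHCPRELEASE to the
# ISP), then shut wan and give the interface its hardware MAC back.
/interface vrrp set vrrp22 on-backup=\
":log info \"vrrp22 -> backup, disabling wan\"\
\n/ip dhcp-client release [find interface=wan]\
\n/interface ethernet disable [find name=wan]\
\n/interface ethernet reset-mac-address [find name=wan]"
```

The release on the backup side only runs on a graceful hand-over (priority change, maintenance reboot); if the master dies hard, the on-backup script never runs, and the ISP simply sees the same MAC ask for the address again from the new master. Check /log after a test failover to confirm both hooks fired.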
Confirm that the wan interface is only active (R) on the primary router, and that its MAC address is the manually assigned one:
[admin@mikrotik-1] > /int eth print
Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP
0 RS ether3 1500 5E:58:B2:0C:21:8E enabled
1 RS ether4 1500 E2:EB:54:FE:69:72 enabled
2 R trunk 9000 72:94:56:47:35:A9 enabled
3 R wan 9000 FE:E1:27:A5:72:11 enabled
On the secondary router the wan interface is disabled (X) and has its own MAC address back:
[admin@mikrotik-2] > /int ethernet print
Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP
0 R trunk 1500 06:6B:D7:6A:7E:2F enabled
1 X wan 1500 3A:88:65:25:7B:31 enabled
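The two print commands above are the manual version of a consistency check. As an added example, not from the post, the following RouterOS script performs the same check and can be run by hand or from /system scheduler on both routers: it warns when wan is enabled while VRRP is in backup (the case where both routers would talk to the ISP), and when wan is disabled while VRRP is master (no internet at all). It reads the master state through the read-only master property of the vrrp interface, the same flag shown as M in the print output.

```routeros
# Added example, not the post's configuration. Run on either router.
# Reads the VRRP master flag and the wan disabled flag and compares them.
:local master [/interface vrrp get [find name=vrrp22] master]
:local wanOff [/interface ethernet get [find name=wan] disabled]

:if ($master && $wanOff) do={
    # master without a wan uplink: the on-master hook did not run or failed
    :log warning "vrrp22 is master but wan is disabled"
} else={
    :if (!$master && !$wanOff) do={
        # backup with wan still up: two routers would contend for the ISP lease
        :log warning "vrrp22 is backup but wan is enabled"
    } else={
        :log info ("vrrp22/wan state consistent, master=" . $master)
    }
}
```

To run it periodically, store it with /system script add and point a /system scheduler entry at it; the warnings then appear in /log on the router that is out of step.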
Testing failover
Change the VRRP priority on the secondary router so that it becomes higher than the primary’s. That triggers a state change of the VRRP interface, which runs the on-master script on the new master (old secondary) router and the on-backup script on the old master (new secondary) router. Check /interface vrrp print and /interface ethernet print on both routers afterwards, and when you are done set the priority back to 90, otherwise mikrotik-2 stays master and mikrotik-1 never preempts.
# On mikrotik-2 (secondary router to become the primary)
/interface vrrp set priority=150 vrrp22
Extra settings
The following extra settings are required. Enable the local DNS caching server on the router, since the DHCP clients are told to use 192.168.22.1 for DNS:
/ip dns set allow-remote-requests=yes
If an input firewall is used, the following entries need to be added, before the final drop rule, so that VRRP advertisements and DNS queries reach the router. Note that the DNS rules below accept queries from any source, including wan; together with allow-remote-requests=yes that turns the router into an open resolver, so restrict them to the LAN subnet (src-address=192.168.22.0/24) or drop everything else arriving on wan.
/ip firewall filter add action=accept chain=input comment="Accept VRRP Packets" dst-address=224.0.0.0/24
/ip firewall filter add action=accept chain=input comment="Accept DNS over UDP" dst-port=53 protocol=udp
/ip firewall filter add action=accept chain=input comment="Accept DNS over TCP" dst-port=53 protocol=tcp
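A narrower version of the rules above, added here as an example and not part of the post: VRRP is accepted only as protocol vrrp to its multicast address from the LAN subnet, DNS only from the LAN subnet, and anything else arriving on wan is dropped. It assumes the input chain has no other rules that need to come first; if it does, use place-before to keep the accepts ahead of the drop.

```routeros
# Added example, not the post's configuration. Apply on both routers.
# Rule order on the input chain matters: accepts first, the wan drop last.
/ip firewall filter add chain=input action=accept \
    connection-state=established,related \
    comment="Accept established/related"
# VRRP is IP protocol 112 to 224.0.0.18, sourced from the peer's vlan address.
/ip firewall filter add chain=input action=accept protocol=vrrp \
    dst-address=224.0.0.18 src-address=192.168.22.0/24 \
    comment="Accept VRRP advertisements from LAN"
# DNS only from the LAN subnet, so allow-remote-requests=yes is not exposed on wan.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=53 \
    src-address=192.168.22.0/24 comment="Accept DNS over UDP from LAN"
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=53 \
    src-address=192.168.22.0/24 comment="Accept DNS over TCP from LAN"
# Everything else that reaches the router itself from the ISP side is dropped.
/ip firewall filter add chain=input action=drop in-interface=wan \
    comment="Drop everything else from wan"
# Verify the order; the drop must be the last rule.
/ip firewall filter print
```

Because the VRRP accept matches on the source subnet rather than on an interface, it works unchanged on both routers, whose own vlan addresses differ (.2 and .3).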