MikroTik RouterOS Docs

High Availability with VRRP

RouterOS Version: 7.x+ | Difficulty: Intermediate | Estimated Time: 30 minutes

For the impatient: here’s the 30-second version.

# Router A (Master): priority 254
/interface vrrp add name=vrrp1 interface=ether2 vrid=1 priority=254
/ip address add address=10.0.0.1/32 interface=vrrp1
# Router B (Backup): priority 100
/interface vrrp add name=vrrp1 interface=ether2 vrid=1 priority=100
/ip address add address=10.0.0.1/32 interface=vrrp1

Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure inherent in static default gateway configurations. Instead of relying on a single router, VRRP creates a virtual router that can seamlessly fail over between multiple physical devices, ensuring continuous network connectivity even when individual routers fail.

This guide explains VRRP concepts, implementation strategies, and the critical design decisions that determine whether your high availability setup provides genuine redundancy or becomes a source of network instability.

In traditional networks, hosts are configured with a static default gateway:

[Figure: Traditional Network with Single Point of Failure]

The problem: If the router fails, all hosts lose internet connectivity, even if backup routers exist on the network.

Traditional solutions and their limitations:

  • Multiple static routes: Requires manual intervention during failures
  • Dynamic routing protocols: Too complex for simple LANs, adds overhead
  • Router redundancy without VRRP: Requires host reconfiguration during failures

VRRP solves this by creating a virtual router with its own IP and MAC address. Multiple physical routers participate in this virtual router, but only one is active (Master) at any time:

[Figure: VRRP Solution with Virtual Router]

Key benefits:

  • Transparent failover: Hosts never need reconfiguration
  • Sub-second detection: Failure detection within 3 seconds
  • Automatic recovery: Higher priority routers automatically resume Master role
  • Load balancing: Multiple virtual routers can distribute traffic

A Virtual Router (VR) consists of:

  1. Virtual Router ID (VRID): Unique identifier (1-255) for the virtual router
  2. Virtual IP Address: The gateway IP that hosts use
  3. Virtual MAC Address: Automatically generated as 00:00:5E:00:01:XX (where XX is VRID in hex)
  4. Master Router: The currently active router handling traffic
  5. Backup Routers: Standby routers monitoring the Master

Each VRRP router operates in one of three states:

[Figure: VRRP State Machine]

INIT State:

  • Initial state during startup
  • Router determines its role based on priority
  • Transitions to BACKUP or MASTER

BACKUP State:

  • Monitors Master’s advertisement packets
  • Does not respond to ARP requests for virtual IP
  • Does not forward traffic for virtual IP
  • Becomes Master if advertisements stop or if it has higher priority than the current Master

MASTER State:

  • Sends periodic advertisement packets (default: 1 second)
  • Responds to ARP requests with virtual MAC
  • Forwards traffic for virtual IP addresses
  • Steps down if higher priority router appears (unless preemption disabled)

VRRP uses IP protocol 112 with these characteristics:

  • IPv4 Multicast: 224.0.0.18
  • IPv6 Multicast: FF02::12
  • TTL: Always 255 (prevents forwarding)
  • Source: Router’s primary interface IP
  • Authentication: Optional (deprecated in VRRPv3)

Advertisement packet contains:

  • VRID and priority
  • Advertisement interval
  • List of associated IP addresses
  • Authentication data (if enabled)

The router with the highest priority becomes Master:

  • Priority range: 1-254 (255 reserved for IP address owner)
  • Default priority: 100
  • Owner priority: 255 (router that owns the virtual IP)

Election scenarios:

  1. Initial startup: Highest priority router becomes Master
  2. Master failure: Highest priority Backup becomes Master
  3. Higher priority appears: Master steps down (if preemption enabled)
  4. Equal priority: Router with highest IP address wins

Preemption enabled (default):

Time:   0s      10s        20s          30s
R1:     M   →   B     →    M            (Priority 254)
R2:     B   →   M     →    B            (Priority 100)
        ↑       ↑          ↑
        Start   R1 fails   R1 returns

Preemption disabled:

Time:   0s      10s        20s          30s
R1:     M   →   B     →    B            (Priority 254)
R2:     B   →   M     →    M            (Priority 100)
        ↑       ↑          ↑
        Start   R1 fails   R1 returns (stays Backup)

When to disable preemption:

  • Prevent unnecessary failovers during maintenance
  • Avoid disruption from flapping routers
  • Maintain stable Master during brief outages
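
The election rules and the two preemption timelines above can be replayed in a few lines of Python. This is an added example, not RouterOS code; the router interface IPs (10.0.0.2 and 10.0.0.3) are assumed, and the rule that a priority-255 owner always preempts comes from RFC 5798.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class Router:
    name: str
    priority: int          # 1-254, or 255 for the virtual IP owner
    ip: str                # assumed primary interface IP, used to break ties
    preempt: bool = True   # RouterOS preemption-mode
    up: bool = True

def rank(r: Router):
    """Election key: highest priority wins, then highest IP address."""
    return (r.priority, int(ip_address(r.ip)))

def elect(routers, master=None):
    """Return the Master after re-evaluating the group.

    `master` is the current Master, or None at initial startup.
    """
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    best = max(alive, key=rank)
    if master is None or not master.up:
        return best                      # initial startup or Master failure
    # A healthy Master steps down only for a strictly higher priority router
    # that may preempt (the priority-255 owner always preempts, RFC 5798).
    if best.priority > master.priority and (best.preempt or best.priority == 255):
        return best
    return master

def timeline(preempt: bool):
    """Replay the Start / R1 fails / R1 returns sequence shown above."""
    r1 = Router("R1", 254, "10.0.0.2", preempt)
    r2 = Router("R2", 100, "10.0.0.3", preempt)
    states, master = [], None
    for r1_up in (True, False, True):
        r1.up = r1_up
        master = elect([r1, r2], master)
        states.append(master.name)
    return states

if __name__ == "__main__":
    print("preemption enabled: ", timeline(True))
    print("preemption disabled:", timeline(False))
```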

Address Resolution:

  • Master responds to ARP requests with virtual MAC
  • Backup routers ignore ARP requests for virtual IP
  • Gratuitous ARP sent during Master transition

Configuration example:

/interface vrrp add name=vrrp1 interface=ether2 vrid=1 priority=254
/ip address add address=10.0.0.1/32 interface=vrrp1

Neighbor Discovery:

  • Uses link-local addresses for communication
  • Master sends unsolicited Neighbor Advertisements
  • Router Advertisement messages for virtual addresses

Configuration example:

/interface vrrp add name=vrrp1 interface=ether2 vrid=1 version=3 v3-protocol=ipv6
/ipv6 address add address=2001:db8::1/64 interface=vrrp1 advertise=yes

Key differences:

  • IPv6 requires VRRPv3 (version=3 v3-protocol=ipv6)
  • No additional IPv6 address needed on physical interface
  • Automatic link-local address handling

RouterOS v7 supports connection tracking synchronization between VRRP routers, ensuring stateful connections survive failovers.

Connection Tracking Synchronization

Synchronization behavior:

  • Only Master → Backup synchronization
  • Connections synchronized before priority changes
  • UDP port 8275 used for sync traffic
  • Requires connection tracking enabled

Configuration:

/ip firewall connection tracking set enabled=yes
/interface vrrp set vrrp1 sync-connection-tracking=yes

For load balancing scenarios with multiple VRRP groups:

# Router 1 - Master for VRID 1, Backup for VRID 2
/interface vrrp add name=vrrp1 vrid=1 priority=254 connection-tracking-mode=active-active connection-tracking-port=8275
/interface vrrp add name=vrrp2 vrid=2 priority=100 connection-tracking-mode=active-active connection-tracking-port=8276
# Router 2 - Backup for VRID 1, Master for VRID 2
/interface vrrp add name=vrrp1 vrid=1 priority=100 connection-tracking-mode=active-active connection-tracking-port=8275
/interface vrrp add name=vrrp2 vrid=2 priority=254 connection-tracking-mode=active-active connection-tracking-port=8276

Important: Each VRRP group must use a unique connection-tracking-port.

Load Balancing with Multiple Virtual Routers

Instead of having one router idle, create multiple virtual routers to distribute load:

[Figure: VRRP Load Balancing with Multiple Virtual Routers]

Virtual Router Configuration:

  • VR1: 10.0.0.1 (Router A=Master, Router B=Backup)
  • VR2: 10.0.0.4 (Router B=Master, Router A=Backup)

Client Configuration:

  • 50% of clients use 10.0.0.1 as gateway
  • 50% of clients use 10.0.0.4 as gateway

Benefits:

  • Both routers actively handle traffic
  • Automatic failover for both groups
  • Better resource utilization
  • Scalable to more routers/groups

Router A configuration:

/interface vrrp add name=vrrp1 interface=ether2 vrid=1 priority=254
/interface vrrp add name=vrrp2 interface=ether2 vrid=2 priority=100
/ip address add address=10.0.0.1/32 interface=vrrp1
/ip address add address=10.0.0.4/32 interface=vrrp2

Router B configuration:

/interface vrrp add name=vrrp1 interface=ether2 vrid=1 priority=100
/interface vrrp add name=vrrp2 interface=ether2 vrid=2 priority=254
/ip address add address=10.0.0.1/32 interface=vrrp1
/ip address add address=10.0.0.4/32 interface=vrrp2

When running VRRP on multiple interfaces (e.g., LAN and WAN), use group authority to ensure consistent state:

[Figure: VRRP Group Authority for Multi-Interface VRRP]

Problem without group authority:

  • Router A: WAN=Master, LAN=Backup
  • Router B: WAN=Backup, LAN=Master
  • Result: Broken routing, NAT failures

Solution with group authority:

/interface vrrp add name=vrrp-wan interface=ether1 vrid=1 priority=254
/interface vrrp add name=vrrp-lan interface=ether2 vrid=2 priority=254 group-authority=vrrp-lan
/interface vrrp set vrrp-wan group-authority=vrrp-lan

Group authority ensures:

  • All VRRP instances in group have same state
  • Only group authority sends control traffic
  • Consistent Master/Backup across interfaces

VRRPv2 supports:

  • none: No authentication (default)
  • simple: Plain-text password
  • ah: HMAC-MD5 authentication

VRRPv3:

  • Authentication deprecated per RFC 5798
  • Rely on network-level security (IPsec, VLANs)

Configuration example:

/interface vrrp add interface=ether2 vrid=1 authentication=ah password=SecurePassword123

Best practices:

  1. Dedicated VLAN: Run VRRP on management VLAN
  2. Access control: Restrict VRRP multicast traffic
  3. Monitoring: Log VRRP state changes
  4. Physical security: Secure router console access

VRRP vulnerabilities:

  • Priority manipulation: Attacker claims Master role
  • Advertisement flooding: DoS via excessive packets
  • MAC spoofing: Impersonate virtual MAC

Mitigation strategies:

# Enable authentication (VRRPv2 only; VRRPv3 deprecates it, see above)
/interface vrrp set [find] authentication=ah password=StrongPassword
# Monitor state changes
/system logging add topics=vrrp action=memory
# Restrict multicast access
/ip firewall filter add chain=input protocol=vrrp src-address=!10.0.0.0/24 action=drop
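
The advertisement properties listed earlier (IP protocol 112, TTL 255, destination 224.0.0.18, VRID and priority) are enough to spot the priority-manipulation case in captured traffic. The following Python check is an added example, not part of the MikroTik documentation; the router inventory (10.0.0.2 and 10.0.0.3 for VRID 1) and the three sample packets are constructed, and checksums are not verified.

```python
import ipaddress
import struct

VRRP_PROTO = 112
VRRP_GROUP = ipaddress.ip_address("224.0.0.18")
# Assumed inventory: VRID -> interface IPs of the routers allowed to advertise it.
KNOWN_ROUTERS = {1: {"10.0.0.2", "10.0.0.3"}}

def parse_advert(pkt: bytes):
    """Parse a raw IPv4 packet; return VRRP advertisement fields or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != VRRP_PROTO or len(pkt) < ihl + 8:
        return None
    src, dst = (ipaddress.ip_address(pkt[i:i + 4]) for i in (12, 16))
    ver_type, vrid, prio, count = struct.unpack_from("!BBBB", pkt, ihl)
    first = ihl + 8  # virtual IPv4 addresses follow the 8-byte VRRP header
    last = min(first + 4 * count, len(pkt) - 3)
    addrs = [str(ipaddress.ip_address(pkt[o:o + 4])) for o in range(first, last, 4)]
    return {"src": str(src), "dst": dst, "ttl": pkt[8], "version": ver_type >> 4,
            "vrid": vrid, "priority": prio, "addrs": addrs}

def findings(pkt: bytes) -> list:
    """Return the reasons an advertisement looks illegitimate ([] = clean)."""
    ad = parse_advert(pkt)
    if ad is None:
        return ["not a VRRP advertisement"]
    out = []
    if ad["ttl"] != 255:
        out.append("TTL %d, expected 255: packet was forwarded" % ad["ttl"])
    if ad["dst"] != VRRP_GROUP:
        out.append("destination %s is not 224.0.0.18" % ad["dst"])
    if ad["src"] not in KNOWN_ROUTERS.get(ad["vrid"], set()):
        out.append("unknown source %s claims VRID %d with priority %d"
                   % (ad["src"], ad["vrid"], ad["priority"]))
    return out

# Constructed sample packets (IPv4 + VRRPv3 headers, checksum fields zeroed).
# LEGIT: 10.0.0.2, priority 254. ROGUE: 10.0.0.66, priority 255. OFFLINK: TTL 254.
LEGIT = bytes.fromhex("45c00020 00000000 ff700000 0a000002 e0000012 3101fe01 00640000 0a000001")
ROGUE = bytes.fromhex("45c00020 00000000 ff700000 0a000042 e0000012 3101ff01 00640000 0a000001")
OFFLINK = bytes.fromhex("45c00020 00000000 fe700000 0a000002 e0000012 3101fe01 00640000 0a000001")

if __name__ == "__main__":
    for name, pkt in (("LEGIT", LEGIT), ("ROGUE", ROGUE), ("OFFLINK", OFFLINK)):
        print(name, findings(pkt) or "ok")
```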

This section provides a minimal testable configuration demonstrating basic VRRP failover.

Create a VRRP interface on the LAN-facing port:

/interface vrrp add name=vrrp1 interface=ether2 vrid=1 priority=254

Configure the virtual IP that clients will use as their gateway:

/ip address add address=10.0.0.1/32 interface=vrrp1

Note: Use /32 netmask for virtual IP when the physical interface has an IP in the same subnet.

Confirm VRRP interface is created and in Master state:

/interface vrrp print detail where name=vrrp1

Expected Output:

0 RM name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:01 arp=enabled
interface=ether2 vrid=1 priority=254 interval=1 preemption-mode=yes
authentication=none version=3 v3-protocol=ipv4

Check that the virtual IP is assigned:

/ip address print where interface=vrrp1

Expected Output:

0 10.0.0.1/32 vrrp1

“VRRP interface shows ‘B’ flag instead of ‘M’”

The router is in Backup state instead of Master. Check:

  1. Priority configuration: Ensure this router has highest priority
  2. Network connectivity: Verify another Master isn’t already active
  3. VRID conflicts: Confirm VRID is unique on the network segment
  4. Advertisement reception: Check if receiving advertisements from higher priority router

# Check for other VRRP routers
/tool sniffer quick interface=ether2 ip-protocol=vrrp duration=10

Verify ARP resolution:

# From client, check ARP table
arp -a | grep 10.0.0.1
# Should show virtual MAC: 00:00:5e:00:01:XX

Check VRRP state:

/interface vrrp monitor vrrp1

Common causes:

  • VRRP interface not in Master state
  • Virtual IP not properly assigned
  • Firewall blocking VRRP traffic
  • Physical interface down

Adjust advertisement interval:

/interface vrrp set vrrp1 interval=100ms

Enable fast failure detection:

  • Use shorter intervals (minimum 10ms)
  • Monitor physical link state
  • Implement BFD for faster detection

Two routers both think they’re Master:

Causes:

  • Network partition between routers
  • Firewall blocking VRRP multicast
  • Different advertisement intervals

Diagnosis:

# Check VRRP logs
/log print where topics~"vrrp"
# Monitor VRRP traffic
/tool sniffer quick interface=ether2 ip-protocol=vrrp

Resolution:

  1. Verify network connectivity between routers
  2. Check firewall rules for protocol 112
  3. Ensure identical advertisement intervals
  4. Verify multicast routing if routers on different subnets
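
Two of the misconfigurations named on this page can be caught before deployment by comparing both routers' VRRP command lines: a connection-tracking-port shared by two groups, and advertisement interval or authentication mismatches that lead to split-brain. The following Python audit is an added example, not MikroTik tooling; it expects the one-line /interface vrrp add form used on this page, and the two sample exports are constructed.

```python
import shlex
from collections import defaultdict

def parse_vrrp(export: str) -> dict:
    """Map VRID -> settings for each '/interface vrrp add' line of an export."""
    groups = {}
    for line in export.splitlines():
        line = line.strip()
        if not line.startswith("/interface vrrp add"):
            continue
        kv = dict(t.split("=", 1) for t in shlex.split(line)[3:] if "=" in t)
        # Defaults as stated on this page, overridden by explicit settings.
        defaults = {"interval": "1s", "priority": "100", "authentication": "none"}
        groups[int(kv["vrid"])] = {**defaults, **kv}
    return groups

def audit(a: dict, b: dict) -> list:
    """Compare the VRRP groups of routers A and B; return findings."""
    issues = []
    for name, groups in (("A", a), ("B", b)):
        ports = defaultdict(list)
        for vrid, kv in sorted(groups.items()):
            if "connection-tracking-port" in kv:
                ports[kv["connection-tracking-port"]].append(vrid)
        issues += ["router %s: VRIDs %s share connection-tracking-port %s"
                   % (name, vrids, port)
                   for port, vrids in ports.items() if len(vrids) > 1]
    for vrid in sorted(a.keys() & b.keys()):
        for key in ("interval", "authentication"):
            if a[vrid][key] != b[vrid][key]:
                issues.append("VRID %d: %s differs (%s vs %s)"
                              % (vrid, key, a[vrid][key], b[vrid][key]))
        if a[vrid]["priority"] == b[vrid]["priority"]:
            issues.append("VRID %d: equal priority, highest IP decides" % vrid)
    return issues

# Constructed exports: A reuses a sync port, B changed the interval on VRID 1.
ROUTER_A = """
/interface vrrp add name=vrrp1 interface=ether2 vrid=1 priority=254 connection-tracking-port=8275
/interface vrrp add name=vrrp2 interface=ether2 vrid=2 priority=100 connection-tracking-port=8275
"""
ROUTER_B = """
/interface vrrp add name=vrrp1 interface=ether2 vrid=1 priority=100 interval=100ms connection-tracking-port=8275
/interface vrrp add name=vrrp2 interface=ether2 vrid=2 priority=254 connection-tracking-port=8276
"""
ISSUES = audit(parse_vrrp(ROUTER_A), parse_vrrp(ROUTER_B))

if __name__ == "__main__":
    print("\n".join(ISSUES))
```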

“Connection tracking sync not working”

Prerequisites check:

# Verify connection tracking is enabled
/ip firewall connection tracking print
# Check sync configuration
/interface vrrp print detail where sync-connection-tracking=yes

Common issues:

  • Connection tracking disabled
  • UDP port 8275 blocked by firewall
  • Incorrect remote-address configuration
  • Version mismatch between routers

When using VRRP on WAN interfaces with NAT:

# WAN VRRP interface
/interface vrrp add name=vrrp-wan interface=ether1 vrid=10 priority=254
# Virtual WAN IP
/ip address add address=203.0.113.1/32 interface=vrrp-wan
# NAT rule using virtual interface
/ip firewall nat add chain=srcnat out-interface=vrrp-wan action=masquerade

Ensure DHCP server binds to virtual interface:

# DHCP server on VRRP interface
/ip dhcp-server add name=dhcp-vrrp interface=vrrp1 address-pool=lan-pool
# DHCP network with virtual gateway
/ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.1 dns-server=10.0.0.1

Script for VRRP state monitoring:

# Create script to check VRRP state
/system script add name=vrrp-monitor source={
    :local vrrpState [/interface vrrp get vrrp1 running]
    :if ($vrrpState = false) do={
        /log warning "VRRP interface vrrp1 is down"
        # Add notification logic here
    }
}
# Schedule regular checks
/system scheduler add name=vrrp-check interval=30s on-event=vrrp-monitor

SNMP monitoring:

  • OID 1.3.6.1.2.1.68.1.3.1.4 (vrrpOperState)
  • Values: 1=initialize, 2=backup, 3=master

Related topics:

  • Bonding/LACP - link-level redundancy
  • OSPF - dynamic routing with redundant paths
  • BGP - multi-homed redundancy