Answering my own question :D

Seems I've always set up VRRP on V4 incorrectly ;) Any VRRP IPs on v4 should be /32 netmasks, not the same prefix size as the parent interface. This is actually mentioned on the Mikrotik IP/VRRP Wiki page.

Applying the same to V6 (i.e. /128 on the IP) works perfectly! This unfortunately is not mentioned on the V6 section of the same wiki page.

Cheers,

DG

On Thu, 9 May 2019 at 6:18 pm, Damien Gardner Jnr <rendrag@rendrag.net> wrote:
Hi All,
Having a bit of a weird one. Managed to score a couple of RB1100AHx4's cheap on eBay (Oh my lord they are fast!), so am using them for EOIP between sites for my personal colo, as well as BGP redundancy between the sites. v4 BGP is coming along nicely, but v6 is driving me nuts.
Ideally I'd have VRRP between the two 1100's on the public VLAN facing my VM's, for the gateway IP, but still have an IP in the subnet on each router for reachability (aka a pretty standard setup..). That works as expected for IPv4.
For IPv6, it's a whole other kettle of fish..
Here's a config chunk as example:
/interface vlan
add interface=bond_bridge mtu=9100 name=vlan39_PUBLIC vlan-id=39
/interface vrrp
add interface=vlan39_PUBLIC mtu=9100 name=vlan39_vrrp v3-protocol=ipv6 vrid=39
/ipv6 address
add address=2406:c500:fff3::1 advertise=no interface=vlan39_vrrp
add address=2406:c500:fff3::2 advertise=no disabled=yes interface=vlan39_PUBLIC
/ipv6 route
add distance=1 gateway=2400:d400:b97:3c8f::1
add distance=1 gateway=2400:d400:b97:1c8f::1
add check-gateway=ping distance=1 dst-address=2406:c500:fff3:ff00::/56 gateway=2406:c500:fff3::29
Now, while that ::2 IP is disabled, everything works fine. I can ping hosts on the local /64, and on the routed /56.
But if I enable the ::2 IP on the parent interface, I can still ping hosts on the local /64, but stop being able to ping hosts on the routed /56, until I remove the IP again:
SEQ HOST                      SIZE TTL TIME  STATUS
  0 2400:d400:b97:3c8f::2      104  64 2ms   hop limit exceeded
  1 2400:d400:b97:3c8f::2      104  64 1ms   hop limit exceeded
  2 2400:d400:b97:3c8f::2      104  64 1ms   hop limit exceeded

disabled ::2 IP

  3 2406:c500:fff3:ffe1::2      56  63 1ms   echo reply
  4 2406:c500:fff3:ffe1::2      56  63 0ms   echo reply
The v6 routing table for the local LAN with the ::2 IP disabled:
5 ADC dst-address=2406:c500:fff3::/64 gateway=vlan39_vrrp gateway-status=vlan39_vrrp reachable distance=0 scope=10
6 A S dst-address=2406:c500:fff3:ff00::/56 gateway=2406:c500:fff3::29 gateway-status=2406:c500:fff3::29 reachable via vlan39_vrrp check-gateway=ping distance=1 scope=30 target-scope=10

And same with the ::2 IP enabled:
5 ADC dst-address=2406:c500:fff3::/64 gateway=vlan39_vrrp,vlan39_PUBLIC gateway-status=vlan39_vrrp reachable,vlan39_PUBLIC reachable distance=0 scope=10
6 S dst-address=2406:c500:fff3:ff00::/56 gateway=2406:c500:fff3::29 gateway-status=2406:c500:fff3::29 unreachable check-gateway=ping distance=1 scope=30 target-scope=10
Is anyone using VRRP on IPv6 successfully, and have any pointers? I 'could' up and down the spare IP in scripts on the VRRP interface, but that seems problematic...
And the static route on V6 doesn't let me add %vlan39_PUBLIC or the like in the gateway field to force it out the parent interface..
Thanks,
Damien
--
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
rendrag@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder
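An added example, not part of the original thread or of MikroTik's tooling: a Python check that reads a RouterOS export and flags any address on a VRRP interface that is not a host prefix (/32 for v4, /128 for v6), which is the fix the reply describes. The function names and the sample export are constructed for illustration; the prefix applied to an address written without one (/64 for IPv6, /32 for IPv4) is an assumption about RouterOS defaults.

```python
import ipaddress
import re

# Constructed sample in the shape of the config quoted in the thread.
SAMPLE_EXPORT = """\
/interface vrrp
add interface=vlan39_PUBLIC mtu=9100 name=vlan39_vrrp v3-protocol=ipv6 vrid=39
/ipv6 address
add address=2406:c500:fff3::1 advertise=no interface=vlan39_vrrp
add address=2406:c500:fff3::2 advertise=no disabled=yes interface=vlan39_PUBLIC
"""


def parse_export(text):
    """Yield (menu, {key: value}) for each 'add' line of a RouterOS export."""
    menu = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line                      # e.g. "/ipv6 address"
        elif line.startswith("add ") and menu:
            yield menu, dict(re.findall(r"([\w-]+)=(\S+)", line))


def vrrp_prefix_findings(text):
    """Return [(interface, address/prefix, expected_prefix)] for VRRP
    addresses that share the parent's prefix instead of a host prefix."""
    entries = list(parse_export(text))
    vrrp_ifaces = {kv["name"] for menu, kv in entries
                   if menu == "/interface vrrp" and "name" in kv}
    findings = []
    for menu, kv in entries:
        if menu not in ("/ip address", "/ipv6 address"):
            continue
        iface = kv.get("interface")
        if iface not in vrrp_ifaces or "address" not in kv:
            continue
        ip, _, plen = kv["address"].partition("/")
        host = ipaddress.ip_address(ip)
        # Assumption: no prefix given means /64 for IPv6, /32 for IPv4.
        default = 64 if host.version == 6 else 32
        prefix = int(plen) if plen else default
        if prefix != host.max_prefixlen:
            findings.append((iface, f"{ip}/{prefix}", host.max_prefixlen))
    return findings


if __name__ == "__main__":
    for iface, addr, want in vrrp_prefix_findings(SAMPLE_EXPORT):
        print(f"{iface}: {addr} should be /{want}")
```

The parser handles single-line `add` entries only; exports with backslash-continued lines or quoted values containing spaces would need joining first.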