Hello once again! Emmanuel Corels here, from Emmanuel Corels Creatives. We’ve explored dynamic routing (OSPF, BGP), MPLS, and plenty more. But what if you want gateway redundancy—so that if one router fails, another instantly takes over the default gateway IP without breaking a sweat? That’s where VRRP (Virtual Router Redundancy Protocol) shines. It’s a handy feature in MikroTik that ensures your network keeps humming along if your primary router goes belly-up.
What Is VRRP?
VRRP is all about creating a “virtual router” that multiple physical routers share. One router acts as the Master, taking on the virtual IP to handle traffic. Another router (or several) act as Backups. If the Master goes offline, a Backup quickly becomes the new Master, adopting the same IP address and MAC so devices don’t even realize a router change has occurred.
Key Highlights:
- No reconfiguration needed on client devices—they keep the same default gateway IP.
- The switchover is rapid, minimizing downtime.
- You can even do load balancing or traffic splitting if you get creative with priorities.
Basic Concepts
- Virtual Router ID (VRID): A number (0-255) used to identify each VRRP instance on a network segment.
- Priority: Dictates who’s Master and who’s Backup. Higher priority = Master.
- Advert Interval: How often the Master (or potential Masters) send VRRP advertisements to each other.
- VRRP IP: The virtual IP shared by all routers in the VRRP group. This is the IP that clients use as their default gateway.
Setting Up a Simple VRRP on MikroTik
Here’s a typical scenario: You have two MikroTik routers in the same LAN subnet (e.g., 192.168.88.0/24), and you want VRRP to ensure gateway redundancy for that subnet.
Router A (Intended Master)
- Assign a Real IP to the interface (e.g., ether2):
/ip address add address=192.168.88.2/24 interface=ether2
- Create a VRRP Interface in WinBox under “Interfaces → VRRP” or via CLI:
/interface vrrp add interface=ether2 vrid=1 priority=200 authentication=none
vrid=1: A unique ID for this VRRP group.
priority=200: Higher than default (100), so Router A becomes Master.
- Add the Virtual IP as an address on the new VRRP interface (RouterOS has no virtual-addresses parameter on /interface vrrp add; the first VRRP interface is named vrrp1 by default):
/ip address add address=192.168.88.1/32 interface=vrrp1
192.168.88.1: The IP your clients will use as gateway. It gets a /32 mask because the real address on ether2 already covers 192.168.88.0/24.
- Enable the VRRP Interface:
/interface vrrp enable [find name=vrrp1]
(Name might differ depending on how you create it.)
- Check Status:
/interface vrrp print
Look for “Master” in the “State” column.
Router B (Backup)
- Assign a Real IP (a different one, say 192.168.88.3/24):
/ip address add address=192.168.88.3/24 interface=ether2
- Create a VRRP Interface with the same VRID and virtual IP, but lower priority (the virtual IP goes on the VRRP interface as a /32 address, since /interface vrrp add has no virtual-addresses parameter):
/interface vrrp add interface=ether2 vrid=1 priority=100 authentication=none
/ip address add address=192.168.88.1/32 interface=vrrp1
- Enable VRRP and verify it’s in “Backup” state:
/interface vrrp enable [find name=vrrp1]
/interface vrrp print
At this point, Router A is Master (advertises every second or so), and Router B is Backup. Clients on the 192.168.88.x network use 192.168.88.1 as their gateway. If Router A fails, Router B notices missed advertisements and becomes Master, taking over 192.168.88.1. Neat and tidy!
VRRP MAC Address
Behind the scenes, VRRP uses a virtual MAC derived from the VRID. The Master router responds to ARP requests for the virtual IP with that virtual MAC. That’s why endpoints can keep sending traffic to the same MAC, even if the physical router changes.
If you look at /interface vrrp print in detail, you’ll see something like MAC Address 00:00:5E:00:01:<VRID> in v2 or a different pattern in v3. Just let VRRP handle that automatically.
Authentication Options
- None: Default, no authentication.
- Simple: A shared password in clear text.
- AH (IPSEC AH): Offers stronger integrity checks.
These days, many people skip or minimize VRRP auth since it’s usually on a trusted LAN. But if you’re paranoid about malicious VRRP advertisements, you can set up authentication.
Example for “Simple”:
/interface vrrp set [find name=vrrp1] authentication=simple password="mySecretPass"
Do the same on both routers or they won’t form a proper VRRP relationship.
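For the malicious-advertisement concern and the virtual MAC described above, here is an added example (not from the original article or from MikroTik) that checks a captured VRRPv2 advertisement against what this lab should be sending. It assumes the RFC 3768 packet layout, that the caller has already extracted source IP, source MAC and TTL from the capture, and a hypothetical POLICY that expects simple authentication; all function names are illustrative and the sample packets are constructed.

```python
import ipaddress
import struct

# Assumed policy for this article's lab; the names and the auth choice are hypothetical.
POLICY = {"vrid": 1, "vip": "192.168.88.1", "auth_type": 1,
          "routers": {"192.168.88.2", "192.168.88.3"}}

def virtual_mac(vrid):
    """IPv4 virtual router MAC: 00:00:5E:00:01:<VRID>."""
    return "00:00:5E:00:01:%02X" % vrid

def checksum(data):
    """16-bit ones' complement checksum over a VRRP message."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid, priority, vip, auth_type=0, auth=b""):
    """Constructed sample VRRPv2 advertisement (RFC 3768 layout) for testing."""
    body = ipaddress.IPv4Address(vip).packed + auth[:8].ljust(8, b"\x00")
    head = struct.pack("!BBBBBB", 0x21, vrid, priority, 1, auth_type, 1)
    return head + struct.pack("!H", checksum(head + b"\x00\x00" + body)) + body

def check_advert(src_ip, src_mac, ttl, payload, policy=POLICY):
    """Return findings for one advertisement; an empty list means it matches policy."""
    if len(payload) < 8 or len(payload) < 16 + 4 * payload[3]:
        return ["truncated message"]
    vt, vrid, prio, count, auth_type = struct.unpack("!BBBBB", payload[:5])
    findings = []
    if vt != 0x21:
        findings.append("not a VRRPv2 advertisement")
    if checksum(payload) != 0:
        findings.append("bad checksum")
    if ttl != 255:
        findings.append("TTL %d, expected 255" % ttl)
    if vrid != policy["vrid"]:
        findings.append("unexpected VRID %d" % vrid)
    if src_mac.upper() != virtual_mac(vrid):
        findings.append("source MAC is not the virtual MAC")
    if src_ip not in policy["routers"]:
        findings.append("unknown sender %s, priority %d" % (src_ip, prio))
    if auth_type != policy["auth_type"]:
        findings.append("auth type %d, expected %d" % (auth_type, policy["auth_type"]))
    vips = {str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)}
    if vips != {policy["vip"]}:
        findings.append("virtual IP list %s differs from policy" % sorted(vips))
    return findings
```

Because the simple password travels in clear text, a matching auth type only shows that the sender is configured like your routers; the sender allowlist, TTL and source MAC checks are what separate your two routers from anything else on the segment.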
VRRP Versions
RouterOS supports VRRP v2 and v3:
- v2: IPv4 only, older but commonly used.
- v3: Can handle IPv4 and IPv6.
Pick the version that matches your needs (e.g., v3 if you plan to run VRRP for IPv6, or if you want the latest spec).
/interface vrrp set [find name=vrrp1] version=3
Just ensure both routers use the same version on the same VRID.
VRRP Failover Testing
A quick test is to unplug Router A’s LAN cable or shut down the interface. Router B should jump to Master state within a few seconds (depending on your advertisement intervals). Ping from a client to 192.168.88.1—if it’s continuous, you’ll likely see just a ping or two drop, then it resumes.
Some folks reduce the advert interval or tweak preemption settings to shorten failover times, but the trade-off is more frequent VRRP chatter on your network.
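To put numbers on "a few seconds", here is an added example (not from the original article) that applies the master-down timer from the VRRP RFCs and the election rule from this guide: highest priority wins, and a tie goes to the higher interface IP. The function names are illustrative, and the router tuples are constructed from this lab's addresses plus a hypothetical third router.

```python
import ipaddress

def master_down_interval(priority, interval=1.0, version=3):
    """Seconds a Backup waits without advertisements before it takes over."""
    # Skew time: RFC 3768 (v2) defines it in seconds, RFC 5798 (v3) scales it
    # by the advertisement interval. Higher priority gives a shorter wait.
    skew = (256 - priority) / 256 * (interval if version == 3 else 1.0)
    return 3 * interval + skew

def failover(backups, interval=1.0, version=3):
    """backups: (name, priority, interface_ip) tuples still alive after the
    Master stops advertising. Returns (new_master, seconds_until_takeover)."""
    def rank(router):
        # Higher priority first; on equal priority the higher interface IP wins.
        return (router[1], int(ipaddress.IPv4Address(router[2])))
    winner = max(backups, key=rank)
    return winner[0], master_down_interval(winner[1], interval, version)

if __name__ == "__main__":
    # Router B from this guide: priority 100, default 1-second adverts.
    print(failover([("B", 100, "192.168.88.3")]))
    # Same router with a 0.5-second advert interval on VRRP v3.
    print(failover([("B", 100, "192.168.88.3")], interval=0.5))
```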
Advanced Scenarios
- Multiple VRRP Instances: You can create multiple VRRP interfaces for different subnets or VLANs, possibly letting Router A be Master for some, while Router B is Master for others, distributing the load.
- Scripting: RouterOS can react to VRRP state changes. For instance, you can run a script upon “becoming Master” to enable certain NAT rules or disable them when going to “Backup.” This is helpful for specialized failover logic.
- Load Balancing: If you have two subnets or multiple VLANs, you can set Router A as Master for VLAN10, Router B as Master for VLAN20, so each handles some traffic. If either fails, the other picks up all VLANs. This is a form of active-active scenario.
- VRRP + OSPF/BGP: Large networks might combine VRRP (for local LAN gateway redundancy) with dynamic routing for upstream failover. The VRRP router also shares routes with the rest of the network. This ensures both local gateway redundancy and dynamic routing to the WAN or data center.
Common Pitfalls
- Mismatched VRID: If one router uses vrid=1 and the other uses vrid=2, they’ll never talk to each other.
- Different Subnets: VRRP requires that both routers share the same LAN segment. If your IP addresses or netmasks mismatch, they won’t form a VRRP pair.
- Firewall: VRRP uses IP protocol 112 (not TCP or UDP). If your firewall blocks it, adjacency fails.
- Duplicate Priorities: If you want a clear Master, give one router a higher priority. If both have the same priority, the one with the higher interface IP wins by default.
Putting It All Together
VRRP is a simple yet powerful way to bring high availability to your network’s default gateways. Whether you’re a small business wanting minimal downtime or an enterprise that can’t afford any disruptions, VRRP has your back. It’s straightforward to set up—just remember to keep the VRID, version, and authentication consistent on both routers, and decide who’s the Master vs. Backup.
Test it, fine-tune intervals if needed, and you’re set. Combine VRRP with your existing firewall rules, QoS, or VPN configurations to ensure that if your main router goes down, your backup is ready to take the wheel.
If you’re hungry for even more advanced topics, keep an eye out for deeper coverage on RouterOS scripting in VRRP, complex multi-subnet setups, or layering VRRP over bridging, VLAN trunking, or dynamic routing. The possibilities are endless!
Enthusiastically explained by
Emmanuel Corels – Admin, Emmanuel Corels Creatives