Help understanding Mikrotik MLAG peer port

Hi all,

I know there aren’t many Mikrotik people here but desperate times…

I currently have a pair of OPNsense firewalls configured in HA. The firewall has 2 SFP+ ports. 1 is used for the WAN interface and the other as LAN interface.

The overall network looks like this:

At the moment, each firewall is only connected to one switch, unlike the servers…

I was told that with non-Mikrotik switches, with the existing configuration, the servers are being told they can go to either switch to reach the default gateway, but the active firewall is only present on one of them, requiring traffic that hits the wrong switch to traverse an extra hop to the active firewall. Is this also true for Mikrotik switches in MLAG configuration? From what I understand from reading the MLAG configuration guide, the traffic is managed via the MLAG peer link and therefore shouldn’t end up in the non-active firewall. Is my understanding correct?

If I don’t change the existing wiring, how much of a performance impact do I have when the traffic that hits the wrong switch has to traverse an extra hop?

Do I need to set up some Spanning Tree Protocol (STP) between the 2 switches?

Thank you all in advance

Whether this is a Mikrotik, Cisco, or other vendor setup doesn’t matter. What matters is that the server thinks it is making an LACP connection to a single switch, and therefore will use a hashing algorithm to allocate traffic to the two interfaces. The most common default with LACP is layer2+layer3. I don’t remember the exact specifics (whether the combination is via concatenation, addition, or bitwise or, for example) but the point is that the source and destination MACs and IPs are combined together and the result is divided by the number of links in the LACP group. The remainder is used to select which link the packet will use.

(src MAC + dest MAC + src IP + dest IP)%(number of links) = link to use

So, depending on the IPs being communicated with, the links will trend towards equal utilization. It isn’t possible for the switches to tell the server that the router’s IP or MAC is on one side of the LACP and not the other.

What part of the documentation on MLAG made you think “the traffic is managed via the MLAG peer link”? The peer link only transfers the synchronization data (ICCP) and shuttles around packets that got lost.
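The link selection described in the reply above, as an added example that is not part of the original thread. The XOR-and-fold combination, the function names and all addresses are assumptions constructed for illustration; real implementations differ in how they combine the fields.

```python
import ipaddress
from collections import Counter

def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff into an integer."""
    return int(mac.replace(":", ""), 16)

def pick_link(src_mac, dst_mac, src_ip, dst_ip, n_links):
    """Combine L2 and L3 addresses, fold, and use the remainder as link index.

    Assumed combination (XOR plus folding); the thread only states that the
    fields are combined and reduced modulo the number of links.
    """
    h = (mac_to_int(src_mac) ^ mac_to_int(dst_mac)) & 0xFFFFFFFF
    h ^= int(ipaddress.ip_address(src_ip)) ^ int(ipaddress.ip_address(dst_ip))
    h ^= h >> 16  # fold high bits down so they influence the remainder
    h ^= h >> 8
    return h % n_links

# Constructed sample data: 8 servers, 4 remote hosts, one gateway MAC.
GATEWAY_MAC = "00:00:5e:00:01:01"  # constructed virtual gateway MAC
SERVERS = [(f"02:00:00:00:00:{i:02x}", f"10.0.0.{10 + i}") for i in range(1, 9)]
REMOTES = ["192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.25"]

def flows_per_link(servers, remotes, gateway_mac, n_links=2):
    """Count how many routed flows each LACP member link carries.

    Every frame is addressed to the same gateway MAC, yet the server picks
    the link purely from the hash; it has no idea which physical switch
    the active firewall hangs off.
    """
    counts = Counter()
    for mac, ip in servers:
        for remote in remotes:
            counts[pick_link(mac, gateway_mac, ip, remote, n_links)] += 1
    return counts

if __name__ == "__main__":
    for link, n in sorted(flows_per_link(SERVERS, REMOTES, GATEWAY_MAC).items()):
        print(f"link {link}: {n} flows toward the gateway MAC")
```

With the firewall single-homed to one switch, every flow that hashes to the other member link has to cross the peer link to reach it.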

@brwainer so the peer port is close to the equivalent of what pfsync is in pfSense? I think that I’d better do best practice from Day 1 and follow your advice and set the WAN on the 1G port and bond the 2x 10G ports and plug in one to each switch. Just to be clear, with the 2 switches connected to both firewalls, will the traffic go through the backup firewall if it is not the active firewall? I’m struggling to see how the traffic will flow better this way.
Sorry if these are stupid questions but I’m really trying to understand.

Thank you

It’s not a stupid question, but if my explanations thus far haven’t worked, then my next step is to make a flow diagram (your connection diagram but with colored arrows for traffic) and that feels like work that I don’t want to do.

Having both firewalls using an LACP to the switches just like the servers do will not cause traffic to go to the backup firewall. The backup firewall isn’t responding to ARP requests for the default gateway IP, nor is it sending out traffic using that IP, so the switches don’t learn the virtual MAC on its connection.

Haha, I get it now. Because the 2x 10G ports on the firewall will also be in LACP and part of the MLAG. Is that it? I think I understand now.
