In the meantime I gave it a try too, running 7.13.4 on a pair of CHRs, and got the same results (plus, like months before, the router acting as VRRP master goes to 100 % of CPU usage). So there is still an issue with this feature - if you want to use it in production, open a support case with Mikrotik and follow their instructions (providing supout.rif from both machines will be their first requirement). Discussing it further on the forum will not help resolve it.
I enabled connection tracking on RTR1's VRRP1 interface.
Same thing happens as before
Yes, for the reasons and with the drawbacks explained earlier. I'm afraid there is no workaround that would not lower the protection against TCP spoofing attacks, which is the sole purpose of the "drop invalid" rule.
If I disable the drop INVALID rule on RTR1 traffic flows as it should.
Statistics: Posted by sindy — Tue Feb 13, 2024 9:33 am