I recently setup IPv6 first-hop redundancy in my colocated environment using Mikrotik and VRRP. It didn’t work the same way I’d come to expect from using it in IPv4 environments and I set out to figure out why.
My expecations for VRRP and IPv6 were the same as IPv4, that a backup router would take over the default gateway IP address on a subnet and the mac address associated with that gateway within 3s (a reasonable automatic failover time)
When VRRP failed over to a backup router all IPv6 ssh sessions I had open to the LAN segment went dead, and were disconnected eventually. This was not what was expected….
So What Happened?
I logged into several of the linux systems to confirm what their default IPv6 route was set to. It was the public unicast address ending in
::1 for that VLAN. The mac address was the virtual mac address. There was also a 2nd default route with an
Experimentation and Troubleshooting
I experimented with the advertise option back and forth on the VLAN and VRRP interfaces with no effect. Finally looking to tune RA settings I ended up in the
IPv6 -> ND dialog. This seemed to be the right place finally.
What Made Things Work?
What made things work in the end was adding the following to both routers to prevent sending RA advertisements over the VLAN interface (VRRP interface is then included in the default ND policy which allows RA)