Here is a quick summary of this topic and topology configuration:
Two Remaining Problems:
- DHCPv6 Compatibility with HA on VyOS 1.4:
  - DHCPv6 is not currently supported with High Availability (HA) on VyOS 1.4. The proposed solution involves replacing ISC DHCP with Kea. Using 1.4 as-is introduces potential complications when one router is down, especially if a lease expires during that period. The inclusion of this fix in VyOS 1.4 remains uncertain. We highly anticipate implementing this feature; it looks like it is planned only for 1.5.
- Conntrack-Sync Limitations with VRRP in VyOS:
  - VRRP with conntrack-sync in VyOS does not support multiple instances, only a Primary-Backup setup. In contrast, the native Debian 8 conntrackd supports a Multi-primary setup. Current configurations in an active/active router setup with a stateful firewall only offer a unidirectional synchronization solution, leading to potential issues if the master node fails. The lack of awareness about this limitation prompted the creation of a feature request. We are eager to see this enhancement in VyOS, which looks like it is planned only for 1.5.
Additional Feature Request:
- Dynamic IP Network List Download for Firewall Configuration:
  - Dynamically download a list of IP networks from an online file to add to the firewall. For us, this feature, categorized as a "nice-to-have," is uncertain for inclusion even in VyOS 1.5. Meanwhile, we accept a Python script workaround that can be periodically executed on VyOS. Hence, there is a workaround in place, and we can wait for a potential future implementation.
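The Python workaround mentioned in the last item, written out as an added example (it is not the poster's script and not part of VyOS). It assumes a hypothetical feed URL and network-group name, and a feed format of one CIDR per line with `#` comments; the sample feed below is constructed. The part a practitioner most wants to get right is the validation: every line is parsed with the standard `ipaddress` module, junk and malformed prefixes are rejected rather than silently passed to the firewall, overlapping entries are collapsed, and an empty result refuses to generate commands so a failed or empty download never wipes the existing group.

```python
"""Turn a downloaded list of IP networks into VyOS firewall network-group commands.

Added example, not from the original post. Hypothetical assumptions: the feed
URL, the group name, and the feed format (one network per line, '#' comments).
Parsing and command generation are kept separate from the download so the
logic can be checked offline.
"""
import ipaddress
import urllib.request

# Hypothetical feed location and VyOS group name (assumptions, not real values).
FEED_URL = "https://example.invalid/blocklist.txt"
GROUP_NAME = "BLOCKLIST-V4"

# Constructed sample feed, including lines that must be rejected or merged:
# a comment, a bare host, the same host again as /32, an IPv6 prefix,
# a non-address string and an impossible prefix length.
SAMPLE_FEED = """\
# sample feed (constructed)
203.0.113.0/24
198.51.100.17
198.51.100.17/32
2001:db8::/32
not-an-address
10.0.0.0/33
"""


def parse_networks(text, want_v6=False):
    """Return (networks, rejected) for one address family.

    networks: sorted, de-duplicated ip_network objects with overlapping and
              adjacent prefixes collapsed (ipaddress.collapse_addresses).
    rejected: raw lines that did not parse as a network. Strict parsing is
              kept so '10.0.0.1/24' is rejected instead of silently widened.
    """
    wanted_version = 6 if want_v6 else 4
    kept, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line)  # strict=True by default
        except ValueError:
            rejected.append(line)
            continue
        if net.version == wanted_version:
            kept.append(net)
    return list(ipaddress.collapse_addresses(kept)), rejected


def build_commands(networks, group, v6=False):
    """Build VyOS 1.4 configure-mode commands that replace the group contents.

    Refuses to produce anything for an empty list: a failed download must not
    turn into 'delete the whole blocklist'.
    """
    if not networks:
        raise ValueError("refusing to replace %s with an empty network list" % group)
    kind = "ipv6-network-group" if v6 else "network-group"
    cmds = ["delete firewall group %s %s" % (kind, group)]
    for net in networks:
        cmds.append("set firewall group %s %s network %s" % (kind, group, net))
    return cmds


def fetch_feed(url=FEED_URL, timeout=10):
    """Download the feed text. Not exercised offline; any network error propagates
    so the caller skips the update instead of committing a partial list."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline demonstration on the constructed feed; on a router you would call
    # fetch_feed() instead and run the printed commands in a configure session.
    nets, bad = parse_networks(SAMPLE_FEED)
    for line in bad:
        print("# rejected: %s" % line)
    for cmd in build_commands(nets, GROUP_NAME):
        print(cmd)
```

On the router the printed commands are what a periodic job would feed into a configure session (for example via the VyOS script-template with `configure`, the `set`/`delete` lines, `commit` and `save`); keeping generation and application as separate steps means a bad feed is caught before anything touches the running firewall.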