Help with Asynchronous routing and firewall/conntrackd

I have been trying to get async routing working for some time now, and at one point I thought I had a Eureka moment when I found that turning off the external cache in conntrackd allowed two routers to function in active/active ECMP status.

For some time it was working; however, last February I updated to see if some other issues improved and it's never been the same since, even when interfaces are in the same zone. The network works just fine when only one router is on, however I'm constantly seeing high packet loss or host unreachable alerts in my Zabbix session.
Turning one router off solves the issues for as long as the router is off, and it does not matter which router is off at a time. Allowing "invalid" state packets also solves the issue, but reduces security.

Can I get a definitive answer on whether ECMP networks are expected to work with the firewall/zone policy enabled, or is this not a considered use case with VyOS's configuration?

Current build: 1.4-rolling-202206080217

Put simply: asymmetric routing and firewalling do not mix well. This applies to most routers & firewalls not just VyOS. Without a diagram and config, it is difficult for anyone to comment. Allowing “invalid” state packets would seem a bad idea, as you observe.

My personal approach would be to use 4 routers: two outside & two inside. Put a single transit in between all four. Put the firewalling on the inside pair. Try to avoid any firewalling on the outside pair except "local" rules to protect the routers themselves. Use VRRP on the inside routers to control outbound traffic, and a dynamic routing protocol (e.g. OSPF) on all four routers to control the inbound traffic.

Depending on the diagram/config, this approach may, of course, be irrelevant/useless.
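As an added, constructed illustration of the four-router layout the reply above describes (this is not configuration posted in the thread, nor VyOS project documentation), here is what inside router "A" could look like, with the differences for its VRRP peer "B" noted in comments. Everything here is an assumption for the sake of the example: the interface names, zone and rule-set names, rule numbers, and the RFC 5737/RFC 1918 addresses. It uses the `firewall name` / `zone-policy` syntax of VyOS 1.3 and the mid-2022 1.4 rolling builds (the poster's build); later 1.4 releases renamed these trees. The security-relevant property is that every stateful rule set lives on the inside pair, where VRRP (outbound) and OSPF cost (inbound) steer both halves of a flow through the same box, so nothing ever has to accept "invalid"-state packets.

```vyos
# Constructed example for inside router A (VRRP master). Not from the thread.
#
#   LAN 192.0.2.0/24 (gateway = VIP 192.0.2.1)
#        |eth1                 |eth1
#      [ A ]                 [ B ]        <- inside pair: zone firewall lives here
#        |eth0                 |eth0
#   ---- transit 10.0.0.0/24 (OSPF area 0) ----
#        |eth0                 |eth0
#      [ C ]                 [ D ]        <- outside pair: "local" rules only
#        |eth1                 |eth1
#             upstream / ISP
#
set interfaces ethernet eth0 address '10.0.0.11/24'      # transit; B uses 10.0.0.12/24
set interfaces ethernet eth1 address '192.0.2.11/24'     # LAN;     B uses 192.0.2.12/24

# Outbound direction: hosts have exactly one gateway, the VRRP VIP, so every
# LAN->WAN packet enters the firewall on the current VRRP master.
set high-availability vrrp group LAN vrid '10'
set high-availability vrrp group LAN interface 'eth1'
set high-availability vrrp group LAN address '192.0.2.1/24'
set high-availability vrrp group LAN priority '200'      # B: priority '100'

# Inbound direction: both A and B originate 192.0.2.0/24 into OSPF, but B
# advertises its LAN interface with a higher cost, so C and D send return
# traffic to A, the box that already holds the conntrack entry.
set protocols ospf parameters router-id '10.0.0.11'     # B: 10.0.0.12
set protocols ospf area 0 network '10.0.0.0/24'
set protocols ospf area 0 network '192.0.2.0/24'
set protocols ospf passive-interface 'eth1'
set protocols ospf interface eth1 cost '10'              # B: cost '50'

# Stateful policy, inside pair only. Default for WAN->LAN is drop, and no rule
# anywhere accepts state "invalid", which is what symmetric flow placement buys.
set firewall name WAN-LAN default-action 'drop'
set firewall name WAN-LAN rule 10 action 'accept'
set firewall name WAN-LAN rule 10 state established 'enable'
set firewall name WAN-LAN rule 10 state related 'enable'

set firewall name LAN-WAN default-action 'accept'

# Traffic addressed to the router itself: OSPF from the transit, VRRP from the LAN.
set firewall name WAN-LOCAL default-action 'drop'
set firewall name WAN-LOCAL rule 10 action 'accept'
set firewall name WAN-LOCAL rule 10 state established 'enable'
set firewall name WAN-LOCAL rule 10 state related 'enable'
set firewall name WAN-LOCAL rule 20 action 'accept'
set firewall name WAN-LOCAL rule 20 protocol 'ospf'
set firewall name WAN-LOCAL rule 20 source address '10.0.0.0/24'

set firewall name LAN-LOCAL default-action 'drop'
set firewall name LAN-LOCAL rule 10 action 'accept'
set firewall name LAN-LOCAL rule 10 state established 'enable'
set firewall name LAN-LOCAL rule 10 state related 'enable'
set firewall name LAN-LOCAL rule 20 action 'accept'
set firewall name LAN-LOCAL rule 20 protocol 'vrrp'
set firewall name LAN-LOCAL rule 30 action 'accept'
set firewall name LAN-LOCAL rule 30 protocol 'icmp'

set zone-policy zone LAN interface 'eth1'
set zone-policy zone WAN interface 'eth0'
set zone-policy zone LOCAL local-zone
set zone-policy zone LAN from WAN firewall name 'WAN-LAN'
set zone-policy zone WAN from LAN firewall name 'LAN-WAN'
set zone-policy zone LOCAL from WAN firewall name 'WAN-LOCAL'
set zone-policy zone LOCAL from LAN firewall name 'LAN-LOCAL'

# --- Outside routers C and D (shown for C): no zone policy, no stateful
# --- forwarding rules, so inbound may arrive via either box with no conntrack
# --- involved. Only a "local" rule set protects the router itself.
# set interfaces ethernet eth0 address '10.0.0.1/24'     # D: 10.0.0.2/24
# set interfaces ethernet eth0 firewall local name 'WAN-LOCAL'
# set protocols ospf parameters router-id '10.0.0.1'     # D: 10.0.0.2
# set protocols ospf area 0 network '10.0.0.0/24'
# set protocols ospf default-information originate always
```

Two things a practitioner would check before relying on this. First, A reaches C and D with equal OSPF cost, so outbound is ECMP across the outside pair; that is harmless only because C and D keep no connection state, which is exactly why the reply keeps forwarding rules off the outside routers. Second, inbound preference is a static OSPF cost rather than something tied to VRRP state: if A loses eth1 entirely, it also stops originating 192.0.2.0/24 and inbound follows VRRP to B, but a partial failure that moves the VIP without withdrawing the prefix would re-create the asymmetry, so `show ip ospf route` on C or D and `show vrrp` on the inside pair should agree on which router is active.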

Is there a way to configure a VRRP IP in ipv6 router advertisements? The main reason I have this issue is because I use SLAAC configuration, and setting the route preference on router A to high and medium on router B, doesn’t always make hosts use router A exclusively unless router B is turned off.