Static routing with VRRP

I had one VyOS 1.2 device and just replaced it with two VyOS 1.2.5 devices sharing an IP over VRRP. It works great, with one exception: I added a static route to reach another site via a VPN box, and I can ping hosts at the other site from VyOS itself, but not through it, i.e. not from any machine connected to it.
Any help would be very much appreciated! Thanks!!

Hi darkhelmet,

On the side you cannot reach, what does the routing table look like? Can you share the configs?

Hi Ocosa - thanks for your reply. Here is the config:

vyos@vyos:~$ show config
/* Global firewall options plus six named rule sets, one per zone pair.
   Only the two WAN-sourced sets filter anything; every set sourced from
   LAN or LOCAL is a bare accept-all. */
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* LAN -> router: accept-all, so any LAN host can reach any service the
   router runs (SSH is enabled under "service"). */
name LAN-LOCAL {
default-action accept
}
/* LAN -> WAN: accept-all, no egress filtering. */
name LAN-WAN {
default-action accept
}
name LOCAL-LAN {
default-action accept
}
name LOCAL-WAN {
default-action accept
}
/* WAN -> LAN: dropped unless established/related or ICMP. */
name WAN-LAN {
default-action drop
rule 5 {
action accept
/* NOTE(review): the curly quotes are presumably forum formatting; the
   CLI needs straight quotes if this is pasted back. */
description “Allow EST/Related Traffic”
state {
established enable
related enable
}
}
/* Accepts new ICMP of any type; no ICMP type match or rate limit is set. */
rule 20 {
action accept
protocol icmp
state {
new enable
}
}
}
/* WAN -> router itself: dropped unless established/related or ICMP.
   Nothing here admits SSH, VRRP or any other protocol from the WAN side. */
name WAN-LOCAL {
default-action drop
rule 5 {
action accept
description “Allow EST/Related Traffic”
state {
established enable
related enable
}
}
/* Same as WAN-LAN rule 20: any ICMP type, unlimited rate, aimed at the
   router. Restricting to echo-request with a rate limit would be tighter. */
rule 20 {
action accept
protocol icmp
state {
new enable
}
}
}
receive-redirects disable
/* ICMP redirects are sent. NOTE(review): if the static next hops sit on the
   LAN segment, LAN hosts may be redirected to them directly - confirm this
   is wanted. */
send-redirects enable
/* Reverse-path source validation is off. NOTE(review): strict mode can drop
   asymmetric replies on a dual-uplink box; evaluate loose mode rather than
   leaving spoofed-source checks disabled. */
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}
/* VRRP: one group per segment (LAN on eth3, WAN1 on eth4, WAN2 on eth2),
   tied together by sync-group MAIN so all three change state together.
   No group has an "authentication" node, so advertisements are
   unauthenticated: any host on the same segment that speaks VRRP with the
   same vrid can influence which router is master. Setting authentication
   on each group, and keeping untrusted hosts off these segments, limits that.
   NOTE(review): WAN-LOCAL only accepts established/related and ICMP; confirm
   the peer's advertisements on eth2/eth4 are actually received, otherwise
   both routers can claim the WAN addresses. */
high-availability {
vrrp {
group LAN {
interface eth3
/* Every group on this node uses priority 2; the peer's priority is not
   shown on this page. */
priority 2
virtual-address 10.x.x.x/24
vrid 100
}
group WAN1 {
interface eth4
priority 2
virtual-address [wan1 address]/24
vrid 101
}
group WAN2 {
interface eth2
priority 2
virtual-address [wan2 address]/29
vrid 102
}
sync-group MAIN {
member LAN
member WAN1
member WAN2
}
}
}
/* Three Ethernet ports are configured: eth2 (WAN2), eth3 (LAN), eth4 (WAN).
   Addresses and MACs were redacted by the poster. The zone-policy section
   also names eth0 and eth1, which have no entry here. */
interfaces {
ethernet eth2 {
address [wan2 address]/29
description WAN2
duplex auto
hw-id [mac address]
smp-affinity auto
speed auto
}
ethernet eth3 {
address 10.x.x.x/24
description LAN
hw-id [mac address]
}
ethernet eth4 {
address [wan1 address]/24
description WAN
hw-id [mac address]
}
loopback lo {
}
}
/* WAN load balancing in failover mode across eth2 and eth4, with a health
   check against each uplink's gateway. */
load-balancing {
wan {
flush-connections
interface-health eth2 {
nexthop [wan2 gateway]
}
interface-health eth4 {
nexthop [wan1 gateway]
}
/* Rule 1 matches everything entering on eth3 and steers it to an uplink.
   There is no destination match and no earlier "exclude" rule.
   NOTE(review): this likely explains the symptom in the post. Forwarded LAN
   traffic is steered by this rule instead of the static routes, while
   traffic originated by the router is not. It also means packets meant for
   the remote site would leave via an Internet uplink and be masqueraded
   rather than entering the VPN. An exclude rule for the remote-site
   prefixes, numbered before this one, is the usual remedy - verify. */
rule 1 {
failover
inbound-interface eth3
interface eth2 {
}
interface eth4 {
}
}
sticky-connections {
inbound
}
}
}
/* Source NAT: masquerade 10.0.0.0/16 on each uplink (rule 100 on eth4,
   rule 101 on eth2). Neither rule has a destination match, so any packet
   from that range leaving an uplink is translated - including one addressed
   to a private remote-site prefix that was steered to the WAN by mistake. */
nat {
source {
rule 100 {
outbound-interface eth4
source {
address 10.0.0.0/16
}
translation {
address masquerade
}
}
rule 101 {
outbound-interface eth2
source {
address 10.0.0.0/16
}
translation {
address masquerade
}
}
}
}
/* Static routes: a default route with two next hops (one per uplink) and
   five more specific routes through 10.0.x.x next hops. The poster's
   redaction makes four of the prefixes read identically; they are
   presumably distinct /24s in the real config.
   NOTE(review): these routes are used by traffic the router originates;
   whether forwarded LAN traffic honours them depends on the
   load-balancing wan rules - confirm. */
protocols {
static {
route 0.0.0.0/0 {
next-hop [wan2 gateway] {
}
next-hop [wan1 gateway] {
}
}
route 10.0.x.0/24 {
next-hop 10.0.x.x {
}
}
route 10.0.x.0/24 {
next-hop 10.0.x.x {
}
}
route 10.0.x.0/24 {
next-hop 10.0.x.x {
}
}
route 10.0.x.0/24 {
next-hop 10.0.x.x {
}
}
route 10.x.x.0/24 {
next-hop 10.0.x.x {
}
}
}
}
/* SSH on port 22 with no listen-address set and password logins not
   disabled. Reachability is decided by the zone firewall alone: LAN-LOCAL
   accepts everything, WAN-LOCAL has no rule for it. Binding SSH to the LAN
   address and using key-based logins would narrow the exposure. */
service {
ssh {
port 22
}
}
/* System settings: 100 saved commit revisions, serial console, one login
   account, an internal resolver, NTP (servers redacted) and local syslog. */
system {
config-management {
commit-revisions 100
}
console {
device ttyS0 {
speed 9600
}
}
host-name vyos
login {
/* The only account is the default user name "vyos" with level admin and
   password authentication; no public keys are listed. Both secrets are
   masked in this output, so nothing sensitive is exposed by the post
   itself. */
user vyos {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
name-server 10.0.x.x
ntp {
server x {
}
server x {
}
server x {
}
}
/* Only a "global" target is configured, i.e. logs stay on the box.
   NOTE(review): on an HA pair, a remote syslog host keeps evidence
   available after a failover or a compromise of one node. */
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
/* Three zones - LAN, LOCAL (the router itself) and WAN - each defaulting
   to drop, with the named rule sets from the firewall section bound per
   direction. */
zone-policy {
/* LAN zone: eth0 and eth3. eth0 has no entry under "interfaces".
   NOTE(review): the 10.0.x.x next hops used by the static routes appear to
   live in this zone, so traffic to and from the remote site would be
   handled as intra-zone LAN traffic and not pass through any of the named
   rule sets. If the remote site deserves less trust than the local LAN,
   give the VPN box its own zone - confirm topology first. */
zone LAN {
default-action drop
from LOCAL {
firewall {
name LOCAL-LAN
}
}
from WAN {
firewall {
name WAN-LAN
}
}
interface eth0
interface eth3
}
/* LOCAL zone: traffic addressed to the router itself. */
zone LOCAL {
default-action drop
from LAN {
firewall {
name LAN-LOCAL
}
}
from WAN {
firewall {
name WAN-LOCAL
}
}
local-zone
}
/* WAN zone: eth1, eth2 and eth4. eth1 has no entry under "interfaces". */
zone WAN {
default-action drop
from LAN {
firewall {
name LAN-WAN
}
}
from LOCAL {
firewall {
name LOCAL-WAN
}
}
interface eth1
interface eth2
interface eth4
}
}