VRRP Configuration


#1

Hello all,

I’ve been using VyOS for a little while. We have a few running on the network, and I recently set up our first bridged networks using VyOS.

Anyway, I’ve been attempting to get our VyOS routers running in some sort of HA configuration. I’ve created a cluster and that seems to run OK, but I’ve been attempting to get VRRP to work and keep coming up short.

How do I do this? I’ve read a bunch of items and it mostly makes sense, but I seem to be missing something.

I guess I’m looking for some understanding of how to configure the interfaces. For the interface that houses the VRRP stuff, do I assign an IP to that, and can it be on the same network?
I’ve seen the virtual interface get created, and can ping it on a VyOS device, but cannot ping it from a Windows machine, although I can see the fake MAC address that is created.

I have a dedicated test environment, so I can try anything without problems.

Sorry for the long winded question, and thank you in advance.


#2

The easiest setup would be two separate VyOS routers, each with VRRP running on a single interface. Put those interfaces on the same subnet as each other (and same VLAN if applicable). Allow those interfaces to send/receive multicast (by default) traffic (or just the VRRP multicast address 224.0.0.18). The “floating” or “virtual” IP address must be an IP address on the same subnet as the underlying interface. The underlying interface could be a simple interface, or a VIF VLAN-tagged interface, or a bonded interface, or a bonded+vif interface, but for testing just a simple flat interface will work. Give that a try and see if it works; you can always paste your config for someone to look at…


#3

Awesome, thank you for the quick reply. I’ll set up a couple of new test routers and give this a try.


#4

I’ve created 2 new VyOS routers with a very simple configuration. I can ping both routers and see their MAC addresses, but I cannot ping the virtual IP, although I can see the MAC address of the virtual IP. What am I missing???

I’ve attached the files rather than post them in the message.
Thank you.


#5

I tested your configs on a single Linux machine with VirtualBox. I had to turn off the rfc3768 compatibility to get it to work. It looked like the rfc3768 was creating a new interface called eth0v1@eth0. It would respond correctly to ARP, but trying to reach that MAC address/interface from the other guest VyOS and the host machine would not work. Without the rfc3768 there is no new interface created, and the virtual-address uses the regular eth0, so now the guest and host can reach the VRRP virtual-address just fine.


#6

Interesting. That does work, and seems to work well, except that we have to rely on the MAC address being broadcast out quickly when a failover happens.
I understood the rfc3768 compatibility would give the VyOS a way to present a shared MAC address using a virtual interface, but I guess this doesn’t quite work right? Or am I not understanding this function? Do you happen to know anything about it?
Otherwise, removing the RFC compatibility definitely gets it working, thank you!


#7

http://vyos.net/wiki/VRRP or use vif vrrp group .


#8

I’ve read that page and reviewed the configuration examples, which work well as is, but as soon as you add the RFC compatibility, I can no longer ping the virtual IP.
What I thought the RFC3798 did was create a virtual (floating) MAC, but I think it does a little more than just that, or attempts to, and is either not working or I have no idea how to use it correctly (very possible).
If you create a new router and enter the simple configuration, you’ll see that it works without the rfc3768 command, but it will not have a floating MAC nor will it have a virtual interface.
I’ll still be able to use it, but I was hoping for a floating MAC to ease failover transitions. Thanks for the link, it’s a good link with examples for anyone just starting with VRRP.


#9

How are you running your routers, virtual (which hypervisor) or physical?


#10

Virtual on ESXi 5.5


#11

To get the VRRP working you have to change the security settings on your port groups. Depending on which type of vSwitch you are using, the settings are located in different places. The settings are Promiscuous Mode, MAC Address Changes and Forged Transmits.


#12

Sorry for the delay, I’ve been out of the office for a while.

I looked at the settings in VMware and, sure enough, Promiscuous Mode is off. I’ll enable that and see if it makes a difference; I suspect it will.

Thank you.