VRRP issue on WAN interface

Dear Team

I have found one issue.

My network is like below :-

My core switch is connected to my 2 different VMware boxes through 2 separate WAN cables, where I created 2 VyOS firewalls working with VRRP.

Now on both virtual VyOS firewalls I have 2 interfaces, that is eth1 and eth2.

eth1 is the virtual WAN interface and eth2 is my LAN interface.

I have configured VRRP like below:

VyOS 1 (VRRP Master)

Interface  IP Address         S/L  Description
eth1       192.168.196.1/24   u/u  RED Public Network
           43.224.250.205/24
eth2       10.10.0.2/16       u/u  GREEN Lan Network
           10.10.0.1/16

VyOS 2 (VRRP Backup)

Interface  IP Address         S/L  Description
eth1       192.168.196.2/24   u/u  RED Public Network
eth2       10.10.0.3/16       u/u  GREEN Lan Network

set high-availability vrrp group Green_interface interface 'eth2'
set high-availability vrrp group Green_interface priority '100'
set high-availability vrrp group Green_interface virtual-address '10.10.0.1/16'
set high-availability vrrp group Green_interface vrid '196'
set high-availability vrrp group Red_interface interface 'eth1'
set high-availability vrrp group Red_interface priority '100'
set high-availability vrrp group Red_interface virtual-address '43.224.250.205/24'
set high-availability vrrp group Red_interface vrid '196'
set high-availability vrrp sync-group VRRP_GROUP_196 member 'Green_interface'
set high-availability vrrp sync-group VRRP_GROUP_196 member 'Red_interface'

The problem is: suppose one of my physical WAN interfaces, which connect the core switch to my 2 VMware boxes, is disconnected. Then why does VRRP not become live on the VyOS firewall on the other VMware box?

Can we track the physical interface???
Can we do something like DPD or anything else??

VRRP becoming live on the other firewall only works when the master virtual VyOS firewall is rebooted or shut down; it does not work in case the physical WAN interface is down.

Please help us with this concern.

So in short your network is:

WAN1 ↔ VM1 ↔ Core-switch (let's say int1)
WAN2 ↔ VM2 ↔ Core-switch (let's say int2)

Where each VM server has one VyOS running which is configured like:

VyOS1
eth1: 192.168.196.2/24
eth2: 10.10.0.2/24

VyOS2
eth1: 192.168.196.3/24
eth2: 10.10.0.3/24

Where the VRRP configured for each interface is:
eth1-vip: 192.168.196.1/24
eth2-vip: 10.10.0.1/24

Is the above correct?

Where does the 43.224.250.205/24 come from, and what is its purpose?

Generally speaking I would recommend setting up 2 VRFs, one named for example MGMT and one named for example PROD.

This way, from the VyOS point of view, you would have, let's say, eth0 as the MGMT interface in VRF MGMT, eth1 as the WAN interface in VRF PROD and eth2 as the LAN interface in VRF PROD.

Dear Apachez

The diagram is like below:

Core switch-----------------------WAN cable------> VMware Box 1 (virtual VyOS master created here)
Same core switch--------------WAN cable------> VMware Box 2 (virtual VyOS backup created here)

On VyOS 1 (master)

eth1: 192.168.196.2/24
eth2: 10.10.0.2/24

VyOS 2 (backup)
eth1: 192.168.196.3/24
eth2: 10.10.0.3/24

Where the VRRP configured for each interface is:

eth1-vip: 43.224.250.205/24
eth2-vip: 10.10.0.1/24

You can see I am just using 192.168.196.2 and 192.168.196.3 on the eth1 interface on both VyOS firewalls. This IP is actually used for the VRRP heartbeat only. Actually, eth1 is my virtual WAN interface, where I configured 43.224.250.205/24 to get internet on VyOS, and when my master VyOS is down then both virtual IPs of eth1 and eth2 are reflected on my backup firewall, which is configured for VRRP.

When I disable any interface (eth1 or eth2) of the master VyOS, or when my master is shut down, the virtual IP is reflected on the backup firewall, which means the backup becomes the master firewall, and in this case my VRRP is working fine.

Now my exact question or concern is: if one of my physical WAN ports or cables, which come from the core switch to my 2 different VMware boxes, is down, then in this case my VRRP is not reflected to the backup firewall.

Why???

This is my concern. Can we track the physical interface or port which comes from the core switch to my VMware box, where exactly the virtual VyOS is created?
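The question above (can the physical uplink be tracked?) can be addressed with VyOS's VRRP health-check script, which keepalived runs periodically and whose non-zero exit it treats as a failed check. The script below is an added example, not code from this thread or from the VyOS project; it assumes the interface name eth1 from the thread, a placeholder upstream gateway 43.224.250.1 (the real next hop is not given in the thread), and the script path /config/scripts/wan-check.sh.

```shell
#!/bin/sh
# Hypothetical VRRP health-check script for the thread's setup (added example).
# Install as /config/scripts/wan-check.sh (executable) on both VyOS nodes and wire it in with:
#   set high-availability vrrp group Red_interface health-check script '/config/scripts/wan-check.sh'
#   set high-availability vrrp group Red_interface health-check interval '5'
#   set high-availability vrrp group Red_interface health-check failure-count '3'
# keepalived runs it on the interval and takes the group out of MASTER after the
# configured number of failures; Green_interface follows via sync-group VRRP_GROUP_196.

WAN_IF="${WAN_IF:-eth1}"
# Placeholder next hop on the 43.224.250.0/24 provider network (not given in the thread).
UPSTREAM_GW="${UPSTREAM_GW:-43.224.250.1}"
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Guest-visible link state. A VM NIC on a vSwitch normally stays "up" when the
# host's physical uplink is unplugged, so this check alone misses the fault in the thread.
link_up() {
    iface="$1"
    state="$(cat "$SYSFS_NET/$iface/operstate" 2>/dev/null || echo unknown)"
    carrier="$(cat "$SYSFS_NET/$iface/carrier" 2>/dev/null || echo 0)"
    [ "$state" = "up" ] && [ "$carrier" = "1" ]
}

# Reachability of the upstream gateway, sourced from the WAN interface.
# This is what actually fails when the cable between core switch and VMware host is pulled.
upstream_reachable() {
    iface="$1"
    gw="$2"
    ping -c 2 -W 1 -I "$iface" "$gw" >/dev/null 2>&1
}

# Combined verdict: returns 0 when healthy, non-zero when the WAN path is faulty.
wan_healthy() {
    link_up "$1" && upstream_reachable "$1" "$2"
}

main() {
    if wan_healthy "$WAN_IF" "$UPSTREAM_GW"; then
        exit 0
    fi
    logger -t vrrp-check "WAN check failed on $WAN_IF (link down or gateway $UPSTREAM_GW unreachable)"
    exit 1
}

# Run main only when executed as the installed script, so the functions can be sourced for testing.
case "$0" in *wan-check.sh) main ;; esac
```

Run it by hand on the master while the uplink cable is pulled: the exit code should flip to 1 within the two-ping timeout, which is exactly the signal the current configuration lacks.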

Why don't you draw a network topology with draw.io? It will be easier to debug.
At the same time, paste your configuration of the 2 VyOS servers, stripped of sensitive data.