VRRP master without default route. Does it work?

I have a network similar to this:

Intranets are routed on L3 switches/routers that have on their upstreams direct connections to other routers, hence this upstream network is OSPF area zero.

VyOS is one of the peers in this network as well as the default gateway, it obtains the public address through an IPoE bridge— That’s sadistic DHCP in Swahili, of course. :relieved:

The switch in charge of the main intranet’s routing is already set up for VRRP, it used to have a peer but the latter is gone now. It now talks VRRP alone in the subnets. I’d like to make VyOS join its VRIDs.

Inter-VLAN traffic is constant. Not heavy but “dense” if you will. It makes sense to make the switch become or remain the main internal router; it effortlessly has much greater bandwidth, it’s immediate to the subnets, and does not waste resources on a firewall.

The problem might be — I think — that VyOS would continue being the default gateway out of the network, thus upstream for the switch. But how exactly? I can’t wrap my head around it.

All of the VRRP examples I’ve read always have an upstream interface to route via. I only need VRRP for inter-VLAN routing redundancy. There’s no upstream interface needed in this case because they’re all directly attached. At least for the traffic I’m interested in handling.

For the rest, it would have to go to the firewall (VyOS), normally through that upstream interface but in this case it (the switch) would also connect directly [to the firewall] through 1-to-3 dozen shared VLANs… It kinda sounds like asymmetric routing or a routing loop waiting to happen, best case scenario. I don’t suppose VRRP would ignore the [traffic of a] directly attached network(s) for which it has a valid route unless its peer is dead, will it?? i.e. only pay attention to the address it has in that network if the VRRP peer is not responding.

Maybe a picture makes more sense. This is more or less how I visualize it with VRRP (with a little bit of OSPF among routers :)

Since VyOS is virtualized, I’m a little afraid to proceed lest an in-hypervisor network loop is created. There’s not even a display on it.

This is perhaps a dumb question but if you can easily run OSPF then why are you bothering with VRRP?

My goal with VRRP is to make inter-VLAN routing redundant with a bias towards bandwidth. Internet is not a priority, especially since the single point of failure is the thing to fail over from. As you know, OSPF is only meaningful to routers; hosts have no clue about it and they will still have the same gateway regardless of where this lies. They can’t dynamically track it.

Well, DHCP…but that would have to involve some kind of failover detector that updates DHCP configuration or RADIUS. IDK. Way, LONG way over my skills. :grimacing: Come to think of it, Mikrotik has useful easy [enough] scripting capabilities, it’s not the most straightforward syntax but it could be used to change DHCP “option sets”. CHR (from Mikrotik) is my current DHCP server too. It’s tiny— less than 200MB of memory.

The other way is DHCP option um… 121, 252? It’s a repeated number, the one for classless routes, but it’s not as useful when most of the network is statically addressed. Just listing multiple gateways in DHCP is also doable in some DHCP servers, but I have yet to find a host that goes beyond the first one.

Thank you for bothering with my nonsense though. I think I’ll just give it a rest.

There’s no reason you shouldn’t be able to use VRRP towards your clients for a floating gateway. I have read and re-read your post but I’m really sorry I don’t really follow your question. I would suggest if asking for help to remove the flowing prose and just post the actual technical content of what you’re doing, sans extended prose :slight_smile:

You should easily be able to have VRRP between your router and your switch, with only the router having a route to the Internet. You just need to make sure your switch knows how to route to the Internet as well, either by static route or running OSPF with the VyOS instance.

If a packet comes into the VyOS router while the switch is master, that should be fine, it’ll hand it over the VRRP (backup) link. The only potential gotcha I can think of is statefulness on the VyOS router.

Why does VyOS have to be within the host VLANs? Why not just make VyOS its own VLAN or direct P2P link? Then you add a P2P 0.0.0.0/0 route pointing from your switches to VyOS and ONLY the non-local traffic will be routed to VyOS.
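The first design from the reply above (VyOS as a low-priority VRRP backup inside the host VLANs, the switch staying master, and the switch holding a default route to VyOS), written out as an added example VyOS configuration that is not from the original thread. Interface names, VLAN IDs, VRIDs and all addresses are assumptions; the `#` lines are notes for the reader, not configuration.

```vyos
# Host VLANs: VyOS carries a real address in each, the VRRP virtual address is the hosts' gateway.
# The switch keeps a HIGHER priority on the same VRIDs so it stays master; VyOS only takes over if it dies.
set interfaces ethernet eth1 vif 10 address '10.0.10.3/24'
set interfaces ethernet eth1 vif 20 address '10.0.20.3/24'

set high-availability vrrp group VLAN10 interface 'eth1.10'
set high-availability vrrp group VLAN10 vrid '10'
set high-availability vrrp group VLAN10 virtual-address '10.0.10.1/24'
set high-availability vrrp group VLAN10 priority '50'

set high-availability vrrp group VLAN20 interface 'eth1.20'
set high-availability vrrp group VLAN20 vrid '20'
set high-availability vrrp group VLAN20 virtual-address '10.0.20.1/24'
set high-availability vrrp group VLAN20 priority '50'

# Upstream (the IPoE side) stays on VyOS only; no VRRP is needed here since the switch has no upstream.
set interfaces ethernet eth0 address 'dhcp'

# On the switch (vendor syntax differs): default route to VyOS's REAL address, e.g. 0.0.0.0/0 via 10.0.10.3.
# Pointing it at the virtual address 10.0.10.1 would loop the switch back to itself while it is master.
```

Host-to-Internet traffic then goes host → switch (master) → 10.0.10.3 → VyOS, and return traffic from VyOS is delivered straight into the directly attached VLAN; both directions still traverse VyOS, so its connection tracking sees the full flow, which is the statefulness point raised in the reply.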
