Hey @phillipmcmahon, here are the relevant bits for VRRP in my setup, hopefully it gives you enough info to get started.
First my VRRP-related firewall groups, primary = .252, backup = .254. I only showed one here, but you need this for each VRRP group if you are applying a different firewall to each interface as I am.
I am using the same group with both/all the required addresses for simplicity, otherwise it gets tedious…
Also this allows for much simpler updating between configs on different routers as it's all in the same address group.
This config is to be entered on both routers; due to the unique setup with address groups, it's copy/paste into both routers once you have the interfaces added into the groups correctly.
set firewall group address-group ag-vrrp-dmz address '192.168.67.252'
set firewall group address-group ag-vrrp-dmz address '192.168.67.254'
Same as above, for each interface dealing with VRRP
set firewall name dmz-firewall rule 10 action 'accept'
set firewall name dmz-firewall rule 10 description 'Allow VRRP'
set firewall name dmz-firewall rule 10 destination group address-group 'ag-vrrp-dmz'
set firewall name dmz-firewall rule 10 protocol 'vrrp'
set firewall name dmz-firewall rule 10 source group address-group 'ag-vrrp-dmz'
set firewall name firewall-dmz rule 10 action 'accept'
set firewall name firewall-dmz rule 10 description 'Allow VRRP'
set firewall name firewall-dmz rule 10 destination group address-group 'ag-vrrp-dmz'
set firewall name firewall-dmz rule 10 protocol 'vrrp'
set firewall name firewall-dmz rule 10 source group address-group 'ag-vrrp-dmz'
This is all that I needed, as I was using my management network 192.168.7.0 for conntrack sync.
This is not required to be repeated.
set firewall name firewall-mgmt rule 650 action 'accept'
set firewall name firewall-mgmt rule 650 description 'Accept Conntrack Sync'
set firewall name firewall-mgmt rule 650 destination group address-group 'ag-ct_sync'
set firewall name firewall-mgmt rule 650 destination group port-group 'pg-ct_sync'
set firewall name firewall-mgmt rule 650 protocol 'udp'
set firewall name firewall-mgmt rule 650 source group address-group 'ag-vrrp-mgmt'
set firewall name firewall-mgmt rule 651 action 'accept'
set firewall name firewall-mgmt rule 651 description 'Allow IGMP for Conntrack Sync'
set firewall name firewall-mgmt rule 651 destination group address-group 'ag-igmp'
set firewall name firewall-mgmt rule 651 protocol 'igmp'
set firewall name firewall-mgmt rule 651 source group address-group 'ag-vrrp-mgmt'
set firewall name mgmt-firewall rule 650 action 'accept'
set firewall name mgmt-firewall rule 650 description 'Accept Conntrack Sync'
set firewall name mgmt-firewall rule 650 destination group address-group 'ag-ct_sync'
set firewall name mgmt-firewall rule 650 destination group port-group 'pg-ct_sync'
set firewall name mgmt-firewall rule 650 protocol 'udp'
set firewall name mgmt-firewall rule 650 source group address-group 'ag-vrrp-mgmt'
The whole VRRP configuration; here you can see all of my VLANs. The only interface I am not VRRP'ing is WAN as I am at home, planning to add a 4G backup connection soon, but it will not be via VRRP.
set high-availability vrrp group cam advertise-interval '1'
set high-availability vrrp group cam description 'Cam'
set high-availability vrrp group cam hello-source-address '192.168.53.254'
set high-availability vrrp group cam interface 'eth2.53'
set high-availability vrrp group cam peer-address '192.168.53.252'
set high-availability vrrp group cam preempt-delay '3'
set high-availability vrrp group cam priority '250'
set high-availability vrrp group cam rfc3768-compatibility
set high-availability vrrp group cam virtual-address '192.168.53.253/24'
set high-availability vrrp group cam vrid '53'
set high-availability vrrp group dmz advertise-interval '1'
set high-availability vrrp group dmz description 'DMZ'
set high-availability vrrp group dmz hello-source-address '192.168.67.254'
set high-availability vrrp group dmz interface 'eth0.67'
set high-availability vrrp group dmz peer-address '192.168.67.252'
set high-availability vrrp group dmz preempt-delay '3'
set high-availability vrrp group dmz priority '250'
set high-availability vrrp group dmz rfc3768-compatibility
set high-availability vrrp group dmz virtual-address '192.168.67.253/24'
set high-availability vrrp group dmz vrid '67'
set high-availability vrrp group download advertise-interval '1'
set high-availability vrrp group download description 'Download'
set high-availability vrrp group download hello-source-address '192.168.79.254'
set high-availability vrrp group download interface 'eth0.79'
set high-availability vrrp group download peer-address '192.168.79.252'
set high-availability vrrp group download preempt-delay '3'
set high-availability vrrp group download priority '250'
set high-availability vrrp group download rfc3768-compatibility
set high-availability vrrp group download virtual-address '192.168.79.253/24'
set high-availability vrrp group download vrid '79'
set high-availability vrrp group guest advertise-interval '1'
set high-availability vrrp group guest description 'Guest'
set high-availability vrrp group guest hello-source-address '192.168.131.254'
set high-availability vrrp group guest interface 'eth1.131'
set high-availability vrrp group guest peer-address '192.168.131.252'
set high-availability vrrp group guest preempt-delay '3'
set high-availability vrrp group guest priority '250'
set high-availability vrrp group guest rfc3768-compatibility
set high-availability vrrp group guest virtual-address '192.168.131.253/24'
set high-availability vrrp group guest vrid '131'
set high-availability vrrp group iot advertise-interval '1'
set high-availability vrrp group iot description 'IOT'
set high-availability vrrp group iot hello-source-address '192.168.11.254'
set high-availability vrrp group iot interface 'eth1.11'
set high-availability vrrp group iot peer-address '192.168.11.252'
set high-availability vrrp group iot preempt-delay '3'
set high-availability vrrp group iot priority '250'
set high-availability vrrp group iot rfc3768-compatibility
set high-availability vrrp group iot virtual-address '192.168.11.253/24'
set high-availability vrrp group iot vrid '11'
set high-availability vrrp group lan advertise-interval '1'
set high-availability vrrp group lan description 'LAN'
set high-availability vrrp group lan hello-source-address '192.168.13.254'
set high-availability vrrp group lan interface 'eth1.13'
set high-availability vrrp group lan peer-address '192.168.13.252'
set high-availability vrrp group lan preempt-delay '3'
set high-availability vrrp group lan priority '250'
set high-availability vrrp group lan rfc3768-compatibility
set high-availability vrrp group lan virtual-address '192.168.13.253/24'
set high-availability vrrp group lan vrid '13'
set high-availability vrrp group mgmt advertise-interval '1'
set high-availability vrrp group mgmt description 'Management'
set high-availability vrrp group mgmt hello-source-address '192.168.7.254'
set high-availability vrrp group mgmt interface 'eth2.7'
set high-availability vrrp group mgmt peer-address '192.168.7.252'
set high-availability vrrp group mgmt preempt-delay '3'
set high-availability vrrp group mgmt priority '250'
set high-availability vrrp group mgmt rfc3768-compatibility
set high-availability vrrp group mgmt virtual-address '192.168.7.253/24'
set high-availability vrrp group mgmt vrid '7'
set high-availability vrrp group public advertise-interval '1'
set high-availability vrrp group public description 'Public'
set high-availability vrrp group public hello-source-address '192.168.17.254'
set high-availability vrrp group public interface 'eth0.17'
set high-availability vrrp group public peer-address '192.168.17.252'
set high-availability vrrp group public preempt-delay '3'
set high-availability vrrp group public priority '250'
set high-availability vrrp group public rfc3768-compatibility
set high-availability vrrp group public virtual-address '192.168.17.253/24'
set high-availability vrrp group public vrid '17'
set high-availability vrrp sync-group sync member 'cam'
set high-availability vrrp sync-group sync member 'guest'
set high-availability vrrp sync-group sync member 'mgmt'
set high-availability vrrp sync-group sync member 'lan'
set high-availability vrrp sync-group sync member 'iot'
set high-availability vrrp sync-group sync member 'public'
set high-availability vrrp sync-group sync member 'dmz'
set high-availability vrrp sync-group sync member 'download'
set high-availability vrrp sync-group sync transition-script backup '/config/scripts/vrrp-trans-fail.sh'
set high-availability vrrp sync-group sync transition-script fault '/config/scripts/vrrp-trans-fail.sh'
set high-availability vrrp sync-group sync transition-script master '/config/scripts/vrrp-trans-master.sh'
set high-availability vrrp sync-group sync transition-script stop '/config/scripts/vrrp-trans-fail.sh'
Conntrack sync stuff
set service conntrack-sync accept-protocol 'tcp,udp,icmp'
set service conntrack-sync disable-external-cache
set service conntrack-sync event-listen-queue-size '16'
set service conntrack-sync failover-mechanism vrrp sync-group 'sync'
set service conntrack-sync interface eth2.7
set service conntrack-sync listen-address '192.168.7.254'
set service conntrack-sync mcast-group '224.0.0.50'
set service conntrack-sync sync-queue-size '16'
set system conntrack expect-table-size '2048'
set system conntrack hash-size '32768'
set system conntrack modules gre disable
set system conntrack modules nfs disable
set system conntrack modules pptp disable
set system conntrack modules sip disable
set system conntrack modules sqlnet disable
set system conntrack modules tftp disable
set system conntrack table-size '262144'