Looking at setting up something like below and wanted to see if this is possible. Currently have two separate firewall types for the internet circuits. Would like to have it so all the systems have the same default gateway and I can reboot/upgrade a firewall and access to the internet would still be possible. Also, if I lost an ISP's connection, the VRRP IP would use the backup firewall automatically and I would not lose internet. The VRRP would let me upgrade and reboot the router without losing internet access.
There's a handy guide for high availability here.
We have a dual ISP setup at my work and we have two /29s, so we use an IP as the VRRP address that fails over between firewalls/routers, and have a wan-load-balance script that changes the static route to the VRRP on the primary firewall and the primary route on the backup to point to the primary.
We also set the backup ISP as default static route but with a higher weight, e.g.:
set protocols static route 0.0.0.0/0 next-hop { isp1-ip } distance 1
set protocols static route 0.0.0.0/0 next-hop { isp2-ip } distance 5
Our solution isn't 100% foolproof, as if a router fails we do have a blip in internet connectivity, but hope this helps get you started.
VRRP would not be run on the firewall interfaces since it does not support DHCP and the firewalls are separate. VRRP would only be on the inside interfaces coming from the internal hosts. The firewalls would just connect to each individual router, and I figured the router would realize if a firewall was unavailable and not send the traffic to that host but to the other. I missed a line, but there would be a link between both routers so they could route traffic between themselves.
OK, so are these routers VyOS? If so, then you could set up wan-load-balance so it pings the WAN gateway to see if it's up or not; in the script, if it's not active, change the default route to point to the other router.
As for VRRP, this could be just any IP that floats between the routers in case of a router going offline; then you point your switch default route at the VRRP IP address.
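Putting the two replies together, here is an added example (not from the thread or the VyOS project) of what the inside-interface VRRP plus the weighted default routes could look like on the primary router, written in VyOS 1.3 `set` syntax. All addresses, interface names, the group name `LAN` and the script path are constructed assumptions; the health-check script makes the router give up the VRRP master role when its own ISP gateway stops answering pings.

```vyos
# Router A (primary, in front of ISP1). All addresses are constructed examples.
# eth0 = ISP1 uplink, eth1 = inside LAN, eth2 = link to router B.

# Inside interface: one virtual gateway (10.0.0.1) shared with router B.
set high-availability vrrp group LAN vrid 10
set high-availability vrrp group LAN interface eth1
set high-availability vrrp group LAN virtual-address 10.0.0.1/24
set high-availability vrrp group LAN priority 200
set high-availability vrrp group LAN preempt-delay 30

# Drop to backup if the ISP1 gateway stops answering (3 failures, 5 s apart).
set high-availability vrrp group LAN health-check script /config/scripts/check-wan.sh
set high-availability vrrp group LAN health-check interval 5
set high-availability vrrp group LAN health-check failure-count 3

# Default route: own ISP first, router B over the inter-router link second
# (same distance idea as the two routes quoted earlier in the thread).
set protocols static route 0.0.0.0/0 next-hop 203.0.113.1 distance 1
set protocols static route 0.0.0.0/0 next-hop 192.168.255.2 distance 5

# /config/scripts/check-wan.sh (chmod +x; exit 0 = healthy, non-zero = failed):
#   #!/bin/sh
#   ping -c 1 -W 2 203.0.113.1 >/dev/null 2>&1

# Router B mirrors this with priority 100, its own ISP2 gateway (198.51.100.1)
# at distance 1 and router A (192.168.255.1) at distance 5.
```

Note that the distance-5 route only takes over when the uplink interface actually loses its route (for example on link loss); a gateway that is up but not forwarding is exactly the case the ping health check (or the wan-load-balance hook script from the earlier reply) has to catch.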