Gateway/Router High Availability with Firehol/Keepalived

Published: 23 March 2025
Channel: BPFire

Demo of Gateway/Router high availability with Firehol and Keepalived

FireHOL config to allow VRRP HA messages.
FireHOL needs a custom service definition for VRRP:

server_vrrp_ports="vrrp/any"
client_vrrp_ports="any"

Allow VRRP in FireHOL:

interface4 es1101 home
    policy reject
    server "http ssh icmp vrrp" accept
    client "icmp vrrp" accept

keepalived.conf

global_defs {
    router_id fw-1604
}

vrrp_instance FW {
    state MASTER            # always MASTER, with the higher priority number
    interface es1101        # interface on which VRRP messages are transmitted
    virtual_router_id 51

    use_vmac                # without vmac_xmit_base, adverts are blocked by FireHOL even though FireHOL has an accept policy on interface es1101
    vmac_xmit_base          # with vmac_xmit_base, the GARP is transmitted on es1101 with the source MAC of es1101

    advert_int 1            # VRRP message interval
    priority 101            # higher number is higher priority

    unicast_src_ip 10.1.72.198    # source IP for VRRP messages
    unicast_peer {
        10.1.72.117               # destination IP for VRRP messages
    }
    virtual_ipaddress {
        10.1.72.118 dev es1101    # gateway VIP, GARP transmitted with the MAC of the es1101 interface
    }
}
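
A consistency check for the two nodes' keepalived.conf files, as an added example that is not part of the original video description. The MASTER values are the ones shown above; the BACKUP node's settings (state BACKUP, priority 100, mirrored unicast addresses) and the helper names parse and check_pair are assumptions made for this example.

```python
import re

# MASTER uses the values shown on the page. BACKUP is constructed for this
# example (assumed: state BACKUP, priority 100, unicast addresses swapped).
TEMPLATE = """
vrrp_instance FW {
    state %s
    interface es1101
    virtual_router_id 51
    advert_int 1
    priority %s
    unicast_src_ip %s
    unicast_peer {
        %s
    }
    virtual_ipaddress {
        10.1.72.118 dev es1101
    }
}
"""
MASTER = TEMPLATE % ("MASTER", 101, "10.1.72.198", "10.1.72.117")
BACKUP = TEMPLATE % ("BACKUP", 100, "10.1.72.117", "10.1.72.198")

def parse(text):
    """Return scalar keywords plus the first address of each nested block."""
    text = re.sub(r"#.*", "", text)  # drop trailing comments
    cfg = dict(re.findall(r"^\s*(\w+)[ \t]+([\w.]+)[ \t]*$", text, re.M))
    for block in ("unicast_peer", "virtual_ipaddress"):
        m = re.search(block + r"\s*\{\s*([\d.]+)", text)
        cfg[block] = m.group(1) if m else None
    return cfg

def check_pair(a_text, b_text):
    """List mismatches between the two nodes' VRRP settings."""
    a, b = parse(a_text), parse(b_text)
    problems = []
    for key in ("virtual_router_id", "advert_int", "virtual_ipaddress"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    if a.get("priority") == b.get("priority"):
        problems.append("priority is equal on both nodes")
    if (a["unicast_peer"] != b.get("unicast_src_ip")
            or b["unicast_peer"] != a.get("unicast_src_ip")):
        problems.append("unicast_src_ip/unicast_peer are not reciprocal")
    return problems

if __name__ == "__main__":
    print(check_pair(MASTER, BACKUP) or "pair is consistent")
```
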