VRRP (Virtual Router Redundancy Protocol)

note

The NetFoundry zLAN firewall does not manage VRRP. You must configure and manage this on your own using standard Linux tools. This page covers common operations for sets up and managing VRRP with keepalived.

What is VRRP?

Virtual Router Redundancy Protocol (VRRP) is a computer networking protocol that provides for automatic assignment of available Internet Protocol (IP) routers to participating hosts. This increases the availability and reliability of routing paths via automatic default gateway selections on an IP network.

VRRP is commonly used to:

Provide high availability (HA) for a default gateway.
Ensure seamless failover if the primary router fails.
Maintain a "Virtual IP" (VIP) that always points to the currently active router.

Install keepalived

keepalived is the standard Linux daemon for implementing VRRP and health checking.

Ubuntu/Debian
RedHat/CentOS/Rocky/AlmaLinux

sudo apt update
sudo apt install keepalived

sudo dnf install keepalived

Configure keepalived

Create or edit the keepalived configuration file (usually /etc/keepalived/keepalived.conf):
```
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1234
    }
    virtual_ipaddress {
        192.168.1.1/24
    }
}
```
Key configuration options:
- state: Set to MASTER on the primary router and BACKUP on the secondary.
- interface: The network interface to bind to.
- virtual_router_id: Must be the same on all participating routers in the cluster.
- priority: The router with the highest priority becomes the MASTER.
- virtual_ipaddress: The shared IP address that will float between routers.

Enable and start the service:

sudo systemctl enable keepalived
sudo systemctl start keepalived

Verify the VIP is assigned to the interface:
```
ip addr show eth0
```

Enable VRRP on the firewall interface

warning

The NetFoundry zLAN firewall manages all firewall functions. Do not use ufw or firewall-cmd to open ports. Use the Add/Remove Rule UI in the console to allow traffic.

To allow VRRP traffic between routers, you must Enable VRRP for each interface in the zLAN console.

In the zLAN console, select each desired interface, and enable VRRP.

Summary of commands

Action	Command Example
Install keepalived	`sudo apt install keepalived`
Edit config	`sudo nano /etc/keepalived/keepalived.conf`
Enable service	`sudo systemctl enable keepalived`
Start service	`sudo systemctl start keepalived`
Check status	`sudo systemctl status keepalived`
Check IP assignment	`ip addr show`

Troubleshoot VRRP issues

Check keepalived service logs:
```
sudo journalctl -u keepalived -f
```
Verify if the other router is receiving VRRP advertisements:
```
sudo tcpdump -i eth0 vrrp
```
Confirm that the virtual_router_id and auth_pass match on all nodes.
Ensure that firewall rules are correctly applied on all nodes to allow protocol 112.

References

Keepalived Documentation

What is VRRP?​

Install keepalived​

Configure keepalived​

Enable VRRP on the firewall interface​

Summary of commands​

Troubleshoot VRRP issues​

References​