Keepalived on static IP address?

I’d like to set up two routers to be able to fail over. My question is about the Red/WAN interface. The shared (virtual) address is a static IP, so the individual routers can’t have an address on the same subnet as the shared address. Can this work if the boxes have a private IP range 10.x.x.x but the shared address is public?

Thanks in advance for any thoughts.

The usual setup is to use three IP addresses. Technically they don’t have to be from the same subnet, but they usually are to ensure that each of the firewalls is still able to have internet access, even if it is not holding the primary IP address.

VRRP is what would be used in Linux.


Yes, because the VRRP virtual IP does not have a subnet address, so it’s not going to network anywhere.

But keep in mind you should use authentication in this process, like in the example below.

Sample of code in the master router:

vrrp_instance VI_1 {
    interface eth0              # interface that carries the VRRP adverts and the VIP
    state MASTER                # initial state; the higher priority wins at runtime
    virtual_router_id 51        # must match on both routers
    priority 101                # higher than the backup's 100

    authentication {
        auth_type AH            # AH = IPsec authentication header; PASS = simple password
        auth_pass monkey        # same on both routers; keepalived uses only the first 8 characters
    }

    virtual_ipaddress {
        10.0.1.140              # no prefix given, so keepalived adds it as a /32
    }
}

Sample code for the slave router:

vrrp_instance VI_1 {
    interface eth0
    state BACKUP                # starts as backup and takes over only when no master advert is seen
    virtual_router_id 51        # same VRID as the master
    priority 100                # lower than the master's 101

    authentication {
        auth_type AH            # must match the master's auth_type
        auth_pass monkey        # must match the master's auth_pass
    }

    virtual_ipaddress {
        10.0.1.140              # same VIP as the master
    }
}
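The following is an added example for this thread, not the config posted above and not anything from the keepalived project itself. It shows how the layout the question asks about (private addresses on each box, one public static address shared by VRRP) and the three-address point made in the earlier reply would be expressed in keepalived. Every address, the VRID, the password and the peer addresses are assumptions: an ISP block of 203.0.113.8/29 with gateway 203.0.113.9, one usable static address 203.0.113.10, and 10.0.0.2/24 and 10.0.0.3/24 as the routers' own addresses on eth0. Two things a practitioner should keep in mind: keepalived uses only the first eight characters of auth_pass, and VRRP authentication only keeps a misconfigured second instance from joining; it does not stop someone who already has layer-2 access to the WAN segment, which is why the adverts here go unicast to the known peer instead of to the 224.0.0.18 multicast group.

```conf
# Added example (assumed addresses, VRID and password; not from the posts above).
# The public address is carried with its real prefix and the upstream default
# route is tied to it, so both exist only on the box currently holding the VIP.

# --- router A: preferred holder of the public address ---------------------
vrrp_instance WAN {
    interface eth0
    state MASTER
    virtual_router_id 51
    priority 150                 # higher than router B
    advert_int 1                 # seconds between adverts; failover after ~3 x advert_int

    # Send adverts only to the known peer, not to the VRRP multicast group.
    unicast_src_ip 10.0.0.2
    unicast_peer {
        10.0.0.3
    }

    authentication {
        auth_type PASS
        auth_pass wan51vip       # only the first 8 characters are used by keepalived
    }

    # Without "/29" keepalived would add the address as /32 and the ISP gateway
    # would not be on-link, so the default route below could not be installed.
    virtual_ipaddress {
        203.0.113.10/29 dev eth0
    }

    # Installed on transition to MASTER, removed on transition to BACKUP.
    virtual_routes {
        default via 203.0.113.9 dev eth0
    }
}

# --- router B: takes the public address when A stops advertising ----------
vrrp_instance WAN {
    interface eth0
    state BACKUP
    virtual_router_id 51         # same VRID as router A
    priority 100                 # lower than router A
    advert_int 1

    unicast_src_ip 10.0.0.3
    unicast_peer {
        10.0.0.2
    }

    authentication {
        auth_type PASS
        auth_pass wan51vip       # must match router A
    }

    virtual_ipaddress {
        203.0.113.10/29 dev eth0
    }

    virtual_routes {
        default via 203.0.113.9 dev eth0
    }
}
```

While router B is in BACKUP it holds no public address and no default route, so it cannot reach the internet on its own; that is exactly the trade-off the other replies describe, and the conventional three-address layout (one public address per router plus the shared one) is what avoids it. The 10.0.0.x addresses are only there so the two boxes can exchange VRRP adverts across the WAN segment.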

Thank you for the feedback. I got a similar setup working with OpenBSD but we had three static IP addresses. Having the slave machine locked out of the internet isn’t ideal but I’m trying to avoid having to get more static IP.

I’d have to ask my ISP if multiple dynamic IP are a choice.

You have to provide more info on what you are doing and what you need to accomplish.

Because splitting the WAN into two routers with one IP is just sticking a router in front of them, regardless of whether this is a physical or virtual appliance.

Keepalived is more for inside the network use and I wouldn’t use it on the WAN side due to it being susceptible to attack by ARP poisoning.

My goal was to have a redundant setup so that if one router dies the network can continue to function. It’s not an absolute requirement, more of a cost/benefit trade-off. Having a cold spare might be a more practical solution. Being out for several days while I got a new router going was too much downtime, so I got a second box.

It’s a little odd for routers to go out. I would definitely review your installation and select things appropriate for extreme environments.
A cold or warm spare would be easier to implement and not as much of a security risk as a hot spare with active software.

A warm spare is normally done out of band with relay control, but since the hardware wouldn’t be present to do this at the installation, you would wire the redundant router in and manually unplug the malfunctioning router and plug in the spare. What you end up with in a warm spare setup is an unmanaged switch for the WAN interfaces and one for each of the LAN networks (green, blue, orange if using IPFire on both).