Basic VRRP configuration compliant with RFC-3768

Created by Yuriy Andamasov, Modified on Fri, 12 Jan 2024 at 06:34 PM by Srividya Anantapatnaikuni

Article review date
2024-01-05
Validated for VyOS versions
1.2.5, 1.3.5

VRRP (Virtual Router Redundancy Protocol) provides active and backup redundancy for routers. Every VRRP router has a physical IP address and a virtual address. On startup, routers elect the master, and the router with the highest priority becomes the master and assigns the virtual address to its interface. The other routers with lower priorities become backup routers. The master then starts sending keep-alive packets to notify other routers that it is available. If the master fails and stops sending keep-alive packets, the router with the next highest priority becomes the new master and takes over the virtual address.

First of all, we need to create a VRRP group and set up its vrid (Virtual Router IDentifier), interface and virtual address.

If you set up multiple groups on the same interface, their VRIDs must be unique, but it's possible (although not recommended for readability reasons) to use duplicate VRIDs on different interfaces.

VRRP groups are created with the set high-availability vrrp group $GROUP_NAME commands. Having a virtual ID helps because you don't need to create multiple interfaces on the destination device this way.

set high-availability vrrp group Test vrid 10
set high-availability vrrp group Test interface eth1
set high-availability vrrp group Test virtual-address 10.10.10.1/24

Now let's indicate priority. Priority here means which router is main and which one is backup. The lower the number, the higher the priority.

set high-availability vrrp group Test priority 100

There needs to be a firewall rule to allow connection between both VRRP routers.

set firewall name internal rule 120 action 'accept'
set firewall name internal rule 120 description 'Allow VRRP over LAN'
set firewall name internal rule 120 protocol 'vrrp'
set firewall name internal rule 120 source address '10.10.10.3'

Finally, it would be great to enable RFC 3768 compatibility. When the rfc3768-compatibility option is set, a new VRRP interface is created, to which the MAC address and the virtual IP address are automatically assigned, and you will not lose even a single packet of data. This is because the destination device will assume it is connected to a single source at all times, even across reconnections.

set high-availability vrrp group Test rfc3768-compatibility

Scripting

The VRRP functionality can be extended with scripts. VyOS supports two kinds of scripts: health check scripts and transition scripts. Health check scripts execute custom checks in addition to the master router reachability. Transition scripts are executed when VRRP state changes from master to backup or fault and vice versa, and can be used to enable or disable certain services, for example.

Health check scripts

This setup will make the VRRP process execute the /config/scripts/vrrp-check.sh script every 60 seconds, and transition the group to the fault state if it fails (i.e. exits with a non-zero status) three times:

set high-availability vrrp group Foo health-check script /config/scripts/vrrp-check.sh
set high-availability vrrp group Foo health-check interval 60
set high-availability vrrp group Foo health-check failure-count 3
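
An added example of what /config/scripts/vrrp-check.sh could contain (not code from the original article or the VyOS project): it exits non-zero when the upstream interface loses carrier or its default route, which is the failure signal the health-check settings above count. The interface name eth0, the variables UPLINK_IF, SYSFS_NET and ROUTE_TABLE, and the function names are assumptions.

```shell
#!/bin/sh
# Added example body for /config/scripts/vrrp-check.sh (not VyOS project code).
# Exit 0 = healthy; any non-zero exit counts toward the failure-count.
# Assumed, hypothetical knobs: UPLINK_IF, SYSFS_NET, ROUTE_TABLE.
UPLINK_IF=${UPLINK_IF:-eth0}                  # assumption: upstream-facing interface
SYSFS_NET=${SYSFS_NET:-/sys/class/net}
ROUTE_TABLE=${ROUTE_TABLE:-/proc/net/route}

# The kernel reports "1" in the carrier file while the link is up.
link_up() {
    [ "$(cat "$SYSFS_NET/$1/carrier" 2>/dev/null)" = "1" ]
}

# A default route in /proc/net/route has destination and mask 00000000;
# the last hex digit of Flags must carry RTF_UP (1) and RTF_GATEWAY (2).
has_default_route() {
    awk -v ifc="$1" '
        NR > 1 && $1 == ifc && $2 == "00000000" && $8 == "00000000" &&
            $4 ~ /[37BbFf]$/ { found = 1; exit }
        END { exit !found }
    ' "$ROUTE_TABLE" 2>/dev/null
}

# Return 1 for a dead link, 2 for a missing default route, 0 when healthy.
check_health() {
    if ! link_up "$UPLINK_IF"; then
        echo "vrrp-check: $UPLINK_IF has no carrier" >&2
        return 1
    fi
    if ! has_default_route "$UPLINK_IF"; then
        echo "vrrp-check: no default route via $UPLINK_IF" >&2
        return 2
    fi
    return 0
}

# Run the check only when invoked under the script's own name, so the
# functions above can be sourced and exercised without side effects.
case "$0" in
    *vrrp-check.sh) check_health; exit $? ;;
esac
```

Because the VRRP process executes this file on a timer, keep it writable only by an administrator.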

Transition scripts

Transition scripts can help you implement various fix-ups, such as starting and stopping services, or even modifying the VyOS config on VRRP transition. This setup will make the VRRP process execute the /config/scripts/vrrp-fail.sh with the argument Foo when VRRP fails, and the /config/scripts/vrrp-master.sh when the router becomes the master:

set high-availability vrrp group Foo transition-script backup "/config/scripts/vrrp-fail.sh Foo"
set high-availability vrrp group Foo transition-script fault "/config/scripts/vrrp-fail.sh Foo"
set high-availability vrrp group Foo transition-script master "/config/scripts/vrrp-master.sh Foo"
