13.1. VRRP

You can find the VRRP Settings at General → Virtual IPs.

Virtual IPs

A VRRP IP is an IP that can also be shared with different machines. The master always holds the address, one or more secondary machines will be on standby and get the address if the Master is not online anymore.

All VRRP enabled machines communicate over multicast on the interface they are defined on. If a machine is not receiving multicasts from its neighbors it will assume the master role in order of their configured priority.

A VRRP IP can only be added on top of another IP on the same interface. It is highly recommended to use VRRP only with static IPs, DHCP IPs will work too but not receiving a DHCP IP will trigger an automatic failover.

VRRP uses the following destination IPs:

Note

  • IPv4: 224.0.0.18

  • IPv6: fe02::12

You can configure the Priority on the screen. The highest available number is always the Master.

A password must also be configured. It must match on all machines that share the address.

Default Active is either Primary or Secondary. This options allows for an Active/Active Cluster where part of the VRRP IPs are on the Primary firewall and part are on the Secondary firewall. Clients in the network need to have the different VRRPs as gateway. In a failover case one Firewall will hold all IPs.

Track Interface might be used to override the trackable interface for this VRRP IP. This is useful if you have a VRRP on top of a Bridge interface. The bridge itself only goes offline when all the interfaces are offline. This allows you to pin the failover event to a specific interface. By default it is always pinned to the underlying interface of the settings.

A disk failure will result in a VRRP service failover.

13.2. IP Alias

You can find the Virtual IP Settings at General → Virtual IPs.

An IP Alias is an additional IP on one of the interfaces.

You can define any IP you like. Please make sure to use the correct netmask for your use case. A netmask other than /32 will automatically create an interface route for the network as well.

13.3. Custom VRRP Scripts

You can add custom scripts to trigger a failover for the VRRP IPs. Scripts need to be executable and in the directory /etc/keepalived/scripts.d. The exit code of the script is important, 0 means success and not 0 means failure. If one of the scripts in the folder fails, the entire VRRP daemon changes it’s status to failed.

For example to failover if the bgp default route is not present anymore, you can use the following script.

#!/bin/bash

ip r s | grep default | grep bgp