
VRRP between two bridged interfaces

Hi everyone,

I'm trying to make our ISP routers' VRRP work.

Both routers are connected to physical interfaces on an SG330 cluster like this:
RTR1 <> FW1/eth6
RTR1 <> FW2/eth6
RTR2 <> FW1/eth7
RTR2 <> FW2/eth7

I expected that bridging eth6 and eth7 would be sufficient for VRRP to work, but the ISP tells us that both routers act as masters (i.e. they can't communicate).

As a result, I only have one interface to work with (br0) and can't figure out what's wrong and/or what must be done:
- Creating a firewall policy to allow VRRP protocol (IP/112) from/to my br0 interface seems pointless
- There might be something to do with Multicast Routing, but to be honest, I don't quite understand the point if only one interface (br0) is involved

Any help would be much appreciated

Thanks, david



This thread was automatically locked due to age.
  • Hi, David, and welcome to the UTM Community!

    VRRP is not available on the UTM, but you can achieve what you want.  I doubt that this includes bridging, but it's not clear from your post what problem you're addressing.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob and thanks for your reply,

    Actually, VRRP is only used by the routers of my ISP to provide a redundant MPLS gateway to our firewall.
    Both routers use their LAN interface to communicate with each other and negotiate the master/slave role.
    As we don't have a "WAN switch" to link them together, I've used two interfaces available on our SG330 boxes (eth6 and eth7, which I bridged).

    Here's a basic diagram (ignoring the Sophos cluster and the other WAN, DMZ and WiFi interfaces to simplify):

                                  (eth6) ---- MPLS-RTR1
                                 /
        LAN --- (eth1) ---- SG330
                                 \
                                  (eth7) ---- MPLS-RTR2


    Despite the fact that IP packets are forwarded between the two physical interfaces (default behavior), the routers are unable to negotiate their role according to the VRRP protocol.

  • In the meantime, I've studied RFC 3768 (detailing VRRP) and here's what caught my attention:

    - To minimize network traffic, only the Master for each virtual router sends periodic VRRP Advertisement messages.

    A tcpdump from the Sophos box showed that both routers were actually sending advertisement messages:
    11:25:28.153966 IP 172.16.1.253 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 5, prio 100, authtype none, intvl 1s, length 20
    11:25:28.541777 IP 172.16.1.252 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 5, prio 110, authtype none, intvl 1s, length 20
    11:25:29.154006 IP 172.16.1.253 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 5, prio 100, authtype none, intvl 1s, length 20
    11:25:29.541791 IP 172.16.1.252 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 5, prio 110, authtype none, intvl 1s, length 20

    - VRRP packets are sent encapsulated in IP packets. They are sent to the IPv4 multicast address assigned to VRRP.

    I created a firewall policy to allow VRRP packets (IP/112) from my bridge interface to the multicast address vrrp.mcast.net.

    That might have done the trick; there's only one router advertising now:
    11:35:20.527173 IP 172.16.1.252 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 5, prio 110, authtype none, intvl 1s, length 20
    11:35:21.527202 IP 172.16.1.252 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 5, prio 110, authtype none, intvl 1s, length 20
    11:35:22.527190 IP 172.16.1.252 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 5, prio 110, authtype none, intvl 1s, length 20
    11:35:23.527204 IP 172.16.1.252 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 5, prio 110, authtype none, intvl 1s, length 20

    I'm waiting for my ISP to update the status of their router cluster to confirm the problem is solved.

    Thanks again, david
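The two captures above are the whole diagnosis in miniature: a VRRPv2 advertisement is IP protocol 112 to 224.0.0.18 with TTL 255, and as long as each router only hears itself, each elects itself master. The following Python decoder is an added example, not code from this thread or from Sophos: it builds and parses RFC 3768 advertisements (with the Internet checksum and the receiver checks of section 7.1), applies the election rule of section 6.4.3, and runs over a constructed capture modelled on the tcpdump lines (VRID 5, priorities 100 and 110). The shared virtual IP 172.16.1.254 is an assumption; the post does not show it.

```python
"""VRRPv2 (RFC 3768) advertisement encode/decode and master election,
run over a constructed capture modelled on the tcpdump output in the thread."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

VRRP_PROTO = 112            # IP protocol number VRRP is carried in
VRRP_MCAST = "224.0.0.18"   # vrrp.mcast.net
VRRP_TTL = 255              # receivers must discard anything else (RFC 3768 7.1)


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum; over a message whose checksum field is filled in it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Advertisement:
    vrid: int
    priority: int
    interval: int
    auth_type: int
    addresses: List[str]


def build_advertisement(vrid: int, priority: int, vips: List[str],
                        interval: int = 1, auth_type: int = 0) -> bytes:
    """Encode an advertisement: 8-byte header, one IPv4 per VIP, 8 bytes of auth data.
    With one VIP that is the 20-byte length tcpdump reported."""
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips),
                         auth_type, interval, 0)
    body = b"".join(ipaddress.IPv4Address(v).packed for v in vips) + bytes(8)
    msg = header + body
    return msg[:6] + struct.pack("!H", ones_complement_checksum(msg)) + msg[8:]


def parse_advertisement(payload: bytes, ttl: int) -> Advertisement:
    """Decode an advertisement, applying the receiver checks of RFC 3768 section 7.1."""
    if ttl != VRRP_TTL:
        raise ValueError(f"TTL {ttl} != 255: packet was routed, not delivered on-link")
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, count, auth, interval, _ = struct.unpack("!BBBBBBH", payload[:8])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError(f"not a VRRPv2 advertisement (first byte {ver_type:#04x})")
    if ones_complement_checksum(payload) != 0:
        raise ValueError("bad checksum")
    if len(payload) != 8 + 4 * count + 8:
        raise ValueError("length does not match the IP address count")
    addrs = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return Advertisement(vrid, prio, interval, auth, addrs)


def virtual_mac(vrid: int) -> str:
    """Source MAC a VRRP master uses: 00-00-5E-00-01-{VRID} (RFC 3768 section 7.3)."""
    return f"00:00:5e:00:01:{vrid:02x}"


def elect_master(advertisers: List[Tuple[str, Advertisement]]) -> str:
    """RFC 3768 6.4.3: highest priority wins; equal priorities go to the higher primary IP."""
    return max(advertisers,
               key=lambda a: (a[1].priority, int(ipaddress.IPv4Address(a[0]))))[0]


# Capture record: (seconds, source IP, IP TTL, VRRP payload).
Capture = List[Tuple[float, str, int, bytes]]


def diagnose(capture: Capture) -> Dict[int, dict]:
    """Group valid advertisements by VRID and flag VRIDs heard from more than one source."""
    seen: Dict[int, Dict[str, Advertisement]] = {}
    for _ts, src, ttl, payload in capture:
        try:
            adv = parse_advertisement(payload, ttl)
        except ValueError:
            continue  # a real receiver silently drops these
        seen.setdefault(adv.vrid, {})[src] = adv
    return {vrid: {"advertisers": sorted(advs),
                   "expected_master": elect_master(list(advs.items())),
                   "split_brain": len(advs) > 1}
            for vrid, advs in seen.items()}


# Constructed input modelled on the first tcpdump (VRID 5, prio 100 and 110).
# The virtual IP 172.16.1.254 is an assumption; the thread does not show it.
VIP = ["172.16.1.254"]
ADV_253 = build_advertisement(5, 100, VIP)
ADV_252 = build_advertisement(5, 110, VIP)
CAPTURE_BOTH_ADVERTISING: Capture = [
    (28.153, "172.16.1.253", 255, ADV_253),
    (28.541, "172.16.1.252", 255, ADV_252),
    (29.154, "172.16.1.253", 255, ADV_253),
    (29.541, "172.16.1.252", 255, ADV_252),
]
# After the allow rule only the prio-110 router is heard, as in the second tcpdump.
CAPTURE_AFTER_FIX: Capture = [
    (20.527, "172.16.1.252", 255, ADV_252),
    (21.527, "172.16.1.252", 255, ADV_252),
]

if __name__ == "__main__":
    for name, cap in (("before", CAPTURE_BOTH_ADVERTISING), ("after", CAPTURE_AFTER_FIX)):
        print(name, diagnose(cap))
```

The "before" capture yields a split-brain verdict for VRID 5 with 172.16.1.252 as the router that should win (priority 110 beats 100); the "after" capture shows a single advertiser and no split brain. The TTL check is the one worth remembering when a firewall sits between the routers: VRRP only works on a single L2 segment, so an advertisement that arrives with a decremented TTL is discarded, and the fix is bridging plus an allow rule for IP/112 to 224.0.0.18, not routing.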

  • Dear all,

    I was facing exactly the same trouble here.

    I was seeing these firewall logs:

    09:53:51  Default DROP  VRRP  publicIP.21 → 224.0.0.18  len=40 ttl=255 tos=0x00 srcmac=00:00:5e:00:01:01 dstmac=00:1a:8c:f0:09:61
    09:53:51  Default DROP  VRRP  publicIP.20 → 224.0.0.18  len=40 ttl=255 tos=0x00 srcmac=00:00:5e:00:01:01 dstmac=00:1a:8c:f0:09:61
    09:53:52  Default DROP  VRRP  publicIP.21 → 224.0.0.18  len=40 ttl=255 tos=0x00 srcmac=00:00:5e:00:01:01 dstmac=00:1a:8c:f0:09:61
    09:53:53  Default DROP  VRRP  publicIP.20 → 224.0.0.18  len=40 ttl=255 tos=0x00 srcmac=00:00:5e:00:01:01 dstmac=00:1a:8c:f0:09:61

    I made this rule:

    Sources :
        PROVIDER_RTR1_IP
        PROVIDER_RTR2_IP

    Services :
        IP-112

    Destination :
        224.0.0.18
    Action :
        ALLOW

    No more firewall logs after this rule was activated.

    Thanks for your suggestion.

    Thomas