Routers that implement the Virtual Router Redundancy Protocol (VRRP) must be able to reach each other.
As the protocol defines, the master router periodically sends advertisements to a multicast address on the subnet, and the backup routers need to receive them; otherwise they will assume the master is dead and start an election for a new master.
If no router receives these multicast advertisements, every router will eventually decide it is the only one alive and become master. All of them master. Several routers then answer for the same virtual IP, which causes networking problems.
This page covers how to define the rule(s) in the Shorewall firewall so that these VRRP advertisements are allowed through.
VRRP’s advertisement packets have the following characteristics:
- They are sent to the multicast IP address 224.0.0.18 (the IPv4 VRRP group address)
- They use the IP protocol vrrp (protocol number 112; Shorewall accepts the name because it is listed in /etc/protocols)
- Their source IP address is the real (primary) address of the interface the sending router advertises on, not the virtual IP
Thus, a rule that accepts all incoming VRRP traffic from the net zone looks like this (replace net with the zone the peer routers actually sit in, for example loc for a LAN-facing interface):
ACCEPT net fw:224.0.0.18 vrrp
A rule that accepts VRRP packets only from a specific router looks like this:
ACCEPT net:OTHER_ROUTER_IP fw:224.0.0.18 vrrp
Let’s imagine we have two routers implementing VRRP (using keepalived, for example). Their interface IPs are 10.20.30.40 and 10.20.30.41. Each router needs a rule accepting advertisements from the other one, so the Shorewall rules on 10.20.30.40 should include:
ACCEPT net:10.20.30.41 fw:224.0.0.18 vrrp
and the rules on 10.20.30.41 should include:
ACCEPT net:10.20.30.40 fw:224.0.0.18 vrrp
If keepalived is configured for unicast VRRP (unicast_peer), the advertisements are addressed to the peer’s own interface address instead of 224.0.0.18, and the destination of the rule has to change accordingly.
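The following shell snippet is an added example and not part of the original page: it generates the Shorewall rules fragment for a whole VRRP group from one shared peer list, skipping the router's own address, so the same command can be run on every member. The zone name, the local and peer addresses, and multicast-mode keepalived are assumptions; the group address 224.0.0.18 and the protocol name vrrp are from the protocol itself.

```shell
#!/bin/sh
# Added example (not from the original page or from the Shorewall project).
# Emits one Shorewall ACCEPT rule per keepalived peer so that this router
# receives their VRRP advertisements. Assumptions: the peers are in the
# Shorewall zone passed as the first argument (the page uses "net"; a
# LAN-facing interface is usually "loc"), keepalived runs in its default
# multicast mode, and the firewall zone is named "fw" as on the page.

# IPv4 VRRP group address (RFC 5798); every advertisement is sent here.
VRRP_MCAST=224.0.0.18

# vrrp_rules ZONE LOCAL_IP PEER_IP...
# Prints an ACCEPT rule for each PEER_IP except LOCAL_IP, so the complete
# list of group members can be given on every router without editing it.
vrrp_rules() {
    zone=$1
    local_ip=$2
    shift 2
    for peer in "$@"; do
        # A router never needs to accept its own advertisements.
        [ "$peer" = "$local_ip" ] && continue
        printf 'ACCEPT\t%s:%s\tfw:%s\tvrrp\n' "$zone" "$peer" "$VRRP_MCAST"
    done
}

# Usage on router 10.20.30.40 (hypothetical addresses from the page):
#   vrrp_rules net 10.20.30.40 10.20.30.40 10.20.30.41 >> /etc/shorewall/rules
#   shorewall check && shorewall restart
# Run as a script, print the fragment for the page's two-router example.
if [ "$(basename "$0")" != "sh" ] && [ "$(basename "$0")" != "bash" ]; then
    vrrp_rules net 10.20.30.40 10.20.30.40 10.20.30.41
fi
```

After loading the rules, confirm that advertisements are actually arriving with `tcpdump -ni <interface> 'ip proto 112'` on each router; if a backup router sees nothing while the master is up, the rule or the zone name is still wrong and the group will split into several masters.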