I have two identical routers. Both are running VyOS. They are both configured like this:

router1:

 high-availability {
     vrrp {
         group wan {
             address 94.<redacted>.1/29 {
             }
             hello-source-address 10.0.200.1
             interface eth0
             priority 200
             rfc3768-compatibility
             vrid 200
         }

         group lan {
             address 192.168.0.1/24 {
             }
             hello-source-address 10.0.201.1
             interface eth1
             priority 200
             rfc3768-compatibility
             vrid 201
         }
         sync-group MAIN {
             member wan
             member lan
         }
     }
 }
 interfaces {
     ethernet eth0 {
         address 10.0.200.1/24
     }
     ethernet eth1 {
         address 10.0.201.1/24
     }
 }

router2:

 high-availability {
     vrrp {
         group wan {
             address 94.<redacted>.1/29 {
             }
             hello-source-address 10.0.200.2
             interface eth0
             priority 100
             rfc3768-compatibility
             vrid 200
         }

         group lan {
             address 192.168.0.1/24 {
             }
             hello-source-address 10.0.201.2
             interface eth1
             priority 100
             rfc3768-compatibility
             vrid 201
         }
         sync-group MAIN {
             member wan
             member lan
         }
     }
 }
 interfaces {
     ethernet eth0 {
         address 10.0.200.2/24
     }
     ethernet eth1 {
         address 10.0.201.2/24
     }
 }

I have a single managed switch. The cabling and vlan configuration is like this:

Port 0: WAN uplink connection (vlan 10)
Port 1: To LAN (vlan 20)
Port 3: router1 eth0 (WAN) (vlan 10)
Port 4: router1 eth1 (LAN) (vlan 20)
Port 5: router2 eth0 (WAN) (vlan 10)
Port 6: router2 eth1 (LAN) (vlan 20)

When everything is connected, all is working as expected. router1 becomes the vrrp MASTER and router2 is vrrp BACKUP.

When I disconnect either eth0 or eth1 (or both) from router1, router2 becomes the vrrp master, and everything keeps working as expected.

The problem I have is that when I fake 100% packet-loss on ONE interface of the master, the backup is refusing to become the vrrp master.

For example:

If I move eth0 of router1 to an unused vlan (on the switch), router2 is not becoming the master. If I move both eth0 and eth1 to an unused vlan, then router2 is becoming master.

So the problem is happening when only one of the interfaces on router1 is experiencing 100% packet loss.

As far as I can tell, the VRRP protocol is rather basic and the backup router cannot tell/ask/force the master router to give up its master state. The backup router is not becoming master, probably because it still sees VRRP packets from router1 on the other interface (eth1).

If it were to do a failover it would introduce an IP conflict on eth1, because router1 still is active on eth1 too. So I suppose it is behaving exactly as it should?

I thought VRRP was meant to build redundant routers but apparently it's not supposed to be done like I'm doing here?

I hope anyone here can point out to me how I can effectively make router2 take over if there's an issue on any interface of router1.

Thanks

user419650