
I have 2 routers in a cabinet and would like to set up failover between the two for our servers, sort of like BGP but not BGP :). I need to set up the system to realize gateway 1 is (down) or under attack and route through gateway 2 instead. How is this best done? We are going to use Vyatta or pfSense as our edge routers if you need to know.

Jacob
Apparently routing redundancy is like Fizzbin. It's called VRRP, or CARP, unless it's a Tuesday, in which case it's called HSRP. Then you have a Royal BGP! – Bart Silverstrim Feb 17 '11 at 14:28

4 Answers

Vyatta supports VRRP, or Virtual Router Redundancy Protocol. This lets two Vyatta routers share a single IP address. To set it up, you assign a priority value to each router. Once enabled, the router with the highest priority claims the shared IP address. If that box drops offline, then the other router determines that it now has top priority, and takes over the IP address.

We've used VRRP with Vyatta in production for a couple of years now, and it's worked very well. We use it for a NAT setup that doesn't have any incoming connections, so it just shares the internal LAN gateway IP (192.168.1.1). If you have incoming connections too, you could share both the LAN IP and the WAN IP.

I don't know that this will help prevent a DoS attack, but it certainly should help avoid problems after typical hardware and software crashes.

There's more information in the High Availability manual on the Vyatta site.

Ryan

VRRP is the protocol designed for this purpose.

Note that the same idea is called CARP in the BSD world (so you will only find CARP in pfSense).

jon_d

It's called HSRP in the Cisco world.

joeqwerty

One problem you're going to need to address in the router config is making sure that if the outside interface is no longer functional, that router stops advertising its services to the inside network.

This is often accomplished with VRRP and something like "tracking ping", where you configure each VRRP instance to ping a remote IP and, if it can't ping that IP, the router takes itself out of the VRRP cluster. Such things can get very complex to set up if you've got complex requirements, though.

chris
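A concrete Vyatta configuration for the two-gateway setup Ryan's answer describes (shared LAN and WAN addresses, priority-based election), extended with a sync-group so that losing the outside interface also gives up the inside gateway, which is the failure case chris's answer raises. This is an added example, not the original poster's or any answerer's configuration and not copied from the Vyatta manual. Everything specific is an assumption: interface roles (eth0 outside, eth1 inside), the addresses (203.0.113.0/24 outside, 192.168.1.0/24 inside), VRIDs 10 and 20, priorities 200/100 and the notify script path /config/scripts/vrrp-notify.sh. The command tree is the Vyatta Core 6.x `set interfaces ethernet <if> vrrp vrrp-group <id>` syntax as I recall it; verify each node against the High Availability manual for your release before relying on it. The ping-based reachability tracking chris mentions is not part of this fragment; it only covers interface and box failure.

```vyatta
# ---------- Router A (preferred master) ----------
# Enter configure mode, paste, then: commit ; save
# Assumed addressing: eth0 = outside (203.0.113.0/24), eth1 = inside LAN (192.168.1.0/24)
set interfaces ethernet eth0 address 203.0.113.2/24
set interfaces ethernet eth1 address 192.168.1.2/24

# Outside group: VRID 10 owns the shared WAN address 203.0.113.1.
# Higher priority wins the election; 200 on A vs 100 on B makes A the normal master.
set interfaces ethernet eth0 vrrp vrrp-group 10 virtual-address 203.0.113.1
set interfaces ethernet eth0 vrrp vrrp-group 10 priority 200
set interfaces ethernet eth0 vrrp vrrp-group 10 advertise-interval 1
set interfaces ethernet eth0 vrrp vrrp-group 10 preempt true
set interfaces ethernet eth0 vrrp vrrp-group 10 sync-group EDGE

# Inside group: VRID 20 owns the LAN gateway 192.168.1.1 that the servers point at.
# Same sync-group, so the two groups always change state together.
set interfaces ethernet eth1 vrrp vrrp-group 20 virtual-address 192.168.1.1
set interfaces ethernet eth1 vrrp vrrp-group 20 priority 200
set interfaces ethernet eth1 vrrp vrrp-group 20 advertise-interval 1
set interfaces ethernet eth1 vrrp vrrp-group 20 preempt true
set interfaces ethernet eth1 vrrp vrrp-group 20 sync-group EDGE

# Run a script on every transition so a flap is visible in syslog.
# The script path is an assumption; it is not supplied here.
set interfaces ethernet eth0 vrrp vrrp-group 10 run-transition-scripts master /config/scripts/vrrp-notify.sh
set interfaces ethernet eth0 vrrp vrrp-group 10 run-transition-scripts backup /config/scripts/vrrp-notify.sh
set interfaces ethernet eth0 vrrp vrrp-group 10 run-transition-scripts fault /config/scripts/vrrp-notify.sh

# ---------- Router B (backup) ----------
# Identical groups and virtual addresses; only its own interface addresses and a lower priority differ.
set interfaces ethernet eth0 address 203.0.113.3/24
set interfaces ethernet eth1 address 192.168.1.3/24

set interfaces ethernet eth0 vrrp vrrp-group 10 virtual-address 203.0.113.1
set interfaces ethernet eth0 vrrp vrrp-group 10 priority 100
set interfaces ethernet eth0 vrrp vrrp-group 10 advertise-interval 1
set interfaces ethernet eth0 vrrp vrrp-group 10 preempt true
set interfaces ethernet eth0 vrrp vrrp-group 10 sync-group EDGE

set interfaces ethernet eth1 vrrp vrrp-group 20 virtual-address 192.168.1.1
set interfaces ethernet eth1 vrrp vrrp-group 20 priority 100
set interfaces ethernet eth1 vrrp vrrp-group 20 advertise-interval 1
set interfaces ethernet eth1 vrrp vrrp-group 20 preempt true
set interfaces ethernet eth1 vrrp vrrp-group 20 sync-group EDGE

set interfaces ethernet eth0 vrrp vrrp-group 10 run-transition-scripts master /config/scripts/vrrp-notify.sh
set interfaces ethernet eth0 vrrp vrrp-group 10 run-transition-scripts backup /config/scripts/vrrp-notify.sh
set interfaces ethernet eth0 vrrp vrrp-group 10 run-transition-scripts fault /config/scripts/vrrp-notify.sh
```

How it behaves: with an advertise-interval of 1 second, B declares A dead after roughly three missed advertisements plus a small priority-dependent skew and claims both 203.0.113.1 and 192.168.1.1, sending gratuitous ARP so the servers' ARP caches move to B. Because both groups share the sync-group EDGE, a failure that only affects A's eth0 (cable, switch port) also makes A drop VRID 20, so the servers are not left with an inside gateway that has no outside path. `preempt true` hands the addresses back to A once it recovers; set it to false if you prefer a manual failback to avoid a flapping master dragging traffic back and forth.

Two caveats a practitioner should note. First, VRRP advertisements go to the 224.0.0.18 multicast group with no usable authentication in current versions of the protocol, so any host that can send frames on the same segment can advertise a higher priority and take the gateway address; keep the VRRP-carrying VLANs off untrusted ports. Second, as Ryan says, this handles a dead box or link, not an attack: a gateway that is up but saturated keeps advertising and keeps the address, so "route around an attacked gateway" needs the reachability tracking chris describes, or an upstream mechanism, in addition to VRRP.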