I have set up keepalived on two Debian machines for high availability, but I've run into the maximum number of virtual IP's I can assign to my vrrp_instance
. How would I go about configuring and failing over 20+ virtual IP's?
This is the, very simple, setup:
LB01: 10.200.85.1
LB02: 10.200.85.2
Virtual IPs: 10.200.85.100 - 10.200.85.200
Each machine is also running Apache (later Nginx) binding on the virtual IPs for SSL client certificate termination and proxying to backend webservers. The reason I need so many VIP's is the inability to use VirtualHost on HTTPS.
This is my keepalived.conf:
vrrp_script chk_apache2 {
script "killall -0 apache2"
interval 2
weight 2
}
vrrp_instance VI_1 {
interface eth0
state MASTER
virtual_router_id 51
priority 101
virtual_ipaddress {
10.200.85.100
.
. all the way to
.
10.200.85.200
}
An identical configuration is on the BACKUP machine, and it's working fine, but only up to the 20th IP.
I have found a HOWTO discussing this problem. Basically, they suggest having just one VIP and routing all traffic "via" this one IP, and "all will be well". Is this a good approach? I'm running pfSense firewalls in front of the machines.
Quote from the above link:
ip route add $VNET/N via $VIP
or
route add $VNET netmask w.x.y.z gw $VIP
Thanks in advance.
EDIT:
@David Schwartz said it would make sense to add a route, so I tried adding a static route to the pfSense firewall, but that didn't work as I expected it would.
pfSense route:
Interface: LAN
Destination network: 10.200.85.200/32 (virtual IP)
Gateway: 10.200.85.100 (floating virtual IP)
Description: Route to VIP .100
I also made sure I had packet forwarding enabled on my hosts:
$ cat /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.ip_nonlocal_bind=1
Am I doing this wrong? I also removed all VIPs from the keepalived.conf so it only fails over 10.200.85.100.