Why do I (apparently) need to use vrrp interfaces in firewall?

I just spent an hour debugging why my firewall rules were not working and not matching my specified interfaces.

I have configured VRRP for many interfaces and it turns out, instead of, e.g. vlan3, I need to use vrrp3 in the firewall rules.

I thought the VRRP interface was just a virtual interface for the virtual router … shouldn’t all traffic still come in on the actual interface, vlan3?

And if not, do I need to match on both or can I just match on the vrrp interface, once vrrp is defined?

In the Unix-like world, VRRP works on top of the MACVLAN driver (which is an extended topic) and yes, you are right, it’s a virtual interface based on a link-layer address (MAC). (from “man 8 ip-link”)

Packets always go through the physical interface but with a different MAC address (or this is how it’s supposed to work) - for a router it is like having two physical interfaces connected.
When a client requests the MAC address for the router VIP, it must respond with the VMAC interface’s MAC address.
When the router receives packets destined for the VMAC interface’s MAC address, the kernel will handle them.

In theory, a client/node can always send packets to the physical interface so it’s up to you how to handle this situation.

You can try the reverse thing: create a single VRRP interface and create the VLANs on top of VRRP. This should work, if it’s OK that a single VRRP instance handles all VLANs at once.

You’re spot on with the explanation! VRRP essentially uses MACVLAN as a way to create a virtual MAC address, which allows the router to manage traffic for the virtual IP (VIP) without altering the underlying physical interface. The idea of having the router respond with the VMAC when the client requests the MAC for the VIP makes sense, as it ensures that packets destined for the VIP are handled correctly by the kernel.

I also agree that managing packets sent directly to the physical interface is a bit of a grey area—it definitely depends on how you choose to configure your network. Thanks for sharing the insights!

Thank you!
Understood.

I believe the easiest option is to create an interface list for the firewall rules and put both the main interface and the VRRP interface in it.
I think it would be good to have a note on this in the documentation, because this is not logical behaviour if you’re not aware of it.
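The interface-list approach suggested above, written out as an added example (it is not configuration from any poster in this thread). It assumes the router is MikroTik RouterOS, which the thread never states but which the interface-list feature and the vlan3/vrrp3 naming suggest; the list name LAN3 and the two sample rules are made up for illustration.

```routeros
# Added example, not from the thread. Assumes MikroTik RouterOS CLI syntax.
# vlan3 and vrrp3 are the interface names used in the thread; LAN3 is a made-up list name.

# 1. Put the underlying VLAN interface and its VRRP interface in one list.
/interface list add name=LAN3 comment="vlan3 plus the VRRP interface on top of it"
/interface list member add list=LAN3 interface=vlan3
/interface list member add list=LAN3 interface=vrrp3

# 2. Match firewall rules on the list instead of a single interface. Traffic that a
#    host sent to the VIP's virtual MAC arrives as in-interface=vrrp3, traffic sent
#    to the interface's real MAC arrives as in-interface=vlan3; both hit the same rule.
/ip firewall filter add chain=input in-interface-list=LAN3 protocol=icmp action=accept comment="ping from the LAN3 segment"
/ip firewall filter add chain=input in-interface-list=LAN3 protocol=udp dst-port=53 action=accept comment="DNS to the router"

# 3. Accept VRRP advertisements only from the segment where a peer is expected, so a
#    forged advertisement from another segment cannot influence master election.
/ip firewall filter add chain=input in-interface-list=LAN3 protocol=vrrp action=accept comment="VRRP advertisements from the peer"

# 4. Everything else that enters from this segment is dropped (keep this rule last).
/ip firewall filter add chain=input in-interface-list=LAN3 action=drop comment="default deny for LAN3"

# 5. Checking which rules actually match: the packet/byte counters show whether the
#    list-based rules are seeing the traffic that a plain in-interface=vlan3 rule missed.
/ip firewall filter print stats where in-interface-list=LAN3
```

Because RouterOS evaluates `in-interface-list` against every member, a later change (for example a second VRRP instance on the same VLAN) only needs a new `member add` rather than a copy of every firewall rule, which is also what keeps the rule set reviewable.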

How would that look facing the switch(es)?

That would require the VRRP-participating routers to be connected to a full trunk port, and the VRRP multicasts would exist in the native VLAN of those switch ports …
I don’t think this is considered practical.

Tested it in EVE-NG:
one VRRP interface with all VLANs “under” it does NOT work … as I expected.