Dear diary,

First: This is not a tutorial. This is how I’ve set it up now, and I’m learning. I’m not a network engineer - I’m a curious sysadmin getting my feet wet by jumping in on the deep end.

What I wrote about the other day turned out not to be as mysterious as I first thought. I was confused, and it came to my attention that I also had to do some VRRP configuration.

From their end it looked like both of my routers said they were the primary router, so I had to fix that.

So, here’s the same logic diagram as in the previous post, with a few changes. Note: As before, the 172.16.x.x IPs are examples; in reality they are public IPs. The 10.0.0.0 network is a private network, as shown in the diagram and configuration.

+------------------------------------------------+
|                  The internet                  |
+------------------------------------------------+
      |                                   |
+------------+                      +------------+
| 172.16.0.2 | <--> negotiates <--> | 172.16.0.3 |
+------------+          |           +------------+
ISP primary             |           ISP secondary
                        v
                  +------------+
                  | 172.16.0.1 | ISP VIP
                  +------------+
                        ^
                        |
                        v
                  +------------+
                  | 172.16.0.4 | My VIP
                  +------------+
                        ^
My primary              |           My secondary
  router                |             router
+------------+          |           +------------+
| 172.16.0.5 | <--> negotiates <--> | 172.16.0.6 |
|   10.0.0.1 |                      |   10.0.0.2 |
+------------+                      +------------+
      |                                   |
+------------------------------------------------+
|                   My network                   |
+------------------------------------------------+

Configuring VRRP

This is on a Ubiquiti EdgeRouter 6P. The configuration below is for the primary router.

# Create a bridge with both the public facing interface (eth5) and the
# interface that's connected directly to the other router (eth1)
set interfaces ethernet eth1 bridge-group bridge br0
set interfaces ethernet eth5 bridge-group bridge br0

# Set the private (first) address and the public (second) address on the
# bridge. The private address is used for negotiation, the public for
# public access. These are "static" addresses not affected by VRRP.
set interfaces bridge br0 description vrrp-bridge
set interfaces bridge br0 address 10.0.0.1/30
set interfaces bridge br0 address 172.16.0.5/29

# Configure VRRP, group ID picked at random. It has to be the same on both
# my routers, and should not (as I understand it) conflict with what the
# two routers run by my datacenter operators are using on their end.
# Whatever they have.
# Higher number equals higher priority.
set interfaces bridge br0 vrrp vrrp-group 12 priority 200

# Configure the "floating" IP - the one that will be taken over by the
# secondary router if the first one goes down.
set interfaces bridge br0 vrrp vrrp-group 12 virtual-address 172.16.0.4/29

The secondary router has the same configuration, with these exceptions:

  • priority 100
  • IP 172.16.0.6/29 and 10.0.0.2/30 respectively

… and that’s it. It started working and all is fine. :)

The eth1 interface on each router is important because the routers need a way to talk to each other if the upstream network isn’t working properly. Why they have to be on a bridge with the eth5 interface isn’t clear to me right now, but when it becomes more clear to me I’ll try to share it here.
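
A check for the symptom described above, where both routers claim to be primary, as an added example that is not part of the original post. It assumes VRRPv2 advertisements laid out as in RFC 3768 whose IP payloads have already been captured; the function names and the sample captures are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

def parse_vrrp2(payload: bytes) -> dict:
    """Parse a VRRPv2 advertisement (RFC 3768 layout) from an IP payload."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, count, _auth, adver_int, _cksum = struct.unpack(
        "!BBBBBBH", payload[:8])
    if ver_type != 0x21:  # version 2, type 1 (ADVERTISEMENT)
        raise ValueError("not a VRRPv2 advertisement")
    if len(payload) < 8 + 4 * count:
        raise ValueError("truncated virtual address list")
    vips = [str(IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int, "vips": vips}

def find_dual_masters(observations):
    """Return {vrid: [sources]} where two routers keep advertising at once.

    Only the master sends advertisements, so the pattern A, B, A inside the
    master-down window (about 3 * adver_int) means both believe they are master.
    A single hand-over (B, B, A, A) is a normal preemption and is not flagged.
    """
    last = {}     # (vrid, source) -> time of that source's latest advertisement
    flagged = {}  # vrid -> set of sources seen interleaving
    for ts, src, payload in sorted(observations):
        adv = parse_vrrp2(payload)
        vrid, window = adv["vrid"], 3 * adv["adver_int"]
        prev = last.get((vrid, src))
        for (other_vrid, other), seen in last.items():
            if (other_vrid == vrid and other != src and prev is not None
                    and prev < seen and ts - seen <= window):
                flagged.setdefault(vrid, set()).update({src, other})
        last[(vrid, src)] = ts
    return {vrid: sorted(srcs) for vrid, srcs in flagged.items()}

def make_adv(vrid, prio, vip, adver_int=1):
    """Build a constructed sample advertisement (checksum left at 0, not verified)."""
    return (struct.pack("!BBBBBBH", 0x21, vrid, prio, 1, 0, adver_int, 0)
            + IPv4Address(vip).packed + bytes(8))

# Constructed captures using the post's example addresses and group 12.
PRI, SEC = make_adv(12, 200, "172.16.0.4"), make_adv(12, 100, "172.16.0.4")
DUAL = [(0.0, "172.16.0.5", PRI), (0.4, "172.16.0.6", SEC),
        (1.0, "172.16.0.5", PRI), (1.4, "172.16.0.6", SEC)]
PREEMPT = [(0.0, "172.16.0.6", SEC), (1.0, "172.16.0.6", SEC),
           (1.5, "172.16.0.5", PRI), (2.5, "172.16.0.5", PRI)]

if __name__ == "__main__":
    print("dual master:", find_dual_masters(DUAL))
    print("preemption: ", find_dual_masters(PREEMPT))
```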