Configuring VRRP in NG Firewall

Overview

NG Firewall supports VRRP (Virtual Router Redundancy Protocol), enabling the admin to run two or more NG Firewall instances in parallel. This provides redundancy, should one NG Firewall suffer a hardware failure.

How does VRRP work?

VRRP sets up a continuous "heartbeat" between two matching interfaces, one per NG Firewall: this heartbeat informs the VRRP daemon on both appliances that the specified interface is still up and operating normally.

If the heartbeat should fail, the secondary/backup appliance takes over handling of traffic until the primary NG Firewall's VRRP heartbeat is restored. In this way, VRRP acts as hardware failover protection, automatically "replacing" the primary NG Firewall.


VRRP requirements

  1. All NG Firewall servers must be turned on in order to participate. This may sound obvious, but it must be noted. 

  2. All NG Firewall servers must be configured with the same shared VRRP virtual address on each interface participating in the VRRP configuration. This means that you will need at least three IPs: one for each server, plus the virtual IP shared between all devices. You will enter the virtual IP on each server under VRRP Aliases.

  3. All participating NG Firewall interfaces must be configured statically. This means that the IPv4 configuration must be set to static.

  4. All participating NG Firewall interfaces must be addressed; bridged interfaces are not supported. Parallel NG Firewalls configured as bridges will create a bridge loop.

Configuring VRRP

  1. In Config > Network > Interfaces, edit the interface to enable VRRP on.
  2. Select the Redundancy (VRRP) Configuration tab.
  3. Check the Enable VRRP box. This enables further settings.
  4. Set a VRRP ID. This value must match between all NG Firewalls in this specific VRRP pairing, so you will configure the same VRRP ID value on the secondary/backup unit.
  5. Set a VRRP Priority for the primary unit. Higher values are higher-priority. In the example below, this is the "primary" NG Firewall, so we set its Priority to 255 (the highest value).
    When configuring the backup unit, we will choose a lower Priority to indicate that this unit is secondary.


What are the limitations of VRRP?

VRRP does have a few limitations that the admin must be aware of. 

VRRP is hardware-only

VRRP is a hardware failover mode only. If an interface stops receiving traffic but its hardware is still operating normally, VRRP will not trigger. As an example, if a downstream switch fails and traffic no longer arrives at this NG Firewall, the interface hardware will remain unaffected and VRRP will not switch to a backup unit.

VRRP and subscriptions

Backup appliances do not automatically inherit the subscription associated with the primary appliance. Purchasing a subscription for each VRRP backup appliance will enable that appliance to retain all paid features in the event of a failover.

If you do not purchase a separate subscription, you will have two options in the event of a failover:

  1. Log into your ETM Dashboard account, unassign the subscription from the primary appliance, and assign it to the secondary. You will need to move the subscription back to its usual appliance once it has been restored.
  2. Leave the secondary unit without a subscription. You will retain all "free" features even without a subscription: traffic will still pass, Port Forwards will continue to operate, and so forth. Refer to this page for a listing of all "free" NG Firewall features: NG Firewall Software Packages. Note that operating without a subscription will disable both IPsec and WireGuard VPNs and thus may affect connectivity to other sites or remote workers.

DHCP serving

When NG Firewall is acting as a DHCP server, each appliance in a VRRP pair must have distinct and non-overlapping DHCP pool settings. As an example, if the primary NG Firewall is providing leases in the 192.168.5.0/24 range, the secondary unit cannot use that range as well; we could choose 192.168.6.0/24 or any other unused range.
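The requirements above (same VRRP ID and virtual address on every unit, static and non-bridged interfaces, a distinct priority per unit) and the DHCP rule in this section are all things you can verify before you run a failover test. The following checker is an added example written for this article; it is not NG Firewall's own code and does not read an appliance's configuration. The VrrpInterface fields are assumed names that mirror the settings described in the text, and the two sample pairings are constructed.

```python
# Added example (not NG Firewall code): validate a VRRP pairing against the
# rules in this article. Field names are assumptions mirroring the article's
# settings; the sample pairings at the bottom are constructed data.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VrrpInterface:
    appliance: str                  # label for the NG Firewall this belongs to
    address: str                    # the unit's own IPv4 address on this interface
    config_type: str                # IPv4 configuration: "static", "dhcp", "pppoe"
    bridged: bool                   # True if the interface is bridged to another
    vrrp_enabled: bool
    vrrp_id: int                    # must match across the pairing
    vrrp_priority: int              # higher wins; the article uses 255 for the primary
    vrrp_aliases: Tuple[str, ...]   # shared virtual IP(s) entered under VRRP Aliases
    dhcp_range: Optional[Tuple[str, str]] = None  # (first, last) lease address if serving DHCP


def _ranges_overlap(a: Tuple[str, str], b: Tuple[str, str]) -> bool:
    """True if two inclusive address ranges share at least one address."""
    a0, a1 = (ipaddress.ip_address(x) for x in a)
    b0, b1 = (ipaddress.ip_address(x) for x in b)
    return a0 <= b1 and b0 <= a1


def check_pairing(members: List[VrrpInterface]) -> List[str]:
    """Return a list of rule violations; an empty list means the pairing is consistent."""
    problems: List[str] = []
    if len(members) < 2:
        problems.append("a VRRP pairing needs at least two appliances")

    # Per-unit rules: VRRP enabled, static IPv4 config, no bridging, sane priority.
    for m in members:
        if not m.vrrp_enabled:
            problems.append(f"{m.appliance}: VRRP is not enabled")
        if m.config_type != "static":
            problems.append(f"{m.appliance}: IPv4 config is {m.config_type}, must be static")
        if m.bridged:
            problems.append(f"{m.appliance}: interface is bridged (bridge loop risk)")
        if not 1 <= m.vrrp_priority <= 255:
            problems.append(f"{m.appliance}: VRRP priority {m.vrrp_priority} out of range 1-255")
        if m.address in m.vrrp_aliases:
            problems.append(f"{m.appliance}: own address {m.address} reused as the virtual IP")

    # Cross-unit rules: shared ID and virtual address, unique own addresses, unique priority.
    if len({m.vrrp_id for m in members}) > 1:
        problems.append("VRRP ID differs between appliances")
    if len({frozenset(m.vrrp_aliases) for m in members}) > 1:
        problems.append("VRRP virtual address differs between appliances")
    addresses = [m.address for m in members]
    if len(set(addresses)) != len(addresses):
        problems.append("two appliances share the same interface address")
    priorities = [m.vrrp_priority for m in members]
    if len(set(priorities)) != len(priorities):
        problems.append("two appliances share the same VRRP priority; the primary is ambiguous")

    # DHCP rule: every unit that serves leases needs a non-overlapping pool.
    servers = [m for m in members if m.dhcp_range]
    for i, a in enumerate(servers):
        for b in servers[i + 1:]:
            if _ranges_overlap(a.dhcp_range, b.dhcp_range):
                problems.append(f"DHCP ranges of {a.appliance} and {b.appliance} overlap")
    return problems


# Constructed sample data: a pairing that follows the article's rules...
GOOD_PAIR = [
    VrrpInterface("ngfw-primary", "192.168.5.2", "static", False, True, 10, 255,
                  ("192.168.5.1",), ("192.168.5.100", "192.168.5.199")),
    VrrpInterface("ngfw-backup", "192.168.5.3", "static", False, True, 10, 100,
                  ("192.168.5.1",), ("192.168.6.100", "192.168.6.199")),
]

# ...and one where the backup was configured carelessly (four violations).
BAD_PAIR = [
    GOOD_PAIR[0],
    VrrpInterface("ngfw-backup", "192.168.5.3", "dhcp", False, True, 11, 255,
                  ("192.168.5.1",), ("192.168.5.150", "192.168.5.250")),
]

if __name__ == "__main__":
    for label, pair in (("good", GOOD_PAIR), ("bad", BAD_PAIR)):
        print(label, check_pairing(pair) or "OK")
```

Fill in one VrrpInterface per unit from what you entered on the Redundancy (VRRP) Configuration tab and the DHCP settings, and run the script; a mismatched VRRP ID or an overlapping lease pool shows up as a listed problem rather than as a surprise during the first real failover.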
