VRRP between two bridged interfaces

Hi everyone,

I'm trying to make our ISP routers' VRRP work.

Both routers are connected to physical interfaces on a SG330 cluster like this:
RTR1 <> FW1/eth6
RTR1 <> FW2/eth6
RTR2 <> FW1/eth7
RTR2 <> FW2/eth7

I expected the bridging of my eth6 and eth7 would be sufficient for the VRRP to work, but the ISP tells us that both routers act as masters (i.e., can't communicate).

As a result, I only have one interface to work with (br0) and can't figure out what's wrong and/or what must be done:
- Creating a firewall policy to allow VRRP protocol (IP/112) from/to my br0 interface seems pointless
- There might be something to do with Multicast Routing, but to be honest, I don't quite understand the point if only one interface (br0) is involved

Any help would be much appreciated

Thanks, david



This thread was automatically locked due to age.
  • Hi, David, and welcome to the UTM Community!

    VRRP is not available on the UTM, but you can achieve what you want.  I doubt that this includes bridging, but it's not clear from your post what problem you're addressing.

    Cheers - Bob

  • Hi Bob and thanks for your reply,

    Actually, VRRP is only used by the routers of my ISP to provide a redundant MPLS gateway to our firewall.
    Both routers use their LAN interface to communicate with each other and negotiate the master/slave role.
    As we don't have a "WAN switch" to link them together, I've used two interfaces available on our SG330 boxes (eth6 and eth7, that I bridged).

    Here's a basic schema (ignoring the Sophos cluster and other WAN, DMZ, WiFi interfaces to simplify)

                            (eth6) ---- MPLS-RTR1
                           /
    LAN --- (eth1) ---- SG330
                           \
                            (eth7) ---- MPLS-RTR2


    Despite the fact that the IP packets are forwarded between the two physical interfaces (default behavior), the routers are unable to negotiate their role according to the VRRP Protocol.
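
One way to check, from frames captured on each bridge port, whether both routers' advertisements actually arrive there in acceptable form. This is an added example, not from the thread. It assumes VRRPv2 (RFC 3768; the thread does not say which version the ISP routers run), and the addresses, VRID, priorities and frames are constructed sample values.

```python
import struct

VRRP_PROTO, VRRP_GROUP = 112, "224.0.0.18"  # RFC 3768 constants

def inet_checksum(data: bytes) -> int:
    """Ones-complement checksum; 0 when data embeds a valid checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_vrrp(frame: bytes):
    """Decode a VRRPv2 advertisement from an Ethernet frame, or return None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] & 0x0F < 5:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    ip, msg = frame[14:14 + ihl], frame[14 + ihl:14 + total_len]  # drops Ethernet padding
    if ip[9] != VRRP_PROTO or len(msg) < 8 or msg[0] != 0x21:  # 0x21 = version 2, type 1
        return None
    dst = ".".join(map(str, ip[16:20]))
    problems = [name for name, bad in (
        ("ttl is not 255", ip[8] != 255),  # RFC 3768: receivers must discard these
        ("wrong destination", dst != VRRP_GROUP),
        ("bad checksum", inet_checksum(msg) != 0)) if bad]
    return {"src": ".".join(map(str, ip[12:16])), "vrid": msg[1],
            "priority": msg[2], "problems": problems}

def routers_heard(captures: dict) -> dict:
    """Per capture point, the source IPs whose advertisements are acceptable."""
    return {port: sorted({a["src"] for a in map(parse_vrrp, frames)
                          if a and not a["problems"]})
            for port, frames in captures.items()}

def build_advert(src, vrid, prio, vip, ttl=255):
    """Constructed sample frame (not captured traffic) for the demo below."""
    to_b = lambda ip: bytes(map(int, ip.split(".")))
    body = bytes([0x21, vrid, prio, 1, 0, 1, 0, 0]) + to_b(vip) + bytes(8)
    body = body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(body), 0, 0, ttl,
                     VRRP_PROTO, 0, to_b(src), to_b(VRRP_GROUP))  # IP checksum left 0
    eth = bytes.fromhex("01005e000012" "00005e0001") + bytes([vrid]) + b"\x08\x00"
    return (eth + ip + body).ljust(60, b"\x00")  # pad to Ethernet minimum

# Constructed captures: each port shows only its own router; eth7 also has a TTL-254 copy.
RTR1 = build_advert("192.0.2.2", 10, 110, "192.0.2.1")
RTR2 = build_advert("192.0.2.3", 10, 100, "192.0.2.1")
STALE = build_advert("192.0.2.2", 10, 110, "192.0.2.1", ttl=254)
CAPTURES = {"eth6": [RTR1], "eth7": [RTR2, STALE]}
print(routers_heard(CAPTURES))
```

A port that lists only one source address is not receiving the other router's advertisements in a form a VRRP receiver would accept, which is the condition under which each router keeps the master role.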
