
conntrack-sync: Multiprimary setups for HA/VRRP
Status: Needs reporter action | Priority: Normal | Visibility: Public | Type: Feature Request

Description

We have established 10 internal VLANs connecting both router nodes with VRRP. Additionally, there is an external connection through a dedicated VLAN, where OSPF and load-balancing with border routers are implemented. The challenge lies in the lack of control over load-balancing for incoming packets through this external connection, resulting in their potential arrival at any of our router nodes. More details about our design are on the Forum page.

Objective
Our objective is to implement a stateful firewall configuration, allowing outgoing sessions to any IP while permitting the initiation of sessions from outside sources only from a predefined set of IPs.

Solution
Drawing inspiration from commercial firewalls like Palo Alto, VyOS 1.4 currently supports conntrack-sync only in alignment with the VRRP instance. Notably, in VyOS, multiple VRRP instances with distinct active/backup roles can exist on the same router in different instances. This suggests that conntrack-sync could potentially operate in a similar manner. The envisioned setup involves a Multiprimary setup marking each router as the session owner, sending owned sessions to the peer, and accepting only sessions owned by the HA partner. As per documentation, Multiprimary setup is supported by conntrackd on Debian 8 but not yet supported in VyOS 1.4.

Concerns:

  1. VyOS HA Conntrack-Sync is Unidirectional:
    • Conntrack-sync in VyOS HA configuration is observed to be unidirectional (Primary-Backup), limiting synchronization possibilities. The service conntrack-sync does not support multiple instances and allows configuration for only a single instance (documentation reference). Is it feasible to establish multiple unidirectional sync instances in VyOS?
  2. Bidirectional Sync with Native Conntrackd:
    • A key inquiry is whether it is practical to have multiple unidirectional sync instances (e.g., A to B and B to A) or utilize a native Multiprimary setup of the conntrackd utility in VyOS. The goal is to enhance flexibility and establish a bidirectional synchronization setup by having multiple conntrack-sync instances.

Conntrackd Documentation and Implementation:

  1. Feasibility Check:
    • Requesting verification of the feasibility of bidirectional synchronization for conntrack-sync in an active-active HA configuration.
    • If feasible, guidance or step-by-step instructions on configuring such a bidirectional setup would be greatly appreciated.
  2. Conntrackd Documentation Interpretation:
    • Seeking assistance in interpreting conntrackd documentation, specifically in the context of its support for Multiprimary setups within VyOS 1.4 (documentation reference).
    • Additionally, insights into leveraging conntrackd to achieve bidirectional synchronization are appreciated.

Your attention to these inquiries is invaluable, and any insights or guidance you can provide will greatly assist in resolving our configuration challenges.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Feature (new functionality)

Event Timeline

syncer triaged this task as Normal priority.

I have a similar setup where I have two VyOS VMs used as VPN routers with some firewalling enabled. Since I use OSPF for dynamic routing I am not able to synchronize the sessions between both routers so in case one VPN router fails the other one can't take over flawlessly. Having conntrack-sync configuration separated from VRRP would be a great benefit.

@I-n-d-y Try to get it working without VyOS CLI.
Provide the required conntrack config, as I'm not sure that it will work correctly at all.

Viacheslav changed the task status from Open to Needs reporter action. Jan 19 2024, 10:43 PM

https://conntrack-tools.netfilter.org/manual.html#sync-aa

conntrackd allows you to deploy a symmetric Active-Active setup based on a static approach. For example, assume that you have two virtual IPs, vIP1 and vIP2, and two firewall replicas, FW1 and FW2. You can give the virtual vIP1 to the firewall FW1 and the vIP2 to the FW2.

The asymmetric path scenario is hard: races might occur between state synchronization and packet forwarding. If you would like to deploy an Active-Active setup with an asymmetric multi-path routing configuration, then make sure the same firewall forwards packets coming in the original and the reply directions. If you cannot guarantee this and you still would like to deploy an Active-Active setup, then you might have to consider downgrading your firewall ruleset policy to stateless filtering.
Viacheslav added a subscriber: Viacheslav.
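Added here as an example, not part of this task or of the conntrack-tools manual: a small parser over constructed `conntrack -L` output that flags the asymmetric-path symptom the quoted manual text warns about, TCP entries stuck in SYN_SENT and [UNREPLIED] on one node because the reply direction was forwarded by the HA peer. The sample lines, the addresses in them and the 120 s SYN_SENT default are assumptions, not values from the reporter's routers.

```python
import re

# Constructed sample of `conntrack -L` output (not captured from the reporter's routers).
# TCP entries stuck in SYN_SENT/[UNREPLIED] are the asymmetric-path symptom: this node saw
# the original direction, the HA peer forwarded the reply, and neither has a full state.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.0.1.5 dst=203.0.113.10 sport=45612 dport=443 src=203.0.113.10 dst=192.0.2.1 sport=443 dport=45612 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=10.0.1.7 dst=203.0.113.20 sport=51000 dport=80 [UNREPLIED] src=203.0.113.20 dst=192.0.2.1 sport=80 dport=51000 mark=0 use=1
tcp      6 110 SYN_SENT src=10.0.1.8 dst=203.0.113.21 sport=51001 dport=80 [UNREPLIED] src=203.0.113.21 dst=192.0.2.1 sport=80 dport=51001 mark=0 use=1
udp     17 29 src=10.0.1.5 dst=198.51.100.53 sport=40000 dport=53 [UNREPLIED] src=198.51.100.53 dst=192.0.2.1 sport=53 dport=40000 mark=0 use=1
tcp      6 3 SYN_SENT src=10.0.1.9 dst=203.0.113.22 sport=51002 dport=22 [UNREPLIED] src=203.0.113.22 dst=192.0.2.1 sport=22 dport=51002 mark=0 use=1
"""

# One conntrack entry: proto, L4 number, remaining timeout, optional TCP state, original tuple.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)

def parse_conntrack(text):
    """Parse `conntrack -L` lines into dicts; unrecognised lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["timeout"] = int(d["timeout"])
        d["unreplied"] = "[UNREPLIED]" in d["rest"]
        flows.append(d)
    return flows

def asymmetric_path_suspects(flows, min_age=5, syn_sent_timeout=120):
    """TCP flows waiting in SYN_SENT/[UNREPLIED] for at least min_age seconds.

    The remaining timeout counts down from nf_conntrack_tcp_timeout_syn_sent
    (120 s by default, assumed here), so age = syn_sent_timeout - remaining.
    A brand-new SYN has no reply yet and is ignored; a silent peer also looks
    like this, so treat a high share of suspects, not a single one, as the signal.
    """
    suspects = []
    for f in flows:
        if f["proto"] == "tcp" and f["state"] == "SYN_SENT" and f["unreplied"]:
            age = syn_sent_timeout - f["timeout"]
            if age >= min_age:
                suspects.append((f["src"], f["dst"], int(f["dport"]), age))
    return suspects
```

Run the same parser on both HA nodes: a large share of such entries on one node paired with matching SYN-ACKs dropped as INVALID on the other is the pattern the manual describes.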