[Vyatta-users] R: Routing problem
Details:

                              External    Internal
                              eth0        eth1
             .2               169.68.1    68.10          68.8     69.10
    Router |-----------------|    FW     |--------------| Vyatta |------| PC |  192.168.69.1 - Test2 Network
          192.169.68.x                          |        Def GW: .68.10        GW: 192.168.69.10
                                                |                              DHCP for Test2 Network
                                        | Test1 Network |
                                         192.168.68.x   GW: 192.168.68.10

In FW static route:

    #   IP             Mask             Gateway         Device     Distance
    1   192.168.69.0   255.255.255.0    192.168.68.8    internal   1
    2   0.0.0.0        0.0.0.0          192.169.68.2    external   2

Thanks!

----- Original message -----
From: Justin Fletcher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 11 December 2007 18:02
To: Andrea Zaini
Cc: [EMAIL PROTECTED]
Subject: Re: [Vyatta-users] Routing problem

> Do the systems have their default gateway set to the Vyatta? Is it the directly connected interface?
>
> Looking at your DHCP config, only systems on the .69 network would be able to reach the .68, but those on the .68 wouldn't be able to reach the .69 network, unless their default gateway is configured with a static address.
>
> Not sure what the production network is --
>
> Justin
>
> On Dec 11, 2007 8:51 AM, Andrea Zaini [EMAIL PROTECTED] wrote:
>> I installed a Vyatta router between network Test1 192.168.68.0/24 and network Test2 192.168.69.0/24.
>> From the PC in the test network I can start Outlook, management programs etc. It can ping some networked computers... but not at all the PCs in the Production Network! No firewall configured!
>> Thanks everyone!
>>
>>    |FW| --|Vyatta||PC| 192.168.69.1 - Test2 Network
>>              |
>>              |
>>       |Test1 Network|
>>        192.168.68.x
>>
>> mynetwork.txt (attachment)

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] FIREWALL question: How can I stealth tcp ports
Hi Josh,

There is no firewall by default on Vyatta. Your firewall rule does not prevent packets from external to your Vyatta itself. You can apply the firewall instance as in, out and local per interface. You have used in, meaning that packets entering that interface will be filtered by the firewall. But you are scanning Vyatta's external IP address, meaning that packets are sent to the local instance. So you should define a rule like:

    set firewall name extlocal rule 10 action accept
    set firewall name extlocal rule 10 protocol tcp
    set firewall name extlocal rule 10 state new enable
    set firewall name extlocal rule 10 state established enable
    set firewall name extlocal rule 10 destination port-number 22
    set interfaces ethernet eth0 firewall local name extlocal

Obviously this means that tcp port 22 will show as open, because you wanted to use ssh from the external net. Other traffic will be implicitly denied. So you won't be able to ping from Vyatta itself, say, Google's IP addresses. For that you need to add another rule allowing the returning echo reply packet (unfortunately we cannot have the state parameter for protocols other than TCP with Vyatta VC3; there is a report on bugzilla for that, https://bugzilla.vyatta.com/show_bug.cgi?id=2502):

    set firewall name extlocal rule 20 action accept
    set firewall name extlocal rule 20 protocol icmp
    set firewall name extlocal rule 20 icmp type 0
    set firewall name extlocal rule 20 icmp code 0

Also I assume that you will want to filter packets entering Vyatta's external interface. You can use something like, say for HTTP/HTTPS returning traffic:

    set firewall name exttoint rule 10 action accept
    set firewall name exttoint rule 10 protocol tcp
    set firewall name exttoint rule 10 destination network <your internal network>
    set firewall name exttoint rule 10 state established enable
    set firewall name exttoint rule 10 state related enable
    set firewall name exttoint rule 10 state invalid disable
    set firewall name exttoint rule 10 source port-number 80
    set firewall name exttoint rule 10 source port-number 443

For DNS returning traffic (unfortunately, again, we cannot have the state parameter for protocols other than TCP with Vyatta VC3); this may vary depending on your DNS design, if you are using DNS forwarders...:

    set firewall name exttoint rule 14 action accept
    set firewall name exttoint rule 14 source address <your external DNS server address>
    set firewall name exttoint rule 14 protocol udp
    set firewall name exttoint rule 14 destination <your internal network or your internal DNS server address>
    set firewall name exttoint rule 14 source port-number 53
    set interfaces ethernet eth0 firewall in name exttoint

In the same way you can set an in firewall instance for your local interface (obviously for tcp you will have to use the new parameter, and now the source ports become destination ports), and also for the local instance of your local interface. Since the rest of the traffic is denied you need to create your rules carefully.

It will be better if you use nmap to scan your Vyatta. There aren't any stealth ports. They are merely filtered.

Adrian
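The point Adrian makes above is easy to get wrong: an instance bound with "in" only sees traffic transiting the interface (the iptables FORWARD path), while packets addressed to the router's own address go through the "local" instance (INPUT), so a scan of the external IP is untouched by an "in" ruleset. The following is an added example, not Vyatta code and not code from the thread; it models that instance selection, first-match rule evaluation and the implicit deny, using the rule sets quoted in the reply. The Rule/Packet/Router classes, the interface addresses and the scanner address are this example's own constructions.

```python
"""Model of how per-interface firewall instances are selected and evaluated.

Added example; not Vyatta code.  'in' filters transiting packets, 'local'
filters packets addressed to the router itself, and every bound instance
ends with an implicit deny.  Addresses and class names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str                          # "accept" or "drop"
    protocol: Optional[str] = None       # "tcp", "udp", "icmp"; None matches any
    dst_port: Optional[int] = None
    src_port: Optional[int] = None
    states: frozenset = frozenset()      # subset of {"new","established","related"}; empty = any
    icmp_type: Optional[int] = None


@dataclass
class Packet:
    in_iface: str
    protocol: str
    src: str
    dst: str
    state: str = "new"                   # connection-tracking state of this packet
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Router:
    addresses: dict                      # interface -> the router's own address on it
    instances: dict = field(default_factory=dict)   # (interface, hook) -> [Rule]

    def hook_for(self, pkt: Packet) -> str:
        """'local' when the packet is addressed to the router itself, else 'in'."""
        return "local" if pkt.dst in self.addresses.values() else "in"

    def verdict(self, pkt: Packet) -> str:
        rules = self.instances.get((pkt.in_iface, self.hook_for(pkt)))
        if rules is None:
            return "accept"              # nothing bound on that hook: unfiltered
        for r in sorted(rules, key=lambda x: x.number):   # first match wins
            if r.protocol is not None and r.protocol != pkt.protocol:
                continue
            if r.dst_port is not None and r.dst_port != pkt.dst_port:
                continue
            if r.src_port is not None and r.src_port != pkt.src_port:
                continue
            if r.states and pkt.state not in r.states:
                continue
            if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
                continue
            return r.action
        return "drop"                    # implicit deny closes every instance


def build_router() -> Router:
    """The rule sets from the reply: 'extlocal' on eth0 local, 'exttoint' on eth0 in."""
    r = Router(addresses={"eth0": "203.0.113.10", "eth1": "192.168.1.1"})
    r.instances[("eth0", "local")] = [
        Rule(10, "accept", "tcp", dst_port=22, states=frozenset({"new", "established"})),
        Rule(20, "accept", "icmp", icmp_type=0),    # echo-reply, matched statelessly (VC3)
    ]
    r.instances[("eth0", "in")] = [
        Rule(10, "accept", "tcp", src_port=443, states=frozenset({"established", "related"})),
        Rule(14, "accept", "udp", src_port=53),     # DNS answers, again stateless
    ]
    return r


def scan_result(router: Router, port: int, iface: str = "eth0") -> str:
    """What a SYN scan of the router's own address on iface would report."""
    pkt = Packet(iface, "tcp", "198.51.100.7", router.addresses[iface], dst_port=port)
    return "open-or-closed" if router.verdict(pkt) == "accept" else "filtered"


if __name__ == "__main__":
    r = build_router()
    for p in (22, 80):
        print(f"port {p}: {scan_result(r, p)}")
    only_in = Router(r.addresses, {("eth0", "in"): r.instances[("eth0", "in")]})
    print("with only 'in' bound, port 80:", scan_result(only_in, 80))
```

Running it shows port 22 reachable and 80 filtered once the local instance is bound, and port 80 unfiltered when only the "in" instance exists, which is exactly the situation in the original question. The stateless ICMP rule also means an unsolicited echo-reply from anywhere is accepted; that is the cost of the missing state match on VC3.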
[Vyatta-users] [SOLVED] invalid pre-shared secret key
The patch did work, thanks.

Ciao
Mathias

> I know this worked in earlier versions, but it seems the current release has added an overly restrictive syntax check. If you login as root we can fix this on the fly by changing the file
>
>     /opt/vyatta/share/ofr/template/vpn/ipsec/site-to-site/peer/node.tag/authentication/pre-shared-secret/node.def
>
> From:
>
>     help: Set pre-shared secret key
>     type: txt
>     syntax: pattern $(@) "^[-_a-zA-Z0-9.]+$" ; "invalid pre-shared secret key \"$(@)\""
>
> To:
>
>     help: Set pre-shared secret key
>     type: txt
>     syntax: pattern $(@) "^[\([EMAIL PROTECTED]" ; "invalid pre-shared secret key \"$(@)\""
>
> Hope that helps.
>
> stig
>
>> mathias [EMAIL PROTECTED] wrote:
>>
>>     [EMAIL PROTECTED] set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication pre-shared-secret 11([EMAIL PROTECTED]
>>     [edit]
>>     [EMAIL PROTECTED] commit
>>     [edit]
>>     Commit Failed
>>     invalid pre-shared secret key 11([EMAIL PROTECTED]
>>
>>     [EMAIL PROTECTED] set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication pre-shared-secret '11([EMAIL PROTECTED]'
>>     [edit]
>>     [EMAIL PROTECTED] commit
>>     [edit]
>>     Commit Failed
>>     sh: -c: line 0: syntax error near unexpected token `('
>>     sh: -c: line 0: `/opt/vyatta/sbin/xorp_tmpl_tool set vpn ipsec site-to-site peer 'xxx.xxx.xxx.xxx' authentication pre-shared-secret ''11([EMAIL PROTECTED]'''
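The second failure in Mathias's transcript is worth a closer look: the "sh: -c: line 0: syntax error near unexpected token `('" message shows that the configured value is spliced into a shell command line before xorp_tmpl_tool sees it. The strict pattern in node.def happened to keep shell metacharacters out; once the pattern is relaxed, the value has to be quoted for the shell, or better, passed as an argv element with no shell involved. The following is an added example, not Vyatta code and not Stig's patch. STRICT is the pattern quoted from the original node.def; RELAXED, the function names and the sample values are this example's own assumptions.

```python
"""Validate a pre-shared secret and hand it to a helper without letting a
shell parse it.

Added example, not Vyatta code.  STRICT is the VC3 node.def pattern quoted
in the thread; RELAXED and all function names are assumptions.
"""
import re
import shlex

STRICT = re.compile(r"^[-_a-zA-Z0-9.]+$")   # as shipped in VC3 node.def
RELAXED = re.compile(r"^[!-~]+$")           # assumption: any printable ASCII, no whitespace

TOOL = "/opt/vyatta/sbin/xorp_tmpl_tool"    # path taken from the sh error in the thread


def psk_ok(secret: str, pattern: re.Pattern = STRICT) -> bool:
    """True if the secret passes the given syntax check."""
    return pattern.fullmatch(secret) is not None


def set_psk_argv(peer: str, secret: str) -> list:
    """argv for the template tool.  Run it with subprocess.run(argv), i.e.
    shell=False, so '(' '@' ';' in the secret are just bytes in one argument."""
    return [TOOL, "set", "vpn", "ipsec", "site-to-site", "peer", peer,
            "authentication", "pre-shared-secret", secret]


def set_psk_shell(peer: str, secret: str) -> str:
    """If a 'sh -c' string is unavoidable, build it with shlex.quote so the
    secret can neither terminate nor extend the command."""
    return " ".join(shlex.quote(a) for a in set_psk_argv(peer, secret))


def commit(peer: str, secret: str, pattern: re.Pattern = RELAXED) -> list:
    """Check the value, then return the argv that would be executed (nothing
    is executed here; the tool only exists on a Vyatta box)."""
    if not psk_ok(secret, pattern):
        raise ValueError(f"invalid pre-shared secret key {secret!r}")
    return set_psk_argv(peer, secret)


if __name__ == "__main__":
    for s in ("Abc-123", "11(x@y", "a;rm -rf /"):
        print(f"{s!r}: strict={psk_ok(s)} relaxed={psk_ok(s, RELAXED)}")
    print(set_psk_shell("192.0.2.33", "11(x@y"))
```

The argv form is the one to prefer: quoting fixes the symptom in the transcript, but a command string that embeds user input is one missed quote away from the same failure, or from executing whatever follows the `;`.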
Re: [Vyatta-users] IPsec and VRRP problem
Ah, piffle - looks like that bug was fixed after VC3 was released. You need to correct /opt/vyatta/sbin/vpn-config.pl. You can get the corrected version from

    http://suva.vyatta.com/git/?p=ofr.git;a=blob_plain;f=cli/scripts/vpn/vpn-config.pl;hb=HEAD

or you can just comment out the check, if you're comfortable with perl.

Best,
Justin

On 12/12/07, Senad Uka [EMAIL PROTECTED] wrote:
> Now we have found the right one and again we have the same problem. I configured the router EXACTLY as it is written in the manual, clustering chapter :) But still, even if the cluster is up and running and I can ping the cluster IP addresses, it doesn't let me set local-ip on the ipsec peer configuration to the cluster IP address, complaining that the IP address is not an address of the interface or a cluster address ...
>
> I have attached the configuration of the first router. Currently I set the local-ip to the physical interface's IP so I can commit and save the config ... also I didn't set up the second monitor node but, as I understand, that should not be the problem. Configuration of the second router is identical with the respective interface IP addresses changed (and has the same problem with local-ip) ...
>
> On Dec 11, 2007 5:25 PM, Justin Fletcher [EMAIL PROTECTED] wrote:
>> Certainly. Let me know if you need more information (though there's a new clustering chapter in the documentation for this :-) )
>>
>> Best,
>> Justin
>>
>> On Dec 11, 2007 8:22 AM, Senad Uka [EMAIL PROTECTED] wrote:
>>> Thank you for the quick answer.
>>>
>>> On Dec 11, 2007 5:11 PM, Justin Fletcher [EMAIL PROTECTED] wrote:
>>>> It is; clustering support was added recently exactly for scenarios such as this. You'll need to set up WEST and WEST backup as cluster members, define the IP addresses, and set up IPSec as the failover service. This will actually be using clustering instead of VRRP for your virtual address failover.
>>>>
>>>> Best,
>>>> Justin
>>>>
>>>> On Dec 11, 2007 6:28 AM, Senad Uka [EMAIL PROTECTED] wrote:
>>>>> Hello.
>>>>>
>>>>> I am trying to set up a network similar to the one in the configuration manual under the pre-shared key IPSEC VPN settings section, but adding a VRRP backup router to the router named WEST in the manual (page 231).
>>>>>
>>>>>                 | SERVER |
>>>>>               192.168.40.7/24
>>>>>                     |
>>>>>                     * (virtual IP: 192.168.40.20)
>>>>>                    / \
>>>>>                   /   \
>>>>>      192.168.40.6/24   192.168.40.5/24
>>>>>        | WEST |        | WEST backup |
>>>>>      192.0.2.2/26      192.168.0.2.3/26
>>>>>                   \   /
>>>>>                    \ /
>>>>>                     * (virtual IP: 192.0.2.1)
>>>>>                     |
>>>>>               192.0.2.33/26
>>>>>                 | EAST |
>>>>>               192.168.60.8/24
>>>>>                     |
>>>>>               192.168.60.7/24
>>>>>                 | CLIENT |
>>>>>
>>>>> Client communicates with server through an IPSEC tunnel between the EAST and WEST routers. If the WEST router goes down, WEST backup should take over.
>>>>>
>>>>> I have set up the routers according to the manual and it worked. When I set up VRRP on the WEST, and set the ipsec peer on the EAST to the virtual IP, the tunnel cannot be established. From the debug data for the ipsec I can see that the EAST is expecting a tunnel 192.68.60/24===192.0.2.33...192.0.2.1===192.168.40.0/24, while the WEST doesn't use its virtual address and expects 192.168.40.0/24===192.0.2.2...192.0.2.33===192.68.60/24, so it cannot finish the phase 2 negotiation ...
>>>>>
>>>>> In order to solve it, I tried to set the local-ip in the ipsec configuration on the WEST side to the virtual IP address (192.0.2.1) but I cannot commit the changes since vyatta does not recognize it as the address of an interface (Message: Local IP specified for peer 192.0.2.33 has not been configured in any of the ipsec interfaces or clustering.)
>>>>>
>>>>> Is my requested behaviour even possible to achieve? Am I missing something?
>>>>>
>>>>> --
>>>>> LA ILAHE ILLA ENTE, SUBHANEKE INNI KUNTU MINE-ZZALIMIN
[Vyatta-users] R: R: Routing problem
ok ok! my error! sorry! ;)

----- Original message -----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] on behalf of Andrea Zaini
Sent: Wednesday 12 December 2007 9:18
To: [EMAIL PROTECTED]
Subject: [Vyatta-users] R: Routing problem

> [snip: the message quoted above]
Re: [Vyatta-users] Vyatta null route
Hmm, that doesn't seem to do the trick. Just for giggles, I am running v3.

    ERROR: node next-hop: argument discard is not a valid IPv4: value must be an IP address in dotted decimal form.
    [edit]

:O

Shane McKinley
Habersham EMC

----- Original message -----
From: Peter Wohlers [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2007 12:22 PM
To: Shane McKinley
Cc: [EMAIL PROTECTED]
Subject: Re: [Vyatta-users] Vyatta null route

> [snip]
Re: [Vyatta-users] R: R: Routing problem
> ok ok! my error! sorry! ;)

There is a law of the universe somewhere that you're most likely to notice your own mistake right after posting to an Internet mailing list. ;-) If this phenomenon hasn't been named yet, I hereby dub it Dave's Law. ;-)

-- Dave
[Vyatta-users] Vyatta null route
I am trying to figure out how to insert a null route into my Vyatta OFR. I tried:

    set protocols static route x.x.x.x/x next-hop 0.0.0.0

But then it does not show when executing:

    show route

Any ideas?

Thanks,

Shane McKinley
Habersham EMC
Re: [Vyatta-users] Vyatta null route
Try the 'discard' operator, so

    set protocols static route x.x.x.x/x discard

or maybe it's

    set protocols static route x.x.x.x/x next-hop discard

--Peter

Shane McKinley wrote:
> [snip]
Re: [Vyatta-users] Vyatta null route
Unfortunately there is a known bug with discard. See http://bugzilla.vyatta.com/show_bug.cgi?id=1933

stig

----- Original message -----
From: [EMAIL PROTECTED] [mailto:vyatta-users-[EMAIL PROTECTED]] On Behalf Of Peter Wohlers
Sent: Wednesday, December 12, 2007 9:22 AM
To: Shane McKinley
Cc: [EMAIL PROTECTED]
Subject: Re: [Vyatta-users] Vyatta null route

> [snip]
Re: [Vyatta-users] Vyatta null route
The best solution seems to be an init script as follows:

    ip route add blackhole 172.16.0.0/20
    ip route add blackhole 10.0.0.0/8
    ip route add blackhole 192.168.0.0/16

Too bad, I keep running into limitations on Vyatta.. I am not complaining though, it's free and seems to work well overall.

Thanks,

Shane McKinley
Habersham EMC

----- Original message -----
From: Stig Thormodsrud [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2007 12:53 PM
To: 'Peter Wohlers'; Shane McKinley
Cc: [EMAIL PROTECTED]
Subject: RE: [Vyatta-users] Vyatta null route

> [snip]
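What the blackhole workaround above buys you is decided by longest-prefix matching in the kernel FIB, which is worth seeing explicitly: a connected /24 inside 192.168.0.0/16 keeps working because it is more specific than the blackhole, while addresses in private space that nothing else covers are dropped instead of following the default route to the ISP. The following is an added example, not Vyatta code and not part of the thread. The three blackhole prefixes are the ones from the script; the default route, the connected LAN, the addresses and the function names are constructed for this example.

```python
"""Longest-prefix lookup with blackhole entries.

Added example, not Vyatta code.  Shows what 'ip route add blackhole ...'
does to forwarding decisions and which private space it leaves uncovered.
The blackhole prefixes come from the thread; everything else is constructed.
"""
import ipaddress

# Constructed routing table: (prefix, action).  Order does not matter.
ROUTES = [
    ("0.0.0.0/0",      "via 203.0.113.1"),   # default route to the upstream
    ("192.168.1.0/24", "dev eth1"),          # a connected LAN inside the blackholed /16
    ("172.16.0.0/20",  "blackhole"),         # the three entries from the init script
    ("10.0.0.0/8",     "blackhole"),
    ("192.168.0.0/16", "blackhole"),
]


def lookup(dst: str, routes=ROUTES) -> str:
    """Most specific matching prefix wins, as in the kernel FIB: the
    connected /24 still forwards although its covering /16 is blackholed."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, action in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else "unreachable"


def leaks_upstream(dst: str, routes=ROUTES) -> bool:
    """True if a packet to dst would be sent out the default route.  Without
    the blackholes, unused RFC1918 space leaks to the ISP."""
    return lookup(dst, routes).startswith("via ")


def uncovered_rfc1918(routes=ROUTES) -> list:
    """RFC1918 space that no blackhole covers.  172.16.0.0/20 spans only
    172.16.0.0-172.16.15.255; the full private block is 172.16.0.0/12."""
    private = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
    holes = [ipaddress.ip_network(p) for p, a in routes if a == "blackhole"]
    leftover = []
    for net in private:
        remaining = [net]
        for h in holes:
            nxt = []
            for r in remaining:
                if h.subnet_of(r) and h != r:
                    nxt.extend(r.address_exclude(h))   # carve the hole out of r
                elif not (h == r or r.subnet_of(h)):
                    nxt.append(r)                      # untouched by this hole
            remaining = nxt
        leftover.extend(remaining)
    return sorted(str(n) for n in leftover)


if __name__ == "__main__":
    for dst in ("192.168.1.20", "192.168.50.1", "10.9.8.7", "172.16.16.1", "8.8.8.8"):
        print(f"{dst:<14} -> {lookup(dst)}")
    print("not blackholed:", uncovered_rfc1918())
```

The last call reports eight leftover networks between 172.16.16.0/20 and 172.24.0.0/13; whether that matters depends on what the script was meant to cover, but it is the kind of gap a quick lookup like this makes visible before the routes go into an init script.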
Re: [Vyatta-users] Vyatta null route
> Ya... it doesn't make breakfast for me in the morning either... oh well. Maybe next version ;)

The nice thing about open source is its relentless improvement. ;-) In this particular case, the bug is fixed in the next version. Because of the structural work we have been doing over the past few months, many of the more annoying things in the system will have been removed. For those that have not been removed, the infrastructure will have been put in place to make faster progress in getting them.

-- Dave
Re: [Vyatta-users] Vyatta null route
Ya... it doesn't make breakfast for me in the morning either... oh well. Maybe next version ;)

----- Original message -----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Shane McKinley
Sent: Wednesday, December 12, 2007 1:50 PM
To: [EMAIL PROTECTED]
Subject: Re: [Vyatta-users] Vyatta null route

> [snip]
Re: [Vyatta-users] Vyatta null route
Meaning Glendale?

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com

On Dec 12, 2007, at 2:48 PM, Dave Roberts wrote:
> the bug is fixed in the next version
Re: [Vyatta-users] Vyatta null route
> Meaning Glendale?

Yes.

-- Dave
[Vyatta-users] DHCP for external interface
Folks;

Looking through the previous mails, it looks like there were plans to implement Kill configuration for interfaces... Anyone know what the status of this is or where I can look? I need this for a home environment where the ISP provides the IP information via DHCP...

KW
[Vyatta-users] VRRP Confusion
Hello everyone,

I used google to search the mail list archive, but didn't get any results for my issue. This is my second day working on the problem and my colleagues don't have any suggestions. This post is a little long, but I hope thorough enough to give all relevant information.

Here is my setup:

    vyatta01 - eth0: 192.168.2.50, eth1: 192.168.10.3
    vyatta02 - eth0: 192.168.2.51, eth1: 192.168.10.2
    laptop01 - eth0: 192.168.10.11

Laptop01 is connected to a switch, which also has cables from eth1 on both vyatta01 and vyatta02 connected. Eth0 on both vyatta01 and vyatta02 is connected into the main 192.168.2.0/24 network which has internet connectivity.

With a base configuration of a default route to 192.168.2.21 on both vyatta01 and vyatta02, and the above IPs assigned to their respective network cards, I can ping 192.168.10.2 and 192.168.10.3 from laptop01; I can ping 192.168.10.2 from vyatta01, and I can ping 192.168.10.3 from vyatta02. Basically, everything can ping everything.

I then proceed to set up VRRP between vyatta01 and vyatta02 with the following config:

--Vyatta02--

    set interfaces ethernet eth1 vrrp vrrp-group 10
    set interfaces ethernet eth1 vrrp virtual-address 192.168.10.1
    set interfaces ethernet eth1 vrrp preempt true
    set interfaces ethernet eth1 vrrp priority 150
    commit

--Vyatta01--

    set interfaces ethernet eth1 vrrp vrrp-group 10
    set interfaces ethernet eth1 vrrp virtual-address 192.168.10.1
    set interfaces ethernet eth1 vrrp preempt true
    set interfaces ethernet eth1 vrrp priority 20
    commit

So vyatta02 is the master, VIP is 192.168.10.1. Immediately, and as expected, I see in the output of show vrrp that vyatta02 considers itself the master, and vyatta01 sees itself as the backup. In a tcpdump from laptop01 I can see the VRRPv2 advertisements from vyatta02 every second. At this time from laptop01 I am unable to ping 192.168.10.1 or 192.168.10.2, but I can ping 192.168.10.3.

The arp table on laptop01 shows the following:

    # arp -n
    Address        HWtype  HWaddress          Flags Mask  Iface
    192.168.10.3   ether   00:1A:A0:2A:04:0A  C           eth0
    192.168.10.1   ether   00:00:5E:00:01:0A  C           eth0
    192.168.10.2   ether   00:00:5E:00:01:0A  C           eth0

From vyatta01, I am also unable to ping 192.168.10.1 and 192.168.10.2.

What is causing me great confusion is that if on vyatta02 I login as root and execute a tcpdump -i eth1, instantly my pings from laptop01 and vyatta01 to both 192.168.10.1 and 192.168.10.2 start getting responses. As soon as I ctrl-c the tcpdump on vyatta02, the ping responses stop again.

If I reconfigure the VRRP priority of vyatta02 to be lower than vyatta01, they change over to vyatta01 being the master, and vyatta02 as the backup. At this time from laptop01 I am able to ping 192.168.10.1, 192.168.10.2 and 192.168.10.3. In a tcpdump on laptop01 I see the VRRP advertisements coming from 192.168.10.3 as expected. The arp table on laptop01 now looks like this:

    # arp -n
    Address        HWtype  HWaddress          Flags Mask  Iface
    192.168.10.3   ether   00:00:5E:00:01:0A  C           eth0
    192.168.10.1   ether   00:00:5E:00:01:0A  C           eth0
    192.168.10.2   ether   00:14:6C:70:50:6B  C           eth0

All systems can ping each other's 192.168.10.x IPs at this time.

In summary, I don't understand why, when vyatta02 is master in the VRRP group, both its IP 192.168.10.2 and the VIP 192.168.10.1 it is holding become unresponsive to pings. Then when a tcpdump -i eth1 is run on vyatta02 both of the previously unresponsive IPs start responding to pings, and when the tcpdump is killed, the ping responses stop again.

In a tcpdump from laptop01 while pinging 192.168.10.1, while vyatta02 is master and a tcpdump is not running, I can see the arp request and reply, then icmp echo requests being sent, but no responses.

    15:24:38.645141 arp who-has 192.168.10.1 tell 192.168.10.11
    15:24:38.645304 arp reply 192.168.10.1 is-at 00:00:5e:00:01:0a
    15:24:38.645327 IP 192.168.10.11 > 192.168.10.1: ICMP echo request, id 43386, seq 1, length 64
    15:24:39.644156 IP 192.168.10.11 > 192.168.10.1: ICMP echo request, id 43386, seq 2, length 64
    15:24:40.644125 IP 192.168.10.11 > 192.168.10.1: ICMP echo request, id 43386, seq 3, length 64
    15:24:41.644104 IP 192.168.10.11 > 192.168.10.1: ICMP echo request, id 43386, seq 4, length 64
    15:24:42.644064 IP 192.168.10.11 > 192.168.10.1: ICMP echo request, id 43386, seq 5, length 64
    15:24:43.644038 IP 192.168.10.11 > 192.168.10.1: ICMP echo request, id 43386, seq 6, length 64

Then if I start the tcpdump -i eth1 on vyatta02 and start pinging 192.168.10.1 from laptop01, it gets responses to the icmp echo requests.

    15:27:06.332838 arp who-has 192.168.10.1 tell 192.168.10.11
    15:27:06.332983 arp reply 192.168.10.1 is-at 00:00:5e:00:01:0a