[Dnsmasq-discuss] HA Cluster - IPv6 router adv lifetime of 0

Jochen Demmer jochen at winteltosh.de
Mon Oct 4 11:04:09 UTC 2021


I'm sorry for being unclear.
There is a cluster of two firewalls (active passive).
The clients use the link local address as their default gateway. I want to initialize a manual switch:
The primary becomes secondary, the old secondary becomes primary.

As the router advertisements for the clients contain a default route I would like to make adjustments. The default route is being published by providing clients with the link-local address of the firewall (whichever is primary).
When there is such a controlled switch I would like to let the old primary send a router advertisement package to the clients with a lifetime of 0. This will signal the clients to not use this device any more.
Next the new primary (formerly secondary) will start to advertise itself as the new default router.

In this event I would like to have a trigger so that the designated primary sends such a 0 lifetime package. If I'm not mistaken such a feature is missing.

AFAIK this is how pfSense handles such setups. They do use CARP but at that point it doesn't differ from a VRRP scenario.


Am Samstag, Oktober 02, 2021 13:17 CEST, schrieb Geert Stappers via Dnsmasq-discuss <dnsmasq-discuss at lists.thekelleys.org.uk>:
 On Sat, Oct 02, 2021 at 10:28:16AM +0200, Jochen Demmer via Dnsmasq-discuss wrote:
> Hi,


> I've been trying to develop my own kind of firewall solution named
> nftwall which uses nftables as packet filter and is being managed
> centrally by Ansible - no webGUI.
> My first attempt was to use dnsmasq but then I found out of this
> obstacle. I've been thinking about switching to KEA + radvd but actually
> I would like to keep using dnsmasq.
> I manage my VRRP IPs with keepalived. There are small scripts
> for an event of a primary - secondary change. Especially in an
> event of controlled switch of primary - secondary I would like the
> primary dnsmasq to send a lifetime of 0 in the router advertisement
> package. That way the clients know that this router shall not be used
> any more.


> Please confirm my findings that this is currently not possible with
> dnsmasq.
> If so please accept my feature request to implement that.

Patches to this mailinglist do get noticed.

Geert Stappers
Silence is hard to parse

Dnsmasq-discuss mailing list
Dnsmasq-discuss at lists.thekelleys.org.uk

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20211004/adac0cf6/attachment-0001.htm>

More information about the Dnsmasq-discuss mailing list