Proposal to use keepalived and conntrackd with a dynamic DHCP WAN IP address

Forum members,

I am contemplating how it might be possible to have a scenario as follows hereupon to achieve the idea subject to this posting.

I am new to keepalived and conntrackd and never set them up, but am trying to understand if I might be able to use them within an OpenWRT environment to allow for high availability using a single DSL Modem in bridge mode that assigns a public facing IP address dynamically via DHCP.

Thus, I hypothesize the following idea:

The DSL Modem is placed into bridge mode where a DHCP request when received via the WAN port assigns a dynamic public IP address to the DHCP client (actually I believe my ISP lets me DHCP up to 3 or maybe 5 publicly facing IP addresses that are dynamic).

Switch 1 port 1 is tagged as VLAN 300 and has the DSL Modem WAN port plugged into it
Switch 1 port 2 is tagged as VLAN 300 and has the router 1 WAN port plugged into it
Switch 1 port 3 is tagged as VLAN 300 and has the router 2 WAN port plugged into it
Switch 1 port 4 is a trunk port that can carry VLAN 192 and VLAN 300 and has router 1 LAN port 1 plugged into it
Switch 1 port 5 is a trunk port that can carry VLAN 192 and VLAN 300 and has router 2 LAN port 1 plugged into it

Router 1 boots up as the Master in the keepalived scenario
Router 1 WAN port is tagged as VLAN 300 with MAC address 06:00:00:00:00:00 and receives a public IP address via DHCP from the DSL modem
Router 1 LAN port 1 is tagged as VLAN 192 and plugged into Switch Port 4
Router 1 LAN ports 2-4 are tagged as VLAN 192 with workstations plugged into them
Router 1 routes betwixt the VLAN 192 and VLAN 300

Router 2 boots up as the slave in the keepalived scenario
Router 2 WAN port is tagged as VLAN 301 with MAC address 06:00:00:00:00:00 but does NOT receive a public IP address via DHCP from the DSL modem as it is on VLAN 301
Router 2 LAN port 1 is tagged as VLAN 192 and plugged into Switch Port 5
Router 2 LAN ports 2-4 are tagged as VLAN 192 with workstations plugged into them
Router 2 routes betwixt the VLAN 192 and VLAN 300

If router 1 fails then the VLAN ID of Router 2's WAN port is changed from VLAN ID 301 to VLAN ID 300 and it sends a DHCP request and gets the same IP address as was already assigned to MAC address 06:00:00:00:00:00 the last time a DHCP request was made on VLAN 300 by router 1. Thereafter, when router 1 recovers as a slave in the keepalived scenario, his WAN port is assigned VLAN ID 301.

In the context of a configuration similar to one articulated by the link as follows hereupon, could this work?

This eliminates any possibility of two Ethernet ports ever having the same IP address within the same VLAN.

I welcome the thoughts and comments of forum members.


Router 1 Port1 and Router 2 Port1 might need to be trunk ports able to carry VLAN 192 and VLAN 300 traffic.
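One way the VLAN swap described in the post above could be driven, as an added example that is not from this thread or from the OpenWrt wiki: a keepalived `notify` script for OpenWrt that re-tags the WAN port when the VRRP state changes. It assumes OpenWrt 21.02 or newer (the `network.wan.device` UCI option), WAN base port `eth0`, VLAN 300 as the live VLAN, VLAN 301 as the parked VLAN, and a `DRY_RUN` switch that only prints the commands so the logic can be checked off-box.

```shell
#!/bin/sh
# keepalived notify script for the VLAN-swap failover idea in the first post.
# keepalived calls it as: <script> INSTANCE|GROUP <name> <MASTER|BACKUP|FAULT> <priority>
# Assumptions (not from the thread): OpenWrt 21.02+ (network.wan.device),
# WAN base port eth0, live VLAN 300, parked VLAN 301.
WAN_PORT="${WAN_PORT:-eth0}"
LIVE_VLAN="${LIVE_VLAN:-300}"
PARKED_VLAN="${PARKED_VLAN:-301}"
DRY_RUN="${DRY_RUN:-0}"

# Map a keepalived state to the VLAN sub-interface the "wan" logical interface should use.
wan_device_for_state() {
    case "$1" in
        MASTER) echo "${WAN_PORT}.${LIVE_VLAN}" ;;
        BACKUP|FAULT) echo "${WAN_PORT}.${PARKED_VLAN}" ;;
        *) return 1 ;;
    esac
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Re-tag the WAN port for the new role. Taking "wan" down first releases the
# DHCP lease cleanly; the MAC address does not change, so the modem's DHCP
# server can hand back the lease it already holds for it once the port is on
# the live VLAN. Only the MASTER ever sits on VLAN 300, so two ports never
# carry the same public IP on the same VLAN.
apply_wan_vlan() {
    dev=$(wan_device_for_state "$1") || { echo "unknown state: $1" >&2; return 1; }
    run ifdown wan
    run uci set network.wan.device="$dev"
    run uci commit network
    run ifup wan
    logger -t keepalived-notify "wan -> $dev ($1)" 2>/dev/null || true
}

# Only act when keepalived actually invoked us with a state argument.
if [ $# -ge 3 ]; then
    apply_wan_vlan "$3"
fi
```

Point keepalived at it with `notify /etc/keepalived/wan-vlan.sh` inside the `vrrp_instance` block (path is an assumption); the script must be executable.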

This is not really going to achieve anything with respect to high availability. That's because you still have two single-point-of-failure situations in front of everything else:

  1. Your DSL modem, a single hardware device. If the line or the modem itself experiences a problem, your entire network is offline.
  2. Router 1 is also a key link in the configuration. If router 1 goes down, so does all of your internal network connectivity, including the downstream routers because the data all needs to pass through the first router.

In order to create a proper high availability network, you need full redundancy:

  • 2x (or more) independent internet connections, ideally each using different technology and/or from different providers.
  • 2x (or more) modem devices (one per connection)
  • 2x (or more) routers to which these are connected so that no single router failure can bring down the network.
  • And then you add the software layers to handle coordination between the routers and the multiple WANs with failover.

The fact is that most consumer gear is pretty reliable when measured against the demands and expectations usually placed on that class of equipment, and it is more likely that you'll have an outage from your ISP and/or electrical power source. However, adding more equipment in a linear fashion only adds more chances of failure (statistically speaking).

The WAN port on a DSL modem is not an Ethernet port; you cannot connect it to a switch.

In a normal household and on a budget, it generally makes more sense to keep a fully configured cold spare (for every component: modem, router, switch) in storage. It doesn't necessarily need to be on par with your normal gear, so your old beater might still do, even if it does not reach the same speeds or advanced features. After all, it just needs to get you online to order the proper replacement and to do a good enough job while waiting for it to arrive, also appeasing the family.

Pro tip: label everything and make it easy and self-evident enough for even a family member to switch over the 3 cables (power, WAN, LAN) necessary.


Actually I have a Zyxel C3000Z, which does have an Ethernet WAN port (the DSL line plugs into the "DSL Port", which you are correct is surely not Ethernet). A link to a 2 page description of the DSL modem follows hereupon and page 2 depicts the ports on the back.

However, I did make a mistake as "Switch 1 port 1 is tagged as VLAN 300 and has the DSL Modem WAN port plugged into it" should read plugged into LAN port 1.

All that said, I plan to replace the C3000Z with a C4000BG I got recently and also place it into bridge mode. Oddly, I have heard rumors that the C4000BG uses a modified version of OpenWRT, I will enquire to see if that is true and try to get the source code.




I am not trying to write something that is intended to be argumentative, adversarial, or obnoxious, it is truly written due to the surprising response you penned in your reply epistle.

I have a home lab, I do not have multiple WAN connections at this time (though the idea of using my mobile phone as a backup WAN connection would be interesting to make inclusive to my final design), I am not trying to achieve that level of redundancy currently.

However, what is worthy of notation is that I presumed that the specific page in the OpenWRT documentation which speaks to "High Availability" stood for itself. By that I mean that it states in no uncertain terms, and I quote, (under "Preparation, assumptions, description of environment"): "You have 2 openwrt routers and a static WAN IP. (could also be a private IP+DMZ)." Considering the linguistic term "Grammatical number" speaks to the idea of singular vs plural, I had presumed that a basic reading of the document would show that "a static WAN IP" presupposed that the high-availability document is designed to address that specific case of a single WAN IP. This of course does not reduce the optimal nature of your recommendation, it just underscores that my intent is to use the design considered by the documentation.

I am presuming that you have never read that page of the documentation, because, even if you overlooked the meaning of that statement referenced herein above, the solution provided in the documentation certainly stands exclusive of using multiple WAN IP addresses anyway, nor does it speak to multiple routers. My goal is to use a single router (which can provide multiple public IP WAN IPs though).

I do want to point out that I absolutely agree with your technical assessment as being the best solution, just not the level of redundancy I am concerned about. The main problem I am trying to solve is when I am out of town and an AP dies (this has happened before; in one case the wall wart fell out of the wall, in another it stopped working entirely) and I wish another access point to take over as the router. Lastly, I will add that I do have a UPS on my DSL modem and I have two switches, not one (Cisco 3560G devices), with trunk ports on each switch linking them together.

The foregoing notwithstanding, given the level of detail you provided in your initial response I am interested in your thoughts concerning my original question (respecting VLANs) as I suspect you have some technical prowess to bring to bear that would be of interest to myself and any future readers of this thread.

I have several access points as I use them for 802.11 roaming to extend coverage around my property and figured why not also set up the APs for routing and set up redundant routing in case one goes offline. The backbone of my network is using MoCA 2.0 devices over CATV. The APs run in "dumb AP mode" right now and I was using pfSense for routing but am ready to use OpenWRT as it now has adblock, fail2ban, and other things that can replace the main feature (pfBlocker-NG) that impelled me to select pfSense originally. I have begun to see how pfSense feels about and treats the open source community and am also predisposed to moving away from it for those reasons too. Switching to OpenWRT for more than 802.11 capabilities will also allow me to extinguish my pi-hole instances as well since adblock on OpenWRT looks just as capable.

I also think there is an error in the documentation (I will try to contact the author), as in section 5 "Configure DHCP" it suggests that is the VIP address; however, it shows "" as the VIP address for DHCP option 3 and option 6. I imagine this discrepancy is a typographical error.

I look forward to your reply and those of others within the community.