I guess better late than never...

So we've got a failover IP, and a nice trick to be able to get the same WAN IP on both our routers. If you do stateless packet filtering, this is actually enough, and your redundant setup is already finished. However, if you do stateful packet filtering, the moment the failover IP moves to the backup router, your existing connections will be dropped, because the backup router has no entries for them in its connection tracking table.

Fortunately this too can be solved, by syncing the connection tracking table between the routers with conntrackd. Since we're using an active-backup setup, we'll configure conntrackd for active-backup as well. The conntrackd configuration file looks like this:

Sync {
    Mode FTFW {
    }

    Multicast {
        Group 3780
        Interface eth0.54
        # The multicast group address (IPv4_address) and the local address on
        # eth0.54 (IPv4_interface) are site-specific and not shown here.

        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280

        Checksum on
    }

    Options {
        TCPWindowTracking Off
        ExpectationSync On
    }
}

General {
    Nice -20

    Scheduler {
        Type FIFO
        Priority 99
    }

    HashSize 32768
    HashLimit 32768

    LogFile off
    Syslog on

    LockFile /var/lock/conntrack.lock

    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }

    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    NetlinkOverrunResync On
    NetlinkEventsReliable On

    Filter From Userspace {
        # Only the protocols listed here are replicated to the other router;
        # flows of any other protocol are not synced.
        Protocol Accept {
            ICMP # This requires a Linux kernel >= 2.6.31
            IPv6-ICMP # This requires a Linux kernel >= 2.6.31
        }

        Address Ignore {
            IPv6_address ::1
        }
    }
}

Now merge the starting and stopping of services and interfaces from the primary-backup.sh script in part 2 into the primary-backup.sh script from the conntrack-tools documentation, and you should be good. Whenever a router switches from active to backup state, the script will instruct conntrackd to sync its connection tracking table to the other router, and the firewall will no longer drop your connection.
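To make the merge concrete, here is a state-change handler written for this post in the style of the conntrack-tools primary-backup.sh (an added example, not that script and not the one from part 2). It assumes the failover daemon calls it with the new state, that conntrackd lives at /usr/sbin/conntrackd with its config in /etc/conntrackd/conntrackd.conf, and leaves placeholders where part 2's interface and service commands go.

```shell
#!/bin/sh
# Added example modelled on the conntrack-tools primary-backup.sh; paths are assumptions.
CONNTRACKD_BIN=${CONNTRACKD_BIN:-/usr/sbin/conntrackd}
CONNTRACKD_CONFIG=${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}

# Run conntrackd against our config with the given control flag.
ctd() { "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" "$@"; }

become_primary() {
    # Placeholder: part 2's interface/service start-up commands belong here.
    ctd -c   # commit the external cache (entries learnt from the peer) into the kernel table
    ctd -f   # flush the internal and external caches
    ctd -R   # resync the internal cache from the kernel table
    ctd -B   # send a bulk update so the backup starts from our full table
}

become_backup() {
    # Placeholder: part 2's interface/service shutdown commands belong here.
    ctd -t   # shorten kernel conntrack timers so zombie entries expire quickly
    ctd -n   # request a full resync from the new primary
}

become_fault() {
    ctd -t   # we are isolated: let stale entries time out
}

# Dispatch on the state name; returns 1 (and prints usage) on anything else.
handle_state() {
    case "$1" in
        primary) become_primary ;;
        backup)  become_backup ;;
        fault)   become_fault ;;
        *) echo "usage: $0 {primary|backup|fault}" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    handle_state "$1"
fi
```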