I guess better late than never...
So we've got a failover IP, and a nice trick to be able to get the same WAN IP on both our routers. If you do stateless packet filtering, this is actually enough, and your redundant setup is already finished. However, if you do stateful packet filtering, the moment the failover IP moves to the backup router your existing connections will be dropped, because the backup router has no entries for them in its connection tracking table.
Fortunately this too can be solved, by syncing the connection tracking table between the routers with conntrackd. Since we're using an active-backup setup, we'll configure conntrackd the same way. The conntrackd configuration file looks like this:
Sync {
    Mode FTFW {
    }
    Multicast {
        IPv4_address 225.0.0.50
        Group 3780
        IPv4_interface 192.168.54.254
        Interface eth0.54
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
    Options {
        TCPWindowTracking Off
        ExpectationSync On
    }
}
General {
    Nice -20
    Scheduler {
        Type FIFO
        Priority 99
    }
    HashSize 32768
    HashLimit 32768
    LogFile off
    Syslog on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    NetlinkOverrunResync On
    NetlinkEventsReliable On
    Filter From Userspace {
        Protocol Accept {
            TCP
            SCTP
            DCCP
            UDP
            ICMP # This requires a Linux kernel >= 2.6.31
            IPv6-ICMP # This requires a Linux kernel >= 2.6.31
        }
        Address Ignore {
            IPv4_address 127.0.0.1
            IPv4_address 192.168.54.253
            IPv4_address 192.168.54.254
            IPv6_address ::1
        }
    }
}
Now merge the starting and stopping of services and interfaces from the primary-backup.sh script in part 2 into the primary-backup.sh script from the conntrack-tools documentation, and you should be good. Whenever a router switches from active to backup state, the script will instruct conntrackd to sync its connection tracking table with the other router, and the firewall will no longer drop your connections.
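As an added illustration of what that merged script looks like (example code, not the script from part 2 or the one shipped with conntrack-tools), here is a hypothetical primary-backup.sh: the conntrackd flag sequence is the one the conntrack-tools sample script uses, while SERVICES_HOOK is an assumed placeholder for the interface and service handling of part 2. DRY_RUN=1 prints the commands instead of running them, so a state transition can be reviewed before it is wired into the failover.

```shell
#!/bin/sh
# Hypothetical merged primary-backup.sh (added example, not the post's own
# script). conntrackd flags follow the conntrack-tools sample script;
# SERVICES_HOOK is an assumed placeholder for the part 2 interface/service handling.
CONNTRACKD_BIN="${CONNTRACKD_BIN:-/usr/sbin/conntrackd}"
CONNTRACKD_CONFIG="${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}"
SERVICES_HOOK="${SERVICES_HOOK:-/usr/local/sbin/failover-services.sh}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

conntrackd_cmd() {
    run "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" "$@" \
        || logger -t primary-backup "ERROR: conntrackd $* failed"
}

become_primary() {
    # Load the peer's replicated states into the kernel first, so that flows
    # are already ESTABLISHED when the failover IP arrives on this router.
    conntrackd_cmd -c   # commit the external cache into the kernel table
    conntrackd_cmd -f   # flush the internal and external caches
    conntrackd_cmd -R   # resync the internal cache from the kernel table
    conntrackd_cmd -B   # send a bulk update to the backup
    run "$SERVICES_HOOK" start   # take over the failover IP and services
}

become_backup() {
    run "$SERVICES_HOOK" stop    # release the failover IP and services
    conntrackd_cmd -t   # shorten kernel timers so stale entries expire quickly
    conntrackd_cmd -n   # request a full resync from the new primary
}

transition() {
    case "$1" in
        primary) become_primary ;;
        backup|fault) become_backup ;;
        *) echo "usage: $0 {primary|backup|fault}" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    transition "$1"
fi
```

Run it as `primary-backup.sh primary` or `primary-backup.sh backup` from whatever moves the failover IP; a fault state is treated like backup.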