os-freevrrpd

OPNsense plugin for VRRP (Virtual Router Redundancy Protocol) using the freevrrpd daemon.

Overview

This plugin integrates VRRP as a first-class VIP type in OPNsense, alongside the existing CARP, IP Alias, and Proxy ARP modes. VRRP VIPs are configured through the standard Virtual IPs interface and managed by the freevrrpd daemon.

Features

• VRRP VIP mode in Interfaces > Virtual IPs
• Automatic freevrrpd daemon management
• Netgraph-based virtual interfaces (ngeth)
• PF firewall anchor for VRRP traffic
• CARP/VRRP mutual exclusivity per interface

Requirements

• OPNsense 25.1 or later
• freevrrpd daemon (patched version with proper restart handling)

Building

Requires FreeBSD and the OPNsense plugins repository.

# Clone plugins repo and add this plugin
git clone https://github.com/opnsense/plugins.git
cd plugins/sysutils
git clone --recurse-submodules https://github.com/chall37/os-freevrrpd.git

# Build freevrrpd from submodule and package everything
cd os-freevrrpd
./build.sh

The freevrrpd daemon is built from the chall37/FreeVRRPd submodule, which includes fixes for proper daemon restart handling. This will be switched to upstream once the fixes are merged.

Installation

pkg add os-freevrrpd-<version>.pkg

The plugin:

1. Installs the embedded freevrrpd daemon
2. Patches OPNsense core files to add VRRP support
3. Registers service hooks and firewall anchor

All patches are reverted on uninstall.

Configuration

1. Navigate to Interfaces > Virtual IPs
2. Click Add
3. Select VRRP as the mode
4. Configure:
   • Interface: The interface for VRRP advertisements
   • Address: The virtual IP address
   • VRID: Virtual Router ID (1-255), must be unique per interface
   • Priority: Router priority (1-254), higher = more likely to be master
   • Password: Optional authentication (max 8 characters)

DHCP Considerations

DHCP servers do not automatically advertise the VRRP VIP as the gateway. You must manually configure DHCP options:

For dnsmasq

In Services > Dnsmasq DNS & DHCP > DHCP Options, add:

• Option 3 (router): Set to your VRRP VIP
• Option 6 (dns-server): Set to your VRRP VIP

Additionally, add listen-address=<VIP> to /usr/local/etc/dnsmasq.conf.d/ so DHCP responses come from the VIP.

For ISC DHCP (Kea)

In Services > DHCPv4 > [Interface], set:

• Gateway: Your VRRP VIP
• DNS servers: Your VRRP VIP

How It Works

1. VIP Model Extension: The plugin patches Vip.xml to add vrrp mode and VRRP-specific fields (vrid, priority, password, etc.)

2. Interface Whitelisting: Patches interfaces.inc so services recognize VRRP VIPs as valid interface addresses

3. Daemon Management: The freevrrpd.inc plugin hook manages the freevrrpd daemon lifecycle, starting/stopping based on VRRP VIP presence

4. Netgraph Interfaces: freevrrpd creates ngeth interfaces with virtual MAC addresses (00:00:5e:00:01:XX) for each VRID

5. Firewall Integration: A PF anchor allows traffic from VRRP-enabled subnets on ngeth interfaces, placed before antispoof rules

Files

build.sh                          # Build script
freevrrpd/                        # Daemon submodule (chall37 fork)
contrib/Makefile                  # Installs built daemon into package
+POST_INSTALL                     # Plugin post-install script
+PRE_DEINSTALL                    # Plugin pre-deinstall script
src/
  etc/inc/plugins.inc.d/
    freevrrpd.inc                 # Service hooks and VIP lifecycle
  opnsense/
    scripts/OPNsense/Freevrrpd/
      patch_core.php              # Core file patcher (install/uninstall)
    service/
      conf/actions.d/
        actions_freevrrpd.conf    # configd actions
      templates/OPNsense/Freevrrpd/
        freevrrpd.conf            # Daemon config template
        freevrrpd.pf.conf         # PF rules template

License

BSD 2-Clause License