When a physical interface or virtual interface has a VRRP interface defined, all incoming traffic arrives through the VRRP interface. Zone-based firewalls drop all traffic in and out unless explicitly allowed. Therefore, if you are using VRRP interfaces with a zone-based firewall, you must make sure you include the VRRP interfaces in your zone.

To use VRRP interface in a zone you must attach the physical interface on which VRRP is enabled. The configuration is the same as zone configuration on a physical interface, the only difference is that VRRP is running on this interface.

In the example in Applying the rule sets to the zones, the private zone is defined to include the dp0p1p1 and dp0p1p2 interfaces. The following example shows how to add VRRP interfaces for both dp0p1p1 and dp0p1p2. In this example:

• Interface dp0p1p1 is a member of VRRP group 99.
• Interface dp0p1p2 is a member of VRRP group 101.

When you add configuration to a VRRP interface, you do not specify the interface identifier. The system internally constructs the identifier from the name of the parent interface together with the VRRP group ID.

vyatta@R1# set security zone-policy zone private interface dp0p1p1

vyatta@R1# set security zone-policy zone private interface dp0p1p2

vyatta@R1# commit

vyatta@R1# show zone-policy zone private description "PRIVATE ZONE"

zone dmz {
    firewall {
        to_private
    }
}
    firewall {
        to_private
    }
}
    firewall {
        from_vyatta
    }
}
interface dp0p1p1
interface dp0p1p1v99
interface dp0p1p2
interface dp0p1p2v101