conntrackd – conntrackd is the user-space daemon for the netfilter connection tracking system. This daemon synchronizes connection tracking states between several replica firewalls. Thus, conntrackd can be used to deploy highly available stateful firewalls.
The config file is /etc/conntrackd/conntrackd.conf.
I'm going to use FTFW mode (reliable replication, where the receiver acknowledges each state update) for syncing between the two routers.
Add this configuration at the end of the config file on router1 and router2.
Sync {
    Mode FTFW {
    }
    UDP {
        IPv4_address 10.100.200.1
        IPv4_Destination_Address 10.100.200.2
        Port 3780
        Interface eno3
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
}
On the second node (router2) IPv4_address and IPv4_Destination_Address should be swapped:
IPv4_address 10.100.200.2 and IPv4_Destination_Address 10.100.200.1
Keep the sync interface (eno3 here) on a dedicated, isolated link between the two routers: the UDP transport carries unauthenticated, unencrypted state updates, so anything that can reach port 3780 on that interface could read or inject connection state. "Checksum on" only catches corruption, not tampering.
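The classic mistake with this setup is copying router1's file to router2 without swapping the two addresses, after which each node quietly talks to itself. The check below is an added example written for this page, not code from the original post or from the conntrackd project: it parses the UDP block of two conntrackd.conf files and verifies that they mirror each other. It assumes the file layout shown above (one "Key value" directive per line inside Sync { UDP { ... } }); the function names, the sample files and the temp directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check that two
# conntrackd.conf files form a mirrored FTFW/UDP sync pair before deploying them.
# Assumes directives are written "Key value", one per line, inside Sync { UDP { ... } }.

# udp_directive <conf-file> <Directive>: print the directive's value from the UDP block.
# Only the UDP block is inspected, so a Multicast block with the same keys is ignored.
udp_directive() {
    awk -v key="$2" '
        /^[[:space:]]*UDP[[:space:]]*[{]/ { in_udp = 1; next }
        in_udp && /^[[:space:]]*[}]/     { in_udp = 0 }
        in_udp && $1 == key              { print $2; exit }
    ' "$1"
}

# check_sync_pair <router1.conf> <router2.conf>
# Returns 0 when router1's IPv4_Destination_Address equals router2's IPv4_address
# and vice versa, the two IPv4_address values differ, and Port and Checksum match.
# Otherwise prints the first problem found and returns 1.
check_sync_pair() {
    a_src=$(udp_directive "$1" IPv4_address)
    a_dst=$(udp_directive "$1" IPv4_Destination_Address)
    b_src=$(udp_directive "$2" IPv4_address)
    b_dst=$(udp_directive "$2" IPv4_Destination_Address)
    [ -n "$a_src" ] && [ -n "$a_dst" ] && [ -n "$b_src" ] && [ -n "$b_dst" ] \
        || { echo "UDP address directives missing in $1 or $2"; return 1; }
    [ "$a_src" != "$b_src" ] \
        || { echo "both nodes use IPv4_address $a_src (config copied without swapping?)"; return 1; }
    [ "$a_dst" = "$b_src" ] \
        || { echo "$1 sends to $a_dst but $2 listens on $b_src"; return 1; }
    [ "$b_dst" = "$a_src" ] \
        || { echo "$2 sends to $b_dst but $1 listens on $a_src"; return 1; }
    [ "$(udp_directive "$1" Port)" = "$(udp_directive "$2" Port)" ] \
        || { echo "UDP Port differs between $1 and $2"; return 1; }
    [ "$(udp_directive "$1" Checksum)" = "$(udp_directive "$2" Checksum)" ] \
        || { echo "Checksum setting differs between $1 and $2"; return 1; }
    echo "OK: $1 <-> $2 form a consistent sync pair"
    return 0
}

# --- constructed sample configs: the page's router1 block and its router2 mirror ---
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/router1.conf" <<'EOF'
Sync {
    Mode FTFW {
    }
    UDP {
        IPv4_address 10.100.200.1
        IPv4_Destination_Address 10.100.200.2
        Port 3780
        Interface eno3
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
}
EOF
cat > "$DEMO_DIR/router2.conf" <<'EOF'
Sync {
    Mode FTFW {
    }
    UDP {
        IPv4_address 10.100.200.2
        IPv4_Destination_Address 10.100.200.1
        Port 3780
        Interface eno3
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
}
EOF
# The common mistake: router1.conf copied to router2 unchanged.
cp "$DEMO_DIR/router1.conf" "$DEMO_DIR/router2-bad.conf"

check_sync_pair "$DEMO_DIR/router1.conf" "$DEMO_DIR/router2.conf" || echo "unexpected: good pair rejected"
check_sync_pair "$DEMO_DIR/router1.conf" "$DEMO_DIR/router2-bad.conf" || echo "router2-bad.conf rejected, as expected"
```

In practice you would run check_sync_pair against the real /etc/conntrackd/conntrackd.conf from each node (copied over the management network) before starting conntrackd on either side. The check only looks at the UDP block; a Multicast-based setup would need the same idea applied to the Multicast block, where the group address must be identical on both nodes rather than mirrored.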
3. Tuning some stuff
A simple script can be used to start or stop anything that should only run on the active node when router1 and router2 switch roles. It is called from primary-backup.sh (see below) with the new role as its first argument.
Example script (/etc/keepalived/script.sh):
#!/bin/bash
# /etc/keepalived/script.sh - invoked from primary-backup.sh with "primary" or "backup"
case "$1" in
primary)
    sleep 5 # give time to keepalived to wake up
    ip addr add 10.12.13.11/24 dev eno4
    systemctl start openvpn
    systemctl start bgp
    # ... anything else that should only run on the active node
    ;;
backup)
    ip addr del 10.12.13.11/24 dev eno4
    systemctl stop openvpn
    systemctl stop bgp
    ;;
esac
Edit primary-backup.sh (the keepalived notify script that ships with conntrackd) and add the following line under "send a bulk update to backups", i.e. right after the fi that closes the conntrackd -B check in the primary) branch:

        logger "ERROR: failed to invoke conntrackd -B"
    fi
    /etc/keepalived/script.sh primary    # <- added line
    ;;
  backup)

And the same in the backup) branch, after the conntrackd -n check:

        logger "ERROR: failed to invoke conntrackd -n"
    fi
    /etc/keepalived/script.sh backup     # <- added line
    ;;
  fault)

Make sure /etc/keepalived/script.sh is executable (chmod +x). The fault) branch that follows is what keepalived runs when the VRRP instance loses its link; if you want the address and the services torn down in that case too, call script.sh backup there as well.