Keepalived for more than 20 virtual addresses
- by cvaldemar
I have set up keepalived on two Debian machines for high availability, but I've run into the maximum number of virtual IPs I can assign to my vrrp_instance. How would I go about configuring and failing over 20+ virtual IPs?
This is the (very simple) setup:
LB01: 10.200.85.1
LB02: 10.200.85.2
Virtual IPs: 10.200.85.100 - 10.200.85.200
Each machine is also running Apache (later Nginx) binding on the virtual IPs for SSL client certificate termination and proxying to backend webservers. The reason I need so many VIPs is the inability to use VirtualHost on HTTPS.
This is my keepalived.conf:
# Health check: exit status of "killall -0 apache2" is 0 while apache2 is running
vrrp_script chk_apache2 {
        script "killall -0 apache2"
        interval 2
        weight 2
}
vrrp_instance VI_1 {
        interface eth0
        state MASTER
        virtual_router_id 51
        priority 101
        # All VIPs in this block are carried in every VRRP advertisement
        virtual_ipaddress {
            10.200.85.100
            # ... all the way to ...
            10.200.85.200
        }
}
An identical configuration is on the BACKUP machine, and it's working fine, but only up to the 20th IP.
I have found a HOWTO discussing this problem. Basically, they suggest having just one VIP and routing all traffic "via" this one IP, and "all will be well". Is this a good approach? I'm running pfSense firewalls in front of the machines.
Quote from the above link:
ip route add $VNET/N via $VIP
or
route add $VNET netmask w.x.y.z gw $VIP
Thanks in advance.
EDIT:
@David Schwartz said it would make sense to add a route, so I tried adding a static route to the pfSense firewall, but that didn't work as I expected it would.
pfSense route:
Interface:            LAN
Destination network:  10.200.85.200/32 (virtual IP)
Gateway:              10.200.85.100    (floating virtual IP)
Description:          Route to VIP .100
I also made sure I had packet forwarding enabled on my hosts:
$ cat /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.ip_nonlocal_bind=1
Am I doing this wrong? I also removed all VIPs from the keepalived.conf so it only fails over 10.200.85.100.
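Added example, not part of the question above and not taken from any answer to it: keepalived carries the addresses of a vrrp_instance inside each VRRP advertisement and caps that list at 20 per instance, which is the limit hit here. keepalived's own directive for this case is virtual_ipaddress_excluded: addresses in that block are still added to and removed from the interface on every MASTER/BACKUP transition, but they are not sent in advertisements, so the cap does not apply to them. The script below generates a keepalived.conf for the .100-.200 range from the question, keeping the first 20 addresses in virtual_ipaddress and the rest in virtual_ipaddress_excluded, and also wires the existing chk_apache2 check into the instance with track_script. Interface eth0, virtual_router_id 51 and priority 101 come from the question; the BACKUP priority of 100 and the 10.200.85 prefix argument are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): generate a keepalived.conf that
# splits a range of VIPs between the advertised block (virtual_ipaddress, at
# most 20 entries) and virtual_ipaddress_excluded (everything else).

# gen_keepalived_conf PREFIX FIRST LAST ROLE PRIORITY
#   PREFIX    first three octets of the VIP range, e.g. 10.200.85
#   FIRST     first host octet of the range, e.g. 100
#   LAST      last host octet of the range, e.g. 200
#   ROLE      MASTER or BACKUP
#   PRIORITY  VRRP priority; the higher value wins the election
gen_keepalived_conf() {
    prefix=$1; first=$2; last=$3; role=$4; prio=$5
    max_advertised=20                   # keepalived's per-advertisement VIP cap
    total=$((last - first + 1))
    if [ "$total" -le "$max_advertised" ]; then
        advertised=$total
    else
        advertised=$max_advertised
    fi
    # Fixed part: same health check, interface and router id as the question;
    # track_script is what actually ties chk_apache2 to this instance.
    cat <<EOF
vrrp_script chk_apache2 {
    script "killall -0 apache2"
    interval 2
    weight 2
}

vrrp_instance VI_1 {
    interface eth0
    state $role
    virtual_router_id 51
    priority $prio
    track_script {
        chk_apache2
    }
    virtual_ipaddress {
EOF
    # Advertised addresses: the first $advertised of the range.
    i=$first
    while [ "$i" -lt $((first + advertised)) ]; do
        printf '        %s.%s\n' "$prefix" "$i"
        i=$((i + 1))
    done
    printf '    }\n'
    # Remaining addresses are failed over too, but kept out of the adverts.
    if [ "$total" -gt "$advertised" ]; then
        printf '    virtual_ipaddress_excluded {\n'
        while [ "$i" -le "$last" ]; do
            printf '        %s.%s\n' "$prefix" "$i"
            i=$((i + 1))
        done
        printf '    }\n'
    fi
    printf '}\n'
}

# count_in_block BLOCKNAME  (config on stdin)
# Counts dotted-quad addresses inside the named block; used to check that
# the generated file distributes the VIPs as intended.
count_in_block() {
    awk -v blk="$1" '
        $1 == blk && $2 == "{" { inblk = 1; next }
        inblk && $1 == "}"     { inblk = 0 }
        inblk && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { n++ }
        END { print n + 0 }'
}

# MASTER side for the range in the question; run the same command with
# "BACKUP 100" on LB02 so both nodes carry an identical address list.
gen_keepalived_conf 10.200.85 100 200 MASTER 101
```

Redirect the output to /etc/keepalived/keepalived.conf on each node. Both nodes must have the same excluded list: the excluded addresses are never described in the adverts, so the BACKUP only knows which addresses to take over from its own configuration file.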