Hatifnatt, 2018-01-30 19:10:45
linux

How to set up non-standard Failover IP routing in Hetzner?

There is such a "setup" (clickable draw.io diagram):

  • Failover IP - an IP that can be switched to any of the servers; Hetzner routes traffic to the main IP of the chosen server, and the server itself must then route the traffic on to the VM. The servers themselves "don't know" whether the Failover IP is pointed at them or not. You can query the API to find out, but the API has a limit of 100 requests per hour, so you can't really poll it any faster.
  • 3 KVM hypervisors, 2 of which have VMs that use the Failover IP.
  • The Failover IP is connected on KVM Host 1.
  • Setting up vmbr2 on the host
    auto vmbr2
    iface vmbr2 inet manual
      bridge_ports none
      bridge_stp off
      bridge_fd 0

  • Configuring the interface and routes on the VM
    2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 86:47:47:fb:a7:ff brd ff:ff:ff:ff:ff:ff
        inet 46.4.100.100 peer 88.99.99.100/32 scope global ens18
           valid_lft forever preferred_lft forever
    
    # ip route show
    default via 172.21.3.1 dev ens19
    88.99.99.100 dev ens18 proto kernel scope link src 46.4.100.100
    
    # ip rule sh
    0:      from all lookup local
    32765:  from 46.4.100.100 lookup 10
    32766:  from all lookup main
    32767:  from all lookup default
    
    # ip route show table 10
    default via 88.99.99.100 dev ens18


The goal is to allow external clients and all VMs hosted on the hypervisors
to access resources located on the Failover IP.
The simplest option: for traffic to reach the VM, I add a route on each hypervisor.
ip route add 46.4.100.100/32 dev vmbr2
The problem with this implementation is that only external clients, and those VMs located on the same hypervisor as the "Failover IP VM", can reach the Failover IP; moreover, the traffic goes to the nearest "Failover IP VM": VM11 and VM12 go to VM10, VM21 and VM22 go to VM20, and VM30 and VM31 go nowhere, they get "Destination Host Unreachable" because the hypervisors simply send all traffic to vmbr2.
An alternative using policy-based routing, which gives a slightly better result:
ip route add 46.4.100.100/32 dev vmbr2 table 11
ip rule add to 46.4.100.100 table 11
ip rule add to 46.4.100.100 iif vmbr1 table main

# ip rule sh
0:      from all lookup local
32763:  from all to 46.4.100.100 iif vmbr1 lookup main
32764:  from all to 46.4.100.100 lookup 11
32765:  from all lookup main
32766:  from all lookup default

With this setting, traffic from the VM falls under the rule from all to 46.4.100.100 iif vmbr1 lookup main and goes to the main routing table, so it is sent to the default gateway, i.e. to the Hetzner equipment that routes traffic to the currently active Failover IP server, i.e. to KVM Host 1; on KVM Host 1 the traffic falls under the rule from all to 46.4.100.100 lookup 11 and goes to VM10 via vmbr2.
The problem is that this does not work for machines on KVM Host 1: the traffic flies off to Hetzner and that is where it all ends; apparently the gateway "sees" that after passing the routing table SRC = DST and does not send anything anywhere.
Is it possible to solve this problem in general by means of static routing, or is dynamic routing necessary?
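As an added illustration (not part of the question), a small Python model of how the kernel walks the hypervisor's ip rule list and routing tables quoted above: rules are tried in priority order, and the first table that yields a route wins. The hypervisor uplink name eth0 and the gateway placeholder are assumptions; the rule set itself is the one from the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    prefix: str            # "default" or "a.b.c.d/len"
    dev: str
    via: Optional[str] = None

@dataclass
class Rule:
    prio: int
    table: str
    to: Optional[str] = None    # destination selector, as in "to 46.4.100.100"
    iif: Optional[str] = None   # incoming-interface selector, as in "iif vmbr1"

def _net(prefix):
    return ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix, strict=False)

def lookup(table, dst):
    """Longest-prefix match within one routing table; None if the table has no route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in _net(r.prefix)]
    return max(matches, key=lambda r: _net(r.prefix).prefixlen, default=None)

def route(rules, tables, dst, iif):
    """Walk the rules in priority order; a rule whose table has no route falls through."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.to and ipaddress.ip_address(dst) not in _net(rule.to):
            continue
        if rule.iif and rule.iif != iif:
            continue
        hit = lookup(tables[rule.table], dst)
        if hit:
            return hit
    return None

# Hypervisor rule set and tables, constructed from the `ip rule sh` output in the question.
FAILOVER = "46.4.100.100"
TABLES = {
    "main": [Route("default", dev="eth0", via="<hetzner-gateway>")],  # assumed uplink/gateway
    "11":   [Route(FAILOVER + "/32", dev="vmbr2")],
}
RULES = [
    Rule(32763, "main", to=FAILOVER + "/32", iif="vmbr1"),
    Rule(32764, "11", to=FAILOVER + "/32"),
    Rule(32765, "main"),
]

def egress(dst, iif):
    """Outgoing device for a packet to dst that arrived on iif (None = unroutable)."""
    hit = route(RULES, TABLES, dst, iif)
    return hit.dev if hit else None
```

egress(FAILOVER, "vmbr1") returns "eth0" (VM traffic is handed to the gateway), while egress(FAILOVER, "eth0") returns "vmbr2" (traffic arriving from the uplink is delivered to the VM), which is exactly the split the rules above are meant to produce.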
