kronenpj/e90258f12f7a40c4f38a23b609b3288b
```php
#!/usr/local/bin/php
<?php
require_once("config.inc");
require_once("system.inc");
require_once("interfaces.inc");
require_once("util.inc");

// OPNsense runs rc.syshook.d/carp scripts as: <script> <vhid@interface> <MASTER|BACKUP>
$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

// Add more interfaces that need to be disabled/enabled after a CARP event.
//$iface_aliases = array('wan', 'opt2');
//$iface_names = array('wan' => 'igc0', 'opt2' => 'gif0');
// 'wan' is listed twice on purpose: the WAN has to be brought up twice before it
// reliably obtains a DHCP lease (see the update notes in the comments below).
$iface_aliases = array('wan', 'wan');
$iface_names = array('wan' => 'igc0');
$dhcp_ifaces = array('lan', 'opt3', 'opt1');

if ($type != 'MASTER' && $type != 'BACKUP') {
    log_error("Carp '$type' event unknown from source '{$subsystem}'");
    exit(1);
}
if (!strstr($subsystem, '@')) {
    log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
    exit(1);
}

if ($type === "MASTER") {
    // Only act when the WAN is currently disabled; further MASTER events are duplicates.
    if ($config['interfaces']['wan']['enable'] == 0) {
        foreach ($iface_aliases as $ifkey) {
            // $iface_name = $iface_names[$ifkey];
            log_error("enable interface '$ifkey' due CARP event '$type'");
            $config['interfaces'][$ifkey]['enable'] = '1';
            interfaces_bring_up($ifkey);
            interface_configure(false, $ifkey, true, true);
            write_config("enable interface '$ifkey' due CARP event '$type'", false);
            // usleep(200 * 1000);
            //foreach ($dhcp_ifaces as $dhkey) {
            //    $config['dhcpd'][$dhkey]['enable'] = true;
            //}
        }
    } else {
        log_msg("Carp '$type' duplicate event triggered.");
    }
} else {
    // Only act when the WAN is currently enabled; further BACKUP events are duplicates.
    if ($config['interfaces']['wan']['enable'] == 1) {
        foreach ($iface_aliases as $ifkey) {
            // ifconfig needs the physical device name (e.g. igc0), not the OPNsense alias.
            $iface_name = $iface_names[$ifkey] ?? $ifkey;
            log_error("disable interface '$ifkey' due CARP event '$type'");
            //foreach ($dhcp_ifaces as $dhkey) {
            //    $config['dhcpd'][$dhkey]['enable'] = false;
            //}
            interface_reset($ifkey);
            unset($config['interfaces'][$ifkey]['enable']);
            interface_configure(false, $ifkey, true, false);
            // Force the device down so the public address is not left configured on the backup.
            exec('/sbin/ifconfig ' . escapeshellarg($iface_name) . ' down 2>&1', $ifc, $ret);
            write_config("disable interface '$ifkey' due CARP event '$type'", false);
        }
    } else {
        log_msg("Carp '$type' duplicate event triggered.");
    }
}
?>
```
@FA9US
Try using `sudo` before the `nano` or `vi` command:

```
sudo vi /usr/local/etc/rc.syshook.d/carp/10-wancarp
sudo nano /usr/local/etc/rc.syshook.d/carp/10-wancarp
```

The file should be owned by root, so your normal user account won't be able to change it.
@kronenpj
After a CARP event on 23.7, the script is successfully running and disabling the WAN interface.
However, the PPPoE link remains connected with the public IP address in an unmanageable state.
Please could I request assistance to modify the script to disconnect PPPoE connections on the backup and reconnect on master.
Thank you in advance, much appreciated.
You should be able to add 'pppoe0' to the list on line 23, possibly replacing 'opt2'.
@kronenpj Thank you for the feedback.
After replacing 'opt2' with 'pppoe0' the PPPoE connection remained connected and administratively down.
Are you able to advise what commands would be required to 'connect' and 'disconnect' a PPPoE connection rather than disable the WAN interface? Thanks in advance.
Unfortunately no. I'm not entirely sure I have it working on my firewalls either. The available methods and existing actions aren't documented so I'm really just trying different things and seeing if something works. So far I haven't found any combination that satisfactorily solves this situation.
@kronenpj After removing 'true' from line 36 the script now disconnects the PPPoE connection prior to disabling the WAN interface on 23.7.1_3:

```php
interface_bring_down($ifkey);
```
Thanks again for all your feedback.
Very interesting. I'm glad you got it to work! I need to get back to looking at mine.
Another variant can be found here: https://gist.github.com/tlyakhov/15172db645d01dc67a0b585096f28ab3
I've updated the script with @Blip9575's suggested change. It's working as I need it to on recent versions of Opnsense.
Heya, thanks for this script! It helped me get started on managing my multiple WANs via CARP.
I did run into an issue though, and that is that I have multiple CARP subsystems (one per LAN) and sometimes CARP on one LAN would transition from MASTER to BACKUP or vice versa which would initiate toggling the WAN interfaces. I've spent about the last four hours sorting that out in my own version such that toggling the WAN interfaces only happens once all CARP subsystems are MASTER or BACKUP (or if CARP is disabled/enabled). I also throw some more logging in it so that it makes a little more sense what's happening when it does.
Hope this helps someone!
https://gist.github.com/willjasen/6ae0f47bca36ced2bd52b2fefc2bc21e
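An added example (my code, not part of kronenpj's gist, willjasen's variant or OPNsense's own API) of the aggregation described above: parse the `carp:` lines that FreeBSD's `ifconfig` prints and only report MASTER or BACKUP once every VHID agrees, so a single LAN VHID flipping does not toggle the WANs. The sample output and both function names are constructed for the example.

```php
<?php
// Added example: before a hook toggles WAN interfaces, check that every CARP VHID on
// the firewall agrees on MASTER/BACKUP. A hook would feed this the lines collected by
// exec('/sbin/ifconfig', $lines) (assumption: the hook runs ifconfig itself).
// FreeBSD ifconfig prints one line per VHID, indented, e.g.
//   carp: MASTER vhid 1 advbase 1 advskew 0

// Parse ifconfig output into vhid => state (MASTER, BACKUP or INIT).
function carp_states_from_ifconfig(string $output): array
{
    $states = array();
    if (preg_match_all('/^\s+carp:\s+(\S+)\s+vhid\s+(\d+)/m', $output, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            $states[(int)$match[2]] = $match[1];
        }
    }
    return $states;
}

// Return 'MASTER' or 'BACKUP' when every VHID agrees, otherwise null (split state,
// INIT, or no CARP configured at all): the hook should then leave the WANs alone.
function carp_consensus(array $states): ?string
{
    $distinct = array_unique(array_values($states));
    if (count($distinct) !== 1) {
        return null;
    }
    $state = reset($distinct);
    return in_array($state, array('MASTER', 'BACKUP'), true) ? $state : null;
}

// Constructed sample output: two LAN VHIDs, the second has not transitioned yet.
$sample = <<<'TXT'
igc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
    carp: MASTER vhid 1 advbase 1 advskew 0
igc2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: BACKUP vhid 2 advbase 1 advskew 100
TXT;

$states = carp_states_from_ifconfig($sample);
// Split state: vhid 1 is MASTER while vhid 2 is still BACKUP, so no toggle yet.
var_dump(carp_consensus($states));
// Once vhid 2 has transitioned as well, consensus is reached and the WANs may be enabled.
$states[2] = 'MASTER';
var_dump(carp_consensus($states));
```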
Hi guys, I've posted a question at https://gist.github.com/spali/2da4f23e488219504b2ada12ac59a7dc?permalink_comment_id=5008023#gistcomment-5008023 - I've tried your script @kronenpj and also the other variant from @willjasen and the one you mentioned here
I've made another update to the script in an attempt to reduce the switch-over / recovery time. On my setup the unbound daemon took upwards of 30 minutes to begin serving DNS. The current version of this script reduces that to under 5 minutes. The "cause" was the daemon being restarted each time a WAN interface was changed, which was approximately 14 times in my case.
This change reduces that to two, partially by removing opt2 from the list of interfaces to bring down and partially by only running the configuration change twice.
Unfortunately this has identified two problems, which may be bugs:
- I need to bring the WAN interface up twice either because it doesn't properly request a DHCP address or it takes "too long" to get one from my ISP.
- ~~Failing over from primary->secondary takes longer than secondary->primary. I don't know the cause of the asymmetry, but I'm going to bring it up in the forums and possibly file a bug. Presumably the fail-back does the same work but it takes ~1 second to transition back to the primary firewall.~~ Update - This was possibly due to a 'bad' secondary VM image. I've cloned the primary to the secondary and it appears that the failover is symmetric now.
@kronenpj
I ran this but is there any way to modify the files? I can't nano or vi into the script afterwards as I need to change interfaces

```sh
curl -sL -H "Cache-Control: no-cache" \
  https://gist.githubusercontent.com/kronenpj/e90258f12f7a40c4f38a23b609b3288b/raw/10-wancarp \
  --output /usr/local/etc/rc.syshook.d/carp/10-wancarp && \
  chmod +x /usr/local/etc/rc.syshook.d/carp/10-wancarp
```