Disable WAN Interface on CARP Backup

10-wancarp

#!/usr/local/bin/php
<?php

require_once("config.inc");
require_once("interfaces.inc");
require_once("util.inc");

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

if ($type != 'MASTER' && $type != 'BACKUP') {
    log_error("Carp '$type' event unknown from source '{$subsystem}'");
    exit(1);
}

if (!strstr($subsystem, '@')) {
    log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
    exit(1);
}

$ifkey = 'wan';

if ($type === "MASTER") {
    log_error("enable interface '$ifkey' due CARP event '$type'");
    $config['interfaces'][$ifkey]['enable'] = '1';
    write_config("enable interface '$ifkey' due CARP event '$type'", false);
    interface_configure(false, $ifkey, false, false);
} else {
    log_error("disable interface '$ifkey' due CARP event '$type'");
    unset($config['interfaces'][$ifkey]['enable']);
    write_config("disable interface '$ifkey' due CARP event '$type'", false);
    interface_configure(false, $ifkey, false, false);
}

thank you all for your efforts for getting a solution at this usecase. Someone created a Featurerequst at opnsense which i also commented: opnsense/core#7333

I'll still try to get this solution to work properly (even with the comment from @oasis9 and @stevencoutts) -. but i don't get a new ipv6 after these commands are fired:

$config['interfaces'][$ifkey]['enable'] = '1';
interfaces_bring_up($ifkey);
interface_configure(false, $ifkey, true, true);
write_config("enable interface '$ifkey' due CARP event '$type'", false);
usleep(200 * 1000);

if i manually do an configctl interface reconfigure wan on the console - i instantly get an ipv6/route. Exactly the same if i press the "Reload" Button in the commands from the UI (interfaces/overview).

it seems, that interface_configure is not "enough" for getting a working connection with ipv4 AND ipv6 AND a default route

here is a screenshot only from executing by the script:

and here a Screenshot after pressing reload:

i've tried the scripts from @kronenpj @tlyakhov and also from another thread this one

So, does someone have any hints for getting this done without an manual step or - in best case - only in php without console command?

So, does someone have any hints for getting this done without an manual step or - in best case - only in php without console command?

I haven't tested my script for IPv6 specifically yet but I believe it's working (I can verify later). My first WAN interface is public IP cable and that WAN interface between instances shares the same MAC address. My second WAN interface is Starlink and is CG-NAT'd so that interface between instances has a different MAC address between interfaces. In both instances, I usually see an IPv6 WAN address per interface.

This would be nice!

I only have 1 WAN Interface with CGNAT - so ipv6 is very important ;-)

Thanks @spali. Now in 2024, your script still works with single WAN IP on 24.1.7.

I got side tracked reading thru all the other scripts and posts abt changes in 24.1 breaking scripts etc and wasted a day going around in circles and finally decided to use yr script exactly as is and it works great.

I added a few more lines to stop most of the services when its on backup firewall. I also had problems in the beginning with ipv6 not working. I noticed that you need to let both machines run for a day or so to let it properly sync. Then bring the firewalls up/down to test and now even ipv6 works. So for anyone who's found this script, it still works.

This stopped working for me but now seems
To be working again :)

I added a few more lines to stop most of the services when its on backup firewall. I also had problems in the beginning with ipv6 not working. I noticed that you need to let both machines run for a day or so to let it properly sync. Then bring the firewalls up/down to test and now even ipv6 works. So for anyone who's found this script, it still works.

@klingon888 what did you exactly change?

Thanks @spali. Now in 2024, your script still works with single WAN IP on 24.1.7.

I got side tracked reading thru all the other scripts and posts abt changes in 24.1 breaking scripts etc and wasted a day going around in circles and finally decided to use yr script exactly as is and it works great.

I added a few more lines to stop most of the services when its on backup firewall. I also had problems in the beginning with ipv6 not working. I noticed that you need to let both machines run for a day or so to let it properly sync. Then bring the firewalls up/down to test and now even ipv6 works. So for anyone who's found this script, it still works.

Yep, the script as is still works fine for me. I've made no changes since upgrading to recent versions of opn and I'm 24.x

I am on OPNsense 24.1.8, the Spali script works properly for my single WAN connections. I also want to have the backup firewall to access internet, and thus I created a gateway in my backup firewall as per point 4 (optional) from Spali instructions. It works properly.

However, when the backup becomes master and then reverts to backup, both the WAN and WAN-on-LAN gateways are deleted. I suppose that only the WAN interface should be deleted. Not sure if the script is not meant to retain the backup WAN-on-LAN gateway, or if I am doing something wrong.

I am on OPNsense 24.1.8, the Spali script works properly for my single WAN connections. I also want to have the backup firewall to access internet, and thus I created a gateway in my backup firewall as per point 4 (optional) from Spali instructions. It works properly.

However, when the backup becomes master and then reverts to backup, both the WAN and WAN-on-LAN gateways are deleted. I suppose that only the WAN interface should be deleted. Not sure if the script is not meant to retain the backup WAN-on-LAN gateway, or if I am doing something wrong.

I am using the gw groups too. I don't have this issue with my 2nd's gws getting deleted when it fails back / forth.

Does your general or audit log show what's going on with it?

Apologies if understanding wrong, but if you want your backup's default route through the primary (or vice versa), I've added a GW indeed but you'll have to look at the priority e.g. when other GWs are down your LAN should prevail, but not prevail when their up.

Embarrassed to say, it now works properly, e.g. the WAN-on-LAN gateway gives access to internet when backup, it becomes secondary weh the firewall is master, and when the firewall goes back to become a backup only the WAN gateway is delete, the WAN-on-LAN gateway doesn't get deleted. Not sure why it wasn't working in the last couple of months after I installed it. Maybe the new 24.1.7 makes a difference...