single-wan OpnSense HA setup. Put this file into /usr/local/etc/rc.syshook.d/carp on both primary/backup firewalls

10-wancarp

#!/usr/local/bin/php
<?php

require_once("config.inc");
require_once("system.inc");
require_once("interfaces.inc");
require_once("util.inc");

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

if ($type != 'MASTER' && $type != 'BACKUP' && $type != 'INIT') 
	log_error("Carp '$type' event unknown from source '{$subsystem}'");
	exit(1);
}

if (!strstr($subsystem, '@')) {
	log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
	exit(1);
}

// Add more interfaces that need to be disabled/enabled after a CARP event.
$wan_interfaces = array('wan');

// interfaces object
$conf_ifs = $config['interfaces'];

foreach ($wan_interfaces as $if_name) {
if (!array_key_exists($if_name, $conf_ifs))
	continue;
    $os_if_name = $conf_ifs[$if_name]['if'];
    if ($type === "MASTER") {
        log_msg("enable interface '$if_name' due CARP event '$type'");
        $config['interfaces'][$if_name]['enable'] = '1';
        legacy_interface_flags($os_if_name , 'up');
	usleep(500 * 1000);
        interface_configure(false, $if_name, true, true);
        write_config("enable interface '$if_name' due CARP event '$type'", false);
        usleep(2000 * 1000);
	exec("/usr/local/sbin/pluginctl -s routing restart
    } else if ($type === 'BACKUP') {
        log_msg("disable interface '$if_name' due CARP event '$type'");
        interface_reset($if_name, true);
        unset($config['interfaces'][$if_name]['enable']);
        interface_configure(false, $if_name, false, false);
        write_config("disable interface '$if_name' due CARP event '$type'", false);
	legacy_interface_flags($os_if_name , 'down');
    }
}
?>

Copied from https://gist.github.com/spali/2da4f23e488219504b2ada12ac59a7dc?permalink_comment_id=4011961#gistcomment-4011961

Script that allows to have WAN DHCP with single IP address
(forced to use same MAC address on WAN interface) running CARP only on
LAN interface.

---

In theory, only one WAN will be active at once and independent of the node.
They should reuse the same DHCP lease from your ISP.
If a node is BACKUP, the optionally created gateway will kick in for the backup node to have internet connection via the MASTER.
This should also work with all WAN related services, due we completely disable the WAN connection and "restart" it in the case of MASTER.

---

1. to not mess with the current DHCP lease on WAN or have temporary the same MAC twice on the WAN, you should remove the cable on the WAN port during setup.

2. Setup CARP for LAN interface according to the doc's.

3. [optional] If one WAN DHCP lease should be shared between MASTER and BACKUP, set the MAC address of the WAN interface of MASTER and BACKUP to the same.

4. [optional] Create an additional WAN gateway:

   Field	Value
   Interface	LAN
   IP address	the LAN CARP VIP address
   Upstream Gateway	☑
   Priority	255 or something higher than the WAN default gateway.

   This allows the BACKUP firewall to have internet connection over the MASTER during the time the WAN interface is disabled.

5. Execute on the MASTER and on the BACKUP:

   curl -sL -H "Cache-Control: no-cache" \
     https://gist.githubusercontent.com/edward-scroop/c4c6c06360951a0ed514b35c1a7ac0ba/raw/10-wancarp \
     --output /usr/local/etc/rc.syshook.d/carp/10-wancarp && \
     chmod +x /usr/local/etc/rc.syshook.d/carp/10-wancarp
   

6. Put the MASTER once into "Persistent CARP Maintenance Mode" and then leave the "Maintenance Mode".
   This should disable the WAN interface no the BACKUP node.