Skip to content

Instantly share code, notes, and snippets.

@edward-scroop
Forked from tlyakhov/10-wancarp
Last active November 13, 2024 05:26
Show Gist options
  • Save edward-scroop/c4c6c06360951a0ed514b35c1a7ac0ba to your computer and use it in GitHub Desktop.
Save edward-scroop/c4c6c06360951a0ed514b35c1a7ac0ba to your computer and use it in GitHub Desktop.
single-wan OpnSense HA setup. Put this file into /usr/local/etc/rc.syshook.d/carp on both primary/backup firewalls
#!/usr/local/bin/php
<?php
require_once("config.inc");
require_once("system.inc");
require_once("interfaces.inc");
require_once("util.inc");
$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';
if ($type != 'MASTER' && $type != 'BACKUP' && $type != 'INIT')
log_error("Carp '$type' event unknown from source '{$subsystem}'");
exit(1);
}
if (!strstr($subsystem, '@')) {
log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
exit(1);
}
// Add more interfaces that need to be disabled/enabled after a CARP event.
$wan_interfaces = array('wan');
// interfaces object
$conf_ifs = $config['interfaces'];
foreach ($wan_interfaces as $if_name) {
if (!array_key_exists($if_name, $conf_ifs))
continue;
$os_if_name = $conf_ifs[$if_name]['if'];
if ($type === "MASTER") {
log_msg("enable interface '$if_name' due CARP event '$type'");
$config['interfaces'][$if_name]['enable'] = '1';
legacy_interface_flags($os_if_name , 'up');
usleep(500 * 1000);
interface_configure(false, $if_name, true, true);
write_config("enable interface '$if_name' due CARP event '$type'", false);
usleep(2000 * 1000);
exec("/usr/local/sbin/pluginctl -s routing restart
} else if ($type === 'BACKUP') {
log_msg("disable interface '$if_name' due CARP event '$type'");
interface_reset($if_name, true);
unset($config['interfaces'][$if_name]['enable']);
interface_configure(false, $if_name, false, false);
write_config("disable interface '$if_name' due CARP event '$type'", false);
legacy_interface_flags($os_if_name , 'down');
}
}
?>
@edward-scroop
Copy link
Author

edward-scroop commented May 28, 2024

Copied from https://gist.github.com/spali/2da4f23e488219504b2ada12ac59a7dc?permalink_comment_id=4011961#gistcomment-4011961

Script that allows to have WAN DHCP with single IP address
(forced to use same MAC address on WAN interface) running CARP only on
LAN interface.


In theory, only one WAN will be active at once and independent of the node.
They should reuse the same DHCP lease from your ISP.
If a node is BACKUP, the optionally created gateway will kick in for the backup node to have internet connection via the MASTER.
This should also work with all WAN related services, due we completely disable the WAN connection and "restart" it in the case of MASTER.


  1. to not mess with the current DHCP lease on WAN or have temporary the same MAC twice on the WAN, you should remove the cable on the WAN port during setup.

  2. Setup CARP for LAN interface according to the doc's.

  3. [optional] If one WAN DHCP lease should be shared between MASTER and BACKUP, set the MAC address of the WAN interface of MASTER and BACKUP to the same.

  4. [optional] Create an additional WAN gateway:

    Field Value
    Interface LAN
    IP address the LAN CARP VIP address
    Upstream Gateway
    Priority 255 or something higher than the WAN default gateway.

    This allows the BACKUP firewall to have internet connection over the MASTER during the time the WAN interface is disabled.

  5. Execute on the MASTER and on the BACKUP:

    curl -sL -H "Cache-Control: no-cache" \
      https://gist.githubusercontent.com/edward-scroop/c4c6c06360951a0ed514b35c1a7ac0ba/raw/10-wancarp \
      --output /usr/local/etc/rc.syshook.d/carp/10-wancarp && \
      chmod +x /usr/local/etc/rc.syshook.d/carp/10-wancarp
    
  6. Put the MASTER once into "Persistent CARP Maintenance Mode" and then leave the "Maintenance Mode".
    This should disable the WAN interface no the BACKUP node.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment