Last active: August 10, 2025 15:11
Disable WAN Interface on CARP Backup
```php
#!/usr/local/bin/php
<?php
// OPNsense CARP syshook: enable the WAN interface when this node becomes
// CARP MASTER and disable it when it becomes BACKUP.
// The hook is invoked with two arguments: the CARP source ("<vhid>@<interface>")
// and the new state ("MASTER" or "BACKUP").
require_once("config.inc");
require_once("interfaces.inc");
require_once("util.inc");

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

// Accept only the two CARP states this script knows how to handle.
if ($type != 'MASTER' && $type != 'BACKUP') {
    log_error("Carp '$type' event unknown from source '{$subsystem}'");
    exit(1);
}

// The CARP source is expected in the form "<vhid>@<interface>".
if (!strstr($subsystem, '@')) {
    log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
    exit(1);
}

// Config key of the interface to toggle.
$ifkey = 'wan';

if ($type === "MASTER") {
    log_error("enable interface '$ifkey' due CARP event '$type'");
    $config['interfaces'][$ifkey]['enable'] = '1';
    write_config("enable interface '$ifkey' due CARP event '$type'", false);
    interface_configure(false, $ifkey, false, false);
} else {
    log_error("disable interface '$ifkey' due CARP event '$type'");
    unset($config['interfaces'][$ifkey]['enable']);
    write_config("disable interface '$ifkey' due CARP event '$type'", false);
    interface_configure(false, $ifkey, false, false);
}
```
Anyone running this on 25.7 yet?
I have not been able to get this working on anything newer than 25.1.12, the syshook script seems to be getting called with the BACKUP parameter and it’s bringing the WAN interface down even when the carp state is master. Can anyone else duplicate this?
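The gist's script trusts the state argument it is handed and acts on it immediately. Whatever the reason a hook fires with BACKUP, a defensive variant cross-checks the event against the interface's live CARP state and refuses to touch the WAN when the two disagree. The shell below is an added example, not code from the gist or from OPNsense; it assumes FreeBSD-style `ifconfig` output (the `carp: MASTER vhid 1 ...` lines), and the sample output, the interface names and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the gist): cross-check a CARP syshook event against the
# interface's live CARP state before touching the WAN. Assumes FreeBSD-style
# `ifconfig` output, as on OPNsense; the sample below is constructed, not captured.

SAMPLE_IFCONFIG='vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
vtnet1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 198.51.100.2 netmask 0xffffff00 broadcast 198.51.100.255
        carp: BACKUP vhid 2 advbase 1 advskew 100'

# vhid_from_subsystem "1@vtnet0" -> "1"  (the hook's first argument is "<vhid>@<interface>")
# Prints an empty string when the argument lacks the "@" separator.
vhid_from_subsystem() {
  case $1 in
    *@*) printf '%s\n' "${1%%@*}" ;;
    *)   printf '%s\n' "" ;;
  esac
}

# carp_state <vhid> <ifconfig output> -> MASTER, BACKUP, INIT, or UNKNOWN when the vhid is absent
carp_state() {
  state=$(printf '%s\n' "$2" | awk -v v="$1" '$1 == "carp:" && $3 == "vhid" && $4 == v { print $2; exit }')
  printf '%s\n' "${state:-UNKNOWN}"
}

# decide_wan_action <event type> <subsystem> <ifconfig output> -> enable | disable | noop
# The WAN is only changed when the event and the live state agree; anything else is
# logged to stderr and ignored instead of acted upon.
decide_wan_action() {
  event=$1
  vhid=$(vhid_from_subsystem "$2")
  if [ -z "$vhid" ]; then
    echo "carp event '$event' from malformed source '$2'; ignoring" >&2
    printf 'noop\n'; return 0
  fi
  live=$(carp_state "$vhid" "$3")
  if [ "$event" != "$live" ]; then
    echo "carp event '$event' disagrees with live state '$live' for vhid $vhid; ignoring" >&2
    printf 'noop\n'; return 0
  fi
  case $event in
    MASTER) printf 'enable\n' ;;
    BACKUP) printf 'disable\n' ;;
    *)      printf 'noop\n' ;;
  esac
}

# Stand-alone demo; in a real hook you would pass "$1" "$2" "$(ifconfig)" instead.
decide_wan_action BACKUP 1@vtnet0 "$SAMPLE_IFCONFIG"   # noop: vhid 1 is actually MASTER
decide_wan_action MASTER 1@vtnet0 "$SAMPLE_IFCONFIG"   # enable
decide_wan_action BACKUP 2@vtnet1 "$SAMPLE_IFCONFIG"   # disable
```

The decision is deliberately a string rather than a side effect so the same function can be exercised offline with canned `ifconfig` text; inside a hook, the `enable`/`disable` result would be what drives the `write_config` and `interface_configure` calls the gist performs, and `noop` leaves the WAN untouched.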
Yes, and sorry I dropped the additional interfaces. I figured if that is something you need it can be built into CARP and firewall rules to exclude the physical addresses but allow the VIP, just like what we need to do with DHCP anyway; otherwise hosts will come with both routers. This allows even the dhcpd and unbound to stay up and be CARP aware.
This way only services that use broadcast (like, I think, udprepeater) and some others that might not work the best in CARP failover still need to be managed. As long as it's a port-based service you can do the CARP blocks like this and make the service CARP aware. In fact you might want to block all ports on the physical addresses besides SSH and HTTPS, as long as you allow router phy to router phy before the block.
I am pretty restrictive and I log blocks on the ! (not) VIP requests and reconfigure those hosts to use, for example, NTP on the interface instead of trying to get out and skewing my times, or DNS. Then for select services I poke a hole before the general block rule.