Skip to content

Instantly share code, notes, and snippets.

@spali
Last active May 10, 2026 13:38
Show Gist options
  • Select an option

  • Save spali/2da4f23e488219504b2ada12ac59a7dc to your computer and use it in GitHub Desktop.

Select an option

Save spali/2da4f23e488219504b2ada12ac59a7dc to your computer and use it in GitHub Desktop.
Disable WAN Interface on CARP Backup
#!/usr/local/bin/php
<?php
require_once("config.inc");
require_once("interfaces.inc");
require_once("util.inc");
$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';
if ($type != 'MASTER' && $type != 'BACKUP') {
log_error("Carp '$type' event unknown from source '{$subsystem}'");
exit(1);
}
if (!strstr($subsystem, '@')) {
log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
exit(1);
}
$ifkey = 'wan';
if ($type === "MASTER") {
log_error("enable interface '$ifkey' due CARP event '$type'");
$config['interfaces'][$ifkey]['enable'] = '1';
write_config("enable interface '$ifkey' due CARP event '$type'", false);
interface_configure(false, $ifkey, false, false);
} else {
log_error("disable interface '$ifkey' due CARP event '$type'");
unset($config['interfaces'][$ifkey]['enable']);
write_config("disable interface '$ifkey' due CARP event '$type'", false);
interface_configure(false, $ifkey, false, false);
}
@stevencoutts

Copy link
Copy Markdown

I stopped using scripts like this as I got the functionality working with opnsense itself. PPPoE to my ISP, dial up interfaces get torn down on CARP backup, I could never get this working which is why I started with this script, but I spent some time on it and have it working properly now.

@kronenpj

Copy link
Copy Markdown

@stevencoutts Do tell, how did you manage to configure this functionality directly within OpnSense?

@stevencoutts

Copy link
Copy Markdown

The main thing I was missing was CARP on the VLAN interface of my WAN port. I had tried CARP on the physical interface, but it had to be on the VLAN. It works as expected now.

@LorenKeagle

Copy link
Copy Markdown

That sounds like a solution that only works for PPPoE connections. I believe that the "Disconnect dialup interfaces" functionality has been in there for a while now. This script is trying to solve the failover situation for any interface connection, including things like fiber, cellular bridge, or cable modem connections.

@oLeDfrEeZe

oLeDfrEeZe commented Apr 11, 2026

Copy link
Copy Markdown

For anyone landing here later: I made a working fork for my setup, tested on OPNsense 26.1.7.

Warning: it is vibe-coded / AI-assisted, so please review it carefully before using it in production.

You must adapt the CARP trigger subsystem, interface key, and gateway name placeholders to your own setup.

In my environment, it correctly keeps the DHCP WAN inactive on BACKUP and active on MASTER.

Fork: Link

@snorre-k

Copy link
Copy Markdown

I am new to OPNsense and had the same problem with WAN DHCP and CARP events.
As all the vibe coded scripts did not work (also had function calls which never were implemented in OPNsense), I took an advanced version of the original script (https://blog.vezpi.com/en/post/migration-opnsense-proxmox-highly-available/) and extended it a little bit in the BACKUP section:

  • added interface_reset($ifkey); to get the WAN interface into the previously configured status
  • added system_routing_configure(); to let the (maybe) configured backup gateway be set
#!/usr/local/bin/php
<?php
/**
 * OPNsense CARP event script
 * - Enables/disables the WAN interface only when needed
 * - Avoids reapplying config when CARP triggers multiple times
 */

require_once("config.inc");
require_once("interfaces.inc");
require_once("util.inc");
require_once("system.inc");

// Read CARP event arguments
$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

// Accept only MASTER/BACKUP events
if (!in_array($type, ['MASTER', 'BACKUP'])) {
    // Ignore CARP INIT, DEMOTED, etc.
    exit(0);
}

// Validate subsystem name format, expected pattern: <ifname>@<vhid>
if (!preg_match('/^[a-z0-9_]+@\S+$/i', $subsystem)) {
    log_error("Malformed subsystem argument: '{$subsystem}'.");
    exit(0);
}

// Interface key to manage
$ifkey = 'wan';

// Determine whether WAN interface is currently enabled
$ifkey_enabled = !empty($config['interfaces'][$ifkey]['enable']) ? true : false;

// MASTER event
if ($type === "MASTER") {
    // Enable WAN only if it's currently disabled
    if (!$ifkey_enabled) {
        log_msg("CARP event: switching to '$type', enabling interface '$ifkey'.", LOG_WARNING);
        $config['interfaces'][$ifkey]['enable'] = '1';
        write_config("enable interface '$ifkey' due CARP event '$type'", false);
        interface_configure(false, $ifkey, false, false);
    } else {
        log_msg("CARP event: already '$type' for interface '$ifkey', nothing to do.");
    }

// BACKUP event
} else {
    // Disable WAN only if it's currently enabled
    if ($ifkey_enabled) {
        log_msg("CARP event: switching to '$type', disabling interface '$ifkey'.", LOG_WARNING);
        unset($config['interfaces'][$ifkey]['enable']);
        write_config("disable interface '$ifkey' due CARP event '$type'", false);
        interface_configure(false, $ifkey, false, false);
        interface_reset($ifkey);
        system_routing_configure();
    } else {
        log_msg("CARP event: already '$type' for interface '$ifkey', nothing to do.");
    }
}

`

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment