Netgate Discussion Forum

    Looking for someone to write a script

    Community Job Board
    • sef1414

      I’m looking for assistance getting an unsupported version of high availability running.

      I currently have pfSense HA / CARP working, on local interfaces only. This is because I have dynamic IPs and cannot get static ones. On the WAN side of things, I simply have WAN gateways disabled on my secondary interface. I’m not so much concerned about seamless failover as I am about avoiding long periods of downtime.

      Currently, if my primary pfSense box failed, I could enable WAN gateways on the secondary box, and should be back up in a matter of minutes. However, that only works if I’m sitting in front of the computer.
      I’d like to have this automated, so I’m looking for a script that will monitor HA / CARP status, enable WAN gateways when a box becomes master, and disable WAN gateways when a box becomes the secondary.
      I’m happy to pay for help with this. I’m thinking around $300; I imagine someone well versed with pfSense could accomplish this in short order. Would consider more if it's warranted.

      • Dobby_ @sef1414

        @sef1414 said in Looking for someone to write a script:

        I’m not so much concerned about seamless failover, as I am avoiding long periods of down time.

        High Availability
        High Availability Configuration Example

        It should be able to achieve that the second one is "jumping" in if the first one fails.

        #~. @Dobby

        Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
        PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
        PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

        • w0w @sef1414

          @sef1414
          What exactly is your WAN? Is it PPPoE?

          • sef1414 @w0w

            @w0w

            I have two DHCP WAN connections and one PPPoE.

            • w0w @sef1414

              @sef1414
              So it is multi-WAN? Each box has one DHCP WAN, and PPPoE is also configured on both? Why should the DHCP WAN be disabled when the box is not primary? Does this violate the provider's rules? Provide more information on what is wrong and what you want to do. I am already using one script that automatically puts PPPoE down or up, monitoring the status of the firewall, but every configuration is different and in your case it may not work the way you want.

              • sef1414 @w0w

                @w0w

                I have multi-WAN for load balancing / WAN failover scenarios (separate from high availability needs). I can't have the same active WAN on both the primary and secondary pfSense, as it will create issues (duplicate MACs, VPN problems, etc.).

                • w0w @sef1414

                  @sef1414
                  So only the DHCP WAN needs to be supported by the script?

                  • w0w

                    @sef1414

                    #!/bin/sh
                    #
                    # Watch the CARP state of the LAN VIP and keep the DHCP WAN interface
                    # up while this node is MASTER, down while it is BACKUP.
                    # Run an adjusted copy on every CARP node. Use at your own risk.
                    
                    LOCKFILE="/var/run/run.sh.lock"
                    
                    #############################################################################
                    # Interfaces configuration
                    # Put your LAN card ifconfig name here, e.g., "igc1"
                    
                    LAN="igc1"
                    
                    # Put your LAN CARP VIP VHID number, e.g., "vhid 5"
                    
                    VIP_VHID_IPv4_LAN="vhid 5"
                    
                    # Put your DHCP WAN ifconfig name here
                    
                    WAN_DHCP="igc0"
                    
                    # Seconds between CARP status checks
                    
                    INTERVAL=30
                    
                    #############################################################################
                    
                    # Exit if another instance holds the lock; remove a stale lock whose
                    # PID is no longer running, then record our own PID in it.
                    take_lock() {
                        if [ -f "${LOCKFILE}" ]; then
                            LOCKPID=$(cat "${LOCKFILE}")
                            if [ -n "${LOCKPID}" ] && [ -n "$(ps -p "${LOCKPID}" -o pid=)" ]; then
                                echo "Script is already running with PID ${LOCKPID}. Exiting."
                                exit 1
                            fi
                            rm -f "${LOCKFILE}"
                        fi
                        echo "$$" > "${LOCKFILE}"
                        # Remove the lock however this instance exits (normal, kill, Ctrl-C)
                        trap 'rm -f "${LOCKFILE}"' EXIT INT TERM
                    }
                    
                    # True when ifconfig shows "carp: MASTER vhid N" for our VHID on the LAN.
                    # The "( |$)" anchor stops "vhid 5" from also matching "vhid 50".
                    is_carp_master() {
                        ifconfig "${LAN}" | grep -Eq "carp: MASTER ${VIP_VHID_IPv4_LAN}( |\$)"
                    }
                    
                    # True when the UP flag is set on the WAN interface. UP, when set, is the
                    # first entry in the <...> flag list, so the hex flags value is not needed.
                    is_wan_up() {
                        ifconfig "${WAN_DHCP}" | grep -Eq "^${WAN_DHCP}: flags=[0-9a-f]+<UP[,>]"
                    }
                    
                    # Poll CARP state every INTERVAL seconds and bring the WAN up or down
                    # only when its current state does not match the CARP role.
                    monitor() {
                        logger "Monitor CARP status"
                        while :; do
                            sleep "${INTERVAL}"
                            if is_carp_master; then
                                if is_wan_up; then
                                    echo "WANDHCP already up"
                                else
                                    ifconfig "${WAN_DHCP}" up
                                    logger "STATUS: MASTER, WANDHCP UP"
                                fi
                            else
                                if is_wan_up; then
                                    ifconfig "${WAN_DHCP}" down
                                    logger "STATUS: BACKUP, WANDHCP DOWN"
                                else
                                    echo "WANDHCP already down"
                                fi
                            fi
                        done
                    }
                    
                    case "$1" in
                    start)
                        take_lock
                        monitor
                        ;;
                    stop)
                        # Stop a running instance using the PID recorded in the lock file
                        if [ -f "${LOCKFILE}" ]; then
                            kill "$(cat "${LOCKFILE}")" 2>/dev/null
                            rm -f "${LOCKFILE}"
                        fi
                        ;;
                    restart)
                        "$0" stop
                        exec "$0" start
                        ;;
                    *)
                        echo "Usage: $0 {start|stop|restart}"
                        exit 1
                        ;;
                    esac
                    
                    exit 0
                    

                    Theoretically, this one, adjusted, should be run on every node in CARP. The main idea is just to put down the WAN DHCP interface when the firewall is not MASTER; the script checks the firewall status every 30 seconds and makes decisions about what to do with the WAN. The script also checks for instances already running, and uses case just for compatibility with a service-like mode.
                    Use at your own risk.

                    • sef1414 @w0w
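                    The two checks the monitor loop above depends on, isolated so they can be exercised offline. This is an added example, not w0w's script and not pfSense code: the functions read ifconfig output from stdin instead of calling ifconfig, and the interface names (igc0, igc1), the VHIDs and the ifconfig output below are constructed samples in the format FreeBSD/pfSense prints. It also shows the edge case a naive `grep "MASTER vhid 5"` gets wrong: a LAN interface that is BACKUP for vhid 5 but MASTER for vhid 50.

```sh
#!/bin/sh
# Added example: CARP-role and interface-UP checks parsed from ifconfig text.
# Interface names, VHIDs and the ifconfig samples are constructed for illustration.

# Is this node CARP MASTER for VHID $1? Reads `ifconfig <lan>` output on stdin.
# The "( |$)" anchor keeps "vhid 5" from matching "vhid 50".
carp_is_master() {
    grep -Eq "^[[:space:]]*carp: MASTER vhid $1( |\$)"
}

# Does interface $1 have the UP flag set? Reads `ifconfig <if>` output on stdin.
# When set, UP is the first entry of the <...> flag list, so no hex value is needed.
if_is_up() {
    grep -Eq "^$1: flags=[0-9a-f]+<UP[,>]"
}

# What should be done with the WAN: prints "up", "down" or "none".
# $1 = vhid, $2 = wan ifname, $3 = LAN ifconfig text, $4 = WAN ifconfig text
decide_wan_action() {
    if printf '%s\n' "$3" | carp_is_master "$1"; then
        if printf '%s\n' "$4" | if_is_up "$2"; then echo none; else echo up; fi
    else
        if printf '%s\n' "$4" | if_is_up "$2"; then echo down; else echo none; fi
    fi
}

# Constructed samples (not captured from a real box).
LAN_MASTER='igc1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 5
        carp: MASTER vhid 5 advbase 1 advskew 0'

# BACKUP for vhid 5 but MASTER for vhid 50: must NOT count as master for vhid 5.
LAN_BACKUP='igc1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 5
        inet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255 vhid 50
        carp: BACKUP vhid 5 advbase 1 advskew 100
        carp: MASTER vhid 50 advbase 1 advskew 0'

WAN_UP='igc0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0d:b9:00:00:01'

WAN_DOWN='igc0: flags=8c22<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0d:b9:00:00:01'

# In a live loop each pair would come from `ifconfig igc1` / `ifconfig igc0`.
echo "master, wan down -> $(decide_wan_action 5 igc0 "$LAN_MASTER" "$WAN_DOWN")"
echo "master, wan up   -> $(decide_wan_action 5 igc0 "$LAN_MASTER" "$WAN_UP")"
echo "backup, wan up   -> $(decide_wan_action 5 igc0 "$LAN_BACKUP" "$WAN_UP")"
echo "backup, wan down -> $(decide_wan_action 5 igc0 "$LAN_BACKUP" "$WAN_DOWN")"
```

                    Swapping `printf ... |` for a real `ifconfig igc1 |` turns `decide_wan_action` into the body of the 30-second loop; keeping the parsing in functions that read stdin is what makes the vhid 5 / vhid 50 case testable before the script is ever run on a live firewall.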

                      @w0w

                      Cool thanks, will give this a shot this weekend. What directory do you store this in and how do you ensure it starts running when pfsense starts up?

                      • w0w @sef1414

                        @sef1414
                        Name it "run.sh", copy it to pfSense and chmod it according to the documentation:
                        https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option
                        You will see messages in the system log like those quoted in the script after the logger command.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.