Looking for someone to write a script
-
I’m looking for assistance getting an unsupported version of high availability running.
I currently have Pfsense HA / CARP working, on local interfaces only. This is because I have dynamic IPs and cannot get static ones. On the WAN side of things, I simply have WAN gateways disabled on my secondary interface. I’m not so much concerned about seamless failover, as I am avoiding long periods of down time.
Currently, if my primary pfsense box failed, I could enable WAN gateways on secondary box, and should be back up in a matter of minutes. However, that only works if I’m sitting in front of the computer.
I’d like to have this automated, so I’m looking for a script that will monitor for HA / CARP status, and enable WAN gateways when a box becomes master, and disable WAN gateways when a box becomes the secondary.
I’m happy to pay for help with this. I’m thinking around $300; I imagine someone well versed with pfSense could accomplish this in short order. Would consider more if it’s warranted. -
@sef1414 said in Looking for someone to write a script:
I’m not so much concerned about seamless failover, as I am avoiding long periods of down time.
High Availability
High Availability Configuration Example
It should be able to achieve that the second one is "jumping" in if the first one fails. -
@sef1414
What exactly is your WAN? Is it PPPoE? -
I have two DHCP WAN connections and one PPPoE.
-
@sef1414
So it is multi-WAN? Each box has one DHCP WAN, and PPPoE is also configured on both? Why should the DHCP WAN be disabled when the box is not primary? Does this violate the provider's rules? Provide more information about what is wrong and what you want to do. I am already using one script that automatically puts PPPoE down or up, monitoring the status of the firewall, but every configuration is different and in your case it may not work the way you want. -
I have multi WAN for load balancing / WAN failover scenarios (separate from high availability needs). I can't have the same active WAN on both primary and secondary pfsense, as it will create issues (duplicate MACs, VPN problems, etc.)
-
@sef1414
So only the DHCP WAN needs to be supported by the script? -
```sh
#!/bin/sh
LOCKFILE="/var/run/run.sh.lock"

# Check if the lock file exists and exit if it does
if [ -f "${LOCKFILE}" ]; then
    # Check if the process that created the lock file is still running
    LOCKPID=$(cat "${LOCKFILE}")
    if [ -n "$(ps -p "${LOCKPID}" -o pid=)" ]; then
        echo "Script is already running with PID ${LOCKPID}. Exiting."
        exit 1
    else
        # Remove stale lock file
        rm -f "${LOCKFILE}"
    fi
fi

# Create lock file with current PID and remove it when the script exits
echo "$$" > "${LOCKFILE}"
trap 'rm -f "${LOCKFILE}"' EXIT

#############################################################################
# Interfaces configuration
# Put your LAN card ifconfig name here, e.g., "igc1"
LAN="igc1"
# Put your LAN CARP VIP VHID number, e.g., "vhid 5"
VIP_VHID_IPv4_LAN="vhid 5"
# Put your DHCP WAN ifconfig name here
WAN_DHCP="igc0"
# Put your WANDHCP interface "down" status
# Issue "ifconfig igc0 down" command without quotes
# Wait a bit and issue "ifconfig igc0" command
# Sample answer
# igc0: flags=8c22<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
# So use 8c22
WANDHCP_DWN="8c22"
#############################################################################

case "$1" in
start)
    logger "Monitor CARP status"
    # Loop forever, checking the CARP state every 30 seconds
    while true; do
        sleep 30
        CHECKCARPSTATUS=$(ifconfig "$LAN" | grep -o "MASTER $VIP_VHID_IPv4_LAN" | head -n 1)
        if [ "$CHECKCARPSTATUS" = "MASTER $VIP_VHID_IPv4_LAN" ]; then
            # This node is MASTER: make sure the DHCP WAN is up
            check_WAN_DHCP_if=$(ifconfig "$WAN_DHCP" | grep -o 'UP' | head -n 1)
            if [ "$check_WAN_DHCP_if" = 'UP' ]; then
                echo "WANDHCP already up"
            else
                ifconfig "$WAN_DHCP" up
                logger "STATUS: MASTER, WANDHCP UP"
            fi
        else
            # This node is not MASTER (BACKUP or INIT): make sure the DHCP WAN is down
            check_WAN_DHCP_if=$(ifconfig "$WAN_DHCP" | grep -o "$WANDHCP_DWN" | head -n 1)
            if [ "$check_WAN_DHCP_if" = "$WANDHCP_DWN" ]; then
                echo "WANDHCP already down"
            else
                ifconfig "$WAN_DHCP" down
                logger "STATUS: BACKUP. WANDHCP DOWN"
            fi
        fi
    done
    echo "end"
    ;;
stop)
    exit 0
    ;;
restart)
    exit 0
    ;;
esac
exit 0
```
Theoretically, this one, adjusted, should run on every node in CARP. The main idea is just to bring the WAN DHCP interface down when the firewall is not MASTER; the script checks the firewall status every 30 seconds and decides what to do with the WAN. The script also checks for instances already running, and uses case just for compatibility with a service-like mode.
Use at your own risk. -
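An added example, not the script from the post above, that isolates the two decisions the monitor makes (CARP state for one VHID on the LAN, UP flag on the WAN) so they can be checked offline against captured ifconfig output instead of matching a literal "MASTER vhid 5" string and the hex flags value. The ifconfig output below is constructed, not captured from a real box; the interface names and VHID follow the script's defaults.

```sh
#!/bin/sh
# Added example (not the script from the post): reads the carp: line for the
# wanted VHID and the flag names inside <...> rather than the hex flags value
# (8c22), which changes as soon as another flag bit (e.g. RUNNING) is set.

# carp_state OUTPUT VHID -> prints MASTER, BACKUP, INIT, or NONE if the VHID is absent
carp_state() {
    printf '%s\n' "$1" | awk -v vhid="$2" '
        $1 == "carp:" {
            for (i = 1; i < NF; i++)
                if ($i == "vhid" && $(i + 1) == vhid) { print $2; found = 1; exit }
        }
        END { if (!found) print "NONE" }'
}
# if_is_up OUTPUT -> exit status 0 when the UP flag is present on the flags= line
if_is_up() {
    printf '%s\n' "$1" | awk '
        /flags=/ {
            sub(/.*flags=[0-9a-fA-F]*</, ""); sub(/>.*/, "")
            n = split($0, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "UP") found = 1
            exit
        }
        END { exit found ? 0 : 1 }'
}
# decide LAN_OUTPUT WAN_OUTPUT VHID -> prints "up", "down" or "none" (nothing to change)
decide() {
    state=$(carp_state "$1" "$3")
    if if_is_up "$2"; then up=yes; else up=no; fi
    case "$state:$up" in
        MASTER:no)  echo up ;;
        MASTER:yes) echo none ;;
        *:yes)      echo down ;;
        *)          echo none ;;
    esac
}
# Constructed sample output; vhid 7 is a second VIP on the same LAN to show
# that only the wanted VHID decides the state.
LAN_MASTER='igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: BACKUP vhid 7 advbase 1 advskew 100
    carp: MASTER vhid 5 advbase 1 advskew 0'
LAN_BACKUP='igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: BACKUP vhid 5 advbase 1 advskew 100'
WAN_UP='igc0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500'
WAN_DOWN='igc0: flags=8c22<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500'
echo "master, wan down: $(decide "$LAN_MASTER" "$WAN_DOWN" 5)"   # up
echo "backup, wan up:   $(decide "$LAN_BACKUP" "$WAN_UP" 5)"     # down
```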
Cool, thanks, will give this a shot this weekend. What directory do you store this in, and how do you ensure it starts running when pfSense starts up?
-
@sef1414
Name it "run.sh", copy it to pfSense and chmod it according to the documentation:
https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option
You will see messages in the system log like those quoted in the script after the logger command.