'Pinning' WAN interface to LAN carp



  • I have an ISP that provides a single WAN address by DHCP.

    I also have a desire to use HA as normally I'd like pfsense to be a virtual machine but will inevitably need to turn this off occasionally, so I have an old power hungry HP ML110 as a backup.

    I have a working cluster with CARP on the LAN working correctly. Latest 2.2 build.

    Both firewalls have the same custom WAN MAC address and so this kind of works, however both firewalls receive incoming packets on their WAN interface for obvious reasons as they have the same address.

    This is clearly not a very nice setup currently and whilst it works, streaming sometimes breaks, probably as switches see the MAC move ports.

    What I'd like to do is pin the WAN interface status to the CARP LAN interface.

    Poking around it seems that devd calls rc.carpmaster and rc.carpbackup which might be a good place to start.

    I have two scripts ready for a 'hacky' first go like this

    
    <?php
    require("functions.inc");
    require("config.inc");
    
    $if = get_real_wan_interface();
    
    // Clear the address and take the real WAN device down
    exec("/sbin/ifconfig {$if} 0.0.0.0 down");
    ?>
    
    

    These work from the command line.

    I then have

    
    notify 100 {
        match "system"          "CARP";
        match "type"            "BACKUP";
        action "/usr/local/bin/php /tmp/wan_down.php";
    };
    
    notify 100 {
        match "system"          "CARP";
        match "type"            "MASTER";
        action "/usr/local/bin/php /tmp/wan_up.php";
    };
    
    

    in /usr/local/etc/devd/carp.conf

    So my questions, if anyone knows the answers:

    • How could I hack these in as a dirty POC solution? Why doesn't devd pick this up?

    • Can I make these run as part of rc.carpmaster? There are references to calling plugins?

    • How would I look to make this into a plugin with a nice GUI to select the CARP interface to track?

    Thanks



  • To answer my own question 1: as a POC the following works.

    /usr/local/etc/devd/carp.conf - notify 200 will override the 100 in /etc/devd.conf, but we still need to run the pfSctl stuff.

    
    notify 200 {
        match "system"          "CARP";
        match "type"            "BACKUP";
        action "/usr/local/bin/wan_down.php || /usr/local/sbin/pfSctl -c 'interface carpbackup $subsystem'";
    };
    
    notify 200 {
        match "system"          "CARP";
        match "type"            "MASTER";
        action "/usr/local/bin/wan_up.php || /usr/local/sbin/pfSctl -c 'interface carpmaster $subsystem'";
    };
    
    

    /usr/local/bin/wan_down.php

    
    #!/usr/local/bin/php -f
    <?php
    require_once("functions.inc");
    require_once("config.inc");
    require_once("notices.inc");
    require_once("openvpn.inc");
    require_once("interfaces.inc");
    
    $if = get_real_wan_interface();
    
    // Clear the address and take the real WAN device down, then log it
    exec("/sbin/ifconfig {$if} 0.0.0.0 down");
    $message = sprintf("Interface %s pinning down", $if);
    log_error($message);
    
    ?>
    
    

    /usr/local/bin/wan_up.php

    
    #!/usr/local/bin/php -f
    <?php
    require_once("functions.inc");
    require_once("config.inc");
    require_once("notices.inc");
    require_once("openvpn.inc");
    require_once("interfaces.inc");
    
    $if = get_real_wan_interface();
    
    // Bring the real WAN device back up, then log it
    exec("/sbin/ifconfig {$if} up");
    $message = sprintf("Interface %s bringing up", $if);
    log_error($message);
    
    ?>
    
    


  • I've put the scripts here

    https://github.com/deasmi/pf_interface_pin

    At some point I might try to make this into a package with a UI if anyone is interested.

    Please note you need to re-install after an upgrade.
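    As an added example (not the poster's code, and not part of pf_interface_pin), a POSIX sh version of the hook that only pins the WAN when one tracked CARP VHID changes state, rather than on every CARP event the way the posted wan_up.php/wan_down.php do. It assumes devd passes `$subsystem` as `vhid@interface` (as in the pfSctl calls above) and `$type` as MASTER or BACKUP, and that the WAN device name is supplied in `WAN_IF`; the interface names and the script path are placeholders.

```shell
#!/bin/sh
# Added example: pin the WAN device to the state of ONE tracked CARP VHID.
# devd supplies "$subsystem" = "vhid@interface" and "$type" = MASTER|BACKUP.
# Call from /usr/local/etc/devd/carp.conf, e.g. (placeholder names):
#   action "WAN_IF=em0 /usr/local/bin/wan_pin.sh 1@em1 '$subsystem' '$type'";

# decide_action TRACKED EVENT_SUBSYSTEM EVENT_TYPE
# Prints "down", "up" or "ignore" and never touches the system, so it can be
# exercised without root. Events for any other VHID are ignored, which is the
# check the posted scripts lack.
decide_action() {
    tracked=$1; subsystem=$2; type=$3
    case "$subsystem" in
        *@*) ;;                               # expected vhid@interface form
        *)   echo ignore; return 0 ;;         # malformed, do nothing
    esac
    [ "$subsystem" = "$tracked" ] || { echo ignore; return 0; }
    case "$type" in
        MASTER) echo up ;;
        BACKUP) echo down ;;
        *)      echo ignore ;;                # INIT or unknown: leave as is
    esac
}

# apply_action ACTION WAN_IF - the same ifconfig calls as the posted scripts,
# plus a syslog line so each transition shows up in the system log.
apply_action() {
    action=$1; wan=$2
    case "$action" in
        down) /sbin/ifconfig "$wan" 0.0.0.0 down
              logger -t wan_pin "pinned $wan down" ;;
        up)   /sbin/ifconfig "$wan" up
              logger -t wan_pin "brought $wan up" ;;
        *)    ;;                              # nothing to do
    esac
}

# Only act when invoked by devd with all three arguments.
if [ "$#" -eq 3 ]; then
    [ -n "$WAN_IF" ] || { logger -t wan_pin "WAN_IF not set"; exit 1; }
    apply_action "$(decide_action "$1" "$2" "$3")" "$WAN_IF"
fi
```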

