Netgate Discussion Forum
    'Pinning' WAN interface to LAN carp

    HA/CARP/VIPs
    dsmith10:

      I have an ISP that provides a single WAN address by DHCP.

      I also want to use HA, as normally I'd like pfSense to be a virtual machine but will inevitably need to turn this off occasionally, so I have an old, power-hungry HP ML110 as a backup.

      I have a working cluster with CARP on the LAN working correctly. Latest 2.2 build.

      Both firewalls have the same custom WAN MAC address, and so this kind of works; however, both firewalls receive incoming packets on their WAN interface, for obvious reasons, as they have the same address.

      This is clearly not a very nice setup currently, and whilst it works, streaming sometimes breaks, probably as switches see the MAC move ports.

      What I'd like to do is pin the WAN interface status to the CARP LAN interface.

      Poking around it seems that devd calls rc.carpmaster and rc.carpbackup which might be a good place to start.

      I have two scripts ready for a 'hacky' first go like this

      
      <?php
      /* wan_down.php: bring the physical WAN device down when this node is CARP BACKUP */
      require("functions.inc");
      require("config.inc");
      
      $if = get_real_wan_interface();   /* physical WAN device, e.g. em0 */
      
      /* clear the address and mark the link down so this node stops answering on the shared MAC */
      exec("/sbin/ifconfig " . escapeshellarg($if) . " 0.0.0.0 down");
      ?>
      

      These work from the command line.

      I then have

      
      notify 100 {
          match "system"          "CARP";
          match "type"            "BACKUP";
          action "/usr/local/bin/php /tmp/wan_down.php";
      };
      
      notify 100 {
          match "system"          "CARP";
          match "type"            "MASTER";
          action "/usr/local/bin/php /tmp/wan_up.php";
      };
      
      

      in /usr/local/etc/devd/carp.conf

      So my questions if anyone knows the answers

      • How could I hack these in as a dirty POC solution? Why doesn't devd pick this up?

      • Can I make these run as part of rc.carpmaster? There are references to calling plugins?

      • How would I look to make this into a plugin with a nice GUI to select the CARP interface to track?

      Thanks

      dsmith10:

        To answer my own question 1 as a POC the following works.

        /usr/local/etc/devd/carp.conf - Notify 200 will override the 100 in /etc/devd.conf, but we still need to run the pfSctl stuff

        
        # A higher priority than the stock rule in /etc/devd.conf (100) so devd runs
        # this action instead. The action is passed to /bin/sh, so both commands are
        # run in sequence: the pinning script first, then pfSense's own handler,
        # which the stock rule would otherwise have called on its own.
        notify 200 {
            match "system"          "CARP";
            match "type"            "BACKUP";
            action "/usr/local/bin/wan_down.php; /usr/local/sbin/pfSctl -c 'interface carpbackup $subsystem'";
        };
        
        notify 200 {
            match "system"          "CARP";
            match "type"            "MASTER";
            action "/usr/local/bin/wan_up.php; /usr/local/sbin/pfSctl -c 'interface carpmaster $subsystem'";
        };
        

        /usr/local/bin/wan_down.php

        
        #!/usr/local/bin/php -f
        <?php
        /* wan_down.php: run by devd when this node becomes CARP BACKUP */
        require_once("functions.inc");
        require_once("config.inc");
        require_once("notices.inc");
        require_once("openvpn.inc");
        require_once("interfaces.inc");
        
        $if = get_real_wan_interface();   /* physical WAN device, e.g. em0 */
        
        /* clear the address and mark the link down so this node stops answering on the shared MAC */
        exec("/sbin/ifconfig " . escapeshellarg($if) . " 0.0.0.0 down");
        $message = sprintf("Interface %s pinning down", $if);
        log_error($message);   /* pfSense helper: writes to the system log */
        
        ?>
        

        /usr/local/bin/wan_up.php

        
        #!/usr/local/bin/php -f
        <?php
        /* wan_up.php: run by devd when this node becomes CARP MASTER */
        require_once("functions.inc");
        require_once("config.inc");
        require_once("notices.inc");
        require_once("openvpn.inc");
        require_once("interfaces.inc");
        
        $if = get_real_wan_interface();   /* physical WAN device, e.g. em0 */
        
        /* mark the link up again; the DHCP client re-acquires the WAN address from here */
        exec("/sbin/ifconfig " . escapeshellarg($if) . " up");
        $message = sprintf("Interface %s bringing up", $if);
        log_error($message);   /* pfSense helper: writes to the system log */
        
        ?>
        
        dsmith10:
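    The devd rules in the post above fire on every CARP MASTER/BACKUP event on the box, not only on the LAN VIP that is meant to drive the WAN; on a firewall with more than one CARP VIP (say a second one on a DMZ) a state change on the other VIP would also flip the WAN. The following is an added example, not code from the forum post, the pf_interface_pin repository or pfSense: one POSIX sh script that devd calls with the event's `$type` and `$subsystem`, acts only when the event is for the tracked VIP, validates the value before using it in a command, and still hands every event to pfSense's own handler. It assumes (these names are not in the original) that devd passes `$subsystem` in FreeBSD's CARP form `<vhid>@<ifname>`, and that TRACK_VIP, WAN_IF, PFSCTL and IFCONFIG are supplied by the environment or the defaults shown.

```shell
#!/bin/sh
# wan_pin.sh - added example, not from the forum post or pfSense.
# Pins the physical WAN device to ONE CARP VIP instead of reacting to
# every CARP event on the host.
#
# Assumptions (not stated in the original post):
#  - devd runs it as:  wan_pin.sh "$type" "$subsystem"
#    where $subsystem has FreeBSD's CARP form "<vhid>@<ifname>", e.g. "1@em1"
#  - TRACK_VIP is the LAN CARP VIP to follow, WAN_IF the physical WAN device
#  - PFSCTL is pfSense's own CARP handler and must run for every event
TRACK_VIP="${TRACK_VIP:-1@em1}"
WAN_IF="${WAN_IF:-em0}"
PFSCTL="${PFSCTL:-/usr/local/sbin/pfSctl}"
IFCONFIG="${IFCONFIG:-/sbin/ifconfig}"

# decide_action TYPE SUBSYSTEM -> prints "up", "down" or "ignore"
decide_action() {
    ev_type="$1"
    subsystem="$2"
    # refuse anything that is not plainly vhid@ifname before it reaches a shell command
    case "$subsystem" in
        ''|*[!0-9a-zA-Z@.]*|*@*@*|@*|*@) echo "ignore"; return 0 ;;
    esac
    # events for other VIPs are not ours to act on
    [ "$subsystem" = "$TRACK_VIP" ] || { echo "ignore"; return 0; }
    case "$ev_type" in
        MASTER) echo "up" ;;
        BACKUP) echo "down" ;;
        *)      echo "ignore" ;;    # e.g. INIT, or an unexpected type
    esac
}

# wan_command ACTION -> prints the ifconfig command for that action ("" if none)
wan_command() {
    case "$1" in
        up)   echo "$IFCONFIG $WAN_IF up" ;;
        down) echo "$IFCONFIG $WAN_IF 0.0.0.0 down" ;;
        *)    echo "" ;;
    esac
}

main() {
    action=$(decide_action "$1" "$2")
    cmd=$(wan_command "$action")
    if [ -n "$cmd" ]; then
        logger -t wan_pin "CARP $2 $1: pinning WAN $WAN_IF ($action)"
        $cmd
    fi
    # pfSense's own handling must run for every CARP event, tracked VIP or not
    case "$1" in
        MASTER) "$PFSCTL" -c "interface carpmaster $2" ;;
        BACKUP) "$PFSCTL" -c "interface carpbackup $2" ;;
    esac
}

# with no arguments (e.g. when sourced for testing) main is a no-op
main "$@"
```

With this script one devd rule replaces the two in the post: `notify 200 { match "system" "CARP"; action "/usr/local/bin/wan_pin.sh $type $subsystem"; };`, with TRACK_VIP set to the LAN VIP's `vhid@interface`. devd matches on event fields rather than on the action, so the per-VIP filtering has to live in the script; keeping the pfSctl call there too means pfSense's gateway and state-sync handling still happens for VIPs the script ignores.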

          I've put the scripts here

          https://github.com/deasmi/pf_interface_pin
          At some point I might try to make this into a package with a UI if anyone is interested.

          Please note you need to re-install after an upgrade.
