'Pinning' WAN interface to LAN carp
-
I have an ISP that provides a single WAN address by DHCP.
I also have a desire to use HA, as normally I'd like pfSense to be a virtual machine but will inevitably need to turn this off occasionally, so I have an old, power-hungry HP ML110 as a backup.
I have a working cluster with CARP on the LAN working correctly. Latest 2.2 build.
Both firewalls have the same custom WAN MAC address and so this kind of works; however, both firewalls receive incoming packets on their WAN interfaces, for obvious reasons, as they have the same address.
This is clearly not a very nice setup currently and, whilst it works, streaming sometimes breaks, probably as switches see the MAC move ports.
What I'd like to do is pin the WAN interface status to the CARP LAN interface.
Poking around it seems that devd calls rc.carpmaster and rc.carpbackup which might be a good place to start.
I have two scripts ready for a 'hacky' first go, like this:

<?php
// wan_down.php: clear the WAN address and take the real WAN interface down
require("functions.inc");
require("config.inc");
$if = get_real_wan_interface();
exec("/sbin/ifconfig {$if} 0.0.0.0 down");
?>
These work from the command line.
I then have
notify 100 {
    match "system" "CARP";
    match "type" "BACKUP";
    action "/usr/local/bin/php /tmp/wan_down.php";
};
notify 100 {
    match "system" "CARP";
    match "type" "MASTER";
    action "/usr/local/bin/php /tmp/wan_up.php";
};
in /usr/local/etc/devd/carp.conf
So my questions, if anyone knows the answers:
-
How could I hack these in as a dirty POC solution? Why doesn't devd pick this up?
-
Can I make these run as part of rc.carpmaster? There are references to calling plugins?
-
How would I look to make this into a plugin with a nice GUI to select the CARP interface to track?
Thanks
-
-
To answer my own question 1, as a POC the following works.
/usr/local/etc/devd/carp.conf - Notify 200 will override the 100 in /etc/devd.conf, but we still need to run the pfSctl stuff:

# The wan_*.php scripts must be executable (chmod +x).
# Both commands must run: the pin script first, then pfSense's own CARP
# handler via pfSctl, which the stock /etc/devd.conf rule would otherwise call.
notify 200 {
    match "system" "CARP";
    match "type" "BACKUP";
    action "/usr/local/bin/wan_down.php; /usr/local/sbin/pfSctl -c 'interface carpbackup $subsystem'";
};
notify 200 {
    match "system" "CARP";
    match "type" "MASTER";
    action "/usr/local/bin/wan_up.php; /usr/local/sbin/pfSctl -c 'interface carpmaster $subsystem'";
};
/usr/local/bin/wan_down.php
#!/usr/local/bin/php -f
<?php
require_once("functions.inc");
require_once("config.inc");
require_once("notices.inc");
require_once("openvpn.inc");
require_once("interfaces.inc");

// This node went CARP BACKUP: clear the WAN address and down the real WAN interface
$if = get_real_wan_interface();
exec("/sbin/ifconfig {$if} 0.0.0.0 down");
$message = sprintf("Interface %s pinning down", $if);
log_error($message);
?>
/usr/local/bin/wan_up.php
#!/usr/local/bin/php -f
<?php
require_once("functions.inc");
require_once("config.inc");
require_once("notices.inc");
require_once("openvpn.inc");
require_once("interfaces.inc");

// This node went CARP MASTER: bring the real WAN interface back up
$if = get_real_wan_interface();
exec("/sbin/ifconfig {$if} up");
$message = sprintf("Interface %s bringing up", $if);
log_error($message);
?>
-
I've put the scripts here
https://github.com/deasmi/pf_interface_pin
At some point I might try to make this into a package with a UI if anyone is interested. Please note you need to re-install after an upgrade.
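As an added example (not the original poster's scripts and not part of pfSense), here is a POSIX shell wrapper that does the same pinning but first checks that the CARP event belongs to the tracked LAN VHID. The devd rules posted above match on "system" and "type" only, so a MASTER/BACKUP transition on any other CARP VHID on the box would also toggle the WAN. The script assumes the FreeBSD 10 devd event format for CARP, where $subsystem is "<vhid>@<ifname>" (e.g. "1@em1"); the script name wan_pin.sh and the variables TRACK_VHID, WAN_IF and DRY_RUN are invented here, and the interface names and VHID are constructed sample values.

```shell
#!/bin/sh
# wan_pin.sh - added example, not the original poster's code.
# devd action wrapper that pins the WAN interface to ONE tracked CARP VHID.
# Assumptions (not stated on the page): devd passes $subsystem as
# "<vhid>@<ifname>", TRACK_VHID holds the LAN CARP VHID to follow and
# WAN_IF is the real WAN interface. Sample values below are constructed.
#
# Suggested devd rule (the MASTER rule is symmetric, using carpmaster):
#   notify 200 {
#       match "system" "CARP";
#       match "type" "BACKUP";
#       action "/usr/local/bin/wan_pin.sh $subsystem $type; /usr/local/sbin/pfSctl -c 'interface carpbackup $subsystem'";
#   };

TRACK_VHID="${TRACK_VHID:-1@em1}"   # constructed: LAN CARP VIP is VHID 1 on em1
WAN_IF="${WAN_IF:-em0}"             # constructed: real WAN interface
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the ifconfig command instead of running it

# decide_action SUBSYSTEM TYPE TRACKED -> prints "up", "down" or "ignore".
# Every CARP VHID fires the devd rule, so a transition on a different VHID
# (say a DMZ VIP) must be ignored rather than downing the WAN.
decide_action() {
    if [ "$1" != "$3" ]; then
        echo ignore
        return 0
    fi
    case "$2" in
        MASTER) echo up ;;
        BACKUP) echo down ;;
        *)      echo ignore ;;   # INIT or anything unexpected: leave the WAN alone
    esac
}

# wan_cmd ACTION IFNAME -> prints the ifconfig command for that action.
# "down" also clears the DHCP-assigned address, as the page's wan_down.php does.
wan_cmd() {
    case "$1" in
        up)   echo "/sbin/ifconfig $2 up" ;;
        down) echo "/sbin/ifconfig $2 0.0.0.0 down" ;;
        *)    return 1 ;;
    esac
}

main() {
    subsystem="$1"
    type="$2"
    action=$(decide_action "$subsystem" "$type" "$TRACK_VHID")
    if [ "$action" = ignore ]; then
        command -v logger >/dev/null 2>&1 && logger -t wan_pin "ignoring CARP $type on $subsystem"
        return 0
    fi
    cmd=$(wan_cmd "$action" "$WAN_IF")
    command -v logger >/dev/null 2>&1 && logger -t wan_pin "CARP $type on $subsystem: $cmd"
    if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Run only when devd supplies its two arguments, e.g. "1@em1 BACKUP".
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Set DRY_RUN=0 in the environment (or edit the default) once the printed commands look right; keep the pfSctl call after the script in the devd action so pfSense's normal CARP handling still runs.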