Text only | Text with Images

OPNsense Forum

English Forums => High availability => Topic started by: davorin on March 09, 2026, 08:03:23 AM

Title: Backup FW ignoring CARP for WireGuard Tunnel
Post by: davorin on March 09, 2026, 08:03:23 AM
Weird behaviour of our backup FW running 25.7.6 where WireGuard tunnel is ignoring the WAN CARP state.

The master FW shows no log entries and it stays always the master for the WireGuard tunnel.
The backup FW shows in the WireGuard logs permanently a state change of the WAN CARP and takes over the WireGuard tunnel, although the state of the WAN interface is backup.

The other side of the tunnel is also a HA setup running 26.1.2, but there is no flapping of the tunnel on the backup FW.

Anyone else seing this odd behaviour?

Problem is that I had to disable WireGuard instances and HA syncing of WireGuard configuration.

Title: Re: Backup FW ignoring CARP for WireGuard Tunnel
Post by: davorin on March 09, 2026, 12:20:45 PM
Did now a virtualized test setup with a master/backup running CARP on WAN and LAN and a WG tunnel to a third OPNSense installation...

Tunnel runs fine on master FW, but as soon I change high availability settings to include WireGuard for syncing, the backup FW immediately takes over and becomes the master. After around 70 seconds the backup FW redraws and all is fine again.

Code Select
2026-03-09T12:23:30 Notice kernel <6>[2133] wg0: link state changed to DOWN
2026-03-09T12:23:30 Notice wireguard Wireguard configure event instance Test (wg0) vhid: 10 carp: BACKUP interface: down
2026-03-09T12:23:30 Notice wireguard wireguard instance Test (wg0) switching to DOWN
2026-03-09T12:23:30 Notice wireguard Wireguard configure event instance Test (wg0) vhid: 10 carp: BACKUP interface: up
2026-03-09T12:22:24 Notice wireguard Wireguard configure event instance Test (wg0) vhid: 10 carp: MASTER interface: up
2026-03-09T12:22:24 Notice kernel <6>[2068] wg0: link state changed to UP
2026-03-09T12:22:24 Notice wireguard wireguard instance Test (wg0) switching to UP
2026-03-09T12:22:24 Notice wireguard Wireguard configure event instance Test (wg0) vhid: 10 carp: MASTER interface: down
2026-03-09T12:21:30 Notice kernel <6>[2014] wg0: link state changed to DOWN
2026-03-09T12:21:30 Notice kernel <6>[2014] wg0: link state changed to UP
2026-03-09T12:21:30 Notice wireguard wireguard instance Test (wg0) started
2026-03-09T12:21:30 Notice wireguard /usr/local/opnsense/scripts/wireguard/wg-service-control.php: plugins_configure monitor (execute task : dpinger_configure_do(,[]))
2026-03-09T12:21:30 Notice wireguard /usr/local/opnsense/scripts/wireguard/wg-service-control.php: plugins_configure monitor (,[])
2026-03-09T12:21:30 Notice wireguard /usr/local/opnsense/scripts/wireguard/wg-service-control.php: ROUTING: entering configure using opt2
2026-03-09T12:21:30 Notice wireguard wireguard instance Test (wg0) stopped
Text only | Text with Images