OPNsense Forum

English Forums => High availability => Topic started by: evildevil on January 24, 2023, 10:17:47 am

Title: Poor Man's HA with CARP on internal Interfaces only
Post by: evildevil on January 24, 2023, 10:17:47 am
Hello,

due to the Shortage of WAN IP-Addresses (I am already using all the available IP-Addresses in
my IPv4 /29 Public Network) I wanted to implement a stripped down HA Solution.
Currently I am using two Sophos UTM SG Appliances to accomplish that (they don't use CARP and can failover without the need of additional IP-Addresses).
My Idea was to only configure the internal Interfaces using CARP and do an Active-Passive Failover on the WAN Interface.
Both OPNsense Boxes are running 22.7.10_2
Active Unit: WAN is up and configured with the main static IPv4 Address and the additional IPv4 Addresses
Passive Unit: WAN is down and configured with the main static IPv4 Address and the additional IPv4 Addresses

So, if the internal Interfaces fail and CARP is triggered, the Passive Unit's WAN Interface should be brought up by Script. I looked at the Scripts in https://github.com/opnsense/core/tree/master/src/etc/rc.syshook.d/carp and https://gist.github.com/jprenken/18ca7bf14ddae547ae0fdf6f56d72573#file-10-wireguard-L1
but my PHP Skills are not that sophisticated. I tried to walk through the Source-Codes and Include-Files, but I don't get how/where the WAN interface can be simply brought up.
And should I enable/disable the physical Interface (igc2) or the logical IPv4 Interfaces? My Gut suggests the physical interface.

Based on the Wireguard Script:
Code:
if ($type === "MASTER") {
    log_error("Enabling WAN due to CARP event '$type'");
    # Checking `isset` avoids a race condition during startup when the
    # WireGuard config stanza seems like it's not yet loaded. Without it, this
    # can create an extra, empty, invalid stanza that breaks WireGuard.
    # is the isset necessary?
    if (isset($config['OPNsense']['igc2']['general']['enabled'])) {
        $config['OPNsense']['igc2']['general']['enabled'] = '1';
    }
    # configd_run('wireguard start');   # WAN is not a service, or is it?
    write_config("Enable WAN due to CARP event '$type'", false);
} else {
    log_error("Disabling WAN due to CARP event '$type'");
    # configd_run('wireguard stop');
    if (isset($config['OPNsense']['igc2']['general']['enabled'])) {
        $config['OPNsense']['igc2']['general']['enabled'] = '0';
    }
    write_config("Disable WAN due to CARP event '$type'", false);
}

Any Hints and Pointers in the right Direction are appreciated.

Best Regards,
Patrick
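As an added example (not the original poster's script and not a hook shipped by OPNsense), the same idea written as a CARP syshook that toggles the physical WAN NIC with ifconfig instead of editing $config. It assumes the argument convention used by the scripts in the linked rc.syshook.d/carp directory (CARP subsystem in $argv[1], event type in $argv[2]), the legacy helpers log_error() and mwexec() from util.inc, and the interface name igc2 from the post:

```php
#!/usr/local/bin/php
<?php
/*
 * Added example only: not the poster's script and not an OPNsense-provided hook.
 * Assumptions: the rc.syshook.d/carp argument convention ($argv[1] = subsystem,
 * $argv[2] = event type), log_error() and mwexec() from util.inc, and the WAN
 * NIC name "igc2" taken from the thread.
 */
require_once("config.inc");
require_once("util.inc");

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';
$wan_if = 'igc2';  // physical WAN NIC from the thread

// Only MASTER and BACKUP transitions are acted on; INIT and anything else is ignored
if ($type !== 'MASTER' && $type !== 'BACKUP') {
    log_error("Ignoring CARP event '$type' from '$subsystem'");
    exit(0);
}

// CARP events for a VHID arrive as "<vhid>@<interface>"; refuse other sources
if (strpos($subsystem, '@') === false) {
    log_error("CARP event '$type' from unexpected source '$subsystem'");
    exit(1);
}

if ($type === 'MASTER') {
    // This node now owns the internal VIPs, so its WAN link may go live
    log_error("Bringing up $wan_if due to CARP event '$type' on '$subsystem'");
    mwexec('/sbin/ifconfig ' . escapeshellarg($wan_if) . ' up');
} else {
    // BACKUP: take the WAN link down so both nodes never answer for the same public IPs
    log_error("Bringing down $wan_if due to CARP event '$type' on '$subsystem'");
    mwexec('/sbin/ifconfig ' . escapeshellarg($wan_if) . ' down');
}
```

The script would live alongside the existing hooks in /usr/local/etc/rc.syshook.d/carp/ with the executable bit set. Handling the BACKUP branch symmetrically matters as much as the MASTER branch: if a CARP flap left both WAN links up, two hosts would answer ARP for the same public addresses. Whether the default gateway on the passive unit survives a link-down/link-up cycle is something to verify on the box, since this example only toggles the link state.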
Title: Re: Poor Man's HA with CARP on internal Interfaces only
Post by: evildevil on January 25, 2023, 05:16:57 pm
Hi all,

after meddling around unsuccessfully with my Idea, I decided to throw it away and implement CARP, losing 2 public IP Addresses, and go ahead and implement a reverse Proxy (HAProxy) to handle most incoming Webserver/-service Requests to make up for the loss of the 2 public IP Addresses.

Learn from my Failure, review your Requirements and try to implement it using Tools that are already available ;-)

Best Regards,
Patrick