Messages - spali

#1
High availability / Re: CARP with DHCP on WAN
January 20, 2022, 05:46:58 PM
Great, nice to hear a success  ;D
#2
High availability / Re: CARP with DHCP on WAN
January 20, 2022, 09:18:06 AM
Regarding the MAC, maybe you need to sniff the DHCP traffic to find out what's wrong (probably MAC spoofing not working properly?). In my case I have two virtual machines. So I spoof the MAC on the virtual network card. I have it entered in the GUI too, but maybe this doesn't really work? If your routers are virtual, then don't forget to enable promiscuous mode.
Do you use my version of the script with write_config and interface_configure or a custom one?
I'm asking because I had a similar problem as I just started with a script that does just start and stop the interface. The version that uses the configuration interface of OPNsense kicks in a lot of reconfiguration tasks that may help.
#3
High availability / Re: CARP with DHCP on WAN
January 19, 2022, 04:25:31 PM
Not sure if I got your question.
But you need the script on both routers.
But during setup I recommend to disable the WAN(s) on the BACKUP router manually to not have both enabled at the same time. On the MASTER you could leave the interface enabled.
#4
High availability / Re: CARP with DHCP on WAN
January 19, 2022, 03:24:05 PM
Not sure why igb4 is working at all.
It's the interface key in the config.xml.
So lowercase of the internal interface name. i.e. lan, wan, opt1, opt2 etc.
Don't mix it with the name you gave to the interface. You can see these in the "Interfaces" -> "Overview" behind the interface in brackets (the first one before comma).
#5
High availability / Re: CARP with DHCP on WAN
January 16, 2022, 05:27:52 PM
Quote from: bitcore on January 03, 2022, 01:34:36 AM
We've effectively arrived on the same method to achieve this. Except your calls, Spali, are probably much better since you are using the config system's normal calls (which I'm not familiar with). I'm instead smashing in console commands via exec, equivalent to using a hammer. (unsanitized code execution risks here!)
If it works for you, then you've done a good job  ;)
I started as you, but had also the problem with the WAN lease not working etc. And I just decided instead of manually issue a renew, to issue the disabling of the WAN interface over the configuration (same as you would untick "enabled" in the interface GUI) to allow OPNsense to reconfigure everything as it would also do it when manually disabled or enabled. That is also responsible to get the DHCP lease during enable keeps all other stuff up to date. Just thought, it would be less error prone, but I don't like that it probably makes a lot more than required.
I think your version works for what it's made needed adaption for other use cases. Mine does more, but probably too much.
So people can choose what they want and that is good as it is :D


#6
High availability / Re: CARP with DHCP on WAN
January 16, 2022, 05:19:34 PM
Quote from: DocGonzo74 on January 16, 2022, 04:37:28 PM
I am trying to do this on Dual WAN using Spali's script and the primary kicks but the secondary WAN just sits there.

bitcore's solution works, though I don't know if we need to kill the dhcp server on the backup.. if it all works correct, dhcp should failover to the backup when the primary fails.. if you sync all leases, the backup should take over as dhcp server. 

If anyone sees this before I figure it out.. how can I tweak Spali's script to kick both WAN interfaces when there is a failure?
Regarding DHCP, currently not tested, but according to docs and setup DHCP synced with failover defined, I assume this should work on the LAN side.

Also replied in the gist for the other question.
But here too:

Assuming you just want to disable both WAN interfaces on the backup and enable both on the master, you can just duplicate the script with any suffix in the filename and adjust the $ifkey variable for the second WAN interface.

A bit cleaner solution would be to adapt the script to allow defining an array for the $ifkey variable so it can loop over the interfaces.
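
The array variant suggested in the post above, as an added example (not spali's gist and not OPNsense's own code): a CARP syshook script that loops over several interface keys and rejects unknown event types and keys that are not in the configuration. The keys wan and opt1, the carp-wan log tag, the 'enable' flag layout under $config['interfaces'] and the argument order passed to interface_configure are assumptions; check interfaces.inc on your release before use.

```php
#!/usr/local/bin/php
<?php
// Added illustration, not the gist's code. Per the posts, a script like this
// lives in /usr/local/etc/rc.syshook.d/carp/ and is needed on both routers.
require_once("config.inc");      // global $config and write_config()
require_once("interfaces.inc");  // interface_configure()

// Interface keys as used in config.xml (lan, wan, opt1, ...), not the
// display names. 'wan' and 'opt1' are assumed values for a dual-WAN setup.
$ifkeys = ['wan', 'opt1'];

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

openlog('carp-wan', LOG_PID, LOG_DAEMON);  // hypothetical log tag

// Act only on the two states named in the posts; reject anything else.
if ($type !== 'MASTER' && $type !== 'BACKUP') {
    syslog(LOG_ERR, "ignoring CARP event of unknown type from '{$subsystem}'");
    exit(1);
}

// Skip keys that are malformed or absent from the configuration, so a device
// name entered by mistake (e.g. igb4) never creates a bogus interface entry.
$targets = [];
foreach ($ifkeys as $ifkey) {
    if (!preg_match('/^[a-z0-9_]+$/', $ifkey) || !isset($config['interfaces'][$ifkey])) {
        syslog(LOG_ERR, "interface key '{$ifkey}' not found in config, skipping");
        continue;
    }
    $targets[] = $ifkey;
}
if (empty($targets)) {
    exit(1);
}

// Same effect as ticking or unticking "enabled" in the interface GUI.
foreach ($targets as $ifkey) {
    if ($type === 'MASTER') {
        $config['interfaces'][$ifkey]['enable'] = '1';
    } else {
        unset($config['interfaces'][$ifkey]['enable']);
    }
}
// One config write for all interfaces, then let OPNsense reconfigure each one.
write_config("CARP {$type}: " . ($type === 'MASTER' ? 'enable ' : 'disable ') . implode(',', $targets));
foreach ($targets as $ifkey) {
    // Assumed argument order: ($verbose, $interface, $reload, $linkup).
    interface_configure(false, $ifkey, false, false);
    syslog(LOG_NOTICE, "interface '{$ifkey}' reconfigured for CARP {$type}");
}
```

Because the interface keys are a fixed list checked against the configuration and nothing from $argv reaches a shell, this variant avoids the exec-based command construction mentioned in the quoted post above.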
#7
High availability / Re: CARP and WireGuard
December 31, 2021, 02:48:06 PM
As I investigated a bit of time for getting DHCP WAN with single lease working (no CARP on WAN, only on LAN).
I can share some thoughts.
You could put a script in /usr/local/etc/rc.syshook.d/carp/ to stop wireguard service in BACKUP mode and start it in MASTER mode.

Check out the 20-openvpn script there.
Especially the part:

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

$type will either contain "MASTER" or "BACKUP".

Not sure, but I think the script does explicitly reconfigure the openvpn interface configuration. But in case of Wireguard, assuming you have a working wireguard setup, I think just stopping or starting the service should work to prevent connections from the BACKUP, due to the fact that wireguard is listening on all interfaces by default.

You can also check out my script for ideas, which does in fact disable WAN interface on BACKUP and enable it if it gets the master:
https://gist.github.com/spali/2da4f23e488219504b2ada12ac59a7dc



#8
High availability / Re: CARP with DHCP on WAN
December 31, 2021, 02:28:49 PM
I have made a WIP script for WAN with single DHCP lease (only LAN setup as CARP).
I didn't switch to production with it yet, but testers with feedback are welcome.
At least some synthetic test cases did work as expected. A forced switch with Maintenance Mode is almost immediate... no ping lost. The only thing that took a couple of seconds was when I shut down the master. There the switch takes a bit longer but acceptable for me.

https://gist.github.com/spali/2da4f23e488219504b2ada12ac59a7dc