CARP group tracking

Started by pmladenov, December 04, 2020, 02:23:43 PM

Hello,

I have 2 OPNsense firewalls in HA with 2 different CARP groups - one for the LAN and one for the WAN.
I would like to implement a little bit more complex failover logic - instead of relying on a physical interface down event, the idea is to use a script pinging several WAN IPs and, in case all are down, to demote the active CARP LAN group.
Based on the https://docs.opnsense.org/development/backend/carp.html document, I've created a shell script returning 0 in case all is good and 1 in case it needs to demote.
The script is executable and located in /usr/local/etc/rc.carp_service_status.d/

The question I have is how, when and by whom that script is being executed?


Regards,
Plamen
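
One way to write the check described in the post above, as an added example that is not the poster's script and not OPNsense code. The file name, `WAN_TARGETS`, `RETRIES`, `probe` and `wan_status` are assumptions; the exit codes follow the post (0 = healthy, 1 = demote).

```sh
#!/bin/sh
# Added example: WAN reachability check for the CARP service-status hook.
# Hypothetical file: /usr/local/etc/rc.carp_service_status.d/wan_reachability
# Exit codes as described in the post: 0 = healthy, 1 = demote.

# Space-separated probe targets. Empty by default; set e.g. to the
# constructed documentation addresses "192.0.2.1 198.51.100.1".
WAN_TARGETS="${WAN_TARGETS:-}"
# Attempts per target, so one lost packet does not trigger a failover.
RETRIES="${RETRIES:-2}"

# Probe a single target. FreeBSD ping: -c 1 sends one echo request,
# -t 2 gives up after two seconds.
probe() {
    ping -c 1 -t 2 "$1" >/dev/null 2>&1
}

# Return 0 as soon as any target answers, 1 only if all of them failed.
# With no targets, report healthy instead of demoting on a config mistake.
wan_status() {
    [ "$#" -gt 0 ] || return 0
    for target in "$@"; do
        tries=0
        while [ "$tries" -lt "$RETRIES" ]; do
            if probe "$target"; then
                return 0
            fi
            tries=$((tries + 1))
        done
    done
    return 1
}

# Act as the hook only when targets are configured.
if [ -n "$WAN_TARGETS" ]; then
    # Unquoted on purpose: split the list into one argument per target.
    wan_status $WAN_TARGETS
    exit $?
fi
```

In the worst case the script blocks for targets × `RETRIES` × 2 seconds, so keep the target list short.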

Hi Plamen,

It's in the note here https://docs.opnsense.org/development/backend/carp.html#trigger-event

The service involved should fire its own events using the hook subscribed; this is, for example, how FRR subscribes to messages using syslog-ng: https://github.com/opnsense/plugins/blob/ad3c3e745ad9768b764ed35617cbfa20a41921dd/net/frr/src/opnsense/service/templates/OPNsense/Quagga/syslog-ng-frr-events.conf#L5

Best regards,

Ad

Thanks,

It's a little bit more clear for me now. I have a few assumptions now that I would like to verify. So in the FRR example - in case syslog-ng matches the specific syslog message, syslog-ng executes "/usr/local/sbin/configctl -e -t 0.5 interface update carp service_status", which runs ALL scripts in "/usr/local/etc/rc.carp_service_status.d/"?
If the above logic is correct - what happens if some of the executed scripts return 0 and others return 1 (for example)?

Regards,
Plamen


Thanks Ad,

That addressed all my questions/assumptions.

Regards,
Plamen