wg interface on failover node up despite Depend on (CARP) being in BACKUP state

[Evert]

Hi all,

The topic basically says it all. We have a 2-node setup, and 2 wireguard instances.
Both instances have 'Depend on (CARP)' set to the CARP VHID of the WAN interface.

On the active node, where the CARP for WAN is in MASTER state, both wireguard instances are up (as expected).

On the passive/failover node, despite the CARP for the WAN being in BACKUP state, one of the wireguard instances is up anyway.

Is this a bug? A feature? Or did I misconfigure/misinterpret something?  8)

[franco]

Hi,

Which version?


Cheers,
Franco

[Evert]

Hi,

Which version?

OPNsense 23.10.2-amd64
os-wireguard 2.6

[franco]

Hmm, I don't expect any changes to the plugin anymore until 24.4 is out, but all in all it sounds a bit strange.

When you say "is up" do you mean "ifconfig wgX" will actually say "UP"? Because it is just set to "DOWN" and that should suffice. It might show differently somewhere else but functionally it should be ok?


Cheers,
Franco

[Evert]

I managed to do it again (so at least it's reproducable...)

Turned off the primary node -> Failover node took over, including Wireguard.

Turn on the primary node -> Primary node took over, but the wgX interfaces on the failover node remain up (I checked in the cli this time)

[franco]

Can you provide this log portion?

# opnsense-log wireguard | grep "Wireguard configure event instance"


Cheers,
Franco

[Evert]

Can you provide this log portion?

# opnsense-log wireguard | grep "Wireguard configure event instance"

Here are the entries from the relevant timeframe (previous messages are hours before)

Code Select Expand

<37>1 2024-02-13T15:24:20+01:00 node2.domain.com wireguard 70461 - [meta sequenceId="1"] Wireguard configure event instance WG1 (wg1) vhid: 1 carp: BACKUP interface: -
<37>1 2024-02-13T15:24:20+01:00 node2.domain.com wireguard 70461 - [meta sequenceId="6"] Wireguard configure event instance WG2 (wg2) vhid: 1 carp: BACKUP interface: up

(slightly redacted)

[franco]

# opnsense-log | grep ifconfig

Any errors here? Or here

# opnsense-log wireguard | grep ifconfig

[Evert]

# opnsense-log | grep ifconfig

Any errors here? Or here

# opnsense-log wireguard | grep ifconfig

Nope, neither one gives any output...

[franco]

Ok let's look at the whole sequence of PID "70461" then:

# opnsense-log wireguard | grep 70461

It looks like the last change it is supposed to make doesn't happen for whatever reason.


Cheers,
Franco

[Evert]

Ok let's look at the whole sequence of PID "70461" then:

# opnsense-log wireguard | grep 70461

It looks like the last change it is supposed to make doesn't happen for whatever reason.

Then I get some more lines:

Code Select Expand

<37>1 2024-02-13T15:24:20+01:00 node2.arkivo.no wireguard 70461 - [meta sequenceId="1"] Wireguard configure event instance WG1 (wg1) vhid: 1 carp: BACKUP interface: -
<37>1 2024-02-13T15:24:20+01:00 node2.arkivo.no wireguard 70461 - [meta sequenceId="2"] wireguard instance WG1 (wg1) can not reconfigure without stopping it first.
<37>1 2024-02-13T15:24:20+01:00 node2.arkivo.no wireguard 70461 - [meta sequenceId="3"] wireguard instance WG1 (wg1) stopped
<37>1 2024-02-13T15:24:20+01:00 node2.arkivo.no wireguard 70461 - [meta sequenceId="4"] wireguard instance WG1 (wg1) started
<37>1 2024-02-13T15:24:20+01:00 node2.arkivo.no wireguard 70461 - [meta sequenceId="5"] /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: entering configure using 'opt9'
<37>1 2024-02-13T15:24:20+01:00 node2.arkivo.no wireguard 70461 - [meta sequenceId="6"] Wireguard configure event instance WG2 (wg2) vhid: 1 carp: BACKUP interface: up
<37>1 2024-02-13T15:24:20+01:00 node2.arkivo.no wireguard 70461 - [meta sequenceId="7"] wireguard instance WG2 (wg2) can not reconfigure without stopping it first.


These are all from yesterday though. Nothing from today...