@spali
Last active July 18, 2025 17:10
Disable WAN Interface on CARP Backup
#!/usr/local/bin/php
<?php
/*
 * OPNsense CARP hook script. Install it under /usr/local/etc/rc.syshook.d/carp/
 * (the comments below refer to it as 10-wancarp). The hook runner calls every
 * script in that directory with two arguments on each CARP state change:
 *   $argv[1]  subsystem, "<vhid>@<interface>" (for example "1@vtnet0")
 *   $argv[2]  new state, "MASTER" or "BACKUP"
 * On MASTER the WAN interface is enabled, on BACKUP it is disabled, so only
 * the active node holds a link to the upstream.
 */
require_once("config.inc");      // $config array and write_config()
require_once("interfaces.inc");  // interface_configure()
require_once("util.inc");        // log_error()

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

// Only the two CARP states are valid; anything else is a caller error.
if ($type != 'MASTER' && $type != 'BACKUP') {
    log_error("Carp '$type' event unknown from source '{$subsystem}'");
    exit(1);
}

// A genuine CARP event always names its source as vhid@interface.
if (!strstr($subsystem, '@')) {
    log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
    exit(1);
}

// Config key of the interface to toggle (as assigned under Interfaces > Assignments).
$ifkey = 'wan';

if ($type === "MASTER") {
    log_error("enable interface '$ifkey' due to CARP event '$type'");
    $config['interfaces'][$ifkey]['enable'] = '1';
    // Persist the change without writing a config backup, then apply it to the running system.
    write_config("enable interface '$ifkey' due to CARP event '$type'", false);
    interface_configure(false, $ifkey, false, false);
} else {
    log_error("disable interface '$ifkey' due to CARP event '$type'");
    unset($config['interfaces'][$ifkey]['enable']);
    write_config("disable interface '$ifkey' due to CARP event '$type'", false);
    interface_configure(false, $ifkey, false, false);
}
P1X3L8 commented Jul 11, 2025

Thank you for the quick reply. I have the LAN_FAILOVER_GW set up now on both. Since I'm using DHCP on WAN, would I change the configuration options like this, or leave $wan_ip_v4 = '' instead of 'DHCP' like below? Also, I'm not using IPv6; should that cfg option be empty as well? Also not sure about the tbroker gateway setting since I'm not using IPv6. Thank you.

// #################### CONFIGURATION ####################
$ifkey = 'wan';
$wan_ip_v4 = 'DHCP';
$wan_subnet_v4 = 30;

// Names of the gateways to manage, as they appear in System > Gateways > Single
$wan_gw_name = 'WAN_GW';
$tbroker_gw_name = '';

// The CARP VIP on your LAN for gateway redirection on the backup node.
$lan_vip_v4 = '10.10.99.1';
$lan_vip_v6 = '2600:1337::1';

P1X3L8 commented Jul 11, 2025

This is working perfectly, THANK YOU!!

P1X3L8 commented Jul 12, 2025

Please add Unbound DNS restart after master failover. Ty

lavacano commented Jul 12, 2025

> Please add Unbound DNS restart after master failover. Ty

After testing and about 20 iterations of the script after 2.9, my conclusion is that it is a much, much better setup to block these ports on the non-VIP router IP addresses for DNS and DHCPD, since they are not CARP-aware (what a joke).

magomez96 commented Jul 12, 2025 via email
P1X3L8 commented Jul 13, 2025

With v4.7.3-final-fixed, should I undo:

net.inet.carp.init_delay = 60
and
mkdir -p /usr/local/etc/rc.syshook.d/config
ln -s /usr/local/etc/rc.syshook.d/carp/10-wancarp /usr/local/etc/rc.syshook.d/config/20-service-check

With the 3.x code I was having issues with traffic passing after failover, so I'm currently using only one firewall, with the other disconnected, to have a stable network.

Also, if possible, could you add an option to include additional interfaces with WAN to be enabled/disabled at failover? I have a server with dual NICs (teamed as active-backup) connected to each firewall. With both firewall interfaces enabled it eventually floods the switch stack, even though it's an active-backup configuration. Thank you.

-PiXEL8
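The multi-interface option asked for above, written here as an added example rather than the gist's own script: it keeps the same OPNsense CARP hook pattern (same argv contract, same config.inc / interfaces.inc / util.inc calls) but toggles a list of interface keys, and it additionally checks which vhid raised the event, because the hook runner fires once for every CARP VIP on the box and the script at the top of the page would otherwise flip WAN on any of them. The interface keys in $ifkeys, the $watch_vhid value, the file name and the optional Unbound restart via configd_run('unbound restart') are assumptions for illustration, not settings from the gist.

```php
#!/usr/local/bin/php
<?php
/*
 * Added example, not the gist's script: toggle several interfaces on a CARP
 * state change and react only to the VIP we actually track.
 * Hypothetical install path: /usr/local/etc/rc.syshook.d/carp/10-wancarp
 */
require_once("config.inc");      // $config array and write_config()
require_once("interfaces.inc");  // interface_configure()
require_once("util.inc");        // log_error(), configd_run()

// ---- configuration (assumed values, adjust to your box) ----
$ifkeys = ['wan', 'opt1'];   // config keys of the interfaces to enable/disable
$watch_vhid = 1;             // vhid of the LAN CARP VIP whose state we follow
$restart_unbound = true;     // restart Unbound once we have become MASTER

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

if ($type != 'MASTER' && $type != 'BACKUP') {
    log_error("Carp '$type' event unknown from source '{$subsystem}'");
    exit(1);
}

// Strict parse of "<vhid>@<interface>" instead of only looking for an '@'.
if (!preg_match('/^(\d+)@([a-z0-9_.]+)$/i', $subsystem, $m)) {
    log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
    exit(1);
}
$vhid = (int)$m[1];

// Every VIP fires this hook; ignore the ones we are not tracking.
if ($vhid !== $watch_vhid) {
    exit(0);
}

$enable = ($type === 'MASTER');
$changed = [];

foreach ($ifkeys as $ifkey) {
    if (!isset($config['interfaces'][$ifkey])) {
        log_error("interface key '$ifkey' is not assigned, skipping");
        continue;
    }
    $was_enabled = isset($config['interfaces'][$ifkey]['enable']);
    if ($was_enabled === $enable) {
        continue;  // already in the desired state, nothing to write
    }
    if ($enable) {
        $config['interfaces'][$ifkey]['enable'] = '1';
    } else {
        unset($config['interfaces'][$ifkey]['enable']);
    }
    log_error(($enable ? 'enable' : 'disable') .
        " interface '$ifkey' due to CARP event '$type' (vhid $vhid)");
    $changed[] = $ifkey;
}

if (!empty($changed)) {
    // One config write for all interfaces (no backup copy), then apply each one.
    write_config("CARP $type on vhid $vhid: " .
        ($enable ? 'enable ' : 'disable ') . implode(',', $changed), false);
    foreach ($changed as $ifkey) {
        interface_configure(false, $ifkey, false, false);
    }
}

// Unbound binds to interface addresses when it starts; after the new MASTER
// brings its WAN up, a restart lets it pick those addresses up again.
if ($enable && $restart_unbound && !empty($changed)) {
    configd_run('unbound restart');
}
```

The vhid filter is the part worth keeping even on a single-WAN box: without it, adding a second VIP later (for instance on a DMZ interface) means that VIP's own MASTER/BACKUP transitions start toggling WAN as well.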

lavacano commented Jul 14, 2025

Give this a go; the top one

P1X3L8 commented Jul 18, 2025

Your latest script is working very well. Failover has NO to 2 packets lost. No issues with Unbound DNS or multi-home OPT interfaces to DMZ servers. Cheers and thank you for all your effort here!!

MEntOMANdo commented

  1. How does this new approach -- or maybe it's the same approach, but stylistically very different to the original script of this gist -- handle dual-WAN? I have dual WAN, plus additional upstream policy-based gateways for site-to-site connections, etc.

  2. What if the extra gateway is an actual upstream gateway, but just marked with the appropriate priority so it only becomes active when the others are down? Why the need for non-upstream? In the case of policy-based routing, this gateway will never be used unless I create additional rules to catch the traffic and send it over this gateway. If I just create this backup as an upstream gateway, and include it in a group, then existing PBR rules will keep working. What am I missing here?

  3. Separately, I'm seeing issues with 25.1_10+ where the primary doesn't go back to MASTER state, the secondary just stays MASTER forever, even though both levels are 0. Anyone seen this? [This has nothing to do with the script, I'm just asking the hive mind]
