
@spali
Last active July 19, 2025 00:28
Disable WAN Interface on CARP Backup
#!/usr/local/bin/php
<?php
require_once("config.inc");
require_once("interfaces.inc");
require_once("util.inc");

// CARP hook arguments: the subsystem that fired (vhid@interface) and the new state
$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

if ($type != 'MASTER' && $type != 'BACKUP') {
    log_error("Carp '$type' event unknown from source '{$subsystem}'");
    exit(1);
}
if (!strstr($subsystem, '@')) {
    log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
    exit(1);
}

// config key of the interface that follows the CARP state ('wan', not the NIC name)
$ifkey = 'wan';
if ($type === "MASTER") {
    log_error("enable interface '$ifkey' due to CARP event '$type'");
    $config['interfaces'][$ifkey]['enable'] = '1';
    write_config("enable interface '$ifkey' due to CARP event '$type'", false);
    interface_configure(false, $ifkey, false, false);
} else {
    log_error("disable interface '$ifkey' due to CARP event '$type'");
    unset($config['interfaces'][$ifkey]['enable']);
    write_config("disable interface '$ifkey' due to CARP event '$type'", false);
    interface_configure(false, $ifkey, false, false);
}

lavacano commented Jul 19, 2025

  1. How does this new approach -- or maybe it's the same approach, but stylistically very different to the original script of this gist -- handle dual-WAN? I have dual WAN, plus additional upstream policy-based gateways for site-to-site connections, etc.
  2. What if the extra gateway is an actual upstream gateway, but just marked with the appropriate priority so it only becomes active when the others are down? Why the need for non-upstream? In the case of policy-based routing, this gateway will never be used unless I create additional rules to catch the traffic and send it over this gateway. If I just create this backup as an upstream gateway, and include it in a group, then existing PBR rules will keep working. What am I missing here?
  3. Separately, I'm seeing issues with 25.1_10+ where the primary doesn't go back to MASTER state, the secondary just stays MASTER forever, even though both levels are 0. Anyone seen this? [This has nothing to do with the script, I'm just asking the hive mind]

Just enabling and disabling the interface doesn't clear the states and routes, and because of that I was still seeing traffic to WAN after demotion to backup. This way we can use the same MAC address on both routers, and because we try to kill all the traffic off, there aren't leaks or loops.

I like to have a failover gateway; that way the backup can still reach out for firmware etc., otherwise the backup just sits without an internet connection.

Lastly, this should be designed as if both routers are the same. There shouldn't be a preference of one router over another. Introducing a second failover event in case the master goes down and comes back up is not the best idea.

Although I might make a version or option of the script that, when it wants to demote to backup, instead drops all connections, waits, then reboots, which might help for some leaks/loops I am still seeing.
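The state-clearing step the reply above describes, as an added example written for this page and not the gist's or its author's own code: a CARP hook in POSIX sh that, on BACKUP, takes the WAN link down and flushes the pf state table so flows established while this node was MASTER cannot keep leaving through it, and on MASTER brings the link back up. The argument shape (`<vhid>@<interface>` followed by `MASTER` or `BACKUP`) is assumed from the checks in the PHP gist; `em0` as the WAN NIC, the `carp-wan` syslog tag and the `DRY_RUN` switch are assumptions of the example.

```shell
#!/bin/sh
# Added example (not the gist's code): CARP hook that downs the WAN and flushes
# pf states on demotion to BACKUP. Assumed: OPNsense passes "<vhid>@<iface>"
# and "MASTER"/"BACKUP" as the two arguments, and the WAN NIC is em0.
WAN_IF="${WAN_IF:-em0}"      # assumed WAN NIC name; override via environment
DRY_RUN="${DRY_RUN:-0}"      # 1 = print the commands instead of running them

# log MSG: syslog if logger is available, stderr otherwise
log() {
    logger -t carp-wan "$*" 2>/dev/null || printf 'carp-wan: %s\n' "$*" >&2
}

# run CMD...: execute, or in dry-run mode print the command line
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# validate_event SUBSYSTEM TYPE: the same sanity checks the PHP gist makes
validate_event() {
    case "$2" in
        MASTER|BACKUP) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# plan_actions TYPE: the per-state action list; every step goes through run()
plan_actions() {
    case "$1" in
        BACKUP)
            # link down first so no new flow can start, then drop existing
            # ones. The whole table is flushed rather than "pfctl -i em0 -F
            # states": pf matches a state by the interface it was created on,
            # and forwarded LAN-to-WAN flows were created on the LAN side.
            run ifconfig "$WAN_IF" down
            run pfctl -F states
            ;;
        MASTER)
            run ifconfig "$WAN_IF" up
            ;;
    esac
}

main() {
    subsystem=$1
    type=$2
    if ! validate_event "$subsystem" "$type"; then
        log "ignoring CARP event '$type' from '$subsystem'"
        return 1
    fi
    log "CARP $type on $subsystem: reconfiguring $WAN_IF"
    plan_actions "$type"
}

# dispatch only when the two hook arguments are actually present
if [ $# -ge 2 ]; then
    main "$@"
fi
```

`DRY_RUN=1 sh carp-wan-states.sh 1@em0 BACKUP` prints the two commands without executing them. Two caveats: the PHP gist changes the interface through the configuration (`write_config` and `interface_configure`) rather than with `ifconfig`, so on a real box swap the two `ifconfig` lines for that if the GUI should reflect the state; and if pfsync is running, check on your release how a table flush propagates, since pf can send the peer a clear message for the states this node created, which are exactly the flows the new MASTER just took over.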


lavacano commented Jul 19, 2025

Your latest script is working very well. Failover has zero to 2 packets lost. No issues with Unbound DNS or multi-home OPT interfaces to DMZ servers. Cheers and thank you for all your effort here!!

Yes, and sorry I dropped the additional interfaces. I figured if that is something you need it can be built into CARP and firewall rules to exclude the physical addresses but allow the VIP, just like what we need to do with DHCP anyway, otherwise hosts will communicate with both routers. This allows even the dhcpd and unbound to stay up and be CARP aware.

[image]

This way only services that use broadcast (like, I think, udprepeater and some others that might still not work the best in CARP failover) need to be managed. As long as it's a port-based service you can do the CARP blocks like this and make the service CARP aware. In fact you might want to block all ports on the physical addresses besides SSH and HTTPS, as long as you allow router phy to router phy before the block.

I am pretty restrictive, and I log blocks on the ! (not) VIP requests and reconfigure those hosts to use, for example, NTP on the interface instead of trying to get out and skew my times, or DNS. Then for select services I poke a hole before the general block rule.
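The rule pattern from the reply above (router phy to router phy passes first, holes for selected services, then everything else aimed at the physical address is logged and blocked while clients use the VIP), as an added example that is neither the gist's nor the commenter's own configuration. OPNsense builds its ruleset from the GUI; this emits the same ordering in pf.conf syntax so it can be parse-checked with `pfctl -nf -` and compared with what the GUI produces, and it includes a small check that the router-to-router pass really sits before the block. Interface `em1`, the 192.0.2.0/24 addresses and ports 22/443/53/123 are assumed values.

```shell
#!/bin/sh
# Added example (not the gist's code): emit the CARP-aware rule set from the
# comment above in pf.conf syntax. All interface names, addresses and ports
# are assumed values for illustration.

# build_phy_block_rules IFACE SELF_PHY PEER_PHY VIP
#   SELF_PHY  this node's physical address on IFACE
#   PEER_PHY  the other node's physical address on IFACE
#   VIP       the CARP address clients are supposed to use
build_phy_block_rules() {
    iface=$1; self=$2; peer=$3; vip=$4
    cat <<EOF
# 1. router phy to router phy must pass before any block (pfsync, config sync)
pass in quick on $iface from $peer to $self
# 2. admin access to this node's physical address (SSH, HTTPS)
pass in quick on $iface proto tcp from any to $self port { 22 443 }
# 3. holes for selected services that are reached on the VIP (DNS, NTP)
pass in quick on $iface proto { tcp udp } from any to $vip port { 53 123 }
# 4. everything else aimed at the physical address is logged and dropped
block in log quick on $iface from any to $self
EOF
}

# rules_ordered RULES: succeed only if the router-to-router pass precedes the
# block rule, which is the ordering the comment above insists on
rules_ordered() {
    peer_line=$(printf '%s\n' "$1" \
        | grep -n '^pass in quick on [^ ]* from [^ ]* to [^ ]*$' \
        | head -n1 | cut -d: -f1)
    block_line=$(printf '%s\n' "$1" \
        | grep -n '^block in log quick' \
        | head -n1 | cut -d: -f1)
    [ -n "$peer_line" ] && [ -n "$block_line" ] && [ "$peer_line" -lt "$block_line" ]
}
```

`build_phy_block_rules em1 192.0.2.2 192.0.2.3 192.0.2.1 | pfctl -nf -` parses the rules without loading them. The `quick` keyword is what makes the order matter: without it pf takes the last matching rule, so the block would win over the earlier passes. As the comment says, broadcast-based services such as DHCP are not covered by address-based rules like these.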
