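# CARP/pfsync firewall ifstated.conf file. For use where
# your external interface is provided via DHCP from your ISP.
#
# origins: Christer Solskogen
# https://marc.info/?l=openbsd-misc&m=167299046309551&w=2
#
# Could probably use some abstraction, except variables don't
# go inside quotes.
#
# For customizing for your use, look for the "###" commented
# lines below.
#
# Basic strategy:
# 1) External interface is NOT CARPed
# 2) External interface on both nodes is set to a common
#    lladdr
# 3) The machine in the CARP backup state has its external
#    interface in a "down" state, it routes through the
#    "active" machine, and flushes its old routes
# 4) The machine in the CARP Master state has its external
#    interface brought up, and configured for DHCP.
#
# this way, the ISP always sees the same lladdr (MAC address),
# and presumably gives the same IP address after a CARP flip.
#
# Note: the strings given to "run" are handed to ifstated(8)
# verbatim, so keep them literal -- no variable expansion.

# Link-state tests on the CARP interface. carp_down is the
# negation of carp_up; carp_init covers the "unknown" link
# state seen right after the interface comes up.
carp_up = "carp0.link.up"
carp_down = "!carp0.link.up"
carp_init = "carp0.link.unknown"

init-state auto

# Initial dispatch: pick master or backup from the current
# carp0 link state. The backup arm must test carp_down (not
# carp_up a second time), otherwise a node that starts with
# carp0 down never leaves "auto".
state auto {
	if ($carp_up) set-state fw_master
	if ($carp_down) set-state fw_backup
}

# Master: take over the external interface, get a lease via
# DHCP, and reload the ruleset so pf sees the new address.
state fw_master {
	init {
		run "route -qn flush"
		### replace re0 below with your external interface
		run "ifconfig re0 inet autoconf"
		run "pfctl -f /etc/pf.conf"
	}
	if ($carp_down) set-state fw_backup
	# Presumably lets the link settle before re-evaluating;
	# the original does not say why.
	if ($carp_init) run "sleep 2"
}

# Backup: drop the external address so this node stops
# answering for the shared lladdr, flush stale routes, and
# route outbound traffic through the master instead.
state fw_backup {
	init {
		### replace re0 below with your external interface
		run "ifconfig re0 -inet"
		run "route -qn flush"
		### replace 192.168.1.1 with a valid route to the
		## outside world IF this machine is not the gateway
		run "route add default 192.168.1.1"
	}
	if ($carp_up) set-state fw_master
}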