Device Tracker with PFSENSE router

I’m using pfsense with SNMP and it works fine. I use this configuration:

device_tracker:
  - platform: snmp
    host: 10.0.0.254
    community: !secret community
    baseoid: 1.3.6.1.2.1.4.22.1.2

1 Like

Nice! I will look into that solution :+1:

Got it working already :nerd_face:

Two questions:

  1. How fast does the device update? Is it based upon the DHCP leases? It seems that the online to offline state is quite slow but the offline to online state is fast.
  2. Is it possible to import the hostname of a new device?

It’s not from DHCP, it is the table of all devices in the network. You’ll find a description here:

As for speed it works fast enough for my use - and as far as I can tell the limiting factor is my phone taking some time before it actually finds and connects to my wifi.

The MAC addresses are updated by the pfSense ARP (Address Resolution Protocol) table. Default is 20 minutes from the last time the ARP cache saw the device in question.

You can monitor the “expiration” by logging into pfSense and going to Diagnostics > ARP Table; you will see all the devices and a second-value counting down. It is updated either when there is traffic from the device thru the router, or when a device replies to an ARP request packet on the network and the router hears it. Some things play better than others (our LG Android phones seem to not update the table as often as computers and tablets).

The expiration is set by a kernel variable which you can add a custom value to adjust if you want a shorter time. The risk if it’s too short is there will be more ARP resolution traffic on your network and things may show as “not online” when they really are. Probably not a big deal on a small home network to go as low as 5 minutes, but I found I had to go up to 6 minutes with a “consider home” of 6 minutes to avoid some phones dropping out when they are really still home.

The default value is 20 minutes for ARP purging. You can go to System > Advanced > Tunables, and modify (create) “net.link.ether.inet.max_age” value in seconds. For 6 minutes, I set it to 360.

For the Hassio tracker, I found this worked most reliably (avoiding false-negatives - I really don’t want lights and radios going on-off scaring us when we are home but phones are idle)

# pfSense device tracker
# Useful command to browse SNMP output: "snmpwalk -Os -c public -v 2c 192.168.1.1"
device_tracker:
  - platform: snmp
    host: 192.168.1.1
    community: public
    baseoid: .1.3.6.1.2.1.4.22.1.2
    interval_seconds: 20
    consider_home: 360

I also strongly recommend you only turn on the SNMP features you use, just to cut down on what might be exposed and what resources might be used.

Under Services > SNMP I found the only thing I needed to leave enabled was “SNMP modules: MibII” and I also restricted it only to the VLAN/Interface that my trusted network devices are sitting on.

One other note, I also found I could fiddle with the SNMP string to get Hassio to see all VLANs all devices, or only one VLAN of devices (using SNMPwalk command, looking at output) but I don’t know if it’s a predictable pattern (e.g. VLAN-ID, or ???). This could be useful if you REALLY only care about tracking devices on a specific VLAN vs tracking all VLANs.

As for hostname…I haven’t looked into that, I have duplicate hostnames because some people have the same model of phone and they all show as “BRAND-MODEL” which is useless if I can’t tell which is what. I make a “person” for each “thing” I want to track, and add the relevant MAC addresses to it. For example, my TV is “a person” so I can track if it’s on or off, as is my HTPC (with both network MAC addresses added to the “person”). The hostname thing also gets funky with stuff that doesn’t properly report a hostname (e.g. static IP devices) but the MAC addresses work on everything, no matter what.

If you really want to investigate what else you can pull, look at the snmpwalk command and you can manually browse thru everything that pfSense is reporting looking for fields of interest.

8 Likes
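
Added example, not part of the thread: in MIB-II each row under this baseoid (ipNetToMediaPhysAddress) is indexed by interface index and then IP address, which is why appending a number to the baseoid narrows the walk to one interface or VLAN. The Python below parses snmpwalk output into per-interface tables and builds the narrower OID; the sample rows, the interface numbers 1 and 7, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

BASEOID = "1.3.6.1.2.1.4.22.1.2"  # ipNetToMediaPhysAddress, the baseoid from the posts

# Constructed sample of snmpwalk output (not captured from a real router).
# First three lines: symbolic form (-Os); last line: numeric form (-On).
SAMPLE = """\
ipNetToMediaPhysAddress.1.192.168.1.20 = STRING: 2:1b:21:3a:4f:c2
ipNetToMediaPhysAddress.1.192.168.1.31 = STRING: 6:5e:60:d:9:7f
ipNetToMediaPhysAddress.7.192.168.30.5 = STRING: a:22:fb:0:11:a
.1.3.6.1.2.1.4.22.1.2.7.192.168.30.9 = Hex-STRING: 0E A6 32 01 02 03
"""

# Row index is <ifIndex>.<IPv4 address>, value is the MAC address.
LINE = re.compile(
    r"^(?:ipNetToMediaPhysAddress|\.?" + re.escape(BASEOID) + r")"
    r"\.(\d+)\.(\d+\.\d+\.\d+\.\d+) = (?:Hex-)?STRING: (.+)$"
)

def normalize_mac(raw):
    """net-snmp prints '0:1b:..' (no leading zeros) or 'DC A6 ..'; pad to aa:bb:.. form."""
    parts = re.split(r"[:\s]+", raw.strip())
    if len(parts) != 6:
        raise ValueError(f"not a 6-byte MAC: {raw!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)

def parse_arp_walk(text):
    """Return {ifIndex: {ip: mac}} from snmpwalk output of the ARP table."""
    table = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not an ARP row
        if_index, ip, raw = m.groups()
        table[int(if_index)][ip] = normalize_mac(raw)
    return dict(table)

def baseoid_for_interface(if_index):
    """Narrower baseoid that walks only one interface's ARP rows."""
    return f"{BASEOID}.{if_index}"

if __name__ == "__main__":
    for if_index, rows in sorted(parse_arp_walk(SAMPLE).items()):
        print(baseoid_for_interface(if_index), rows)
```

Which interface number belongs to which VLAN can be read from ifDescr (1.3.6.1.2.1.2.2.1.2) in the same snmpwalk output.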

This is an excellent explanation. Answered so many questions I did not yet ask. Thank you for your thorough walk through the configurations and nubs to tweak.
I will disable the SNMP modules that are not in use and good point about the hostname.

1 Like

Thanks for that detailed info. One thing that can help make the states a lot more reliable is to combine this with something like owntracks (or any other sensor) in a bayesian sensor configuration.

1 Like

Hey mmiller7, Thank you for this great explanation!

Just wondering.
As mentioned, some devices like iPhone like to go to sleep and can then appear away.
Can this be overridden by setting a shorter maximum lease time?
Then the device might be forced to wake up to re-lease the address? Anyone know?

Hey everyone! I’ve put together a new integration for pfSense which has device_tracker support among other things. No need for fauxapi.

2 Likes

I’m not familiar with Apple products so you would have to try it and see…it’s also possible that your iPhone would just not bother to attempt re-negotiation with the network until it wakes up again.

There is also no guarantee that a shorter lease will cause it to send out updated ARP (address resolution protocol) announcements before they expire in the pfSense ARP table (what is actually being used to determine if someone is “home” in the tracker) – this is a problem I have with my Android phone where it won’t actually re-announce ARP until it expires in the table and briefly goes away if it’s sleeping during that time.

On a small home network the increased traffic probably won’t hurt anything but keep in mind ALL devices will be subject to the new shorter time, remember to change it back if you experience other issues or if it doesn’t help. Typically most DHCP clients will attempt to renew their lease at half the time remaining (so if it’s 1 hour, they will attempt renew at 30 minutes) and to do this they have to come out of any power-saving-standby mode to talk which will result in worse battery life across the board.

In the integration I created I have the unique ability to actually control the arp table directly as well. The logic I’ve implemented is every <poll interval> I check if the mac is in the arp table and if so the device is considered online, if not it is considered offline. However, immediately after the arp table is checked, I remove the arp entry (only for the tracked device(s)) which ultimately ensures the device must communicate with pfSense every <poll interval> to be considered home.

In a stereotypical setup (mobile devices that come and go and fetch some background data) the results are very consistent and predictable.

That seems like it would create an insane amount of extra traffic, and also not work well with phones/tablets that go to sleep for extended time periods? Unless you then ping everything but then it will wake up and kill the battery fast (been there, done that).

If you’re referring to extra arp traffic (arp flooding) in practical terms it’s highly unlikely. It only wipes the entries for the specific devices that are tracked (it doesn’t wipe the entire arp table).

My experience with iOS is that during extended periods of sleep it neither strains the battery nor goes offline completely (I’m set at a 2.5 minute poll interval).

Ah, yeah I’m polling every ~2-3 seconds (and tracking many devices - not just people) because I have things that need to happen in near-real-time to keep people happy.

A few examples:
-Radios that turn off as someone comes home (has to be fast enough to stop people manually turning them off and then never turns on)
-Air purifiers shutting off when the TV turns on (again…has to be fast so people don’t keep shutting them off manually)
-Multi-factor stuff to compute if an authorized person came home and unlock doors (e.g. person + their car + door opener used = unlock door from garage) has to happen fast though so it beats them getting out and walking to the door to be useful.
-Thermostats readjust when anyone comes home so someone doesn’t manually shove them to an unreasonable temp and it’s heating/cooling before they see it
-Turn on lights as they walk in (home/not-home overrides motion because dogs set them off all the time)

In my case I’d much rather have “false positive” for 15-20 min thinking people are home than even 30 seconds “false negative” not detecting someone who is home

Yeah that’s a very rapid interval. To me I would split the use-case into probably 2 categories:

  • mains powered stuff
  • transient devices that are on battery (ie: phones)

For mains powered stuff a ‘ping’ tracker seems the best candidate as battery consumption is not an issue. For battery powered transient devices there are definitely lots of trade-offs to consider and there’s certainly no ‘silver bullet’. My integration is more focused on the “replace nmap” use-case than anything else. For rapid detection I use ibeacons+mobile app which also provide micro location logic (ie: not am I simply home, but what room am I in), but obviously that doesn’t work for ‘dumb’ devices which can’t have the mobile app installed :frowning:

Thanks for the integration, I seem to be stumbling at the first hurdle of installing the integration in Home Assistant. When I choose Pfsense it states config flow can not be loaded and the logs state Error occurred loading configuration flow for integration pfsense: cannot import name ‘SensorEntityDescription’ from ‘homeassistant.components.sensor’ .

Any ideas?

thanks
Andy

I’ve not heard of that one no. Restart hass if you haven’t already and make sure to do a hard refresh of the browser UI.

What version of hass are you running?

thanks, I managed to get to the same conclusion that it was down to the HASS version. I was a couple of versions back and as soon as I upgraded it worked a treat. Many thanks for taking the time to respond

1 Like

Thanks for the cool integration. Can someone show by example what it means to choose the right devices for tracking. I’m new to Home assistant.