The vast majority of data is actually all pulled in via a single API request, so this is not really needed.
The exception to that is the device tracker integration, which has its own polling interval for several reasons.
OK, perfect, you even thought about this. Thank you again.
Hey @travisghansen - first off thanks for this integration!
I seem to be having the same or similar issue as reported here:
When I try to hook up the integration, I get the error:
[%key:common::config_flow::error::unknown%]
Logs confirm this:
Any ideas?
Could this integration report back IP addresses to an entity?
I would like to set up Home Assistant to monitor the IP address of the client connecting to the pfSense OpenVPN server.
This information is shown on the pfSense dashboard, in the OpenVPN pane.
Is there an existing service, or can you add a service to reset the firewall states table? Firewall rule switches work great, love it, but sometimes it is necessary to reset the state table for newly enabled rules to take effect immediately on existing connections.
Okay, I was in a hurry, so I’ve coded a flush-states service and submitted a pull request.
It’s hard to say what’s going on here. I’ve not experienced it, so it’s hard to debug. Obviously, if you discover something, do share it on GitHub so we can correct it as best we can!
Thanks for that! I provided some comments and we’ll get it merged.
I’m not sure what you’re asking for exactly here. I honestly spend more time on GitHub than on this forum, so maybe open an issue over there and we’ll discuss and see what we can do!
In pf, enabled firewall rules are only applied to new connections. Any existing connection that would be subject to the rule will not be affected.
A great example would be an RTSP camera streaming rule: I want to enable a pfSense rule that blocks access to a camera subnet. Okay, enabling a blocking rule works for new camera connections, but I want existing connections to be terminated also.
The only method to affect existing connections with a newly enabled firewall rule is to kill the existing connections. This is performed by removing the connections from the state table or by resetting the entire state table. Complex changes to the firewall may require that the entire state table be reset.
The PR I submitted provides services that perform this function, and they may be needed by others who want to toggle firewall rules.
Killing states in pfSense is really disruptive to your network and ideally should never be done except for extreme cases.
Here’s what I do to get the result you’re looking for:
Create a rule to block all traffic to your camera subnet
Create a second rule to allow traffic to your camera subnet, make sure the rule is higher in the list
Now when you toggle the Allow rule, states for these connections will be dropped immediately, without affecting other states.
Yeah, I tested this scenario before I posted…
and it does not work on pfSense 2.6: toggling the allow/pass rule does not drop existing connections immediately (or ever) as you say… These steps do not work for any of my existing RTSP connections, but I can see how these steps might “appear” to work for a connection that appears to stay open but is in fact a series of reconnections.
True, but instead of the entire state table, it is possible to kill specific connections, and I’ve added a service to Travis’s integration for targeting specific states. I’ll agree that resetting the entire state table is undesirable and should be used as a last resort.
pfSense packet filter rule changes are only applied to new connections.
Will this integration allow me to block on a per client basis on my network? Like kids tablet or pc. Need wireless and wired.
Like this guy did here: https://peyanski.com/home-assistant-unifi-integration-how-to/
This is the only thing I have seen so far (in my limited research) that can do this, but I’d rather not go the ubiquiti route.
I haven’t used pfSense in over a decade, but I’m getting to the point where I need a more powerful firewall and am looking into what will work for me at this time. Some control of my network in a way that is user friendly and that others in my home can understand (in Lovelace) would be great.
Wow. Ok, this is exactly what I came here to look for.
So in Services – Captive Portal – Edit – Macs, I have a bunch of MAC addresses that I allow traffic to pass to/from. It would be amazing if I could toggle something in HA that would allow me to disallow/allow traffic for a particular MAC address.
Is this possible? Sorry, I’m not the sharpest tool in the shed, so I’m basically trying to figure this out as I go!
I would like to use this integration only as a device_tracker, so I created a dedicated account for it in pfSense and gave this account only the “WebCfg - Diagnostics: ARP Table” privilege. This works great in pfSense. When I log in to the pfSense UI with the account, I only see the ARP Table and nothing else.
When I configure this limited account in the pfSense integration, I get the error message “User has insufficient privileges (System - HA node sync)”. I do understand that this integration can do more, which requires additional pfSense privileges. But from a security point of view, I do not like having an automated process with admin access to the heart of my network.
Would it be possible to change the integration so it still works as a device_tracker through the limited “WebCfg - Diagnostics: ARP Table” privilege? By tweaking the ARP expiration time (for instance to 5 minutes) in pfSense, I still get a fairly quick update time for the device_tracker (5 minutes is good enough for my purposes), without the need to give pfSense admin permissions to an automated process.
If you only want device tracker you could look into nmap tracker. Then you don’t need to worry about logging into pfsense.
Yes. You can easily toggle individual firewall rules so assuming you create a rule per device you should be good to go!
There currently is no integration with captive portal but that could likely be achieved easily enough. The switches currently created are for the firewall rules themselves.
The whole of the integration uses XML-RPC (including the device tracker integration), so it will not work with only that permission. However, if you do set up the integration, I assure you the logic will likely work much better than the other options floating around.
I was hoping you’d say that…I kinda thought so, but thanks for confirming.
Now I just need to find some hardware to run pfSense on… chip shortage and all… things are super expensive right now.
thanks