Not currently no.
The vast majority of data is actually all pulled in via a single api request so this is not really needed.
The exception to that is the device tracker integration which has itās own polling interval for several reasons.
ok perfect, you even did think about this, thank you again
Hey @travisghansen - first off thanks for this integration!
I seem to be having the same or similar issue as reported here:
When I try to hook up the integration, I get the error:
[%key:common::config_flow::error::unknown%]
Logs confirm this:
Any ideas?
Could this integration report back IP addresses to an entity?
I would like to set up Home Assistant monitoring the IP address of the client connecting to PfSense OpenVPN server.
This information is shown on PfSense dashboard, on the OpenVPN pane.
Is there an existing service, or can you add a service to reset the firewall states table? Firewall rule switches work great, love it, but some times it is necessary to reset the state table for rules newly enabled to take effect immediately with existing connections
okay I was in a hurry so Iāve coded a flush states service and submitted a pull request
Itās hard to say whatās going on here. Iāve not experienced it so itās hard to debug obviously if you discover something do share on github so we can correct it as best we can!
Thanks for that! I provided some comments and weāll get it merged.
Iām not sure what youāre asking for exactly here. I honestly spend more time in github than on this forum so maybe open an issue over there and weāll discuss and see what we can do!
In pf, enabled firewall rules are only applied to new connections. Any existing connection that would be subject to the rule will not be affected.
Great example would be an RTSP camera streaming rule: I want to enable a pfsense rule that blocks access to a camera subnet. Okay, enabling a blocking rule works for new camera connections, but I want existing connections to be terminated also.
The only method to affect existing connections, with a newly enabled firewall rule, is to kill the existing connections. This is performed by removing the connections from the state table or by resetting the entire state table. Complex changes to the firewall may require that the entire state table is reset.
The pr I submitted provides services that perform this function, and may be needed by others who want to toggle firewall rules
Killing states in pfSense is really disruptive to your network and ideally should never be done except for extreme cases.
- States from blocking rules are not dropped when the rule is toggled.
- States from passing rules are dropped when the rule is toggled.
Hereās what I do to get the result youāre looking for:
-
Create a rule to block all traffic to your camera subnet
-
Create a second rule to allow traffic to your camera subnet, make sure the rule is higher in the list
-
Now when you toggle the Allow rule, states for these connections will be dropped immediately, without affecting other states.
yeah I tested this scenario, before I postedā¦
and it does not work on pfsense 2.6 toggling the allow/pass rule does not drop existing connections immediately (or ever) as you sayā¦ these steps do not work for any of my existing rtsp connections, but I can see how these steps might āappearā to work for a connection that appears to be stay open but in fact it a series of reconnections.
true, but instead of the entire state table, it is possible to kill specific connections, and Iāve added a service to travisās integration for targeting specific states. Iāll agree that reseting the entire state table is undesirable and should be used as a last resort
pfsense packet filter rules changes are only applied to new connections.
Will this integration allow me to block on a per client basis on my network? Like kids tablet or pc. Need wireless and wired.
Like this guy did here: https://peyanski.com/home-assistant-unifi-integration-how-to/
This is the only thing I have seen so far (in my limited research) that can do this, but Iād rather not go the ubiquiti route.
I havenāt used pfsense in over a decade, but getting to the point where I need a more powerful firewall and looking into what will work for me at this time. Some control of my network in a way that is user friendly and others in my home can understand (in lovelace) would be great.
Wow. Ok, this is exactly what I came here to look for.
So in Services ā Captive Portal ā Edit ā Macs, I have a bunch of MAC addresses that I allow traffic to pass to/from. It would be amazing if I could toggle something in HA that would allow me to disallow/allow traffic for a particular MAC address.
Is this possible? Sorry, Iām not the sharpest tool in the shed, so Iām basically trying to figure this out as I go!
I would like to use this integration only as device_tracker, so I created a dedicated account for it in pfsense and gave this account only the āWebCfg - Diagnostics: ARP Tableā privilege. This works great in Pfsense. When I login to the Pfsense UI with the account, I only see the ARP Table and nothing else.
When I configure this limited account in the pfsense integration, I get the error message āUser has insufficient privileges (System - HA node sync)ā. I do understand that this integration can do more, which requires additional Pfsense privileges. But from a security point of view, I do not like having a automated process having admin access to the heart of my network.
Would it be possible to change the integration, so it does still work as device_tracker, through the limited āWebCfg - Diagnostics: ARP Tableā privilege? By tweaking the ARP expiration time (for instance to 5 minutes) in Pfsense, I still get a fairly quick update time for the device_tracker (5 minutes is good enough for my purposes), without the need to give PfSsense admin permissions to a automated process.
If you only want device tracker you could look into nmap tracker. Then you donāt need to worry about logging into pfsense.
Yes. You can easily toggle individual firewall rules so assuming you create a rule per device you should be good to go!
There currently is no integration with captive portal but that could likely be achieved easily enough. The switches currently created are for the firewall rules themselves.
The whole of the integration uses xmlrpc (including the device tracker integration) so it will not work with only that permission. However if you do setup the integration I assure you the logic will likely work much better than the other options floating around.