pfSense Integration

I added generic tooling/services to handle this and pretty much any other situation you can dream up, but I am likely to merge that PR to make it easier to use.

Merged and released in v0.5.7

Thanks @travisghansen for merging this in. Updated to 0.5.7 and it works great! Also thanks to @markfrancisonly.

FYI, for anyone else wanting to toggle a firewall rule and have it take immediate effect (i.e. kill the established sessions), see the example below. This toggles a blocking rule, waits 3 seconds, then, if the blocking rule is "on", it kills ONLY the associated established connections. There may be a tidier way, but this works great for my needs.

sequence:
  - service: switch.toggle
    data: {}
    target:
      entity_id: switch.eso_router_filter_rule_1659828645_block_office_tv
  - delay:
      hours: 0
      minutes: 0
      seconds: 3
      milliseconds: 0
  - condition: state
    entity_id: switch.eso_router_filter_rule_1659828645_block_office_tv
    state: "on"
  - service: pfsense.kill_states
    data:
      entity_id: binary_sensor.eso_router_pending_notices_present
      source: 192.168.100.55

Thanks for the example!
One question, though: what is the source IP at the end? Is that your office TV that you are blocking, or the IP of pfSense?

I have a VLAN that my kids use. I started out using a time blocking rule in my wifi Access Point and that worked great because the wifi network just goes away! Everything except for the fact that it was really hard to make an exception for if I wasn't home.
I moved to blocking them with pfSense, but they can still continue surfing with established connections, so this new ability to kill states will be good. So if that source is the IP you are blocking, is there a way to do an interface in pfSense?

thanks

Hi Dan. Yes, 192.168.100.55 is the IP of my Office TV, which is also used in the blocking rule. I'm not sure if you can kill the states based on interface, but you should be able to do a whole subnet (e.g. 192.168.100.0/24).

FYI, as an alternative to the above I created a separate automation which kills the states whenever the firewall blocking rule is turned on. Then you can switch the rule any way you want with no extra code.

alias: PfSense, kill sessions for Office TV
description: ""
trigger:
  - platform: state
    entity_id:
      - switch.eso_router_filter_rule_1659828645_block_office_tv
    to: "on"
    for:
      hours: 0
      minutes: 0
      seconds: 2
condition: []
action:
  - service: pfsense.kill_states
    data:
      entity_id: binary_sensor.eso_router_pending_notices_present
      source: 192.168.100.55
mode: single

Just installed and looks great!

Not sure if this has already been asked, but has it been considered to use a non-admin privileged account / what would be required / is it possible at all? I'm not overly keen on having a device store / use admin credentials to my main firewall (however unlikely it could be compromised).

Just a thought, thanks for the plugin!


Yeah, check the posts around 56 and 59. The author explained why admin is needed.


Thanks again to eltonline for the examples.
I'm trying to follow along at home, but having some issues.
I have a switch for the particular rule I'm interested in controlling through Home Assistant and that works well. When I try to follow along with the aforementioned examples, nothing happens to existing connections.
In my pfSense integration, the binary_sensor.eso_router_pending_notices_present from the example (or in the docs binary_sensor.pfsense_localdomain_pending_notices_present, or in my case binary_sensor.pfsense_pending_notices_present) has a triangle next to it and is unavailable. I'm guessing this is why nothing happens for me.

Any thoughts on what I can do to get this to not be unavailable?

I don't know why you would have a triangle for those entities, but any entity should work, so just pick one you know is working.

As it stands currently, all services are bound to all entities so you should be able to invoke any service using any entity.

Ok thanks for that info.
I used another entity and got it to work.
I was a little confused about the network to use when looking at the docs.
They say:

service: pfsense.kill_states
data:
  entity_id: binary_sensor.pfsense_localdomain_pending_notices_present
  source: "0.0.0.0/0"
  destination: "192.168.0.1/24"

And using this I couldn't get it to work. Then I remembered our friend eltonline said the source was the IP he was killing the states for, so I changed source to 192.168.0.1/24 and deleted destination and it worked!

Thanks again for your continued work on this great integration.


@travisghansen is it possible to pull in the data from the package "Status_Traffic_Totals"? It records wan/lan/vpn server traffic totals hourly, daily, monthly, etc. It can be exported via CSV file, but it would be nicer to have it in HA through your integration.

edit: looks like it's pulling the data from a sqlite database that is populated by vnstat.
So if it's easy to do, great... the more metrics the better. Else I've found several command line solutions to pull the data.

Is it possible to release and renew the WAN address with one of the services? I didn't see one, but it would be great. Our IPTV sometimes stops working, and renewing the WAN is the only way to get it up and running again. I'd love it if that could be done from Hass.

Likely very possible. Open an issue on github please for further discussion.


Probably not overly relevant, as the integration in many ways replaces the need for that via the existing metrics, but for further discussion let's open an issue on github.

I'm trying to use this integration to turn off pfBlocker. The switch properly returns the current state of pfBlocker (I can turn it on/off from pfSense and the switch reflects the current state correctly). The issue I'm having is that hitting the switch does not actually change the state in pfSense. In fact, the switch will just turn back to the old state 2 seconds or so after I attempt to change the state. The integration is using my admin login for pfSense... are there any other places that I need to reconfigure?

That's not entirely surprising; the service restart for a package does not work 100%. Open an issue on github and I'll take a look when I can. In the meantime I'm certain you could leverage the exec_php service to start/stop/etc. the service as well, but it's a bit more advanced.

I'm very sorry I didn't notice the answer until today (I got a mail when the issue was closed!), but I have tested it and it works like a charm. Thank you very much! The only things I had to change were the name of the pfSense box (of course), and I gave it 5 seconds of sleep instead of 1, to make sure it got fully renewed.


I finally had a down on the IPTV, but for some reason this time it needed a full reboot of pfSense, plus turning off and on again the converter from fiber to CAT! I need to put that into the system too, but I see that there's a service for that, so I will tie that to a second button, together with turning off the converter and then turning it on again five seconds later. So first a nice attempt and then all guns blazing. :rofl:


Hi,

I'm happily using this integration and I would like to also start using the device tracker feature; on that I have a couple of questions.

Following this link I can read:

device_tracker

In order to use the device_tracker integration you must enable it in the integration options and select the specific devices you wish to track.

Tracking uses the pfSense arp table. Each poll interval the arp table is checked for the entry and if present the device is considered Home. Additionally after the arp table is checked the arp entry is force removed (if present) from pfSense by the integration. In short, your devices must communicate with pfSense at least once each poll interval to be considered Home.

Note that by default FreeBSD/pfSense use a max age of 20 minutes for arp entries (sysctl net.link.ether.inet.max_age). You may lower that using System -> Advanced -> System Tunables if desired.

which by my understanding and referring to below picture means:

  • Device tracker Scan interval is what is mentioned above as "each poll interval"

  • Setting Device Tracker consider Home = 2*(Device tracker Scan interval) means the device is considered home if it communicates twice each poll interval

is this correct?


The consider home interval means the device is considered home at least that amount of time after it has been actually seen by the integration. It creates a sliding window.

As an example, if the value is set to ((scan interval) * 2) + 1, then if the device is present during the 1st scan interval but not present during the 2nd, the device would still be considered online. If it is still not present in the arp table for the 3rd interval, then it would go offline. If it is in the arp table for the 3rd interval, the 'window will slide'.

Said differently, once seen the device will be home until at least the considered home time has elapsed.

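The two rules from the docs quoted above (a device only shows up in a poll if it talked to pfSense since the previous poll, because the integration clears the arp entry after each check; once seen, it stays Home for the "consider home" window) interact in a way that is easier to see by simulating a poll schedule. The block below is an added model written for this thread, not code from the pfSense integration: it assumes polls happen every `scan_interval` seconds starting at t=0, that a poll at time t sees the device iff it communicated in (t - scan_interval, t], and that the window is measured from the poll at which the device was last seen (the integration's exact boundary arithmetic may differ). The communication times are constructed sample input.

```python
"""Model of the pfSense integration's device_tracker behaviour as described
in the thread. Added example, not the integration's own code."""

from typing import Iterable, List, Tuple


def polls_seeing_device(comm_times: Iterable[int], scan_interval: int,
                        horizon: int) -> List[Tuple[int, bool]]:
    """Return (poll_time, seen) for polls at 0, S, 2S, ... <= horizon.

    Assumption: because the integration force-removes the arp entry after
    every poll, the poll at time t only sees the device if the device talked
    to pfSense in the half-open interval (t - S, t].
    """
    comms = sorted(comm_times)
    polls = []
    for t in range(0, horizon + 1, scan_interval):
        seen = any(t - scan_interval < c <= t for c in comms)
        polls.append((t, seen))
    return polls


def home_timeline(polls: List[Tuple[int, bool]],
                  consider_home: int) -> List[Tuple[int, bool, bool]]:
    """Apply the sliding "consider home" window to a poll timeline.

    A device is Home while (now - last_seen) < consider_home; every poll
    that sees the device resets last_seen, which is the "window slides"
    behaviour described in the thread.
    """
    last_seen = None
    out = []
    for t, seen in polls:
        if seen:
            last_seen = t
        home = last_seen is not None and (t - last_seen) < consider_home
        out.append((t, seen, home))
    return out


def home_flags(comm_times: Iterable[int], scan_interval: int,
               consider_home: int, horizon: int) -> List[bool]:
    """Convenience: just the Home/not-Home flag per poll."""
    polls = polls_seeing_device(comm_times, scan_interval, horizon)
    return [home for _, _, home in home_timeline(polls, consider_home)]


if __name__ == "__main__":
    S = 60  # device tracker scan interval, seconds (assumed value)
    # Constructed sample: device talks to pfSense once at t=10, then goes quiet.
    for t, seen, home in home_timeline(polls_seeing_device([10], S, 240), 2 * S):
        print(f"t={t:3d}s  in_arp={seen!s:5}  home={home}")
    # With consider_home = 2*S the device survives one missed poll (t=120)
    # and is marked away on the second consecutive miss (t=180).
    print()
    # Constructed sample: the device talks again at t=170, so the poll at
    # t=180 sees it and the window slides forward.
    for t, seen, home in home_timeline(polls_seeing_device([10, 170], S, 240), 2 * S):
        print(f"t={t:3d}s  in_arp={seen!s:5}  home={home}")
```

The practical takeaway from the model is the one the quoted docs state: "consider home" must be comfortably larger than the scan interval (the first scenario above uses 2x), otherwise a device that is merely quiet for one poll, rather than absent, flaps to not-Home; lowering the arp max_age tunable does not change this, since the integration clears the entry itself after every poll anyway.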