Has anyone done any integration with pfSense?

To pull information from the system, graphs, back it up etc. Be keen to know what you did :slight_smile:


I don‘t own pfSense, but can‘t you do that with SNMP?

Yes, there are many ways. Just interested to hear thoughts from people who have used it. FauxAPI also provides some access into the system

1 Like

i have a PC waiting with pFsense and some ports…
never seem to find the time to this switch … still with my old router …

maybe if someone will give me some kind of push :slight_smile:
what are the benefits, for OH?
i can think of a good presence detection for phones… but what more?

I have pfSense but have not looked into any sort of integration with it. I suppose it’d be nice to detect when phones join the network instead of relying on the Network binding polling but I’ve not come up with any other good use cases yet.

I tend to avoid using OH as a general purpose IT monitoring service. If and when I want that I’ll probably go down the Prometheus route or use Zabbix or something like that instead. Something that is better designed to actually do network and computer monitoring. I only put into OH enough network monitoring so OH can take action when something is offline it needs to use (e.g. send an alert if the garage door controller was commanded but the RPi that controls it is offline).

But I’m curious to see what ideas people have.

I wasn’t aware this existed. I’ll need to look into it. I may not use it in my OH config but I could see using it in some of my Ansible scripts.

  • It makes managing the DHCP leases pretty easy so it’s easy to assign IPs to specific devices.
  • It is also dead simple to set up OpenVPN. I still use myopenhab.org but the vast majority of all my interactions with OH are through OpenVPN.
  • I’ve not been super happy with the bandwidth monitoring (the only thing I want is to see how much I’ve used since a specific day of the month and I still can’t find a good way to do it). I’d love suggestions. I’ve tried pfTop and darkstat so far.
  • pfBlockerNG is like piHole only it’s built in instead of needing a separate machine and it is fantastic for reducing ads and blocking malware sites. I highly recommend it.
  • I’ve played around with Snort but I don’t actually check the alerts often enough to make running it worth while.
  • Override your ISP’s DNS servers LAN wide is simple.

I still am trying to figure out how to create a guest network using pfSense and my DD-WRT wireless AP. I just can’t find the right tutorial apparently. Once I do that I will look into separating the home automation and media networks so as I add more little ESP8266s and the like they won’t slow down my Rokus.

Some or all of these may be available on your existing router.

The big thing you will notice though is that the direct benefit to OH is not super obvious and for the most part OH benefits mostly because your whole network benefits.

1 Like

yep most of your points is why i want to take my ISP router out of the game …
i cannot do even decent dhcp there, one day i will be brave and will change this :slight_smile:

I do exactly this. I have a shell script that runs on the pfsense box (via cron), which checks the pfsense arp tables for mobile phones, and posts the results to openHAB items using REST (via curl commands).


Having OH report your public IP address if you are on DHCP from an ISP is probably helpful to know if it updates.

I also looked into attempting this at one point, the vlan setup on DD-WRT (at the time) seemed like more effort than it was worth; and/or it was the br* interfaces that gave me trouble trying to setup a second SSID and eventually just lead me to obtaining Cisco APs my company were going to chuck to the curb.

Along those lines, pfSense actually supports automatically updating dynamic dns addresses with a number of providers. If I want to find that out myself though I usually just open a browser to go to whatsmyip.com. That’s faster than logging into the OH app for me.

The funny thing I seem to have both the vlan set up on pfSense and the br interfaces set up on the AP. I just can’t seem to get them to work together. I’ll get a bee in my bonnet again some day and try it again. I have no hope of getting cast off APs to solve my problem. :slight_smile:

It will become a bit more important when my little one get’s older. My plan is to put him on a guest network with parental controls and monitoring turned up. That seemed to be a decent approach when I looked into it. Maybe not.

pfblockerNG is awesome, i use my own OH2 Cloud, pfBlockerNG pulls the AWS JSON IP range file and allows it inbound on a weekly basis :slight_smile:

1 Like

In my case Dynamic DNS options don’t work as I place the firewalls in VMs and their “public” is actually another NAT’ed space. Also I believe if there is a DHCP change it may take time for records to be updated (although I doubt it would be a long time even with free account options), all depends on what needs to be fixed while away from home and considered a “crises”. :slight_smile:

I also recall DD-WRT has a vlan structure of 0 - 15, which confused me on why it could only handle the first 15/16…it makes more sense to limit users to a total of that many and allow them to select the values. :man_shrugging:
However it sounds like you made it much further than I did!

1 Like

As far as I know that 15 vlan is the actual number of vlans it’s hardware suporter by the router chip. You can use other vlan numbers like 20 or 100 etc but you can only have max 15 vlans. Cheers

1 Like

@Liviu_Ancas Good to know, perhaps this changed with newer versions of DD-WRT. I think I had a v5 of the actual WRT54G device and the vlans were static/hard set on the GUI, never went far into the CLi if that is how to change the numbers (hate having to learn stripped down CLi/OSes to configure things I can do with full CLI/OSes).

1 Like

could you share some details of what use to achieve this scripts, openhab rules to process this information,more comments on how u achieved it, thanks

Create a shell script on the pfSense server that does the following:

  1. Checks pfSense’s arp table for the mobile phone(s) that you are detecting. E.g the script below returns a count of the number of times the mobile phone name defined in the variable $phone is found in the arp table:
    /usr/sbin/arp -a | /usr/bin/grep -i $phone | /usr/bin/wc -l

  2. If the count is zero, the mobile phone is not currently present (or is switched off/airplane mode etc).

  3. If the count is greater than zero, then the device is active on the network.

  4. Assuming the result of the previous arp command is assigned to a variable count, we can post an update to openHAB’s switch item xxxx_atHome_arp for tracking this device:

if [ $count -gt 0 ]; then
	/usr/local/bin/curl -X POST --header "Content-Type: text/plain" --header "Accept: application/json" -d "ON" "http://openhab:8080/rest/items/xxxx_atHome_arp" >/dev/null 2>&1
	/usr/local/bin/curl -X POST --header "Content-Type: text/plain" --header "Accept: application/json" -d "OFF" "http://openhab:8080/rest/items/xxxx_atHome_arp" >/dev/null 2>&1

Once the script is working, you can create a cron task to run it as frequently as you need (I have mine being executed every 2 minutes).

There is no particular rules required for processing the above in openHAB (unless you want to do your own post processing). It just updates a switch item with ON for when the mobile phone is found in the arp table, or OFF otherwise.


I have both pfsense with pfblockerNG and use openvpn to remotely access OH too. I’ll keep an eye on this thread for interesting suggestions!

1 Like

It seems like this stranded here, and I can’t find any other topics that is closer. I’m looking for a way to get some basic “state” information from OPNsense (a pfSense fork that is still “open”, pfSense has gone down a dark path). What I’d primarily like to know is if the Internet connection or one of the VPN tunnels goes down. I have a siren and lights controlled by OH that could alert me to “take action” if something goes down.

While posting the status to OH using scripts like described above doesn’t look to bad, such solutions end up being pretty “fragile” for me because I forget the details once I’ve worked on a couple of other projects, and when an upgrade of one of the involved system breaks it, I have to start all over again.

Has anyone found a “less manual” solution since this was last discussed?

I have been working on a binding for pfsense. The problem with pfsense was that there was no official api. I had to use a third party addon api. I have now switched and working on a opnsense addon. Opnsense has a json api. I’m mainly focusing on features like presence and to toggle rules on and off.

Main problem is to find time so I can’t give a time line. For detecting if a vpn is down I think it will work to make a request over that interface. I run my vpn on a separate vlan, so is quite easy for me to test. I’m running a script that tests my vpn connection and publishes the result using mqtt.

1 Like

That’s great to hear, I think my remaining pfSense installation will become OPNsense too in the near future, it’s hard for me to see why anyone would stay with pfSense considering their “direction”, unless they have some very specific needs of course.

I don’t know what the OPNsense API exposes, but I’d imagine that once you have the “framework” of a plugin in place, adding channels for the state of interfaces and tunnels probably wouldn’t be too hard…?

Time is always a problem. Do you have your work on a public repo like GitHub or similar?

I understand that there’s lots of ways to monitor “connection” status, I could probably use one of the existing bindings in openHAB and just make it ping “strategic addresses”. I’m not a fan of “spamming” connections with ICMP if the information can be gotten from the source though. My goal at this point is just to orientate myself of what approaches that do exist, so that I can pick what I consider the “best” one.

If pfSense/OPNsense support SNMP, the SNMP binding would be another option.