this post was submitted on 28 Jan 2025
6 points (100.0% liked)

networking

2932 readers
1 users here now

Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

founded 2 years ago
MODERATORS
manifex@sh.itjust.works
6
Automating pfsense interface up/down? (lemmy.ml)
submitted 3 weeks ago by brownmustardminion@lemmy.ml to c/networking@sh.itjust.works
7 comments fedilink hide all child comments
 

I'm looking to automate/script my pfsense wireguard tunnels so that each wireguard tunnel only goes up if there are one or more clients connected to the subnet associated with that tunnel and goes down once all clients have disconnected. I was wondering if there is already a plugin that accomplishes this or can be adapted, otherwise what is best practice for running scripts on the pfsense box?

My initial thought was to have a cronjob monitor the various DHCP servers for each subnet, then initiate a script to connect the associated wireguard tunnel if it detects any active DHCP leases on that subnet.

I have multiple subnets on this box, each with it's own wireguard gateway. I like the idea of only making the VPN connection if there is a client calling for it.

you are viewing a single comment's thread
view the rest of the comments
[–] InEnduringGrowStrong@sh.itjust.works 2 points 3 weeks ago (4 children)

The thing with a cron job is that it would likely be every minute at best.
If I connect at 20:25:01 and I have to wait 59 seconds for the next cron pass, it'll probably be noticeable and annoying.

I haven't done pfsense in a while but it shouldn't be too complicated.
I think they still use ISC DHCP? If so, I vaguely remember you could use hooks or something event based instead of checking for leases every x time.
Something like this in dhcpd.conf:

on commit {
  execute("/path/to/wg-up.sh")

Now... bringing it down is generally less "urgent" and a cron job that checks the number of leases would be fine. Being more instantaneous in bringing it up but taking your time to bring in down would be beneficial and introduce some sort of hysteresis so it flaps less.

[–] brownmustardminion@lemmy.ml 1 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

To my frustration, I've tried both your method with ISC and a run_script hook with Kea, and pfsense just overwrites the custom configs. There's a PR on their github but it's been sitting there for months.

[–] InEnduringGrowStrong@sh.itjust.works 1 points 3 weeks ago* (last edited 3 weeks ago)

Well that's annoying.
You could probably read the file where it writes the leases instead. Although that isn't event based unless you do your own wrapper to check it every second instead of cronus minutes

load more comments (2 replies)