Archive for July, 2014

Automatically update pfSense firewalls (with puppet)

July 14th, 2014

Updating pfSense firewalls is easy and stable thanks to its proven upgrade mechanisms. So why should I use the WebGUI to update every pfSense firewall manually? If you have multiple pfSense firewalls and a working test environment, there is no reason to avoid automatic updates.

I’ve extracted a portion of the pfSense firmware upgrade code and put together a small PHP script. This makes it possible to automatically update pfSense. In combination with puppet you need just one line to enable automatic updates:

class { 'pfsense_autoupdate': }

Now your pfSense firewall will check hourly for new versions and install them (almost) instantly. If you want more control you can specify any of the optional parameters:

class { 'pfsense_autoupdate':
  major_updates => false,
  update_hours => ['22-23', '2-4', 6],
  update_weekdays => ['6-7'],
  random_sleep => false,
  firmware_url => 'http://example.com/pfsense/firmware/',
  sig_verification => false,
  quiet => true,
}

You may download the PHP script and puppet module from puppet forge. Additionally you may want to check out the project page on github. Note that you need the puppet agent for pfSense and my pfSense provider collection for this to work.
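To make the scheduling parameters above concrete, here is an added Python illustration of how an hourly run would decide whether it is inside the configured window, plus the two manifest settings a reviewer would flag. This is example code, not part of the pfsense_autoupdate module. It assumes (the page does not document this) that update_hours and update_weekdays accept integers or 'a-b' range strings, that weekdays are numbered 1 (Monday) to 7 (Sunday), and that leaving a window parameter out means no restriction.

```python
"""Worked illustration of the pfsense_autoupdate window parameters.

Added example, not code from the pfsense_autoupdate module. Assumptions:
update_hours / update_weekdays are lists of ints or 'a-b' range strings,
weekdays run 1 (Monday) .. 7 (Sunday), and an omitted window means
"no restriction".
"""
import datetime


def expand_ranges(spec, lo, hi):
    """Turn ['22-23', '2-4', 6] into {22, 23, 2, 3, 4, 6}, rejecting out-of-range values."""
    allowed = set()
    for item in spec:
        text = str(item)
        if '-' in text:
            start, end = (int(p) for p in text.split('-', 1))
        else:
            start = end = int(text)
        if not (lo <= start <= end <= hi):
            raise ValueError(f'window entry {item!r} outside {lo}-{hi}')
        allowed.update(range(start, end + 1))
    return allowed


def update_allowed(now, update_hours=None, update_weekdays=None):
    """True when `now` (a datetime) lies inside both the hour and the weekday window."""
    hours = expand_ranges(update_hours, 0, 23) if update_hours else set(range(24))
    days = expand_ranges(update_weekdays, 1, 7) if update_weekdays else set(range(1, 8))
    return now.hour in hours and now.isoweekday() in days


def allowed_at(year, month, day, hour, update_hours=None, update_weekdays=None):
    """Convenience wrapper for callers working from a log timestamp."""
    return update_allowed(datetime.datetime(year, month, day, hour), update_hours, update_weekdays)


def config_warnings(params):
    """Return the security-relevant findings a reviewer would raise on a manifest."""
    findings = []
    url = params.get('firmware_url', '')
    if params.get('sig_verification') is False:
        findings.append('sig_verification=false: the firmware signature is never checked')
    if url.startswith('http://'):
        findings.append('firmware_url is plain HTTP: the image is fetched without transport integrity')
    return findings


if __name__ == '__main__':
    # The window from the manifest above: late evening, early morning, and 06:00, weekends only.
    hours, days = ['22-23', '2-4', 6], ['6-7']
    print('Sat 2014-07-12 23:00 ->', allowed_at(2014, 7, 12, 23, hours, days))   # True
    print('Mon 2014-07-14 23:00 ->', allowed_at(2014, 7, 14, 23, hours, days))   # False
    for finding in config_warnings({'firmware_url': 'http://example.com/pfsense/firmware/',
                                    'sig_verification': False}):
        print('WARNING:', finding)
```

The two warnings are worth keeping in view when copying the parameter list: with sig_verification set to false and an http:// firmware_url, nothing on the path from the mirror to the firewall authenticates the image that gets installed automatically.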

Prepare pfSense for RANCID (with puppet)

July 14th, 2014

pfSense is a great firewall and RANCID is a good choice for regular configuration backups. Sounds like a good team? It is! And it has been for years. But configuring pfSense for RANCID can be a pain. I wrote a puppet module to make it easier. You may download it from puppet forge.

Now configuring pfSense for RANCID is quite simple:

class { 'pfsense_rancid':
  password => '$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.',
}

I’ve added some optional parameters to make it suitable for most environments:

class { 'pfsense_rancid':
  username       => 'backupuser',
  password       => '$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.',
  authorizedkeys => [
    'ssh-rsa AAAAksdjfkjsdhfkjhsdfkjhkjhkjhkj user1@example.com',
    'ssh-rsa AAAAksdjfkjsdhfkjhsdfkjhkjhkjhkj user2@example.com',
  ],
  diskusage      => false,
}

Note that you need the puppet agent for pfSense and my pfSense provider collection for this to work.
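A malformed entry in the authorizedkeys list above just leaves the backup user unable to log in, which RANCID reports only as a failed collection. The following added Python check (example code, not part of the pfsense_rancid module) validates each entry the way OpenSSH parses it: "<type> <base64 blob> [comment]", where the blob is a sequence of length-prefixed fields whose first field must repeat the declared key type. The keys it builds and checks are constructed for the demo and are not real keys; the page's own placeholder entry is used as the negative case.

```python
"""Sanity-check authorized_keys entries before handing them to pfsense_rancid.

Added example, not part of the pfsense_rancid module. The demo key is
constructed from toy numbers and is NOT a usable key.
"""
import base64
import struct

ALLOWED_TYPES = {'ssh-rsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256'}


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack('>I', len(data)) + data


def parse_blob(blob):
    """Split an SSH key blob into its length-prefixed fields, rejecting truncation."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError('truncated length prefix')
        (length,) = struct.unpack('>I', blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError(f'field length {length} exceeds blob size')
        fields.append(blob[offset:offset + length])
        offset += length
    return fields


def validate_authorized_key(entry):
    """Return (ok, reason) for one authorized_keys line."""
    parts = entry.split(None, 2)
    if len(parts) < 2:
        return False, 'expected "<type> <base64> [comment]"'
    key_type, encoded = parts[0], parts[1]
    if key_type not in ALLOWED_TYPES:
        return False, f'unsupported key type {key_type!r}'
    try:
        # validate=True rejects characters outside the base64 alphabet
        blob = base64.b64decode(encoded, validate=True)
        fields = parse_blob(blob)
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        return False, f'malformed key blob: {exc}'
    if not fields or fields[0] != key_type.encode():
        return False, 'blob does not start with the declared key type'
    if key_type == 'ssh-rsa' and len(fields) != 3:
        return False, 'ssh-rsa blob must carry exactly the exponent and the modulus'
    return True, 'ok'


def make_demo_rsa_entry(comment):
    """Construct a structurally valid ssh-rsa entry from toy numbers (NOT a usable key)."""
    e = (65537).to_bytes(3, 'big')
    n = b'\x00' + bytes(range(1, 65))    # 64 toy modulus bytes; leading zero keeps the mpint positive
    blob = ssh_string(b'ssh-rsa') + ssh_string(e) + ssh_string(n)
    return f'ssh-rsa {base64.b64encode(blob).decode()} {comment}'


if __name__ == '__main__':
    candidates = [
        make_demo_rsa_entry('user1@example.com'),
        # the placeholder from the manifest above: valid base64, but not an SSH key blob
        'ssh-rsa AAAAksdjfkjsdhfkjhsdfkjhkjhkjhkj user2@example.com',
    ]
    for entry in candidates:
        ok, reason = validate_authorized_key(entry)
        print(f'{"OK " if ok else "BAD"} {entry[:40]}...  ({reason})')
```

Running the check against the manifest's own placeholder keys shows why a structural test matters: the string decodes as base64 without complaint, but its first length prefix claims 146 bytes in a 24-byte blob, so sshd would never accept it.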


pfSense user/group management with puppet

July 14th, 2014



Installing puppet on pfSense firewalls

July 14th, 2014

Preface

While pfSense offers a rather large collection of packages, there is currently no puppet package available. However, there is a pull request to add a puppet package, but it has not been accepted yet. Please join the discussion here.

Some people might tell you to just install a FreeBSD package in pfSense to get puppet. Don’t do it, it’s just wrong. pfSense isn’t plain FreeBSD, it is an appliance and thus a different kind of beast. There are good reasons to use specialized pfSense packages.

Besides the technical reasons, the puppet package on pfSense includes a small but nice GUI component, as you can see from the screenshot below.

[Screenshot: puppet_pfsense (the puppet package GUI in pfSense)]

Configure package repo

Since there's no official puppet package for pfSense yet, we need to use an unofficial package. I've set up a pfSense package repo so everyone may check out puppet on pfSense. To use this unofficial repo you need to open a hidden settings page in your pfSense firewall:

https://pfsense.example.com/pkg_mgr_settings.php

This allows you to configure a non-official server for packages. Enter pfsense.moov.de for Base URL and click Save. Now go to Available Packages tab, find the puppet package and install it.

Configure puppet agent

Go to Services->Puppet to configure the puppet agent. You may want to change the Puppet Server and Environment settings. Once you click Save, the puppet agent configuration will be created and pfSense will try to start the puppet agent daemon. Of course, this will fail, since no signed SSL certificate is available yet. Now you should see a certificate request on your puppet master.

Once the certificate has been signed by your puppet master, you need to restart the puppet agent. Go to Status->Services and restart the puppet service accordingly.

Debug puppet agent

Now verify that the puppet agent is running. Go to Services->Puppet and open the Status tab. The agent should be running and no errors should be reported for the last run. The Facts and Debug tabs provide additional debug information. Additionally you may want to check Status->System Logs to see the log messages from the last puppet run.

If your puppet agent is still not running you may want to open a pfSense shell and run puppet agent --test --verbose.

What’s next

Currently the number of ready-to-use puppet modules for pfSense is very limited, but most FreeBSD compatible modules/providers should work. You may also want to check out my collection of pfSense providers, pfsense_rancid module and pfsense_autoupdate module.
