Netgate Discussion Forum

New! Ansible Module for pfSense that uses developer shell pfSsh.php

    bevhost
    last edited by Apr 19, 2019, 7:53 AM

    Re: Pfsense Installation using Ansible??

    I have just released some ansible modules I built for deploying pfsense firewall configurations.
    One design goal was the ability to export the XML config and convert parts of it to YAML for Ansible.
    Especially handy for having default firewall aliases and rules across many firewalls.
    See https://github.com/bevhost/ansible-module-pfsense

    Modules completed so far:
    Basic system configuration module, DNS, timezone, NTP, SNMP, etc., plus modules for Interfaces, Aliases, Filter Rules, Auth Servers, Certificates, Groups, Password & SSH Keys, Virtual IPs, High Availability Sync, FRR RAW with BGP, Applying Settings

      opoplawski
      last edited by Oct 28, 2019, 9:21 PM

      I'd be interested in your comparison to the approach taken here: https://github.com/opoplawski/ansible-pfsense

        bevhost
        last edited by Nov 3, 2019, 5:22 AM

        I think the main difference is that my modules only call the PHP shell on pfSense and don't use XML in any way.
        I also wanted to use an XML to YAML converter to download an existing configuration and create playbook data.
        Back in 2018 when I started, I could not find anything online that was anywhere close to everything I needed.

        As for whether it's best to use the PHP Shell or write XML on the firewall, that is not for me to say.
        Better to ask the pfSense developers about that.

        It was imperative that as much of the firewall configuration as possible could be set up from ansible.
        I still find I have to go into the WebUI and step through the wizard to complete the basic install after ansible is done with it.

        I'd also love to have cloud-init working with it to save the initial console setup.

          maglub
          last edited by Nov 30, 2019, 10:25 AM

          Regardless of approach, I think this is something that is extremely important for me as a systems designer and systems integrator.

          It would be awesome if there would be some "official" momentum from the pfSense/Netgate side to support such an initiative.

          What I have been looking for for a couple of years is some sort of automated fleet management of firewalls. My preferred orchestration is Ansible.

          I agree with your requirements, as I have understood them:

          • Bootstrapping per API or Ansible
          • Idempotent maintenance per Ansible
          • Using the WebGui for particularities (which will later on be overwritten by Ansible), for easy troubleshooting

          Thanks for your efforts, I wish you a great day!

          //magnus

            JeGr LAYER 8 Moderator @maglub
            last edited by Dec 3, 2019, 2:08 PM

            @maglub If your main focus is automation and later on managing only/primarily through automated processes (as you write: later overwritten by ansible...), then perhaps you're looking at the wrong product and should take a look into TNSR?

            Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

            If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
