pfSense automation and orchestration - current options, plans to extend or do we need TNSR?
-
I've started work in a new shop that has an XG7100 pair. I'm analysing the existing practices to determine areas of improvement.
Currently, all management is being done manually via the WebConfigurator. I would like to understand if there are any automation/orchestration possibilities other than web browser drivers such as Selenium?
The initial aim to be able to perform automated general management from a remote machine for the following example tasks:
- firewall rules
- DHCP and DNS entries
- interface and VLANs
- general settings
- HA management (whatever is required when VLANS are changed)
- log management and retrieval
Can these tasks be achieved via orchestration, remote scripts, file manipulation via file shares, or some other way?
I have seen one post directed the question raiser to TNSR for orchestration support. However, I did read a blog entry stating that there might be plans for pfSense 3.0.
Please would Netgate clarify the state of play.
If it is the case that orchestration capabilities will only ever be viable on TNSR, I would like to understand if it is possible to switch the XG7100 pair we have to TNSR? If so, what are the implications of such a move? I don't believe this company has any support contract at the moment and I gather a move to TNSR would be a move into to a paid subscription for the software?
If this query is better directed elsewhere, please point me in the right direction.
Thanks for any assistance.
-
Congrats on the new gig and glad to see you hit the floor running!
However, your question seems very strategic and as such, I believe, it's best to contact Netgate directly instead of posting to the forum. They will be happy to discuss with you how to best meet your long-term goals and establish a relationship to get you there. -
@NollipfSense Thank you for your reply. I have been in discussions with Netgate but it's been a non-starter.
For their own reasons, Netgate are entirely unwilling to discuss ways of automating pfSense. Their only response has been to push us towards TNSR. However, TNSR is no good for us as it won't work on our kit. We could possibly swing additional software costs but there is no way I'm going to get sign-off on scrapping our kit. We need to work with what we've got.
I'm giving up this line of enquiry. I will raise a more specific question about automating a single task, probably adding static DHCP lines as this is the most pressing automation task we have at the moment. Hopefully another shop has got somewhere with running the PHP shell remotely via some kind of batch file or custom program. Or maybe they've been able to get one of the github offerings up and running. Automating Linux-based kit just isn't my area and I'm floundering around a bit.
If I can't get a better solution than manual updates via a web GUI, we will have to go back to running DHCP/DNS services on a Windows box (which we already know how to automate).
Thank you for your assistance.
-
a lot of things can be done using the developers shell / script /macro.
if you wish to spend some time, you can hack together a script that inserts/updates/deletes the dhcp static leaseshttps://docs.netgate.com/pfsense/en/latest/development/using-the-php-pfsense-shell.html
-
@heper: I was hoping it could be done via the shell, but I'm new to executing SSH commands remotely in general, let alone driving the pfSense shell itself.
Time isn't an issue here. This shop is very keen to remove user error potential via automation as far as possible.
I've dug up some code examples of how to open SSH connections to a host (python, C#). Is that what the kind of approach you would recommend? I'm unsure how to open an SSH connection to a Linux box from a Windows machine without some kind of code library?
I'm also a bit baffled about how to navigate the shell menu once the SSH connection is open. Is it just a case of sending the menu item number as a command? To clarify what I'm talking about, the link you sent me shows a first step of selecting menu item 12. Would that be part of an automated process?
And then, once I'm in the shell remotely, I'd need to figure out the commands to use to create/edit/delete the entries. I'll have a dig around the shell documentation for that and post specific questions about that if I need to.
And finally, some kind of service restart. I'll ask about that separately too if needed.
For now, I'm just trying to proof I can open a connection from a Windows box and get into a position where I can start sending the actual PHP commands.
Any pointers would be gratefully received.
-
i would not open ssh commands remotely and push the commands.
i would run a php script on pfsense to pull a mac-address list to add or delete. The script could be started manually from shell, or automatically every day or you could possibly create a new menu entry in the webgui to start the script if you wanted ...
start by understanding the source-code below
https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/services_dhcp_edit.phpyou can use the required bits in your custom script
-
@heper : Thanks for the source link.
The use case here is that the updates will be driven by events that happen within our infrastructure management software.
When we are setting up a new server, our infrastructure management software automatically adds it to the domain, etc, etc. Part of that process is to create the DHCP static mapping and the DNS. The event is initiated from from our tooling and the updates need to happen when the tooling wants them to.
I may be misunderstanding your distinction between push/pull. What I am hoping I can do is extend our tooling to generate a script that it can then then execute remotely on the pfsense device. The key is the execution has to be when the tooling wants it. A daily or hourly or manual process isn't any good as it would cause unwanted delays.
The aim is to have no manual steps apart from the configuration of the intent. Otherwise we are going backwards. We already have DNS and DHCP automated on Windows servers. This scenario is coming up because management want to move our networking services to the pfsense kit.
Another example (for DNS this time) is when a project manager here commissions a new client-flavoured copy of our system. Our deployer will publish the components to the various servers automatically. Part of that process is to configure the new client-flavoured DNS entries for the services. Again, any manual step here would defeat the aim entirely.
To summarise:
I want to be to programmatically, from a Windows box, generate a custom script, open whatever connection I need to the pfSense device and run the generated script. I was thinking that could be done via the developer shell over an SSH connection?
-
i understand your need to automate; so yes, you can do whatever over ssh...
but then you allow some 3rd-party tooling/deployment software root access to your firewall; me personally wouldn't do that because the possible attack vector is too big for me.
it will be a trade-off between security & convenience ... not an easy balancing act
-
It's not what we want, to be sure.
What we want is a secure API as provided with TNSR. Even that has an attack surface.
Unfortunately, we can't have TNSR and management want automation. It's up to them in the end. Once I've proven the concept it goes up the chain.
All our tooling is written in-house. We want SSH on anyway for manual remote access. We intend to only allow SSH access via the DevOps segment, but yes, there is a risk element.
As you say, trade-offs :).
-
@jklmn12345 Well, I thought you were expecting to be talking about TNSR with Netgate as you indicated in your first post subject..."or do we need TNSR!" It would be unreasonable to expect Netgate to talking about pfSense when the real solution it appears you need is TNSR.
I would find out the cheapest device Netgate has that can run TNSR then draft a document with the pros/cons then submit the draft to the CEO/CIT...(you can ask the janitor to place it on the their desk when everyone left the office)...you might be surprised at the response since automation is what management wants...unless the management doesn't really know what it wants.
-
We were expecting to talk about options.
The title of my post also includes the phrase "current options, plans to extend".
I don't think being able to have such a discussion with Netgate is unreasonable at all.
There were, at one time, plans to add an API to pfSense version 3.0. Those plans were taken into consideration when our company made our purchase. Now I can't even get an answer from Netgate about whether or not those plans are still active.
And, insisting TNSR is the "only solution" is a misrepresentation of the facts by Netgate. There are definitely means of automating pfSense. As stated by @heper, we can do "whatever over ssh".
The process of working out how to do a few simple tasks via scripts would be easier for us if we could have a conversation with Netgate. And not just for free; we would pay for such assistance. But we can't, because the line from Netgate is that it just isn't possible.
We invested with Netgate when we bought the kit. Out team was split down the middle between those who wanted to take a chance on an up-and-coming vendor and those who wanted to stick with Cisco. A little guidance, paid or otherwise, helping us not to have to scrap our almost brand new kit would have been very much appreciated.
Regarding TNSR:
I was completely open to considering TNSR. I initially expected to be writing a recommendation to switch.
But, TNSR is not a "solution" for us, even if we did buy new kit, because it doesn't support QoS.
I didn't actually expect to get anywhere with Netgate. They can obviously do whatever they want. That's why I came to a forum first. My hope was that another shop was in the same position as us and had managed to get a working automation runner up.
Perhaps the Netgate forum wasn't the best place for this question. Maybe this question would have been better placed on ServerFault or SpiceWorks or some other more generic, non-Netgate platform.
For now, thanks to @heper, I have enough information to work with to attempt to get a proof of concept experiment up. If I manage to get anything working, I will report back on this thread in an attempt to prevent any other shop going through the same pain on this subject as we are.
I think the conversation has been exhausted and I'm going to shut this thread down.
-
@jklmn12345 Great point about the need to discuss options! I had recommended talking to Netgate because your firm purchased two Xg7100 hardware. It disappointing to hear you couldn't discussed options.
To me, it seems that pfSense currently is in a state of confusion...things that were promised for V2.5, such as RestConf API, won't happen, nor FreeBSD 12.1 hasn't made it to pfSense v2.5 yet despite waiting on it, but FreeBSD 12.1 was released Nov. 2019. So, I doubt pfSense 3.0 with API plugin will happen anytime soon. So, it's difficult to rely on pfSense in this confused state.
It's great you got some fruitful out come from the thread despite been a slim input thanks to Heper; however, I would not shut down the thread.