Engineering Automated Network Defense: A Comprehensive Guide to pfSense Orchestration with Ansible

Published by TechMarmot Editorail Staff on | Category Ansible

The transition from manual appliance management to Infrastructure as Code (IaC) represents a paradigm shift for network administrators. While pfSense is traditionally managed through a robust web-based graphical user interface (GUI), the necessity for scalability, auditability, and rapid recovery demands a programmatic approach. By leveraging Ansible, an open-source automation engine, administrators can move away from "snowflake" configurations—where a single firewall is manually tweaked over years—toward a declarative state where the entire network perimeter is defined in YAML. This methodology allows for the precise deployment of complex networking features, including multiple subnets, firewall zones, and advanced routing protocols, ensuring that the configuration is reproducible across multiple hardware or virtual instances.

The Architectural Foundation of pfSense Automation

Automating pfSense requires a fundamental shift in how the system is accessed. Because pfSense is based on FreeBSD and designed as a closed-loop appliance, it does not ship with the necessary hooks for remote orchestration by default. The primary mechanism for this automation is the pfsensible.core collection, which provides the specialized modules required to interact with the pfSense backend.

The goal of using Ansible in this context is to manage a wide array of network services that would otherwise require manual entry in the web UI, such as:

  • DNS and DHCP services for both IPv4 and IPv6 stacks.
  • Dynamic DNS (DDNS) for managing public IP changes.
  • Certificate management for securing internal home or enterprise servers.
  • Avahi mDNS reflectors for service discovery across subnets.
  • Tailscale subnet routing for secure overlay networking.
  • Border Gateway Protocol (BGP) implementation via the FRR (Free Range Routing) package.
  • Complex firewall zone definitions and associated interface/subnet mappings.

Pre-Deployment Manual Requirements and System Preparation

Before Ansible can execute its first playbook, the pfSense environment must be prepared to accept remote commands. This "bootstrap" phase is the only time manual intervention in the GUI is strictly required, as the system must be made "SSH-ready" and "privilege-aware."

The Necessity of Sudo Installation

By default, pfSense does not include the sudo package. Since most firewall configuration changes require root-level permissions, Ansible's become functionality (which typically relies on sudo) will fail upon installation.

  • Direct Fact: The sudo package must be installed manually via the pfSense web UI.
  • Technical Layer: To install this, the administrator must navigate to System -> Package Manager -> Available Packages, search for sudo, and execute the installation. This introduces the necessary binary to the FreeBSD environment, allowing non-root users to execute commands with elevated privileges.
  • Impact Layer: Without this package, Ansible cannot escalate privileges for the pfsensible.core modules. Users would be forced to run all playbooks as the root user, which is a security risk and often violates the principle of least privilege.
  • Contextual Layer: This installation is a prerequisite for the become: yes directive used later in the playbooks to modify system-level firewall settings.

Secure Shell (SSH) Configuration and User Provisioning

Accessing the firewall via SSH is the transport mechanism for Ansible. To ensure security, it is recommended to move away from password-based authentication.

  • Direct Fact: SSH must be enabled under System -> Advanced -> Secure Shell.
  • Technical Layer: It is highly recommended to configure the SSH daemon to only allow public keys. This removes the vulnerability of brute-force password attacks on the management interface.
  • Impact Layer: By restricting access to public keys, the administrator ensures that only authorized machines possessing the private key can initiate configuration changes, significantly hardening the edge device.
  • Contextual Layer: This step connects the local Ansible control node to the pfSense target, establishing the encrypted tunnel required for all subsequent modules.

User Account Management for Automation

For security and auditing, a dedicated service account should be created rather than using the default admin or root accounts for daily automation.

  • Direct Fact: A new user (e.g., named ansible) should be created in pfSense.
  • Technical Layer: This user must be added to the admins group to grant it the necessary permissions to modify the system. The SSH public key generated on the Ansible control machine must be added to this user's profile.
  • Impact Layer: Using a dedicated ansible user allows for granular logging of changes and prevents the exposure of the primary root password in automation scripts.
  • Contextual Layer: This user is defined in the Ansible inventory file as the ansible_ssh_user, providing the identity used for the connection.

Ansible Inventory and Connectivity Configuration

The inventory file defines the targets and the specific parameters required to communicate with the pfSense instance. Because pfSense uses a specific Python path, the inventory must be explicitly configured.

The following table outlines the critical inventory variables and their functions:

Variable Value/Example Technical Purpose
ansible_host 192.168.X.X Specifies the IP address of the pfSense interface.
ansible_ssh_user ansible The dedicated automation user created in the GUI.
ansible_python_interpreter /usr/local/bin/python3.11 Directs Ansible to the specific Python binary on pfSense to avoid auto-discovery warnings.
ansible_pipelining true Reduces the number of SSH operations by executing multiple tasks in one connection.

The use of ansible_pipelining: true is particularly critical for pfSense. Due to the way the FreeBSD shell and the pfSense PHP shell interact, standard Ansible execution can be slow. Pipelining significantly increases the execution speed of playbooks by reducing the overhead of creating new SSH sessions for every single task.

Implementing the Automation Framework

Once the environment is prepared, the administrator can transition to writing playbooks. A basic connectivity test is the first step to verify that the SSH key, user permissions, and Python interpreter are functioning correctly.

Connectivity Validation

A minimal playbook should be executed to ensure the path is clear. This playbook avoids gathering facts to minimize the initial load.

```yaml

  • name: Test playbook
    hosts: pfsense
    gather_facts: False
    tasks:
    • name: ping

      ping:

      ```

To execute this, the administrator must ensure the SSH key is added to the local agent and run:

ansible-playbook test.yml

Managing Administrative Credentials

In scenarios where the default password must be changed, Ansible can be used to rotate the admin password. However, pfSense requires passwords to be provided in a hashed format.

  • Direct Fact: The admin password must be cyphered using the bcrypt format.
  • Technical Layer: The pfsensible.core.pfsense_user module can be used to update the password. For example:

```yaml

  • name: 00. Set a new password
    hosts: all
    gather_facts: False
    tasks:

    • name: "default password"
      setfact:
      ansible      password: pfsense
    • name: Change admin password
      pfsensible.core.pfsense_user:
      name: admin
      password: $2a$12$IYmI.P2rFGao6i8NXqMefO22LpX60Rf5fQT9dc64DOi6oObeX/Aqy
      ```

  • Impact Layer: Since the default password is pfsense, this playbook is not idempotent in its simplest form. The first run succeeds; subsequent runs fail because the ansible_password no longer matches the actual password on the device.

  • Contextual Layer: This demonstrates the necessity of using set_fact and understanding the bcrypt requirement for the pfsensible.core modules.

Advanced Configuration and Network Orchestration

With the foundation laid, the administrator can begin deploying complex networking configurations. A primary example is the creation of Virtual Local Area Networks (VLANs).

VLAN Deployment

The pfsensible.core.pfsense_vlan module allows for the declarative definition of VLANs on a specific parent interface.

  • Direct Fact: VLANs can be created using the pfsensible.core.pfsense_vlan module.
  • Technical Layer: The task requires a parent interface (e.g., mvneta1), a VLAN ID, a description, and a state (set to present).

```yaml

  • name: Configure vlan
    hosts: pfsense
    gather_facts: true
    become: yes
    tasks:

    • name: Add vlan 55
      pfsensible.core.pfsensevlan:
      interface: mvneta1
      vlan      id: 55
      descr: for vlan 55
      state: present
      ```

  • Impact Layer: This removes the need to manually enter the Interface assignment page in the GUI, allowing the administrator to spin up dozens of VLANs across multiple firewalls in seconds.

  • Contextual Layer: Note the use of become: yes. This triggers the sudo process installed during the preparation phase, allowing the module to write changes to the system configuration.

Comparative Analysis of Automation Approaches

There are two primary philosophies for automating pfSense: those that interact with the XML configuration file and those that utilize the PHP shell.

The PHP Shell Approach (pfsensible.core)

The pfsensible.core (formerly opoplawski/ansible-pfsense) collection focuses on interacting with the pfSense PHP shell.

  • Technical Layer: Instead of editing the config.xml file directly, these modules call PHP functions that are native to the pfSense OS.
  • Impact Layer: This is generally safer as it utilizes the same internal logic the WebUI uses, reducing the risk of corrupting the configuration file.
  • Limitation: Certain third-party packages, such as Tailscale and FRR, are not fully covered by these modules.

The XML-to-YAML Approach (bevhost/ansible-module-pfsense)

An alternative approach involves the export and conversion of the XML configuration.

  • Technical Layer: This method involves exporting the XML config and converting parts of it into YAML. This allows for the creation of default firewall aliases and rules that can be shared across many firewalls.
  • Impact Layer: This is particularly useful for large-scale deployments where the same set of "Global Aliases" (e.g., DNS servers, NTP servers) must exist on every device.
  • Contextual Layer: While powerful, the developer of this approach noted that the basic installation wizard in the WebUI often still needs to be stepped through manually after the Ansible run to finalize the setup.

Troubleshooting and Optimization

Automating a FreeBSD-based appliance introduces specific performance and operational hurdles.

Performance Tuning

Standard Ansible communication can be sluggish on pfSense.

  • Direct Fact: SSH pipelining is the primary solution for speed.
  • Technical Layer: By enabling ansible_pipelining: true, Ansible reduces the number of times it has to open and close SSH connections, which is a costly operation on the pfSense hardware.
  • Impact Layer: Playbook execution time is significantly reduced, making the automation loop much tighter.

The Challenge of Third-Party Packages (FRR and Tailscale)

While the base pfSense features are well-covered, ecosystem packages present a gap in automation.

  • Direct Fact: The pfsensible.core module does not yet cover all third-party modules like FRR and Tailscale.
  • Technical Layer: Attempts to use the standard Ansible FRR collection often fail because the pfSense implementation of FRR differs from a standard Linux installation.
  • Impact Layer: If an administrator uses an external FRR collection to configure BGP, the pfSense WebUI settings for FRR will go out of sync. This means the GUI will not reflect the actual running configuration of the routing daemon.
  • Contextual Layer: This creates a "split-brain" scenario where the network is running as intended, but the management interface provides incorrect information.

Summary of the Automation Workflow

To successfully deploy a pfSense firewall via Ansible, the following sequence must be observed:

  1. Manual Bootstrap: Install sudo via the GUI.
  2. Security Setup: Enable SSH, create the ansible user, and upload the public key.
  3. Inventory Definition: Configure the ansible_python_interpreter and ansible_pipelining.
  4. Privilege Escalation: Use become: yes in playbooks to leverage the installed sudo package.
  5. Declarative Configuration: Apply VLANs, users, and firewall rules using pfsensible.core.

Conclusion

The integration of Ansible with pfSense transforms the firewall from a manually managed appliance into a programmable asset. By overcoming the initial hurdles of sudo installation and SSH key management, administrators gain the ability to version-control their entire network perimeter. While the pfsensible.core collection provides a robust bridge to the PHP shell, the ongoing challenge remains the integration of third-party packages like FRR, which currently require a choice between GUI synchronicity and external automation. Ultimately, the shift to an IaC model for pfSense reduces the risk of human error during manual configuration and provides a scalable blueprint for network expansion.

Sources

  1. xoid.net
  2. github.com/opoplawski/ansible-pfsense
  3. forum.netgate.com
  4. virtualtothecore.com

Related Posts