Reliable Alternative to pfSense Arpwatch

Author: Chris Huey
Date: May 29, 2022

Looking for a more reliable, easy-to-manage alternative to the pfSense arpwatch package without frequent false-positive notifications? … chueyise.com has a recommendation. This article describes a customizable solution that monitors the devices connected to your network and uses the pfSense notification feature to alert you via email and/or text message when new devices are detected. The solution maintains a persistent database of known devices that can be tailored as needed (e.g., guests who were using your wifi have left and you want to remove them from the known-device list).

Step 1: Create a Google App Password

A 16-character passcode is needed to allow your pfSense firewall to access your Google account to send alert emails/text messages. Information for creating and managing Google App passwords is located in Gmail App Password Help.

NOTE: The passcode is not available once you close the window displaying the newly generated 16-character passcode.

Step 2: Enable pfSense E-Mail Notifications

Log into your pfSense firewall via the web interface. Click System >> Advanced >> Notifications. Populate the E-Mail stanza with the appropriate Gmail information. Enter your 16-character Google App passcode from Step 1 in the ‘Notification E-Mail auth password’ fields.

NOTE: If you ‘Test SMTP Settings’, you will need to re-enter your 16-character passcode and then ‘Save’.

NOTE: This site provides details on how to send a text message from your email account.

Step 3: Create Network Monitoring (netmon) Directory Structure

Log into your pfSense firewall via SSH and access the Shell. Perform the following commands:
  • mkdir /var/netmon
  • cp -R /etc/inc /var/netmon/

Step 4: Create the netmon Bash Script

Create a script (called /var/netmon/netmon.sh) that performs the following functions.

  • get the current date/time
  • use the arp command to identify the mac/ip address pairs on the network and read them into an array
  • traverse the array
  • if ‘first run’, write each mac/ip pair into the /var/netmon/mac.db database file
  • if not ‘first run’, check whether the mac/ip pair already exists in mac.db or in the /var/netmon/ignore.txt list (which contains IPs that periodically change mac addresses)
  • if the mac/ip pair is new and not contained in the ignore.txt list, add the mac/ip pair info to a report to send in an alert, and then add the mac/ip/date/time to mac.db
  • if any new mac/ip pair was found, send the report using the send-report.php and mail_netmon_reports.inc scripts from Step 5. These scripts use the pfSense notification feature

Here are examples of the netmon bash script, and the mac.db and ignore.txt files used by netmon.
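The following is an added example that implements the Step 4 logic; it is not the author's netmon.sh, nor the author's mac.db or ignore.txt listing. It is written in POSIX sh rather than bash because the pfSense base system ships /bin/sh and bash is only available as an add-on package. Everything it assumes is labelled in the comments: the directory layout from Step 3, a mac.db line format of "mac ip date time", one IP per line in ignore.txt, the FreeBSD "arp -an" output format, and a hypothetical send-report.php that takes the report file path as its argument.

```shell
#!/bin/sh
# netmon-style monitor in POSIX sh, added as an example for this article.
# NOT the author's netmon.sh. Assumptions (all labelled):
#   - Step 3 layout: $NETMON_DIR/mac.db holds one "mac ip date time" line per pair,
#     $NETMON_DIR/ignore.txt holds one IP per line (hosts whose MAC legitimately changes)
#   - FreeBSD "arp -an" output, e.g. "? (192.168.1.1) at 00:11:22:33:44:55 on em0 ..."
#   - a hypothetical sender /var/netmon/send-report.php taking the report path (Step 5)
NETMON_DIR="${NETMON_DIR:-/var/netmon}"

# Convert "arp -an" lines on stdin into "mac ip" pairs, one per line.
# Entries still resolving ("at (incomplete)") carry no MAC and are skipped.
parse_arp() {
    awk '$3 == "at" && $4 != "(incomplete)" {
        ip = $2; gsub(/[()]/, "", ip)
        print tolower($4), ip
    }'
}

# Exit 0 if the IP is listed in ignore.txt. Whole-line fixed-string match,
# so 10.0.0.1 does not accidentally match 10.0.0.10.
is_ignored() {
    [ -f "$NETMON_DIR/ignore.txt" ] || return 1
    grep -qxF -- "$1" "$NETMON_DIR/ignore.txt"
}

# Exit 0 if this exact mac/ip pair is already recorded in mac.db (field-exact, not substring).
is_known() {
    [ -f "$NETMON_DIR/mac.db" ] || return 1
    awk -v m="$1" -v i="$2" '$1 == m && $2 == i { found = 1 } END { exit !found }' \
        "$NETMON_DIR/mac.db"
}

# The Step 4 logic. Reads "arp -an" output on stdin. Mode "init" (the first run) rebuilds
# mac.db from scratch and reports nothing; mode "check" appends every unknown, non-ignored
# pair to mac.db and to $NETMON_DIR/report.txt. Prints the number of new pairs found.
scan() {
    mode="$1"
    stamp=$(date "+%Y-%m-%d %H:%M:%S")
    report="$NETMON_DIR/report.txt"
    mkdir -p "$NETMON_DIR"
    : > "$report"
    if [ "$mode" = "init" ]; then
        : > "$NETMON_DIR/mac.db"
    fi
    parse_arp | while read -r mac ip; do
        if [ "$mode" = "init" ]; then
            echo "$mac $ip $stamp" >> "$NETMON_DIR/mac.db"
        elif is_known "$mac" "$ip" || is_ignored "$ip"; then
            continue
        else
            echo "NEW DEVICE mac=$mac ip=$ip first_seen=\"$stamp\"" >> "$report"
            echo "$mac $ip $stamp" >> "$NETMON_DIR/mac.db"
        fi
    done
    wc -l < "$report" | tr -d ' '
}

# Entry point: "netmon.sh init" seeds the database (Step 7); the Step 6 cron job should run
# "netmon.sh check" every minute. With no argument the file only defines the functions.
run_netmon() {
    count=$(arp -an | scan "$1")
    if [ "$1" = "check" ] && [ "$count" -gt 0 ]; then
        # Assumed interface of the Step 5 module: the report file path as its only argument.
        php "$NETMON_DIR/send-report.php" "$NETMON_DIR/report.txt"
    fi
}

case "${1:-}" in
    init|check) run_netmon "$1" ;;
esac
```

With this layout the Step 6 cron entry runs `/var/netmon/netmon.sh check` every minute, and the Step 7 test (delete one line from mac.db, wait a minute) produces a report containing exactly that device. The pair check is field-exact on purpose: a substring match would treat a partial IP as already known, and a new device sharing an IP with a known one (a different MAC on a reused DHCP lease) is reported as new unless that IP is in ignore.txt, which is the behaviour Step 4 describes.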

Step 5: Create custom 'send report' modules

Use the following example files and customize them as needed. They are closely based on the original pfSense modules in the /etc/inc directory.

Once the files from Steps 4 and 5 are uploaded to your pfSense firewall in the appropriate directories, run the following commands:
  • chown -R root:wheel /var/netmon
  • chmod -R 750 /var/netmon

Step 6: Create a Cron Schedule for the netmon Utility

Log into your pfSense firewall via the web interface. Click Services >> Cron >> +Add. Create a cron job to run the netmon utility every minute and ‘Save’.

Step 7: Initialize and Test the netmon Utility

Log into your pfSense firewall via SSH and access the Shell. Perform the following:

  • Run the netmon utility to initialize the mac.db database: /var/netmon/netmon.sh init
  • Open the /var/netmon/mac.db file, remove one line of your choice, and save the file
  • Wait up to one (1) minute; you should receive a notification that a new system was detected on the network