PRO-IT Rocks!

Pseudo internet failover controlled by HomeAssistant and zigbee socket using ASA5520

Bartosz Maciejewski -

This might look a little too complicated for its purpose, but it actually works quite very well.

Recently I've migrated all standalone machines tu new server based on low voltage Atom C2758 CPU (8 core, 20W). Hypervisor of my choice is XCP-NG, as this was the easiets method to get my old AMD Brazos server/router/firewall on NetBSD migrated to PV NetBSD virtual machine. Also migrating HomeAssistant from Raspberry Pi 4 to VM and passing trough 3 USB devices (Zigbee Conbee II, Z-wave Aeotec 5 Gen, and UPS USB cable) was painless.

One of recent quirks on old server that I had was its unresponsivene or complete shutdown out of the blue. This was probably due to not so good power supply that has 7 years already. I then installed Cisco ASA 5520, as a backup Internet/DHCP/router/firewall, but leaving ASA alone caused power usage to go up by 90-120W and quite noise from its fans. As a backup that is 99% not used this was not something I was gonna pay for in electricity bills.

So back to current situation. I have all migrated, virtual router is working as expected, ASA stayed turned off in rack. Why not to automate it as a last resort in case of main router failure? I added another zigbee socket and connected ASA to it, leaving socket turned off, and switch of ASA turned on. When socket get power, ASA is automatically booted.

I planned it like this for HomeAssistant:

Ping integration is needed

First automation that is checking gateway in normal circumstances

  1. If 10.1.78.1 (gateway address) is pingable - do nothing
  2. If 10.1.78.1 is not reachable - turn on zocket that is ASA connected to
  3. Then turn on automation that checks if main firewall is up again
  4. Then notify me that main fw is down
  5. Then turn off itself (an automation), because I dont want to check if main firewall is down when its down, because its address will be available in a moment from ASA.
- alias: Glowny firewall down
  trigger:
  - platform: state
    entity_id: binary_sensor.ping_10_1_78_1
    to: 'off'
  action:
  - service: switch.turn_on
    data:
      entity_id:
      - switch.asa
  - service: automation.turn_on
    entity_id:
    - automation.glowny_firewall_up
  - service: notify.mobile_app_iphone
    data:
      message: Główny serwer nie odpowiada - uruchamiam zapasową ASA
  - service: automation.turn_off
    entity_id:
    - automation.glowny_firewall_down
Home Assistant automation checing turning backup ASA firewall if main is down

Second automation, that is normally turned off, and is only turned on by first automation when main server is unresponsive.

  1. If backup addres of main firewall is pingable (10.1.78.254) turn on first automation
  2. Then switch off ASA's socket turning off whole ASA
  3. Then notify me that main firewall is reachable again
  4. Then turn itself (an automation) off
- alias: Glowny firewall UP
  trigger:
  - platform: state
    entity_id: binary_sensor.ping_10_1_78_254
    to: 'on'
  action:
  - service: automation.turn_on
    entity_id:
    - automation.glowny_firewall_down
  - service: switch.turn_off
    data:
      entity_id:
      - switch.asa
  - service: notify.mobile_app_iphone
    data:
      message: Główny serwer działa - wyłączam zapasową ASA
  - service: automation.turn_off
    entity_id:
    - automation.glowny_firewall_up
Home Assistant automation checking if main firewall is up again

Here is a little explanation, because both NetBSD firewall and ASA have same LAN address for clients that is working as a gateway, and same WAN IP (I have only one static address), I don't want to have situation when two devices are on and have same addresses. To have something that I can distinguish which device is up I put another IP to my router which serves only as heartbeat for home assistant.

Here is how it is configured on NetBSD in rc.conf:

ifconfig_xennet1="inet 10.1.78.1 netmask 255.255.255.0; inet 10.1.78.254 netmask 255.255.255.0 alias"
rc.conf

And how it looks in ifconfig:

xennet1: flags=0x8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        capabilities=2800<TCP4CSUM_Tx,UDP4CSUM_Tx>
        enabled=0
        ec_capabilities=1<VLAN_MTU>
        ec_enabled=0
        address: 7a:9e:ec:f6:4b:fa
        inet 10.1.78.1/24 broadcast 10.1.78.255 flags 0x0
        inet 10.1.78.254/24 broadcast 10.1.78.255 flags 0x0
        inet6 fe80::789e:ecff:fef6:4bfa%xennet1/64 flags 0x0 scopeid 0x2
ifconfig of xennet01

Testing by shuttding down firewall VM resulted in almost instant turning on of ASA. Shortly after Internet/NAT is working normally and my push notification came to my phone.

Turning on main firewall, moment when 10.1.78.254 address is available is resulting in ASA socket to be turned off. NetBSD in meantime complaining of duplicate address but few seconds later when ASA is shut down all is back to normal.

Now, that is heavy based on Home Assistant availability, but this was for scenerio that I had previously - main router not responsive. I didn't test how it all work when there will be power outage long enough to collapse whole installation, but for sure after XCP-NG boots, my VM firewall will boot faster than Home Assistant so HA will check that main firewall is up and will not fire ASA which is desired behaviour.

From the other hand if whole XCP-NG fail there will be nor firewall vm nor HA, but then I can turn on ASA brom sockets button.

For the last words, I already had one situation when firewall was heavy on load with I/O updating both pkgsrc and src via cvs and XCP-NG decided to rebuild/check mdraid on 2x 10TB disks which led to NetBSD flapping on its NAT, and automations worked as expected. I was outside home so I could connect to XCP trough ASA and check what is going on and turn off main firewall and leave XCP finish it RAID tasks, then turn on firewall again.

On picture on top of the page you can see ASA, XCP-NG server, and socket on back of a rack that powers ASA.