Triggering HomeKit Automations with a Fortigate

Problem Statement and Proposed Solution

I use Apple HomeKit as my smart home platform of choice. It’s not perfect and doesn’t have nearly the ecosystem that Alexa does, but I like it and it complements the fact that I use mostly Apple devices in the rest of my network. I don’t do anything all that complicated because I rent, so there is a limit to the amount of smarts I can integrate. One feature I do like is the ability to automatically turn an accessory (in my case lamps) on and off based on whether someone is home or not. HomeKit has a built-in function for this that uses the iPhone location data of people who have joined your home to determine if someone is there. The geofence is pretty big, and I live in a densely populated part of NYC where I might very well go to a store or other location that is not outside the geofence accuracy circle, so my automation would never fire. I wanted something more accurate. The solution I came up with was to track whether my or my partner’s iPhone is connected to the Wifi in the apartment. That gives a much smaller geofence and accomplishes my goal.

Enter Homebridge

Since I’m trying to do something that HomeKit doesn’t do natively, I need to add third-party software to accomplish the wifi monitoring. I use Homebridge. Homebridge is an open source project that emulates a HomeKit bridge device and accepts plugins to interact with devices and platforms that HomeKit doesn’t natively support. I’m not going to go deeply into how to do the base install and setup of Homebridge; there are many good guides. One thing to note: as you search for Homebridge info you may see references to HOOBS. HOOBS is a scaled-back, simpler, easier-to-use version of Homebridge, with many capabilities and plugins being incompatible. While it may be a little easier to set up, it’s worth taking the plunge and getting full Homebridge working.

Unifi Plugin

Prior to having a Fortigate/FortiAP combo for my home network I used Ubiquiti Unifi network equipment. Unifi is a pro-sumer brand that gives you a more robust and expandable system than the Netgears and Linksys’ of the world, but less so than an enterprise brand like Fortigate or Palo Alto. Since Unifi is more common in the consumer space, it has a better community of home-oriented developers writing software for it. There is a plugin called homebridge-unifi-occupancy-sensor that did exactly what I wanted. It polled the Ubiquiti controller using a REST call on a regular basis (every 5-10 seconds) and looked for the MAC address of one of our iPhones. If one or more of them were detected, it would trigger what appears to HomeKit as an occupancy sensor saying that the Living Room was occupied. The occupancy sensor was used as a trigger for an automation to enable a scene with the Living Room lights on. Nice and easy.

Moving to Fortigate

Now that I have a Fortigate I wanted to accomplish the same thing. Since Fortigate isn’t usually a consumer device, there are no Homebridge plugins for it at all. I had to figure out a different method. I tried a couple of plugins that used ping or ARP to determine if a machine was on the network, but they had a lot of limitations and didn’t operate fast enough to give an elegant user experience (and in the case of one plugin, a misconfiguration filled the ARP table on my core server and crashed it). I needed a way to determine directly from the Fortigate whether the iPhone was connected. There was no REST call or SNMP query I could find that would allow me to poll, so I needed it to be a push from the Fortigate to Homebridge when one of us connected or disconnected. Enter Automation Stitches.

Automation Stitches

Automation Stitches are an IF/THEN framework for Fortigates that allows actions to be taken based on triggers from the OS. Examples of triggers are detecting an intrusion, a process running out of memory, an interface state changing, or what I needed: an event log entry. Then I needed an action that would signal Homebridge, and the Fortigate provides one: the action can be a Webhook. There is a Homebridge plugin called homebridge-http-webhook that has the ability to present to HomeKit as an occupancy sensor (among other device types) which can be marked occupied or unoccupied based on receiving a particularly crafted HTTP request.

Create the Trigger

I needed two triggers, one for each iPhone. The easiest way to identify them was by their Wifi MAC address. NOTE: For this to work you have to turn off “Private Wi-Fi Address” for your home SSID in the iPhone settings. If you don’t, there will not be a consistent MAC address to track and your automation will never fire.

I searched through the Wifi Event log and found the message (action: client-authentication) that indicates a client has successfully authenticated to my SSID. That message also contains the MAC of the device, so that’s the one we want.

Now navigate to Security Fabric -> Automation -> Trigger (Trigger is a tab at the top) and create a new trigger of type FortiOS Event Log.

The details are filled in as follows.

Note the event and the filter. The event is the friendly/descriptive name of the log event ID we identified above. If we used that event without a filter, then ANY device joining the network would trigger this item; we need to act on that event ID only when it is for my iPhone. The field filter uses the name “stamac”, which was not a field shown in the screenshot above. You can map the friendly names of the fields to their short names by checking the Fortigate Log Reference document on the Fortinet support site.

I now need a second trigger for when I disconnect from the network. The Event ID for that is “client-leave-wtp.” Set up the trigger using the same basic structure as the connect trigger.

I then set up the same two triggers for my partner’s phone, using their MAC address in the stamac field.

Create the Action

Switch to the Action tab and create a new action of type Webhook.

The specifics of the Webhook configuration will depend on how you configure the webhook plugin in Homebridge. Note that the configuration below is wildly insecure. I would recommend setting up HTTPS and authentication for your Webhooks.

Four actions were created, two for each iPhone, to send the Webhook that marks the sensor occupied or unoccupied.

Create the Stitch

Switch to the Stitch tab and create a new stitch that ties together each matching action and trigger that you created above.

Configure HomeKit

I’m now successfully informing Homebridge whenever either of us connects to or disconnects from Wifi. Now I need to link the lights to that. The built-in HomeKit automation allows me to trigger a scene based on occupancy. The problem with this is that each of our phones is a different occupancy sensor, and the built-in automation editor only allows a single condition to fire the automation. I want the lights to come on if either of us is home, but not turn off unless both of us are gone.

Once again we need some third-party software to create the automation. I use Controller for HomeKit, which brings the ability to add additional logic to HomeKit automations. Controller is a paid app for some of its advanced features. I’m told that the Eve app can do something similar for free, but I haven’t tested that.

I used Controller to create three automations. The first turns the lights on if I am on the network OR my partner is on the network.

Now I need to insert the logic that confirms both phones are off the network before turning off the lights. I need two automations for that. The reason is that if I combined my leaving or my partner leaving into an OR for the trigger, it would still turn off when either of us left. I can add the AND option to only turn it off if someone leaves and the other person has already left. So, I need two to cover the scenarios where I drop off the network first or my partner does. The IF is when the person goes off the network, and the AND is that the other person’s occupancy sensor is unoccupied.
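As an added example (not code from the post or from Fortinet/Homebridge) tying the whole chain together: a small Python script that parses constructed FortiOS-style wireless event log lines, applies the four stamac-filtered triggers, builds the GET request each webhook action would send, and emulates the OR/AND logic of the three Controller automations. The Homebridge host, port and accessory ids are placeholders, the MACs are made up, and the `accessoryId`/`state` query format is assumed from homebridge-http-webhook.

```python
import re
from urllib.parse import urlencode

# Placeholder MACs for the two iPhones (Private Wi-Fi Address must be off,
# otherwise stamac changes and no filter ever matches).
MY_MAC = "aa:bb:cc:dd:ee:01"
PARTNER_MAC = "aa:bb:cc:dd:ee:02"

# Constructed sample lines in FortiOS key=value style, reduced to the fields
# the triggers look at; these are not captured logs. Line 2 is a guest device.
SAMPLE_LOG = [
    'type="event" subtype="wireless" action="client-authentication" stamac="AA:BB:CC:DD:EE:01"',
    'type="event" subtype="wireless" action="client-authentication" stamac="de:ad:be:ef:00:01"',
    'type="event" subtype="wireless" action="client-authentication" stamac="aa:bb:cc:dd:ee:02"',
    'type="event" subtype="wireless" action="client-leave-wtp" stamac="aa:bb:cc:dd:ee:01"',
    'type="event" subtype="wireless" action="client-leave-wtp" stamac="aa:bb:cc:dd:ee:02"',
]

# The four triggers: (event, stamac filter) -> (webhook accessoryId, occupied?)
TRIGGERS = {
    ("client-authentication", MY_MAC): ("my-iphone", True),
    ("client-leave-wtp", MY_MAC): ("my-iphone", False),
    ("client-authentication", PARTNER_MAC): ("partner-iphone", True),
    ("client-leave-wtp", PARTNER_MAC): ("partner-iphone", False),
}

def parse_log(line):
    """Split a key=value log line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def match_trigger(fields):
    """Return (accessoryId, occupied) for a log entry, or None if no trigger filter matches."""
    return TRIGGERS.get((fields.get("action"), fields.get("stamac", "").lower()))

def webhook_url(accessory_id, occupied, base="http://homebridge.local:51828/"):
    """Build the GET the webhook action sends (assumed homebridge-http-webhook query format)."""
    return base + "?" + urlencode({"accessoryId": accessory_id, "state": str(occupied).lower()})

def run(lines):
    """Feed log lines through the stitches; return the webhook calls and the lights history."""
    sensors = {"my-iphone": False, "partner-iphone": False}   # the two HomeKit occupancy sensors
    lights_on, calls, history = False, [], []
    for fields in map(parse_log, lines):
        hit = match_trigger(fields)
        if hit is None:                      # guest device: the stamac filter drops it
            continue
        accessory_id, occupied = hit
        calls.append(webhook_url(accessory_id, occupied))
        sensors[accessory_id] = occupied
        if occupied:                         # automation 1: either phone arrives -> lights on
            lights_on = True
        elif not any(sensors.values()):      # automations 2 and 3: leave AND other already gone -> off
            lights_on = False
        history.append(lights_on)
    return calls, history
```

Running `run(SAMPLE_LOG)` shows the lights staying on when the first phone leaves and only turning off once the second leaves too.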
