OPNsense Forum

English Forums => General Discussion => Topic started by: AussieMark on October 17, 2023, 11:07:06 AM

Title: [Resolved] OPNsense API - TrafficShaping: flushreload
Post by: AussieMark on October 17, 2023, 11:07:06 AM
G'day all,

I've created a firewall from a fan-less Zotac ZBox CI331 Nano (Intel Celeron N5100 Quad Core) and OPNsense, and it's really nice. But of course, I want something out of the ordinary.

I currently have Shaping rules that I use to ... modify ... my children's access to the internet during downtime, but occasionally need some ad-hoc access for additional time/less time than normal.

So of course, I reached for the API.

From another server, I've got the API calls working, and I've got the on/off for the shaping rules working, as well as the feedback to the system calling the OPNsense API. And finally, I have flushreload called.

The OPNsense GUI responds as you would expect, the little tick appears and all is happy! ... except that it doesn't work. Simply pressing the apply button on the OPNsense Shaping page resolves the issue.

Now, the code.

I'm using these as API endpoints:

https://<IP ADDRESS>/api/trafficshaper/settings/toggleRule/
https://<IP ADDRESS>/api/trafficshaper/settings/getRule/
https://<IP ADDRESS>/api/trafficshaper/service/flushreload


And using cURL with the following:

$ch = curl_init( $webhookurl );
curl_setopt( $ch, CURLOPT_POST, $isPOST);
curl_setopt( $ch, CURLOPT_POSTFIELDS, $DATA);
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt( $ch, CURLOPT_HEADER, 0);
// Return the response body as a string instead of printing it
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1);
// HTTP basic auth credentials for the API
curl_setopt( $ch, CURLOPT_USERPWD, "$UserK:$PassK");
// The next two options switch off TLS hostname and certificate verification
curl_setopt( $ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, false);


This is the important bit...

CurlFn(<toggleRule API END POINT FROM ABOVE><ID OF RULE>,<0 or 1>);
usleep(5000);
CurlFn(<flushreload API END POINT>,"");
usleep(1000);

{redirects here to calling page}

(It's a little simplified, but it definitely gets called.)

And as noted above, for all appearances, it works. (The sleeps were my attempt at giving things time to "settle".)

First question: Why doesn't this work? Does anyone else have any similar experience? Is it able to be replicated* elsewhere?

Second question: Of the API permissions, can I pare it back from everything to something more granular? If so, what and where?

-- edit --
So the second question was an "Oh Duh!" moment: with my browser full screen, I didn't notice there was a scrollbar for the permissions section. I've changed the permissions to:

/ui/trafficshaper/*
/api/trafficshaper/*

as per the ACL.xml file here: /usr/local/opnsense/mvc/app/models/OPNsense/TrafficShaper/ACL/ACL.xml
-- end edit --

I intend to expand this to cron schedule certain firewall rules on/off as well. But I will do that on the box itself, rather than from an external system.

Thanks in advance for your help. :)
(First time poster, I think I've read all the things - please forgive any faux pas)

Title: Re: OPNsense API - TrafficShaping: flushreload
Post by: AussieMark on November 17, 2023, 01:42:23 AM
Ok, this has been resolved.

It seems that I was using the wrong ServiceController command. Rather than using the endpoint of flushreload, I should have been using reconfigure (as seen immediately under flushreload in the documentation https://docs.opnsense.org/development/api/core/trafficshaper.html).

Changing over to this made it work as expected.

One thing I did find out thanks to Ad Schellevis was that there is an endpoint noted in the web GUI for a button. In the case of the Traffic Shaper Apply button it was data-endpoint="/api/trafficshaper/service/reconfigure" - which as you can see would have pointed me in the right direction had I noticed it.
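
Added example (not part of the thread, and not the poster's or the OPNsense project's code): the toggle-then-apply sequence from the posts above in PHP, using reconfigure and keeping certificate verification on rather than disabled. The function names, the CA file parameter, the /<uuid>/<0|1> form of the toggleRule path and the JSON fields checked are assumptions; the stand-in transport at the end is constructed so the sequence runs offline.

```php
<?php
// Real transport: POST with the API key/secret, certificate checks left on.
function opnsensePost(string $base, string $key, string $secret, string $caFile): callable {
    return function (string $path) use ($base, $key, $secret, $caFile): array {
        $ch = curl_init($base . $path);
        curl_setopt_array($ch, [
            CURLOPT_POST           => true,
            CURLOPT_POSTFIELDS     => '',
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_USERPWD        => "$key:$secret",
            CURLOPT_SSL_VERIFYPEER => true,     // validate the certificate chain
            CURLOPT_SSL_VERIFYHOST => 2,        // and that it names the host in the URL
            CURLOPT_CAINFO         => $caFile,  // assumed: PEM file with the firewall's CA
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        if ($body === false || $code !== 200) {
            throw new RuntimeException("POST $path failed (HTTP $code)");
        }
        return (array) json_decode($body, true);
    };
}

// Toggle one rule, then apply it with reconfigure, the call that resolved the thread.
function setShaperRule(callable $post, string $uuid, bool $enabled): array {
    if (!preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $uuid)) {
        throw new InvalidArgumentException('rule id is not a UUID'); // keeps the path fixed
    }
    $toggled = $post("/api/trafficshaper/settings/toggleRule/$uuid/" . (int) $enabled);
    if (($toggled['result'] ?? '') !== ($enabled ? 'Enabled' : 'Disabled')) { // assumed field
        throw new RuntimeException('toggleRule: ' . json_encode($toggled));
    }
    $applied = $post('/api/trafficshaper/service/reconfigure');
    if (($applied['status'] ?? '') !== 'ok') { // assumed field
        throw new RuntimeException('reconfigure: ' . json_encode($applied));
    }
    return [$toggled, $applied];
}

// Constructed stand-in for the firewall so the sequence can be run offline.
$fake = function (string $path): array {
    echo "POST $path\n";
    if (basename($path) === 'reconfigure') return ['status' => 'ok'];
    return ['result' => basename($path) === '1' ? 'Enabled' : 'Disabled'];
};
setShaperRule($fake, '00000000-0000-4000-8000-000000000000', true);
```

With the https://<IP ADDRESS> form of URL used in the thread, the firewall's certificate has to list that IP address as a subject alternative name for the host check to pass.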