Messages - opn_minded

#1
26.1 Series / Re: API - toggle firewall rule doesn't work
February 08, 2026, 09:14:38 AM
That did the trick! I've not migrated my "old rules" to "new rules", so I created a simple test "new rule".

Running my Python-script works like a charm, so many thanks again for taking your time and responding!

If anyone is interested;
  • as meyergru stated: API access to toggle_rule only works for "new rules", created via https://<OPNSENSE>/ui/firewall/filter/, as only those are exposed via the API
  • You don't need a (json-)payload for the POST request, the API endpoint is https://<OPNSENSE>/api/firewall/filter/toggle_rule/<UUID>
  • The POST request is as simple as api_response = requests.post(opnsense_api_url, auth=(opnsense_api_key, opnsense_api_secret), verify=False)
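A small client for the working call above, as an added example (not code from the thread or the OPNsense project): it builds the toggle_rule endpoint, sends the POST with key/secret basic auth and no JSON body, and verifies the firewall's TLS certificate against a CA bundle instead of passing verify=False. The base URL, CA path and uuid in the comments are constructed placeholders, and the `post` parameter is an assumption added so the call can be exercised without a live firewall.

```python
import re

try:
    import requests
    _DEFAULT_POST = requests.post
except ImportError:  # helpers stay importable even without requests installed
    _DEFAULT_POST = None

# MVC rule uuids are standard 8-4-4-4-12 hex uuids (constructed check).
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def toggle_rule_url(base_url, rule_uuid):
    """Build the endpoint from the thread: <base>/api/firewall/filter/toggle_rule/<UUID>."""
    if not UUID_RE.match(rule_uuid):
        # a value copied from the legacy <rule> section of config.xml is not an MVC uuid
        raise ValueError(f"not a rule uuid: {rule_uuid!r}")
    return f"{base_url.rstrip('/')}/api/firewall/filter/toggle_rule/{rule_uuid}"


def check_toggle_response(body):
    """Return True on success; {'result': 'failed'} is the thread's error reply."""
    if not isinstance(body, dict) or "result" not in body:
        raise RuntimeError(f"unexpected reply from OPNsense: {body!r}")
    if body["result"] == "failed":
        raise RuntimeError("toggle_rule failed: the uuid is not a 'new' (MVC) rule "
                           "or the endpoint path is misspelled")
    return True


def toggle_rule(base_url, rule_uuid, api_key, api_secret, ca_bundle,
                post=None, timeout=10):
    """POST with HTTP basic auth (key/secret) and no JSON payload, as in the thread.

    ca_bundle is the path to the CA certificate that signed the firewall's web
    certificate (e.g. a constructed '/etc/ssl/fw-ca.pem'), so TLS is verified
    instead of disabled. `post` may be replaced by a fake for offline tests.
    """
    post = post or _DEFAULT_POST
    if post is None:
        raise RuntimeError("the requests package is needed for a live call")
    resp = post(toggle_rule_url(base_url, rule_uuid),
                auth=(api_key, api_secret),
                verify=ca_bundle,
                timeout=timeout)
    resp.raise_for_status()
    return check_toggle_response(resp.json())
```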

#2
26.1 Series / Re: API - toggle firewall rule doesn't work
February 07, 2026, 10:14:53 PM
Hi,

tried it with and without payload, same effect.

api_response = requests.post(opnsense_api_url, auth=(opnsense_api_key, opnsense_api_secret), verify=False)
has the same effect as

json_payload = { 'uuid': <UUID> }
api_response = requests.post(opnsense_api_url, auth=(opnsense_api_key, opnsense_api_secret), verify=False, json=json_payload)

I also tried several different "command" nodes (toggle_rule, toggleRule), with /1 at the end and without... always the same result ({'result': 'failed'})

https://<OPNSENSE>/api/firewall/filter/toggle_rule/<UUID>/1
https://<OPNSENSE>/api/firewall/filter/toggleRule/<UUID>/1
https://<OPNSENSE>/api/firewall/filter/toggle_rule/<UUID>
https://<OPNSENSE>/api/firewall/filter/toggleRule/<UUID>

Reading further at https://docs.opnsense.org/development/api/core/firewall.html#id6... "Rules not visible in the web interface (Firewall ‣ Automation) will not be returned by the API either." -> I don't have such a menu entry on 26.1.1. Does that mean that API endpoint isn't working for "standard" (non-automation) rules?
#3
26.1 Series / API - toggle firewall rule doesn't work
February 07, 2026, 06:42:31 PM
Hi,

My use case is relatively simple: I would like to toggle a (LAN) rule via the API.

Based on https://docs.opnsense.org/development/how-tos/api.html#id4, I'm able to connect - but as soon as I try to use the toggle_rule endpoint (https://docs.opnsense.org/development/api/core/firewall.html#id6) I receive the following error;

{'result': 'failed'}
This is the endpoint I'm using (<RULE-UUID> based on the corresponding entry in the config.xml);

https://<OPNSENSE>/api/firewall/filter/toggle_rule/<RULE-UUID>
The request itself;

api_response = requests.post(opnsense_api_url, auth=(opnsense_api_key, opnsense_api_secret), verify=False)
Can you please tell me what I'm missing? Thanks for your time!
#4
opnsense-patch 8ecd344 based on https://github.com/opnsense/core/pull/9669/commits done and working - thanks for that.

Unfortunately I'm not able to provide the .csv from the export as I've rolled back the config to a previous state.

But... before doing so, I had a look at the two different config.xml's (PRE-new rules and POST-new rules). What I found is that the XML node corresponding to the rule shown above in my screenshot had the config options written into the <rule uuid=""> tag.

Let me explain...

correct would be;
<rule uuid="<UNIQUE-RULE-ID>">
the faulty rule had something like (from what I remember);
<rule uuid="<UNIQUE-RULE-ID>,setting1,setting2,setting3,,,,">
#5
Yeah that definitely makes sense :D!
#6
Hi,

I started to (manually) migrate my "old" firewall-rules to the "new" firewall-rules. There's now an automatically created rule on the top, that I can't edit, delete, re-order or deactivate.


After pressing "enable logging" I get the following error;

[30-Jan-2026 11:32:42 <REDACTED>] Error: Class "OPNsense\Firewall\Api\UserException" not found in /usr/local/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php:379
Stack trace:
#0 /usr/local/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php(270): OPNsense\Firewall\Api\FilterBaseController->toggleRuleLogBase('f42dbecd-d93b-4...', '1', 'rules.rule')
#1 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(166): OPNsense\Firewall\Api\FilterController->toggleRuleLogAction('f42dbecd-d93b-4...', '1')
#2 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#3 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#4 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/firewall/f...', Array)
#5 {main}
#7
Hi there,

I have a strange issue regarding a device that gets an IP, but has no reservation set for it. First things first, I'm on OPNsense 25.7.7_4. The device is a soundbar that is connected via cable and once had 10.0.40.4 as IP reservation. Several months ago, I decided that this device doesn't need to be online anymore, so I removed its reservation in KEA.

A couple of days ago I found out that 10.0.40.4 is (still) pingable, even though it has no IP reservation in KEA. When I disable the switch port (that the soundbar is connected to), I can't ping that IP.

My (IoT) VLAN is defined as 10.0.40.0/24, with just a single IP (10.0.40.199/32) as pool.

In my understanding - if I haven't set up an IP reservation for a certain device (based on its MAC), this device shouldn't be able to obtain an IP and access subnets. Am I wrong or is this actually an issue?
#8
Hello OPNsense community,

I have a few questions regarding AGH, but first my setup.

  • OPNsense 25.1.3-amd64
  • AGH v0.107.57

Up to now I have worked with Unbound (including) blocklists, but I have now seen that AGH has very good tools on board for "switching". Above all, the client-based options sound exciting.

AGH currently runs (as primary DNS) and uses Unbound as resolver, but I see relatively high response times here (~200-250 ms).
Going directly through Unbound performs better, and directly through AGH as well (with identical blocklists) -> so my first question: what could be the cause, or how can this be optimized?
(see also a similar problem here: https://forum.opnsense.org/index.php?topic=44439.msg221745#msg221745)

My second question concerns the defined upstream servers, in this case directly via AGH.

If I enter, for example (based on https://adguard-dns.io/kb/de/general/dns-providers/)


I get an error message: "Server ,,tls://security.cloudflare-dns.com:853": konnte nicht verwendet werden, bitte überprüfen Sie die korrekte Schreibweise".

If I enter tls://dns.adguard-dns.com, everything works without errors - and that brings me to my second question: what could be the reason?

I have changed absolutely nothing about the bootstrap DNS servers; the AdGuard DNS does work - just not the rest.

Thanks for your time and have a nice day!

Current config (excerpt):

http:
  pprof:
    port: 6060
    enabled: false
  address: <OPNSENSE_IP>:3000
  session_ttl: 720h
users:
  - name: <AGH_USER>
    password: <AGH_PASSWORD>
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - <OPNSENSE_IP>
    - <VLAN_A>
    - <VLAN_B>
    - <VLAN_C>
    - <VLAN_D>
    - <VLAN_E>
    - <VLAN_F>
    - 127.0.0.1
  port: 53
  anonymize_client_ip: false
  ratelimit: 20
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - '[/*.<LOCALDOMAIN>/]127.0.0.1:<UNBOUND_PORT>'
    - 127.0.0.1:<UNBOUND_PORT>
  upstream_dns_file: ""
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  fallback_dns: []
  upstream_mode: load_balance
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 2s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 127.0.0.1:<UNBOUND_PORT>
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
  hostsfile_enabled: true
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  dir_path: ""
  ignored: []
  interval: 24h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  dir_path: ""
  ignored: []
  interval: 24h
  enabled: true
filters:
  - enabled: false
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: false
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_48.txt
    name: HaGeZi's Pro Blocklist
    id: 1742110114
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_27.txt
    name: OISD Blocklist Big
    id: 1742110115
whitelist_filters: []
user_rules:
  - <REDACTED>
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: Local
    ids: []
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    ecosia: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites:
    - domain: <CLIENT>.<LOCALDOMAIN>
      answer: <ANSWER>
  safe_fs_patterns:
    - /usr/local/AdGuardHome/userfilters/*
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 24
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log:
  enabled: true
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 29

#9
Hi, just wanted to know if someone could tell me what I need to do if I wanted to route all internal DNS requests (xyz.localhub) to Unbound (overrides) and the rest to Proton's DNS server (10.2.0.1)? Thank you!
#10
I've got a setup with two working WG ProtonVPN tunnels, but I am facing DNS leaks. This is due to the fact that I need Unbound to resolve my local domain (.localhub), obviously because Proton's DNS server can't do that. For external requests, I'm using DNS over TLS towards Cloudflare's DNS servers.

As of now, I'm working with overrides, so e.g. "test.localhub" would have an A-entry with value 10.0.0.99.

I have two questions in that regard;

1) Can someone please tell me why clients in my network that use this WG tunnel have issues browsing e.g. Reddit? (as an example: if not logged in, I can't access Reddit due to "security issues" -> Reddit tells me I need to log in to do anything. In contrast, when I start the native ProtonVPN client on my PC and connect to the same ProtonVPN server, it works fine without any issues)

2) What do I need to do so that OPNsense can distinguish between a local DNS request (basically *.localhub) and an outbound DNS request? (assuming this would prevent DNS leaks and prevent occasional "browsing issues" like the one mentioned with Reddit)

Thanks for your time, have a great day!
#11
I came up with pings initially, following https://forum.opnsense.org/index.php?topic=38485.0. But, tbh, I thought there should be a more "straightforward" approach, as the tunnel status information is already available in a system widget (as mentioned below; online/offline).

So that's why I was asking how to get this (already available) tunnel status information into Monit to tell it "if tunnel wg1 status changes from online to offline -> restart wg1".

Thanks for your answer, I've set it up as described in the link below.
#12
Hi there,

Can someone please tell me how to get the WG tunnel status information (online/offline as shown in the dashboard widget) into Monit for further action?

Background: I want Monit, if a tunnel goes from online to offline, to restart that tunnel. Monit is already set up, and the defined (execute) actions are tested and should work.
#13
OK, I understood it to mean that all hosts of a certain internal domain (.zzz) are forwarded to a specific DNS server. Thanks for the clarification.
#14
Hi mate, of course I can live with Cloudflare, as I've set them for DoT - I just wanted to understand what's happening. In that matter, many thanks for your time and reply.

I got it working for my Guest VLAN (where I can run such tests w/o any interruption). In fact...

1) I provide a specific domain for all clients in that Guest VLAN (zzzguest)
2) I configured Unbound to forward requests for that domain (zzzguest) towards the tunnel DNS IP of ProtonVPN

What I don't understand: in Unbound, via DoT, I have two entries for Cloudflare (1.0.0.2 and 1.1.1.2). Currently, the domain is empty (which equals "fetch all domains"). If I set this to my standard domain (zzz), I can't resolve anything. Even after multiple DNS flushes.

#15
Hi there,

I need some help regarding the following; I have set up a WG ProtonVPN tunnel that works fine. So basically I followed the official docs, with one difference -> I'm not routing particular clients over the tunnel, but a whole VLAN.

Now, while browsing https://ip.me/ it shows the correct IP, but https://dnsleaktest.com/ tells me that DNS requests are answered by Cloudflare, not ProtonVPN.

OPNsense's DNS is Unbound, which is actually configured to use Cloudflare's 1.1.1.1 and 1.1.1.2, but Unbound is not(!) listening on the affected VLAN.

KEA is serving as DHCP and offers 10.2.0.1 (ProtonVPN's tunnel DNS) and 1.1.1.1 (because if I remove the latter, resolving doesn't work at all). I'm aware that the order of the offered DNS servers is not sequential, but random.

What's even more curious is that in the live view I can see DNS requests being made towards 10.2.0.1.

Can you point me in a direction where I could search for issues?

Thanks in advance!