Messages - bugz000

#1
[solved]

del url is not del_state, it's delstate; docs are wrong.

Code (php):
    $del_url  = $opnsense_host . "/api/diagnostics/firewall/delState";

query states first:

Code (php):
    $query_url = $opnsense_host . "/api/diagnostics/firewall/query_states";

get response:

Code (json):
{
  "label": "21d61fb65e9a253dc46b79181dc7044c",
  "descr": "Default allow LAN to any rule",
  "nat_addr": "",
  "nat_port": "",
  "gateway": "",
  "iface": "all",
  "proto": "udp",
  "ipproto": "ipv4",
  "flags": [],
  "direction": "in",
  "dst_addr": "185.211.73.104",
  "dst_port": "41677",
  "src_addr": "192.168.2.189",
  "src_port": "3232",
  "state": "MULTIPLE:MULTIPLE",
  "age": "32:21:44",
  "expires": "00:00:58",
  "pkts": {
    "out": 18123,
    "in": 24102
  },
  "bytes": {
    "out": 2349563,
    "in": 2946399
  },
  "rule": 59,
  "id": "09048e6900000000/f1c4a296",
  "interface": "all"
}

id field:

Code (json):
  "id": "09048e6900000000/f1c4a296",

is actually the stateid and creator id (anemic docs, non-existent/wrong.)

Code (php):
    list($stateid, $creatorid) = explode('/', $full_id);

pass as url params (anemic docs, non-existent/wrong, says post, wrong.)

Code (php):
$del_url_full = $del_url . '/' . $stateid . '/' . $creatorid;
$ch = curl_init($del_url_full);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_USERPWD, $opnsense_key . ':' . $opnsense_secret);
curl_setopt($ch, CURLOPT_POSTFIELDS, '');
$del_resp = curl_exec($ch);
curl_close($ch);

attention: setting length despite blank body (not mentioned in docs/non-existent/wrong.)

Code (php):
    curl_setopt($ch, CURLOPT_POSTFIELDS, '');

and by parsing through and deleting this way you can purge the states by IP.

Code (php):
function purgeStatesByIP($opnsense_host, $opnsense_key, $opnsense_secret, $ip) {
    // Query all states
    $query_url = $opnsense_host . "/api/diagnostics/firewall/query_states";

    $ch = curl_init($query_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_USERPWD, $opnsense_key . ':' . $opnsense_secret);
    $resp = curl_exec($ch);
    curl_close($ch);

    if (!$resp) {
        throw new Exception("Failed to query states.");
    }

    $states = json_decode($resp, true);

    if (!is_array($states)) {
        throw new Exception("Invalid response: " . $resp);
    }

    $del_url = $opnsense_host . "/api/diagnostics/firewall/delState";
    $deleted = [];

    foreach ($states as $state) {
        if ($state['src_addr'] === $ip || $state['dst_addr'] === $ip) {
            // Split the "id" field into stateid + creatorid
            list($stateid, $creatorid) = explode('/', $state['id']);
            $del_url_full = $del_url . '/' . $stateid . '/' . $creatorid;

            $ch = curl_init($del_url_full);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_USERPWD, $opnsense_key . ':' . $opnsense_secret);
            curl_setopt($ch, CURLOPT_POSTFIELDS, ''); // Required even if empty
            $del_resp = curl_exec($ch);
            curl_close($ch);

            $deleted[] = [
                'state' => $state,
                'response' => $del_resp
            ];
        }
    }

    return $deleted;
}

// Example usage:
try {
    $deletedStates = purgeStatesByIP(
        "https://firewall.example.com",
        "your_api_key",
        "your_api_secret",
        "185.211.73.104"
    );

    echo "Deleted " . count($deletedStates) . " states.\n";
    foreach ($deletedStates as $d) {
        echo " - " . $d['state']['src_addr'] . " → " . $d['state']['dst_addr'] . "\n";
    }
} catch (Exception $e) {
    echo "Error: " . $e->getMessage() . "\n";
}

hope this helps someone...

https://docs.opnsense.org/development/api/core/diagnostics.html
this page needs serious work
issue since 2021
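The same query/split/delete flow in Python, as an added example that is not the post's own code. The endpoint paths and the "stateid/creatorid" id format are taken from the post as described there and assumed correct; the host, the API key/secret and the sample states are constructed. It goes one step beyond the post by accepting a CIDR as well as a single IP, and it keeps the HTTP POST injectable so the selection logic can be exercised offline.

```python
# Added example (not the post's code): purge OPNsense firewall states for an IP or CIDR
# using the endpoint shapes the post describes (assumed): query_states returns states
# whose "id" is "<stateid>/<creatorid>"; delState takes both as URL path segments via POST.
import base64
import ipaddress
import urllib.request

DEL_PATH = "/api/diagnostics/firewall/delState"

def split_state_id(full_id):
    """Split the 'id' field ("<stateid>/<creatorid>") into its two parts."""
    stateid, sep, creatorid = full_id.partition("/")
    if not (sep and stateid and creatorid):
        raise ValueError(f"unexpected state id: {full_id!r}")
    return stateid, creatorid

def select_states(states, target):
    """States whose src or dst address lies in target (a single IP or a CIDR)."""
    net = ipaddress.ip_network(target, strict=False)
    def in_net(addr):
        try:
            return ipaddress.ip_address(addr) in net
        except ValueError:  # empty or malformed address field
            return False
    return [st for st in states
            if in_net(st.get("src_addr", "")) or in_net(st.get("dst_addr", ""))]

def delete_urls(host, states):
    parts = (split_state_id(st["id"]) for st in states)
    return [f"{host}{DEL_PATH}/{sid}/{cid}" for sid, cid in parts]

def make_poster(key, secret):
    """Return a POST function using basic auth; data=b'' makes urllib send Content-Length: 0."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    def post(url):
        req = urllib.request.Request(url, data=b"", method="POST",
                                     headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    return post

def purge_states(host, states, target, post):
    """Delete every matching state; post is injected so it can be faked offline."""
    return [(u, post(u)) for u in delete_urls(host, select_states(states, target))]

# Constructed sample shaped like the query_states record in the post (not real data).
SAMPLE = [
    {"src_addr": "192.168.2.189", "dst_addr": "185.211.73.104", "id": "09048e6900000000/f1c4a296"},
    {"src_addr": "192.168.2.10", "dst_addr": "1.1.1.1", "id": "0a0b0c0d00000000/deadbeef"},
    {"src_addr": "", "dst_addr": "185.211.73.200", "id": "1111222200000000/cafef00d"},
]
```

Against a live firewall, call `purge_states(host, states, target, make_poster(key, secret))` with `states` being the decoded query_states response.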
#3
well it seems it's all boiled down to one thing

https://docs.opnsense.org/development/api/core/diagnostics.html

https://forum.opnsense.org/index.php?topic=31706.0

how to operate this api

the documentation on it is... well, it's totally non existent.

so...
does anyone have a clue how this works?
#4
Hi all,

I've recently switched to updating my OPNsense firewall via the API, adding/removing IPs from an alias and refreshing the rules proactively rather than polling. My floating firewall rule drops all packets to/from IPs in that alias.

The problem is that even with API-driven updates, the firewall can take upwards of 20 minutes to actually reflect changes. I've seen similar reports in:

https://www.reddit.com/r/OPNsenseFirewall/comments/13l6alq/opnsense_states/
https://forum.opnsense.org/index.php?topic=31995.0
https://forum.opnsense.org/index.php?topic=21074.0
https://forum.opnsense.org/index.php?topic=30962.0
https://forum.opnsense.org/index.php?topic=38305.0
https://forum.opnsense.org/index.php?topic=31706.0
https://github.com/opnsense/core/issues/6404

From what I understand, using flush_states or kill_states via the API can force a refresh, but both seem to disconnect all active connections, which isn't a viable solution for me.

My question:

Is there a way to force a single firewall state (or a set of states related to a specific IP) to refresh without dropping all other connections?

I haven't found any official documentation on this, so any guidance, undocumented API endpoints, or workarounds would be greatly appreciated.

Thanks!
#5
this install hasn't been running long, and after a recent power failure, DNS simply refuses to work.
key points are as such; I understand ping is different to DNS, but just bear with me...

I am using the latest OPNsense
I am using the ADGUARD DNS filter for the DNS server
the network is a dual-NAT setup, with OPNSENSE as gateway for the devices in this room and the ISP router "outside" this network serving as another gateway; traffic is DMZ'd through to OPNSENSE for hosting etc. It's a bit funky, but it's been working great for the past decade or so and preserves the standard ISP wifi network for friends/family, as they find my filtering excessive - but I digress;

ADGUARD: 192.168.2.241
OPNSENSE: 192.168.2.254
PC: 192.168.2.38
WAN: 192.168.0.30

adguard can ping 8.8.8.8
opnsense can ping 8.8.8.8
proxmox can ping 8.8.8.8
DNS is set to 8.8.8.8 in the proxmox DNS section
adguard upstream DNS is set to 8.8.8.8 (and a few others)
PC gateway is set to opnsense
PC DNS is set to adguard
dhcp is turned off on the router (no conflict)
all DNS servers/forwarding is turned OFF in opnsense

yet nothing can resolve any hostname...

using DIG command from ADGUARD:
adguard:~# dig @8.8.8.8 google.com

; <<>> DiG 9.16.15-Debian <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


using PING command from ADGUARD:
adguard:~# ping google.com
ping: google.com: Temporary failure in name resolution


if I set the PC DNS server to 8.8.8.8 directly, it works (and is how I can post this thread), but nothing else on the server is functioning;
setting this directly in the proxmox host etc. seems to do nothing. I'm unsure what the problem is...

using tracert command from PC with 8.8.8.8 set directly:
tracert google.com

Tracing route to google.com [142.250.178.14]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.2.254
  2     2 ms     2 ms     3 ms  192.168.0.1
  3    13 ms    10 ms     8 ms  10.112.32.117
  4    11 ms    12 ms    10 ms  wolv-core-2a-xe-0017-0.network.virginmedia.net [80.3.145.73]
  5     *        *        *     Request timed out.
  6    21 ms    20 ms    18 ms  tcl5-ic-4-ae5-0.network.virginmedia.net [62.252.192.246]
  7    19 ms    21 ms    20 ms  host-62-252-5.117.not-set-yet.virginmedia.net.5.252.62.in-addr.arpa [62.252.5.117]
  8    18 ms    20 ms    17 ms  216.239.49.185
  9    18 ms    19 ms    16 ms  142.250.215.125
10    20 ms    18 ms    15 ms  lhr48s27-in-f14.1e100.net [142.250.178.14]

Trace complete.


using traceroute from ADGUARD:

adguard:~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1  192.168.2.254 (192.168.2.254)  0.336 ms  0.297 ms  0.264 ms
2  192.168.0.1 (192.168.0.1)  2.486 ms  3.055 ms  3.387 ms
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *


using IP route show on ADGUARD
adguard:~# ip route show
default via 192.168.2.254 dev eth0 onlink
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.241



opnsense interface overview (LAN):
Status up
MAC address ba:01:25:4a:a0:71
MTU 1500
IPv4 address 192.168.2.254/24
IPv4 gateway 192.168.2.254
Media 10Gbase-T <full-duplex>
In/out packets 700615 / 2247726 (387.00 MB / 2.59 GB)
In/out packets (pass) 695789 / 2247726 (386.74 MB / 2.59 GB)
In/out packets (block) 271254 / 0 (5 KB / 0 bytes)
In/out errors 0 / 0
Collisions 0


opnsense interface overview (WAN):
Status up
DHCP up
MAC address e2:d6:90:93:e4:b8
MTU 1500
IPv4 address 192.168.0.30/24
IPv4 gateway 192.168.0.1
IPv6 link-local fe80::e0d6:90ff:fe93:e4b8/64
DNS servers 194.168.4.100
194.168.8.100
8.8.8.8
8.8.4.4
Media 10Gbase-T <full-duplex>
In/out packets 2178354 / 677061 (2.54 GB / 382.25 MB)
In/out packets (pass) 2172327 / 677056 (2.54 GB / 382.25 MB)
In/out packets (block) 2664361 / 5 (6 KB / 369 bytes)
In/out errors 0 / 0
Collisions 0


using DIG command direct to 8.8.8.8 from PROXMOX:
bugz000:~# dig @8.8.8.8 google.com

; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached



using ping from another proxmox container to ADGUARD
httpd:~# ping 192.168.2.241
PING 192.168.2.241 (192.168.2.241) 56(84) bytes of data.
64 bytes from 192.168.2.241: icmp_seq=1 ttl=64 time=0.192 ms
64 bytes from 192.168.2.241: icmp_seq=2 ttl=64 time=0.074 ms
64 bytes from 192.168.2.241: icmp_seq=3 ttl=64 time=0.061 ms
64 bytes from 192.168.2.241: icmp_seq=4 ttl=64 time=0.062 ms
64 bytes from 192.168.2.241: icmp_seq=5 ttl=64 time=0.060 ms
64 bytes from 192.168.2.241: icmp_seq=6 ttl=64 time=0.039 ms
64 bytes from 192.168.2.241: icmp_seq=7 ttl=64 time=0.064 ms
64 bytes from 192.168.2.241: icmp_seq=8 ttl=64 time=0.070 ms
64 bytes from 192.168.2.241: icmp_seq=9 ttl=64 time=0.081 ms
64 bytes from 192.168.2.241: icmp_seq=10 ttl=64 time=0.062 ms
64 bytes from 192.168.2.241: icmp_seq=11 ttl=64 time=0.069 ms
64 bytes from 192.168.2.241: icmp_seq=12 ttl=64 time=0.077 ms
I am almost certain I am lacking needed information to fix this issue, so please direct me to what information you need and I'll get it for you.

standing by for replies as I'm out of ideas at this point - my gut feeling tells me something in the OPNsense config is blocking DNS, which is why I'm posting here.
this is because ADGUARD has been running for upwards of 6 months, and has existed much longer; it has "survived" several reboots and power failures... and this OPNsense container is quite a new addition, never being subject to a power failure until now - I used OPNsense in the past, but incredibly slow NAT speeds caused me to move back to OpenWrt - but it seems the fault has been fixed and I can get full line speed with Suricata and CrowdSec, which is fantastic, but only after a power failure has this new fault appeared.

thank you all in advance <3