Topics

This is tested on CentOS but should be easily portable to other unix systems. Prerequisites are an OPNsense admin user with an API key, which does not require interactive login or a known password. It does not produce output when successful, so when called from cron it will email root with errors. Binaries needed are date, curl, gzip and find.

Bart...

#!/usr/bin/bash

# Change API key and secret, number of days to keep backups, the path to your backups and the hostname for your firewall

key="api key for backup user"
secret="api secret for backup user"
daystokeep=3
destination="/path/to/firewall/backups"
fwhost="firewall.fqdn"

date=$(date +%Y-%m-%d)

result=$(/usr/bin/curl -I -s -k -u "$key":"$secret" https://$fwhost/api/backup/backup/download | head -1)

if [[ $result != *"200"* ]]; then
   echo "Result of the HTTP request is $result"
   exit 1
fi

/usr/bin/curl -s -k -u "$key":"$secret" https://$fwhost/api/backup/backup/download > $date.xml

error=$?

if [ $error -gt 0 ]; then
   echo "Curl returned error number $error"
   exit 1
fi

/usr/bin/gzip $date.xml

mv $date.xml.gz $destination
/usr/bin/find $destination/* -mtime +$daystokeep -exec rm {} \;

Brace yourselves for new users  8) https://tech.slashdot.org/story/17/02/04/0522249/opnsense-171-released-based-on-freebsd-11

The more the merrier, obviously

Bart...

These are the last log lines:

openvpn[53655]: OpenVPN 2.3.11 amd64-portbld-freebsd10.2 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 17 2016
openvpn[53655]: library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09
openvpn[59622]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
openvpn[59622]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
openvpn[13821]: RESOLVE: Cannot resolve host address: <WAN IPv6 address>: hostname nor servname provided, or not known
openvpn[13821]: Exiting due to fatal error

I've added the WAN IP to /etc/hosts with the short name and FQDN of the firewall. I've also added ::1 localhost but the error persists.

Bart...

I have OPNsense and a number of internal hosts powered from a UPS. One of the host has a USB connection to the UPS and runs a script on loss of mains power for a graceful shutdown. This script shuts down the other hosts powered by the UPS.

Is there a way to include a remote shutdown of OPNsense in this script? Either through SSH, an API call, SNMP or some other means?

Bart...

There has been some recent media coverage on IPv6 RA  frequency: http://www.theregister.co.uk/2016/02/16/ietf_rfc_7772/ http://hardware.slashdot.org/story/16/02/16/1547239/ietfs-tips-for-network-admins-on-how-to-avoid-draining-smartphone-batteries

I changed the minimum/maximum advertisements intervals in /var/etc/radvd.conf from 5 and 20 seconds to 225 and 300 seconds respectively. Unfortunately these values are reset to 5 and 20 when the RA daemon starts. This was confirmed by radvdump, which shows multicast every 15 seconds.

Is there a way to change this behaviour? If only because a lower frequency would benefit the environment.

Thanks,

Bart...

This script follows on from the example in the 'Using the API Howto' wiki entry. https://wiki.opnsense.org/index.php/Howto_use_the_API

Replace the redacted api_key and api_secret strings with your own and set the URL of your OPNsense instance as well as your name/email address.

It requires an MTA (set to localhost in the script) and can be run from cron. Tested with Python 2.7.5-34 on CentOS 7.