Automating configuration of OPNsense without the API

[jakobsen-lrz]

Hello,

i hope this is the right forum for this question, but i have a bit of a problem. I need a way to configure a Firewall using scripts and automation, but some things (AuthServers, Gateways, dhcpd, router advertisements, and Interface Assignments) cant be configured using the API.

What is the most elegant way to configure these other things using a script? The only way that i found, was using a php script that includes config.inc, and running that through the php interpreter.

Thanks.

[Monviech (Cedrik)]

So far not all components have an API yet but thats the long term goal, some features like Router Advertisements are migrated to MVC as we speak: https://opnsense.org/roadmap/



Maybe here you can find some inspiration how to automate non api components?
https://github.com/O-X-L/ansible-opnsense

[bimbar]

I dream of a direct CLI interface to the configuration like for example juniper or fortinet.

[Monviech (Cedrik)]

Other people dream about full OpenAPI spec. This would go hand in hand with the dream of a unified CLI.

There was somebody a while ago on github who wanted to parse all API endpoints and describe them via OpenAPI spec, and there were some PRs in the docs repo around improving the parsing.

But I dont know if anything happened afterwards.

Im the guy who prefers a GUI, while I was working with juniper devices I had like a folder where I stored many known good configurations so I knew where to look, but all in all a GUI is simpler. Only thing I miss is the commit revert timed feature.

[bimbar]

CLI mainly for quick setup via copy&paste of snippets.

[Seimus]

I am a CLI guy ;)
Reason is I do sometimes a hardware level tshooting on ASICs/bus on CISCO hardware, this is possible only via CLI with the knowledge of the architecture.

But for OPNsense as it never had CLI in first place, its better to finish APIs for everything, this will give you more than if they started CLI definitions from 0.

Regards,
S.

[lgrant]

Please forgive me if this makes no sense, because I am still trying to understand the problem.

Could you work on an exported XML configuration file, then reload it? If, for example, you have a standard configuration that you want to apply to a bunch of routers, with customization of names, IP addresses, etc., you might configure the standard configuration via the GUI, download it, then modify it with an XML tool like XSLT or XQuery. If you were just changing names, it should not be too bad. If you are changing the number of interfaces, it would be a little trickier, because you would have to generate new XML code in the right place.

BTW, on of the coolest products (I don't remember what it was) had an XML configuration, and if the had an upgrade that changed the configuration files in not-backward-compatible ways, they would ship an XML stylesheet (XSLT) with the update to upgrade the old configuration file.

The FreeBSD way is that configuration is done view files (usually rc.conf), rather than commands. Even sysctl, which modifies tuning variables view the sysctl command, has a sysctl.conf that sets up the initial sysctl commands.

I am thinking about how this concept could apply to OPNsense. It is a little trickier with an XML file, because the nature of rc.conf is that stuff can pretty much be in any order, and you can use the sysrc command to add stuff to the bottom of the file. Since XML files have structure, you can't just insert lines any old place.

Perhaps I just need to go to bed.

[Patrick M. Hausen]

You can always brute force edit the XML configuration. For an example you can have a look at my (currently neglected, because I switched to an Apple silicon Mac) Vagrant project:

https://github.com/punktDe/vagrant-opnsense

Or you write what you want to do in PHP and use a proper XML library. I am not much of a PHP developer and I managed to achieve everything I needed with sed and friends.