Best practice for migrating to automated firewall rules via API/script?

Started by Cipher, May 12, 2026, 08:04:25 PM

Hi everyone,

I'm currently automating my OPNsense firewall configuration using the API and a Bash script that creates VLAN firewall rules automatically (LAN, Guest, Media, IoT, etc.).

The script is working now, including:

* creating rules via `/api/firewall/filter/addRule`
* creating schedules via `/api/firewall/schedules/addItem`
* applying changes with `/api/firewall/filter/reconfigure`

My question is about best practice before moving fully to automation.

At the moment I already have manually created firewall rules in OPNsense.
The script creates new rules in addition to the existing ones.

What is the recommended approach?

1. Keep the old/manual rules and add the scripted rules beside them
2. Remove the old rules first and let the script become the single source of truth
3. Use categories/tags and migrate gradually
4. Another recommended method?

I'm especially interested in:

* avoiding duplicate/conflicting rules
* keeping rule order predictable
* managing schedules correctly
* avoiding problems during future script reruns

Environment:

* OPNsense 26.1.7_1
* VLAN-based network segmentation
* API automation with Bash + curl

Any advice from people already automating OPNsense firewall management would be appreciated.

Thanks!
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.
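One way to make reruns converge on a single set of scripted rules instead of piling up duplicates, as an added example that is not the poster's script: each desired rule is keyed on a unique description prefix, looked up before it is created, updated in place when it already exists, and given a fixed `sequence` so ordering does not drift. It is written in Python rather than Bash so the transport can be swapped for a fake; the `searchRule` and `setRule/{uuid}` endpoints and the rule field names are assumptions about the OPNsense filter API, and the host, key and secret are placeholders.

```python
"""Idempotent OPNsense firewall-rule sync (constructed example, not the forum poster's code)."""
import base64
import json
import urllib.request


class OpnsenseApi:
    """Minimal client using key/secret basic auth; send() is injectable for offline tests."""

    def __init__(self, base_url, key, secret, send=None):
        self.base_url = base_url.rstrip("/")
        self.auth = base64.b64encode(f"{key}:{secret}".encode()).decode()
        self.send = send or self._http_send

    def _http_send(self, path, body):
        req = urllib.request.Request(
            self.base_url + path, method="POST", data=json.dumps(body).encode(),
            headers={"Authorization": "Basic " + self.auth, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def post(self, path, body=None):
        return self.send(path, body or {})


def ensure_rule(api, rule):
    """Create or update one rule keyed on its description; returns (uuid, action taken)."""
    # Assumed endpoint: searchRule returns {"rows": [{"uuid": ..., "description": ...}, ...]}
    found = api.post("/api/firewall/filter/searchRule",
                     {"current": 1, "rowCount": -1, "searchPhrase": rule["description"]})
    matches = [r for r in found.get("rows", []) if r.get("description") == rule["description"]]
    if len(matches) > 1:
        # Refuse to guess which copy is authoritative; a human has to resolve this once.
        raise RuntimeError(f"duplicate rules named {rule['description']!r}: fix manually")
    if matches:
        uuid = matches[0]["uuid"]
        api.post(f"/api/firewall/filter/setRule/{uuid}", {"rule": rule})  # assumed endpoint
        return uuid, "updated"
    uuid = api.post("/api/firewall/filter/addRule", {"rule": rule})["uuid"]
    return uuid, "created"


def sync_rules(api, rules):
    """Converge every desired rule, then apply the ruleset once at the end."""
    results = [ensure_rule(api, r) for r in rules]
    api.post("/api/firewall/filter/reconfigure")
    return results


DESIRED_RULES = [  # constructed sample policy; the "auto:" prefix marks script-owned rules
    {"description": "auto:iot-block-lan", "sequence": "100", "action": "block",
     "interface": "iot", "direction": "in", "ipprotocol": "inet", "protocol": "any",
     "source_net": "iot", "destination_net": "lan", "enabled": "1"},
]
```

Running `sync_rules` twice against the same firewall creates each rule once and updates it on the second pass; manually created rules that lack the `auto:` prefix are never touched, which gives a gradual migration path.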