OPNsense
Author Topic: How to setup and manage 18+ OpnSense centralized  (Read 7655 times)

Schroeffu

How to setup and manage 18+ OpnSense centralized
« on: April 29, 2018, 02:59:36 pm »
Hi all,

I have a use-case where 18+ locations need to be connected to their local DSL connection for white proxy internet usage. A Firewall like OpnSense should work as a WebProxy for all the users on site. In future maybe the guest-wifi-coupon solution will be added for guests. These locations are connected to each other through MPLS but the standard internet browser traffic should not go via the main location due to bandwidth limitations when everybody is streaming ;-) So this means 18+ OpnSenses need to be managed centrally, with automated roll-outs of their configs.

Is the API ready to use to configure OpnSense after installation? In that case an ansible playbook can do it. A CLI is easier but a fully working API will do it too.

If not, what's the way to configure & manage 18+ OpnSense installations? For sure I don't want to click through 18+ WebUIs for any change.. ;-)

So, what's the best practice here :-)?

Best Regards

fabian

Re: How to setup and manage 18+ OpnSense centralized
« Reply #1 on: April 29, 2018, 05:42:19 pm »
Quote from: Schroeffu on April 29, 2018, 02:59:36 pm
Hi all,

I have a use-case where 18+ locations need to be connected to their local DSL connection for white proxy internet usage. A Firewall like OpnSense should work as a WebProxy for all the users on site. In future maybe the guest-wifi-coupon solution will be added for guests. These locations are connected to each other through MPLS but the standard internet browser traffic should not go via the main location due to bandwidth limitations when everybody is streaming ;-) So this means 18+ OpnSenses need to be managed centrally, with automated roll-outs of their configs.

Quote from: Schroeffu on April 29, 2018, 02:59:36 pm
Is the API ready to use to configure OpnSense after installation? In that case an ansible playbook can do it. A CLI is easier but a fully working API will do it too.
The API is available for some core things (captive portal, proxy, IPS, static routes) and most plugins. Most things in core are not API capable. If the page you open has the "/ui" prefix, there is very likely an API behind it.

Quote from: Schroeffu on April 29, 2018, 02:59:36 pm
If not, what's the way to configure & manage 18+ OpnSense installations? For sure I don't want to click through 18+ WebUIs for any change.. ;-)
API if possible, generate and upload the config.xml, edit config.xml remotely and update the services using a cron job or use something like selenium.

Quote from: Schroeffu on April 29, 2018, 02:59:36 pm
So, what's the best practice here :-)?
If possible, use the API - it is the most simple way to work (single HTTP request).
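The "single HTTP request" approach from the reply above, fanned out over an inventory of firewalls, as an added example that is not code from the thread or from the OPNsense project. It assumes key/secret HTTP Basic authentication and the `/api/<module>/<controller>/<command>` URL layout shown in the OPNsense API how-to linked later in this thread (`core/firmware/status` is the call used there); the hostnames, credentials and function names are constructed placeholders.

```python
import base64
import json
import re
import ssl
import urllib.request

# Constructed inventory: hostnames and credentials are placeholders. Give every
# firewall its own API key/secret and load them from a secrets store, not source.
FLEET = {
    "fw-site01.example.net": ("KEY_SITE01", "SECRET_SITE01"),
    "fw-site02.example.net": ("KEY_SITE02", "SECRET_SITE02"),
}
_SEGMENT = re.compile(r"^[A-Za-z0-9_]+$")  # keeps "../" and similar out of the path


def build_request(host, key, secret, module, controller, command, body=None):
    """Build one HTTPS API request (hypothetical helper); nothing is sent here."""
    for part in (module, controller, command):
        if not _SEGMENT.match(part):
            raise ValueError(f"unsafe path segment: {part!r}")
    url = f"https://{host}/api/{module}/{controller}/{command}"
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    headers = {"Authorization": f"Basic {token}"}
    data = None
    if body is not None:  # a JSON body turns the call into a POST
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    method = "POST" if data is not None else "GET"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def fleet_requests(fleet, module, controller, command, body=None):
    """One request per firewall, each signed with that firewall's own credentials."""
    return {host: build_request(host, k, s, module, controller, command, body)
            for host, (k, s) in fleet.items()}


def run(fleet, module, controller, command, body=None, cafile=None, timeout=10):
    """Send the call to every firewall; one failing site does not stop the rest."""
    ctx = ssl.create_default_context(cafile=cafile)  # certificate and hostname checks stay on
    results = {}
    for host, req in fleet_requests(fleet, module, controller, command, body).items():
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                results[host] = json.loads(resp.read())
        except (OSError, ValueError) as exc:  # network/TLS/HTTP errors, bad JSON
            results[host] = {"error": str(exc)}
    return results
```

Pass `cafile` pointing at the CA that issued the firewalls' web GUI certificates so that verification succeeds without being switched off.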

Schroeffu

Re: How to setup and manage 18+ OpnSense centralized
« Reply #2 on: May 01, 2018, 03:36:11 am »
Thanks for the answer.

Most sites do have the /ui in their URL. But where is the API Documentation?

I only could find a very basic example at https://docs.opnsense.org/development/how-tos/api.html

fabian

Re: How to setup and manage 18+ OpnSense centralized
« Reply #3 on: May 01, 2018, 10:15:16 am »
There is no API documentation. You can find the endpoints and how to use them with the network tab of the developer tools of the browser.

fvanroie

Re: How to setup and manage 18+ OpnSense centralized
« Reply #4 on: May 01, 2018, 11:15:04 am »
Your best chance is to scrape the source code. I have compiled a list of api commands from the source code here.

If you have PowerShell you can take a look at my PowerShell module PS_OPNsense that's in the works. Its purpose is to automate OPNsense management. PowerShell Core 6 is cross-platform as well. If you are looking for specific functionality I might be able to include that.

There are some Ruby and CLI API clients out there as well.

chris968

Re: How to setup and manage 18+ OpnSense centralized
« Reply #5 on: May 07, 2018, 01:20:58 pm »
I'm facing the same problem. I'm currently trying to integrate OPNSense at my new company but I'm probably going to roll back to something more integrable with Ansible like CentOS + FirewallD or Shorewall because the API is not complete and/or there is no CLI to create rules and NAT.
My second problem is that the hotplug of Virtio NIC seems not to be working under OPNSense, because of FreeBSD I suppose.

franco

Re: How to setup and manage 18+ OpnSense centralized
« Reply #6 on: May 07, 2018, 06:53:39 pm »
Quote from: fabian on May 01, 2018, 10:15:16 am
There is no API documentation. You can find the endpoints and how to use them with the network tab of the developer tools of the browser.

That's no longer true. ;)

https://docs.opnsense.org/development/api.html

JohnDoe17

Re: How to setup and manage 18+ OpnSense centralized
« Reply #7 on: May 16, 2018, 09:39:33 pm »
I am very, very interested in this topic as well. Have you been able to make any progress on this front using the API?

Question for Opnsense developers: What would it take to make this use case a higher priority? Do you accept private contracts to prioritize work? Or, in other words, what drives the priorities for developing new features?

Thanks!
« Last Edit: May 16, 2018, 09:45:09 pm by JohnDoe17 »

franco

Re: How to setup and manage 18+ OpnSense centralized
« Reply #8 on: May 17, 2018, 07:49:41 am »
The API effort is a huge task so we prioritise by user requests, usability and (unfortunately) technically sensible ordering. Sometimes we cannot add an API on top of a subsystem that does not adhere to a proper way of modelling its input and output.

Meanwhile work has started to write an API for the firewall aliases which should hit 18.7. :)

If you are willing to help move things along quicker please contact project@opnsense.org


Thank you,
Franco