How to setup and manage 18+ OpnSense centralized

Started by Schroeffu, April 29, 2018, 02:59:36 PM

Hi all,

I have a use case where 18+ locations need to be connected to their local DSL connection for white proxy internet usage. A firewall like OpnSense should work as a web proxy for all the users on site. In the future, maybe the guest-wifi-coupon solution will be added for guests. These locations are connected to each other through MPLS, but the standard internet browser traffic should not go via the main location due to bandwidth limitations when everybody is streaming ;-) So that means 18+ OpnSense's need to be managed centralized and with automated roll-outs of their configs.

Is the API ready to use to configure OpnSense after installation? In that case an Ansible playbook can do it. A CLI is easier but a fully working API will do it too.

If not, what's the way to configure & manage 18+ OpnSense installations? For sure I don't want to click through 18+ WebUIs for any change.. ;-)

So, what's the best practice here :-)?

Best Regards

Quote from: Schroeffu on April 29, 2018, 02:59:36 PM
Hi all,

I have a use case where 18+ locations need to be connected to their local DSL connection for white proxy internet usage. A firewall like OpnSense should work as a web proxy for all the users on site. In the future, maybe the guest-wifi-coupon solution will be added for guests. These locations are connected to each other through MPLS, but the standard internet browser traffic should not go via the main location due to bandwidth limitations when everybody is streaming ;-) So that means 18+ OpnSense's need to be managed centralized and with automated roll-outs of their configs.

Quote from: Schroeffu on April 29, 2018, 02:59:36 PM
Is the API ready to use to configure OpnSense after installation? In that case an Ansible playbook can do it. A CLI is easier but a fully working API will do it too.
The API is available for some core things (captive portal, proxy, IPS, static routes) and most plugins. Most things in core are not API capable. If the page you open has the "/ui" prefix, there is very likely an API behind it.

Quote from: Schroeffu on April 29, 2018, 02:59:36 PM
If not, what's the way to configure & manage 18+ OpnSense installations? For sure I don't want to click through 18+ WebUIs for any change.. ;-)
API if possible, generate and upload the config.xml, edit config.xml remotely and update the services using a cron job or use something like selenium.

Quote from: Schroeffu on April 29, 2018, 02:59:36 PM
So, what's the best practice here :-)?
If possible, use the API - it is the most simple way to work (single HTTP request).
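The "single HTTP request" per firewall, repeated across a fleet, as an added example that is not part of the thread or of any poster's code. It assumes OPNsense's API key/secret pair sent as HTTP Basic credentials and the `core/firmware/status` call from the project's API how-to; the hostnames and credentials are constructed, and the function names are hypothetical.

```python
import base64
import json
import ssl
import urllib.request

# Constructed inventory: hostname -> (API key, API secret), one key pair per firewall.
SAMPLE_FLEET = {
    "fw-site01.example.net": ("KEY01", "SECRET01"),
    "fw-site02.example.net": ("KEY02", "SECRET02"),
}

def build_request(host, key, secret, module, controller, command, payload=None):
    """Build one call to https://<host>/api/<module>/<controller>/<command>."""
    url = f"https://{host}/api/{module}/{controller}/{command}"
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    headers = {"Authorization": f"Basic {token}"}
    data = None
    if payload is not None:  # a payload is sent as a JSON POST body
        data = json.dumps(payload).encode()
        headers["Content-Type"] = "application/json"
    method = "GET" if data is None else "POST"
    return urllib.request.Request(url, data=data, headers=headers, method=method)

def https_send(req, timeout=10):
    """Send the request with certificate and hostname verification left on."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read().decode())

def run_on_fleet(fleet, module, controller, command, payload=None, send=https_send):
    """Run the same call on every firewall; one failing site does not stop the rest."""
    results = {}
    for host, (key, secret) in sorted(fleet.items()):
        req = build_request(host, key, secret, module, controller, command, payload)
        try:
            results[host] = ("ok", send(req))
        except Exception as exc:  # unreachable host, TLS failure, bad credentials, ...
            results[host] = ("error", str(exc))
    return results

if __name__ == "__main__":
    fleet_status = run_on_fleet(SAMPLE_FLEET, "core", "firmware", "status")
    for host, (state, detail) in fleet_status.items():
        print(host, state, detail)
```

A separate key pair per firewall keeps a leaked credential confined to one site, and the per-host result map shows which locations a rollout did not reach.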

Thanks for the answer.

Most sites do have the /ui in their URL. But where is the API Documentation?

I only could find a very basic example at https://docs.opnsense.org/development/how-tos/api.html

There is no API documentation. You can find the endpoints and how to use them with the network tab of the developer tools of the browser.

Your best chance is to scrape the source code. I have compiled a list of API commands from the source code here.

If you have PowerShell you can take a look at my PowerShell Module PS_OPnsense that's in the works. Its purpose is to automate OPNsense management. PowerShell Core 6 is cross-platform as well. If you are looking for specific functionality I might be able to include that.

There are some Ruby and CLI API clients out there as well.

I'm facing the same problem. I'm currently trying to integrate OPNSense at my new company, but I'm probably going to roll back to something more integrable with Ansible like CentOS + FirewallD or Shorewall because the API is not complete and/or there is no CLI to create rules and NAT.
My second problem is that the hotplug of Virtio NIC seems not to be working under OPNSense, because of FreeBSD I suppose.

Quote from: fabian on May 01, 2018, 10:15:16 AM
There is no API documentation. You can find the endpoints and how to use them with the network tab of the developer tools of the browser.

That's no longer true. ;)

https://docs.opnsense.org/development/api.html

May 16, 2018, 09:39:33 PM #7 Last Edit: May 16, 2018, 09:45:09 PM by JohnDoe17
I am very, very interested in this topic as well. Have you been able to make any progress on this front using the API?

Question for OPNsense developers: What would it take to make this use case a higher priority? Do you accept private contracts to prioritize work? Or, in other words, what drives the priorities for developing new features?

Thanks!

The API effort is a huge task so we prioritise by user requests, usability and (unfortunately) technically sensible ordering. Sometimes we cannot add an API on top of a subsystem that does not adhere to a proper way of modelling its input and output.

Meanwhile work has started to write an API for the firewall aliases which should hit 18.7. :)

If you are willing to help move things along quicker please contact project@opnsense.org


Thank you,
Franco