Controlling OPNsense Firewall Rules from HomeAssistant

[giscus[bot]]

Controlling OPNsense Firewall Rules from HomeAssistant

I’ve been running OPNsense for a few months now and absolutely love it. It can do basically everything I want/need and does it with a relatively easy to understand interface (with some exceptions). It also has a good API. I talked more about OPNsense in a previous post so I’m not going to revisit a discussion again of OPNsense itself. But in this post, we’re going to talk about being able to remote turn on and off firewall rules…from HomeAssistant!

https://blog.fuzzymistborn.com/opnsense-firewall/

[VossiVersuchtsMal]

Hello,
I wanted to test your configuration, but somehow it no longer works in the current Home Assistant version. Can you update your information again please :)
Regards

[FuzzyMistborn]

Yeah I noticed recently it's not working. I haven't had a chance to go back and figure out what's wrong. I don't think it's an issue with HomeAssistant, I think it's something that changed on the opnsense end.

[FuzzyMistborn]

Ok working on this a bit more, it looks like this are a bit inverted. I changed the following:

1. I swapped "Pass" to "Block" for action
2. When the rule is "enabled" in Opnsense it allows traffic through. When it's disabled, it blocks traffic (ie the opposite of what you'd think)

Let me know if those solve your problem. If they do then I'll update the post.

[VossiVersuchtsMal]

HI @FuzzyMistborn
Thanks for your feedback.

Everything is fine on the firewall side and I can make the adjustments, but there is a problem with your script.
When just copying and pasting, it no longer understands the rest_command and does not want to load the script.

Here is my error message. Since I use SSL I have added another line, but even without and only with your information in the configuration.yaml the following happens at the restart/reload Home Assist

Cannot quick reload all YAML configurations because the configuration is not valid: Invalid config for [rest_command]: expected a dictionary for dictionary value @ data['rest_command']['method']. Got 'post' expected a dictionary for dictionary value @ data['rest_command']['password']. Got 'LgxXQxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxlcGRIK' expected a dictionary for dictionary value @ data['rest_command']['ssh_rule_apply']. Got None expected a dictionary for dictionary value @ data['rest_command']['ssh_rule_toggle']. Got None expected a dictionary for dictionary value @ data['rest_command']['url']. Got 'http://OPNSENSE_URL/api/firewall/filter/apply' expected a dictionary for dictionary value @ data['rest_command']['username']. Got 'XxxxxxxxxxxxxxxxxxxxxxxxxxiCrq' expected a dictionary for dictionary value @ data['rest_command']['verify_ssl']. Got False. (See /config/configuration.yaml, line 18).

resr_command starts at line 18....

regards

[FuzzyMistborn]

Can you share your config? I'm guessing you have something wrong/missing quotes.

[VossiVersuchtsMal]

Hi,

sorry for the delay.

---

Loads default set of integrations. Do not remove.

default_config:

Load frontend themes from the themes folder

frontend:
themes: !include_dir_merge_named themes

Text to speech

tts:

• platform: google_translate

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

Example configuration.yaml

rest_command:
ssh_rule_toggle:
url: "https://192.168.1.254:4443/api/firewall/filter/toggleRule/5d7e11fa-d5c4-4744-a118-7a55516824a3"
method: "post"
username: !secret opnsense_user
password: !secret opnsense_key
verify_ssl: false

ssh_rule_apply:
url: "https://192.168.1.254:4443/api/firewall/filter/apply"
verify_ssl: false
method: "post"
username: !secret opnsense_user
password: !secret opnsense_key

binary_sensor:

• platform: rest
  name: SSH Firewall Rule
  scan_interval: 30
  device_class: connectivity
  verify_ssl: false
  resource: "https://192.168.1.254:4443/api/firewall/filter/getRule/5d7e11fa-d5c4-4744-a118-7a55516824a3"
  username: !secret opnsense_user
  password: !secret opnsense_key
  value_template: "{{ value_json.rule.enabled }}"

script:
remote_ssh_firewall:
alias: Toggle Remote SSH
sequence:
- service: rest_command.ssh_rule_toggle
- service: rest_command.ssh_rule_apply

Hope you see anything.

Error Message again:
Cannot quick reload all YAML configurations because the configuration is not valid: Invalid config for [rest_command]: expected a dictionary for dictionary value @ data['rest_command']['method']. Got 'post' expected a dictionary for dictionary value @ data['rest_command']['password']. Got 'LgxXQ6V351x4Mt2RTLi2P+lvqpCKXo6J9RB8tJMCcBeNZaMUmsvuOmKHoGKsdpZVUeqmhdoiPnlcGRIK' expected a dictionary for dictionary value @ data['rest_command']['ssh_rule_apply']. Got None expected a dictionary for dictionary value @ data['rest_command']['ssh_rule_toggle']. Got None expected a dictionary for dictionary value @ data['rest_command']['url']. Got 'https://192.168.1.254:4443/api/firewall/filter/apply' expected a dictionary for dictionary value @ data['rest_command']['username']. Got 'XJb6QLpIgEVGdZZVXZMmTK3hB5qUKN34azxPZr6dOwyqU5pdFU0LHvdHIJK0BaOItO0Lu1+cnhZJiCrq' expected a dictionary for dictionary value @ data['rest_command']['verify_ssl']. Got False. (See /config/configuration.yaml, line 18).

Vossi

[VossiVersuchtsMal]

...running OPNsense 23.7.7_3

[VossiVersuchtsMal]

interesting.. now it´s worked for me

rest_command:
ssh_rule_toggle:
url: "https://192.168.1.254:4443/api/firewall/filter/toggleRule/5d7e11fa-d5c4-4744-a118-7a55516824a3"
method: "post"
username: !secret opnsense_user
password: !secret opnsense_key
verify_ssl: false

ssh_rule_apply:
url: "https://192.168.1.254:4443/api/firewall/filter/apply"
verify_ssl: false
method: "post"
username: !secret opnsense_user
password: !secret opnsense_key

binary_sensor:

• platform: rest
  name: iPad Tablet enable disable
  scan_interval: 30
  device_class: connectivity
  verify_ssl: false
  resource: "https://192.168.1.254:4443/api/firewall/filter/getRule/5d7e11fa-d5c4-4744-a118-7a55516824a3"
  username: !secret opnsense_user
  password: !secret opnsense_key
  value_template: "{{ value_json.rule.enabled }}"

script:
remote_ssh_firewall:
alias: Toggle Remote SSH
sequence:
- service: rest_command.ssh_rule_toggle
- service: rest_command.ssh_rule_apply

switch:

• platform: template
  switches:
  remote_ssh:
  friendly_name: "iPad Tablet enable disable"
  value_template: "{{ is_state('binary_sensor.ssh_firewall_rule', 'on') }}"
  turn_on:
  service: script.remote_ssh_firewall
  turn_off:
  service: script.remote_ssh_firewall

[VossiVersuchtsMal]

However, I have one last thing...
The switch in the HA works so far and in the OPNsense everything is also operated as it should, but the switch in the OPNsense goes back to inactive after 10 seconds and I no longer have a current status that is displayed... Do you have a solution for this?

Regards

[adg9876ad9g6]

Same problem here. Did you find any solution for the status? The binary_sensor shows the right status, but not the switch..

Thanks

[VossiVersuchtsMal]

Hi,
I have not found a solution.
...I haven't looked any further because I find it relatively time-consuming to integrate the individual devices again and again.... I just want to be able to block the kids' access to the Internet from time to time...

I have therefore only merged the displays:
type: entities
entities:

• binary_sensor.amazon_firetv_enable_disable
• entity: switch.remote_firetv
• binary_sensor.ipad_tablet_enable_disable
• entity: switch.remote_ipad_tablet
• binary_sensor.samsung_tablet_enable_disable
• entity: switch.remote_samsung_tablet
  title: OPNSense Rules

I'm not really familiar with the design in HA yet, so it remains an open construction site for now.
Otherwise, I would convert the switch into a button and display the respective status behind it.

[alexdelprete]

You don't need any of this if you use this HA integration: https://github.com/travisghansen/hass-opnsense

You can automate many things, Filter Rules included, they will be available as binary switches in HA. :)

[FuzzyMistborn]

I'll have to look into that, thanks for pointing it out! Don't think the HASS plugin was available when I was figuring all this out, or it wasn't as functional.

[VossiVersuchtsMal]

Hello alexdelprete,

you are right that HA has this plugin. I also use it, but more to display the status of my OPNsense.

Unfortunately, I can't use the plugin the way I need it. The aim is to switch an automated filter off or on, which is not possible. Here there are firewall rules that are as clear as I do not want to switch.
Otherwise the plugin is really cool.

Thanks for your suggestion.
Vossi

[alexdelprete]

I don't understand why you use Automation Filter rules when you have HA and a full integration (hass-opnsense). :)

If I remember correctly, the Automation Filter rules were part of os-firewall plugin (integrated in core since 24.1) to have the possibility to manage the rules via API.

Now that you have a FULL integration that integrates all needed APIs (and more, via XMLRPC if API is not available), you can simply use standard Filter Rules and automate them through HA, since they will be exposed as HA entities.

You can enable/disable anything through HA, without having to define rules in the automation section of OPNsense, simply define the rules in the standard rules section of OPNsense, and they will be available in HA as entities.

Alessandro

[VossiVersuchtsMal]

;)
I just checked again...
Yes, I can also do it via the rules...
At that time I also had a cell phone app with which I wanted to control it, but of course... after I switched to HA it's really a great way to control everything via it... there are just too many options with HA...

thanks for your tip.
Vossi

[alexdelprete]

At that time

The integration has developed greatly in latest 2 months, since @Snuffy2 joined the project, he made an incredible job and you can control rules and many more things leveraging HA as an automation platform.

Glad to have helped, cheers.

Alessandro