OPNsense Firewalls
The OPNsense module manages your firewall infrastructure. It provides real-time monitoring, update management, and configuration backups for all OPNsense installations.
Overview
Host Table
| Column | Description |
|---|---|
| Customer | Assigned customer |
| Hostname | Name of the firewall |
| OPNsense Version | Installed OPNsense version |
| Agent Version | DATAZONE Agent version |
| WAN IP | Public WAN address |
| Uptime | Time since last reboot |
| CPU / RAM / Disk | Current utilization as progress bars |
| Last Response | Timestamp of the last agent heartbeat |
| Last Config Change | Timestamp of the last configuration change |
| Gateways | Status of configured gateways (color-coded) |
| WebUI | Direct link to the OPNsense web interface |
Status Detection
A firewall is considered offline if no heartbeat is received within twice the heartbeat interval. The agent reports its interval (heartbeat_interval), and the offline threshold is calculated as heartbeat_interval × 2. Default: 2 × 30 s = 60 s.
Dynamic Detection
Unlike the other modules (fixed 120s timeout), the OPNsense offline detection dynamically adapts to the actual heartbeat interval of the agent.
Adding a Host
Via Agent (recommended)
- Install the agent on the OPNsense appliance (see Agent Installation)
- The agent automatically detects that the system is FreeBSD/OPNsense
- The firewall appears in the OPNsense module
Manual (API-based)
- Click Add Firewall
- Enter the following details:
  - Customer - Assign to a customer
  - Hostname - Display name
  - Host - IP address or FQDN
  - API Key and API Secret - OPNsense API credentials
Setting Up API Access
In the OPNsense web interface under System > Access > Users, you can create API keys. The user requires read permissions for the desired areas.
Detail Modal
Click on a firewall in the table to open the detail modal.
The detail modal contains 9 main tabs at the top. The Overview tab additionally contains 7 sub-tabs for detailed system information.
Main Tabs
| Tab | Icon | Description |
|---|---|---|
| Overview | Monitor | System information with sub-tabs (see below) |
| Checks | ClipboardCheck | Health check results and status |
| Jobs | ListTodo | Running and completed tasks |
| Shell | Terminal | Remote terminal to the OPNsense shell |
| Log | FileText | Execution logs for all actions |
| Groups | Tags | Manage group membership |
| Updates | RefreshCw | Update history and schedules |
| Agent | Cpu | Agent status, logs, and management |
| Delete | Trash2 | Remove firewall from DATAZONE Control |
Tab: Overview
The overview shows the most important metrics (CPU, RAM, Disk, Uptime) as cards at the top. Below are editable fields (Name, Customer, Description) and the sub-tab navigation.
Sub-tab: Hardware
- CPU model, cores, clock speed
- RAM size and utilization
- Disks with size and usage
- BIOS information
Sub-tab: Interfaces
- All network interfaces with status (UP/DOWN)
- Interface name (WAN, LAN, OPT1, etc.)
- IP addresses (IPv4 and IPv6)
- Throughput and packet statistics
- VLAN configurations
Sub-tab: VPN
Overview of all VPN connections, divided into three sections:
OpenVPN:
- Server and client instances with status (up/down)
- Connected clients per server
- Throughput and connection duration
- Descriptions from the OPNsense config.xml
IPsec:
- Phase 1 and Phase 2 tunnels
- Connection status and uptime
- Remote gateway and local/remote subnets
WireGuard:
- Peers with status and last handshake
- Allowed IPs and endpoint information
- Transferred data per peer
Sub-tab: Routes (since v1.3.0)
- Complete routing table of the firewall
- Destination network, gateway, interface
- Metric and flags
- Static and dynamic routes
Sub-tab: Certificates (since v1.3.0)
- ACME certificates (Let's Encrypt) and self-signed SSL certificates
- Expiration date with color highlighting (red when expiring soon)
- Certificate details: Common Name, issuer, serial number
- Cache interval: 6 hours
Sub-tab: Services (since v1.3.0)
Two sections:
OPNsense Services:
- All configured OPNsense services with status (Running/Stopped)
- Start and stop services directly from the interface
Nginx Virtual Hosts (if Nginx plugin is installed):
- Configured Nginx server entries
- Server name, port, SSL status
- Upstream configurations
- Cache interval: 1 hour
Sub-tab: Backups
- List of configuration backups (config.xml)
- Backup timestamps
- Change descriptions
- Backup size
Unbound DNS Statistics (since v1.3.0)
In the overview, Unbound DNS statistics are displayed as cards (if Unbound is active):
- Total number of queries
- Cache hit rate
- Top queried domains
Tab: Checks
Shows all health checks assigned to this firewall with their current status:
- OK (green), Warning (yellow), Critical (red), Unknown (gray)
- Last check result and timestamp
- Direct link to check configuration
See Health Checks for details.
Tab: Jobs
Overview of all running and completed tasks:
- Task type (Update, Script, Backup, etc.)
- Status (Pending, Running, Completed, Failed)
- Start time and duration
- Expandable result details
Tab: Shell
Remote terminal to the OPNsense shell directly in the browser. Uses the agent for a secure WebSocket connection.
- Full interactive terminal
- FreeBSD shell (csh/sh)
- Root access
Tab: Log
Chronological execution logs of all actions on this firewall:
- Timestamp, action, user
- Result (success/failure)
- Expandable detail output
Tab: Groups
Manage group membership for this firewall:
- Current groups with colored badges
- Add/remove groups
See Groups.
Tab: Updates
- Update history with date, type, and result
- Configured update schedules
- Next scheduled update
Tab: Agent
- Agent status (Online/Offline) and version
- View agent configuration
- View agent logs
- Restart agent
Tab: Delete
Permanently remove the firewall from DATAZONE Control.
Warning
This action cannot be undone. The agent on the firewall will not be uninstalled.
VPN Management (since v2.2.3)
The OPNsense module provides a centralized management interface for WireGuard VPN directly in DATAZONE Control. Accessible via the VPN tab in the OPNsense module view (next to the host table).
VPN Overview
The VPN table shows all VPN instances across all firewalls. The view aggregates WireGuard, OpenVPN, and IPsec tunnels centrally in one table.
| Column | Description |
|---|---|
| Customer | Assigned customer |
| Firewall | Name of the firewall |
| Instance | Name of the VPN instance |
| Type | WG RW (Road Warrior), WG S2S (Site-to-Site), OpenVPN, IPsec |
| Interface | WireGuard interface (wg0, wg1, etc.) |
| Port | Listening port |
| Tunnel Network | IP range of the tunnel |
| Peers | Number of configured peers |
| Active Peers | Number of currently connected peers |
| Status | Online/Offline |
Type Filter: Filter by VPN type (All, WireGuard, OpenVPN, IPsec) with counter badges.
WireGuard Instances
Create New Instance
Click New Instance to create a WireGuard instance on a firewall:
| Field | Description |
|---|---|
| Firewall | Target firewall (online + API-ready only) |
| Name | Name of the WireGuard instance |
| Port | Listening port (default: 51820) |
| Tunnel Network | IP address and subnet (e.g., 10.10.10.1/24) |
| DNS for Clients | DNS server for client configurations |
| Create WAN Rule | Creates a UDP firewall rule on the WAN interface |
| Allow-All on WireGuard Interface | Allows all traffic through the tunnel |
Separate Firewall Rules
The WAN rule (open port) and the Allow-All rule (allow traffic) can be controlled independently. This lets you open the port but manually restrict traffic on the WireGuard interface in OPNsense.
Add Peer
Click on an instance and select Add Peer:
| Field | Description |
|---|---|
| Name | Name of the peer (e.g., employee name) |
| Tunnel IP | IP address of the peer in the tunnel network |
| DNS | DNS server for the peer |
| MTU | Only if different from 1420 |
| Split Tunnel | Route only specific networks through the tunnel (LAN subnets auto-detected) |
After creation, a client configuration with QR code is displayed that can be imported directly into WireGuard apps.
Private Key
The peer's private key is only displayed once after creation. It cannot be retrieved again. Save the configuration or scan the QR code immediately.
Tunnel Mode
| Mode | Description |
|---|---|
| Full Tunnel | All traffic is routed through the VPN tunnel (0.0.0.0/0, ::/0) |
| Split Tunnel | Only specific networks are routed. LAN subnets of the firewall are automatically suggested and can be added with a click. |
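The following is an added example (not DATAZONE Control's own code) that renders the client configuration for one road-warrior peer from the Add Peer fields and the chosen tunnel mode: AllowedIPs becomes 0.0.0.0/0, ::/0 for a full tunnel or the selected networks for a split tunnel, and MTU is only written when it differs from 1420. The key strings are constructed placeholders, and writing the client address as a /32 host address is an assumption about the exported layout.

```python
import ipaddress

# Constructed placeholder key material; the real keys come from the firewall.
SERVER_PUBLIC_KEY = "<server-public-key>"
PEER_PRIVATE_KEY = "<peer-private-key-shown-only-once>"

DEFAULT_MTU = 1420                      # MTU is only set if different from this
FULL_TUNNEL = ("0.0.0.0/0", "::/0")     # Full Tunnel routes all traffic


def allowed_ips(split_tunnel, networks=()):
    """Return the AllowedIPs list for the chosen tunnel mode."""
    if not split_tunnel:
        return list(FULL_TUNNEL)
    if not networks:
        raise ValueError("split tunnel needs at least one network to route")
    # Normalise and validate each CIDR; a host bit set in a prefix is a mistake.
    return [str(ipaddress.ip_network(n, strict=True)) for n in networks]


def build_client_config(tunnel_ip, tunnel_network, endpoint, dns,
                        split_tunnel=False, networks=(), mtu=DEFAULT_MTU):
    """Render the WireGuard client configuration for one road-warrior peer.

    tunnel_network is the instance network (e.g. 10.10.10.1/24); the peer's
    tunnel_ip must lie inside it. The client address is written as a /32 host
    address (assumption about the exported config layout).
    """
    net = ipaddress.ip_network(tunnel_network, strict=False)
    ip = ipaddress.ip_address(tunnel_ip)
    if ip not in net:
        raise ValueError(f"{tunnel_ip} is not inside tunnel network {net}")
    lines = [
        "[Interface]",
        f"PrivateKey = {PEER_PRIVATE_KEY}",
        f"Address = {ip}/32",
        f"DNS = {dns}",
    ]
    if mtu != DEFAULT_MTU:
        lines.append(f"MTU = {mtu}")
    lines += [
        "",
        "[Peer]",
        f"PublicKey = {SERVER_PUBLIC_KEY}",
        f"AllowedIPs = {', '.join(allowed_ips(split_tunnel, networks))}",
        f"Endpoint = {endpoint}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Split-tunnel peer that only reaches two LAN subnets through the VPN.
    print(build_client_config("10.10.10.2", "10.10.10.1/24",
                              "fw.example.com:51820", "10.10.10.1",
                              split_tunnel=True,
                              networks=["192.168.1.0/24", "10.0.0.0/8"]))
```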
Instance Detail
Click on a VPN instance to open the detail modal.
WireGuard Instances:
- Instance name, interface, type badge, and status
- Associated firewall with direct link
- Peer table with status, name, allowed IPs, endpoint, last handshake, and traffic (RX/TX)
- Enable/disable instance
- View settings (name, interface, port, tunnel network, UUIDs)
IPsec Instances:
- Phase 2/Child-SA table with local and remote networks
- Encryption and hash details
- Remote gateway, IKE version, DH group, lifetime, NAT-T status
Peer Actions
The following actions are available for each WireGuard peer:
| Action | Description |
|---|---|
| Enable/Disable | Temporarily disable the peer without deleting it |
| Edit Allowed IPs | Change the allowed IP ranges for the peer |
| Configuration/QR Code | Show client configuration (only available immediately after creation) |
| Delete | Permanently remove the peer |
Edit Allowed IPs:
- Chip-based management with add/remove
- Quick buttons for common ranges: 0.0.0.0/0, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- Free-text input for any IP range
Site-to-Site Wizard (since v2.2.3)
The Site-to-Site Wizard automatically creates a WireGuard tunnel between two OPNsense firewalls in three steps:
Step 1: Select Firewalls
- Choose two online firewalls with API readiness
- Detected LAN subnets are displayed automatically
Step 2: Configuration
| Field | Description |
|---|---|
| Tunnel Subnet | Point-to-point network (default: 10.10.99.0/30) |
| Port | WireGuard port on both sides (default: 51821) |
| Connection Mode | Equal, A=Primary, or B=Primary |
| Endpoints | IP or DNS name (depends on connection mode) |
| Networks A → B / B → A | Which local subnets to route through the tunnel |
| WAN Rule | Open UDP port on both firewalls |
| Allow-All | Allow all tunnel traffic |
Step 3: Summary and Execution
The wizard automatically performs:
- Key generation on both firewalls
- Create WireGuard instances with generated keys
- Add peers on both sides with PSK (Pre-Shared Key)
- Create firewall rules (if enabled)
Connection Mode (since v2.2.10)
| Mode | Description |
|---|---|
| Equal | Both firewalls have static IPs. Either side can initiate the connection. Both get endpoint + keepalive configured. |
| A = Primary | Firewall A has a static IP (headquarters). Firewall B (branch office, dynamic IP) connects to A. Only A needs an endpoint. B gets PersistentKeepalive=25. |
| B = Primary | Reversed: B has a static IP, A connects to B. |
Dynamic IP
Use the Primary mode when one site doesn't have a static IP. The secondary site always connects to the primary and keeps the tunnel alive with PersistentKeepalive.
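As an added example (not the wizard's own code), the function below derives the per-side peer settings the three connection modes imply: which side gets an Endpoint, where PersistentKeepalive=25 is set, and what ends up in each side's AllowedIPs. The function name, the return structure, and the convention that A takes the first usable address of the tunnel subnet are assumptions; the default subnet and port are the wizard defaults from the table above.

```python
import ipaddress

KEEPALIVE = 25                               # PersistentKeepalive=25 on a connecting side
MODES = ("equal", "a_primary", "b_primary")  # wizard's Equal / A=Primary / B=Primary


def s2s_peer_settings(mode, tunnel_subnet="10.10.99.0/30", port=51821,
                      endpoint_a=None, endpoint_b=None,
                      networks_a=(), networks_b=()):
    """Derive the [Peer] settings each firewall configures for the other side.

    A takes the first usable address of the point-to-point subnet, B the second.
    networks_a / networks_b are the local subnets each side routes into the
    tunnel; they end up in the *other* side's AllowedIPs.
    """
    if mode not in MODES:
        raise ValueError(f"unknown connection mode {mode!r}")
    net = ipaddress.ip_network(tunnel_subnet, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError("tunnel subnet needs two usable addresses")
    addr_a, addr_b = hosts[0], hosts[1]

    # The primary side has the static IP and only listens; the other side
    # connects to it. In equal mode both sides are static and both connect.
    a_connects = mode in ("equal", "b_primary")
    b_connects = mode in ("equal", "a_primary")
    if a_connects and not endpoint_b:
        raise ValueError(f"mode {mode} needs a static endpoint for firewall B")
    if b_connects and not endpoint_a:
        raise ValueError(f"mode {mode} needs a static endpoint for firewall A")

    def peer(remote_addr, remote_nets, remote_endpoint, connects):
        allowed = [f"{remote_addr}/32"]
        allowed += [str(ipaddress.ip_network(n, strict=True)) for n in remote_nets]
        settings = {"allowed_ips": allowed}
        if connects:                       # only a connecting side needs these
            settings["endpoint"] = f"{remote_endpoint}:{port}"
            settings["persistent_keepalive"] = KEEPALIVE
        return settings

    return {
        "A": {"address": f"{addr_a}/{net.prefixlen}",
              "peer": peer(addr_b, networks_b, endpoint_b, a_connects)},
        "B": {"address": f"{addr_b}/{net.prefixlen}",
              "peer": peer(addr_a, networks_a, endpoint_a, b_connects)},
    }


if __name__ == "__main__":
    # Headquarters (A) is static, the branch (B) has a dynamic IP.
    result = s2s_peer_settings("a_primary", endpoint_a="hq.example.com",
                               networks_a=["192.168.1.0/24"],
                               networks_b=["192.168.2.0/24"])
    for side, cfg in result.items():
        print(side, cfg)
```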
Deleting a Site-to-Site Connection
In the instance detail modal of an S2S connection, the entire Site-to-Site link can be deleted. This automatically:
- Removes WireGuard instances on both firewalls
- Deletes peers on both sides
- Removes associated firewall rules (WAN + Allow-All)
Firewall Rules (since v2.3.0)
The OPNsense module provides centralized management for firewall rules, aliases, categories, and NAT rules directly in DATAZONE Control. Accessible via the Rules tab in the OPNsense module view.
Overview
The Rules overview shows all firewalls with their rule count, broken down by type (Pass, Block, Reject).
Click on a firewall to open the rule editor. It contains 5 tabs:
| Tab | Description |
|---|---|
| Rules | Filter rules (main rules) |
| Aliases | Manage aliases |
| Categories | Manage categories |
| NAT Source | Outbound NAT rules (Source NAT) |
| NAT Port Forward | Port forwarding rules |
Commit Workflow
All changes to rules, aliases, and NAT rules are saved locally first. Only by clicking Commit are the changes applied to the firewall. Use Discard to drop uncommitted changes.
Filter Rules (Rules)
The Rules tab shows all firewall rules of the selected firewall with visual status indicators.
Filtering and Searching
- Action filter: All, Pass, Block, Reject
- Interface filter: Dropdown with all available interfaces
- Category filter: Dropdown with all configured categories
- Free-text search: Searches all visible columns
Rule Display
Each rule shows the following information:
| Field | Description |
|---|---|
| # | Sequence number (order) |
| Active | Enabled/Disabled (toggle) |
| Action | Pass (green), Block (red), or Reject (orange) |
| Direction | In or Out |
| Interface | Network interface (WAN, LAN, etc.) |
| Protocol | TCP, UDP, ICMP, etc. |
| Source | Source address or alias (with NOT indicator) |
| Destination | Destination address or alias (with NOT indicator) |
| Gateway | Assigned gateway |
| Log | Whether the rule is logged |
| Categories | Assigned categories as colored chips |
| Description | Free-text description |
Creating Rules
Click Add Rule to create a new rule. Optionally select a template:
| Template | Description |
|---|---|
| Empty | Empty rule for manual configuration |
| Allow HTTP/HTTPS | Allow web traffic (port 80/443) |
| Allow SSH | Allow SSH access (port 22) |
| Allow DNS | Allow DNS queries (port 53) |
| Allow ICMP | Allow ping |
| Allow SMTP | Allow email sending (port 25/587) |
| Allow WireGuard | Allow WireGuard VPN |
| Allow OpenVPN | Allow OpenVPN |
| Allow IPsec | Allow IPsec VPN |
| Block All | Block all traffic |
Editing Rules
The edit form is divided into sections:
Organization:
- Enabled/Disabled
- Assign categories
- Description
Interface:
- Interface selection (including "Floating (all)" for all interfaces)
- Invert interface (NOT)
Filter:
- Quick rule (optimized processing)
- Action: Pass, Block, Reject
- Direction: In, Out
- IP Version: IPv4, IPv6, IPv4+IPv6
- Protocol: Any, TCP, UDP, TCP/UDP, ICMP, ESP, AH, GRE, IGMP, PIM, OSPF
Source:
- Source address via network selector (see below)
- Invert source (NOT)
- Source port
Destination:
- Destination address via network selector
- Invert destination (NOT)
- Destination port
Advanced:
- Gateway selection
- Enable logging
Network Selector
The network selector is an intelligent dropdown that groups different address types:
| Group | Options |
|---|---|
| General | any (any address), (self) (firewall itself) |
| Interface Addresses | IP address of each interface (e.g., LAN address, WAN address) |
| Interface Networks | Subnet of each interface (e.g., LAN net, WAN net) |
| Aliases | All configured aliases |
| Single Host or Network | Manual input of an IP/subnet |
Reordering Rules
The order of rules determines processing priority. Use the arrow buttons (up/down) to reorder rules.
Protected Rules
Rules with DATAZONE-PROTECT in the description are protected and cannot be edited or deleted. These are automatically created by DATAZONE Control (e.g., WireGuard WAN rules).
Aliases
Aliases are named groups of IP addresses, networks, or URLs that can be used in firewall rules. They greatly simplify rule management.
Alias Types
| Type | Description | Example |
|---|---|---|
| Host(s) | Individual IP addresses or hostnames | 192.168.1.100, server.example.com |
| Network(s) | IP subnets in CIDR notation | 192.168.1.0/24, 10.0.0.0/8 |
| URL Table (IPs) | URL providing an IP list | Blocklist URLs |
| URL Table | URL providing a mixed list | External filter lists |
| GeoIP | Country-based IP ranges | Country codes |
| External | Externally managed aliases | External sources |
Creating/Editing Aliases
| Field | Description |
|---|---|
| Name | Unique name (letters, numbers, underscore only) |
| Type | Alias type (see above) |
| Description | Optional description |
| Content | IP addresses, networks, or URLs (one per line) |
| Categories | Optional category assignment |
| Protocol Filter | Any, IPv4, or IPv6 (for URL types) |
| Update Interval | Refresh frequency for URL-based aliases |
Using Aliases in Rules
Created aliases automatically appear in the network selector of firewall rules under the "Aliases" group.
Categories
Categories are used to organize firewall rules and aliases. They can be color-coded.
- Create: Set name and color
- Edit: Change name and color
- Delete: Remove category (assignments are resolved)
Categories are displayed as colored chips in the rule and alias overview.
NAT Source (Outbound NAT)
Outbound NAT rules control source address translation for outgoing traffic.
Templates
| Template | Description |
|---|---|
| Empty | Empty rule |
| Outbound LAN | Standard NAT for LAN traffic |
| Outbound All Interfaces | NAT for all interfaces |
Rule Fields
| Field | Description |
|---|---|
| Enabled | Enable/disable rule |
| Interface | Outgoing interface |
| IP Version | IPv4, IPv6, or both |
| Protocol | Network protocol |
| Source | Source network (with NOT and network selector) |
| Destination | Destination network (with NOT and network selector) |
| Destination Port | Destination port |
| Target IP (Translation) | Translated source address |
| Target Port (Translation) | Translated source port |
| Log | Enable logging |
| Description | Free-text description |
NAT Port Forward
Port forward rules redirect incoming traffic to internal servers.
Templates
| Template | Description |
|---|---|
| Empty | Empty rule |
| Port Forward HTTP | HTTP forwarding (port 80) |
| Port Forward HTTPS | HTTPS forwarding (port 443) |
| Port Forward RDP | RDP forwarding (port 3389) |
| Port Forward SSH | SSH forwarding (port 22) |
Rule Fields
| Field | Description |
|---|---|
| Enabled | Enable/disable rule |
| Interface | Incoming interface (typically: WAN) |
| IP Version | IPv4, IPv6, or both |
| Protocol | Network protocol |
| Source | Source address (with NOT and network selector) |
| Source Port | Source port |
| Destination | External destination address (with NOT and network selector) |
| External Port | Port on the interface (public port) |
| Target IP (Redirect) | Internal server (IP address) |
| Internal Port | Port on the internal server |
| Log | Enable logging |
| Description | Free-text description |
Example: Forward a Web Server
To make an internal web server (192.168.1.100:443) publicly accessible, create a port forward rule on the WAN interface with external port 443 and target IP 192.168.1.100, internal port 443.
Context Menu
Right-clicking on a firewall in the table provides quick actions:
- Open Details - Show the detail modal
- Open WebUI - Open the OPNsense web interface in a new tab
- Open Shell - Start a remote terminal
- Start Tunnel - Quick access to tunnel templates
- Start Update - Trigger a firmware update
- Run Script - Execute a script from the library
Tunnel Templates
| Template | Target Port | Description |
|---|---|---|
| OPNsense WebUI | 443 | Access to the web interface |
| Agent SSH | 22 | SSH via the agent |
| SSH | 22 | Direct SSH access |
| VNC | 5900 | VNC remote access |
| HTTP | 80 | HTTP forwarding |
| Custom | Any | Any port |
Update Schedules
| Type | Description |
|---|---|
| System Update | OPNsense firmware update without reboot |
| Update + Reboot | Update followed by a reboot with optional health check |
Health Check After Reboot
For update schedules with reboot, additional options can be configured:
| Option | Description | Default |
|---|---|---|
| Health check enabled | After reboot, check whether the firewall is reachable again | Yes |
| Health check timeout | Maximum wait time for the agent heartbeat after reboot | 600 seconds |
| Auto-reboot | Automatic reboot after the update | No |
Schedules can be configured as one-time or recurring (daily, weekly, monthly, cron). See Update Schedules.
Additional Actions
| Action | Description |
|---|---|
| Backup | Create a configuration backup (config.xml) |
| Config Sync | Synchronize configuration between HA firewalls |