OPNsense Firewalls
The OPNsense module manages your firewall infrastructure. It provides real-time monitoring, update management, and configuration backups for all OPNsense installations.
Overview
Host Table
| Column | Description |
|---|---|
| Customer | Assigned customer |
| Hostname | Name of the firewall |
| OPNsense Version | Installed OPNsense version |
| Agent Version | DATAZONE Agent version |
| WAN IP | Public WAN address |
| Uptime | Time since last reboot |
| CPU / RAM / Disk | Current utilization as progress bars |
| Last Response | Timestamp of the last agent heartbeat |
| Last Config Change | Timestamp of the last configuration change |
| Gateways | Status of configured gateways (color-coded) |
| WebUI | Direct link to the OPNsense web interface |
Status Detection
A firewall is considered offline if no heartbeat is received within twice the heartbeat interval. The agent reports its heartbeat interval (heartbeat_interval), and the offline threshold is calculated as heartbeat_interval × 2. Default: 2 × 30 s = 60 s.
Dynamic Detection
Unlike the other modules (fixed 120s timeout), the OPNsense offline detection dynamically adapts to the actual heartbeat interval of the agent.
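The following added example (not DATAZONE Control code) applies the dynamic rule next to the fixed 120 s timeout, to show where the two disagree. The record layout, the host names, the fallback to the 30 s default when no interval is reported, and treating a silence of exactly the threshold as still online are assumptions.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_HEARTBEAT_INTERVAL = 30   # seconds, the default stated above
FIXED_MODULE_TIMEOUT = 120        # seconds, fixed timeout of the other modules


def offline_threshold(heartbeat_interval=None):
    """Seconds of silence after which an OPNsense host counts as offline."""
    # Assumption: a missing or non-positive interval falls back to the default.
    if not heartbeat_interval or heartbeat_interval <= 0:
        heartbeat_interval = DEFAULT_HEARTBEAT_INTERVAL
    return heartbeat_interval * 2


def classify(hosts, now):
    """Return {hostname: (dynamic_status, fixed_status)} for each host record."""
    result = {}
    for host in hosts:
        silence = (now - host["last_response"]).total_seconds()
        limit = offline_threshold(host.get("heartbeat_interval"))
        # Assumption: silence of exactly the threshold still counts as online.
        dynamic = "offline" if silence > limit else "online"
        fixed = "offline" if silence > FIXED_MODULE_TIMEOUT else "online"
        result[host["hostname"]] = (dynamic, fixed)
    return result


# Constructed sample data (host names and timestamps are made up).
NOW = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HOSTS = [
    {"hostname": "fw-a", "heartbeat_interval": 30,
     "last_response": NOW - timedelta(seconds=45)},
    {"hostname": "fw-b", "heartbeat_interval": 30,
     "last_response": NOW - timedelta(seconds=90)},
    {"hostname": "fw-c", "heartbeat_interval": 300,
     "last_response": NOW - timedelta(seconds=200)},
    {"hostname": "fw-d", "heartbeat_interval": None,
     "last_response": NOW - timedelta(seconds=61)},
]

if __name__ == "__main__":
    for name, (dynamic, fixed) in classify(SAMPLE_HOSTS, NOW).items():
        print(f"{name}: dynamic rule={dynamic}, fixed 120s rule={fixed}")
```

With a 30 s interval, fw-b is flagged after 90 s of silence, a full 30 s before a fixed 120 s timeout would notice it. With a 300 s interval, fw-c is not falsely reported offline between two regular heartbeats.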
Adding a Host
Via Agent (recommended)
- Install the agent on the OPNsense appliance (see Agent Installation)
- The agent automatically detects that the system is FreeBSD/OPNsense
- The firewall appears in the OPNsense module
Manual (API-based)
- Click Add Firewall
- Enter the following details:
  - Customer - Assign to a customer
  - Hostname - Display name
  - Host - IP address or FQDN
  - API Key and API Secret - OPNsense API credentials
Setting Up API Access
In the OPNsense web interface under System > Access > Users, you can create API keys. The user requires read permissions for the desired areas.
Detail Modal
Click on a firewall in the table to open the detail modal.
The detail modal contains 9 main tabs at the top. The Overview tab additionally contains 7 sub-tabs for detailed system information.
Main Tabs
| Tab | Icon | Description |
|---|---|---|
| Overview | Monitor | System information with sub-tabs (see below) |
| Checks | ClipboardCheck | Health check results and status |
| Jobs | ListTodo | Running and completed tasks |
| Shell | Terminal | Remote terminal to the OPNsense shell |
| Log | FileText | Execution logs for all actions |
| Groups | Tags | Manage group membership |
| Updates | RefreshCw | Update history and schedules |
| Agent | Cpu | Agent status, logs, and management |
| Delete | Trash2 | Remove firewall from DATAZONE Control |
Tab: Overview
The overview shows the most important metrics (CPU, RAM, Disk, Uptime) as cards at the top. Below are editable fields (Name, Customer, Description) and the sub-tab navigation.
Sub-tab: Hardware
- CPU model, cores, clock speed
- RAM size and utilization
- Disks with size and usage
- BIOS information
Sub-tab: Interfaces
- All network interfaces with status (UP/DOWN)
- Interface name (WAN, LAN, OPT1, etc.)
- IP addresses (IPv4 and IPv6)
- Throughput and packet statistics
- VLAN configurations
Sub-tab: VPN
Overview of all VPN connections, divided into three sections:
OpenVPN:
- Server and client instances with status (up/down)
- Connected clients per server
- Throughput and connection duration
- Descriptions from the OPNsense config.xml
IPsec:
- Phase 1 and Phase 2 tunnels
- Connection status and uptime
- Remote gateway and local/remote subnets
WireGuard:
- Peers with status and last handshake
- Allowed IPs and endpoint information
- Transferred data per peer
Sub-tab: Routes (since v1.3.0)
- Complete routing table of the firewall
- Destination network, gateway, interface
- Metric and flags
- Static and dynamic routes
Sub-tab: Certificates (since v1.3.0)
- ACME certificates (Let's Encrypt) and self-signed SSL certificates
- Expiration date with color highlighting (red when expiring soon)
- Certificate details: Common Name, issuer, serial number
- Cache interval: 6 hours
Sub-tab: Services (since v1.3.0)
Two sections:
OPNsense Services:
- All configured OPNsense services with status (Running/Stopped)
- Start and stop services directly from the interface
Nginx Virtual Hosts (if Nginx plugin is installed):
- Configured Nginx server entries
- Server name, port, SSL status
- Upstream configurations
- Cache interval: 1 hour
Sub-tab: Backups
- List of configuration backups (config.xml)
- Backup timestamps
- Change descriptions
- Backup size
Unbound DNS Statistics (since v1.3.0)
In the overview, Unbound DNS statistics are displayed as cards (if Unbound is active):
- Total number of queries
- Cache hit rate
- Top queried domains
Tab: Checks
Shows all health checks assigned to this firewall with their current status:
- OK (green), Warning (yellow), Critical (red), Unknown (gray)
- Last check result and timestamp
- Direct link to check configuration
See Health Checks for details.
Tab: Jobs
Overview of all running and completed tasks:
- Task type (Update, Script, Backup, etc.)
- Status (Pending, Running, Completed, Failed)
- Start time and duration
- Expandable result details
Tab: Shell
Remote terminal to the OPNsense shell directly in the browser. Uses the agent for a secure WebSocket connection.
- Full interactive terminal
- FreeBSD shell (csh/sh)
- Root access
Tab: Log
Chronological execution logs of all actions on this firewall:
- Timestamp, action, user
- Result (success/failure)
- Expandable detail output
Tab: Groups
Manage group membership for this firewall:
- Current groups with colored badges
- Add/remove groups
See Groups.
Tab: Updates
- Update history with date, type, and result
- Configured update schedules
- Next scheduled update
Tab: Agent
- Agent status (Online/Offline) and version
- View agent configuration
- View agent logs
- Restart agent
Tab: Delete
Permanently remove the firewall from DATAZONE Control.
Warning
This action cannot be undone. The agent on the firewall will not be uninstalled.
Context Menu
Right-clicking on a firewall in the table provides quick actions:
- Open Details - Show the detail modal
- Open WebUI - Open the OPNsense web interface in a new tab
- Open Shell - Start a remote terminal
- Start Tunnel - Quick access to tunnel templates
- Start Update - Trigger a firmware update
- Run Script - Execute a script from the library
Tunnel Templates
| Template | Target Port | Description |
|---|---|---|
| OPNsense WebUI | 443 | Access to the web interface |
| Agent SSH | 22 | SSH via the agent |
| SSH | 22 | Direct SSH access |
| VNC | 5900 | VNC remote access |
| HTTP | 80 | HTTP forwarding |
| Custom | Any | Any port |
Update Schedules
| Type | Description |
|---|---|
| System Update | OPNsense firmware update without reboot |
| Update + Reboot | Update followed by a reboot with optional health check |
Health Check After Reboot
For update schedules with reboot, additional options can be configured:
| Option | Description | Default |
|---|---|---|
| Health check enabled | After reboot, check whether the firewall is reachable again | Yes |
| Health check timeout | Maximum wait time for the agent heartbeat after reboot | 600 seconds |
| Auto-reboot | Automatic reboot after the update | No |
Schedules can be configured as one-time or recurring (daily, weekly, monthly, cron). See Update Schedules.
Additional Actions
| Action | Description |
|---|---|
| Backup | Create a configuration backup (config.xml) |
| Config Sync | Synchronize configuration between HA firewalls |