Join OPNsense with Home Assistant!
hass-opnsense uses the OPNsense REST API and built-in xmlrpc service to integrate OPNsense with Home Assistant.
In most cases, a plugin is currently required to be installed on the OPNsense router for this to work properly.
A Discord server to discuss the integration is available, please click the Discord badge at the beginning of the page for the invite link.
This integration replaces the built-in OPNsense integration which only provides device_tracker functionality. Be sure to remove any associated configuration for the built-in integration before installing this replacement.
In most cases, use of the integration requires a plugin installed on OPNsense.
In most cases, use of the integration requires an OPNsense plugin made available on mimugmail repository: https://www.routerperformance.net/opnsense-repo/. See Granular Sync Options below for more details.
- Open an SSH session on OPNsense and issue the following commands:
fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
pkg update
There are two ways to do it:
- In OPNsense web UI, go to
System -> Firmware -> Pluginsand install pluginos-homeassistant-maxit
OR
- In an OPNsense SSH session:
pkg install os-homeassistant-maxit
In Home Assistant, add this repository to the HACS installation or clone the directory manually.
In HACS, add this as a custom repository:
https://github.com/travisghansen/hass-opnsense.
| STEP 1 | STEP 2 |
|---|---|
 |
 |
Then go to the HACS integrations page, search for OPNsense integration for Home Assistant and install it by clicking on 3 dots on the right side and select Download and click on Download on popup window.
Once the integration is installed be sure to restart Home Assistant. Restart option available under Developer tools.
| Developer Tools Page | Restart Home Assistant Popup |
|---|---|
 |
 |
Copy the contents of the custom_components folder to the Home Assistant config/custom_components folder and restart Home Assistant.
Configuration is managed entirely from the Home Assistant UI. Simply go to Configuration -> Integrations -> Add Integration and search for OPNsense in the search box. If it isn't in the list (well-known HA issue), do a 'hard-refresh' of the browser (ctrl-F5) then open the list again.
The official and simplest recommendation is that the service user to be created has the admin role.
In OPNsense, create a new admin role user (or choose an existing admin user) and create an API key associated to the user. When creating the API key, OPNsense will download the file containing the API key and API secret to the computer. It will be in the download folder.
Either at the time of install or in the integration options, Granular Sync Options can be enabled. There, choose the categories to sync with HA as desired. If enabled:
-
The OPNsense user can have more narrow permissions
-
If a category that requires the OPNsense plugin isn't selected, the plugin on the OPNsense router isn't needed
At minimum, the following permissions are required. The list of what other permissions are needed for the Granular Sync Options and for the Actions can be reviewed here.
-
Lobby: Dashboard
-
Status: Interfaces
-
System: Firmware
| Option | Required | Default | Description |
|---|---|---|---|
| URL | X | The full URL to the OPNsense UI (ie: https://192.168.1.1). Supported format is <scheme>://<ip or host>[:<port>] |
|
| Verify SSL Certificate | True | If the SSL certificate should be verified or not (if receiving an SSL error, try unchecking this) | |
| API Key | X | The API key of the OPNsense usercreated previously | |
| API Secret | X | The API secret of the API key | |
| Firewall Name | A custom name to be used for entity naming (if blank: use the OPNsense hostname) |
||
| Enable Granular Sync Options | False | See Granular Sync Options |
| Option | Required | Default | Description |
|---|---|---|---|
| Scan Interval (seconds) | 30 | Scan interval to use for state polling | |
| Enable Device Tracker | False | Enable the device tracker integration using OPNsense ARP table | |
| Device Tracker Scan Interval (seconds) | 60 | Scan interval to use for ARP updates | |
| Device Tracker Consider Home (seconds) | 0 | Seconds to wait until marking a device as not home after not being seen: * 0 - Disabled (if device is not present during any given scan interval it is considered away) * > 0 - Should be a multiple of the configured scan interval |
|
| Enable Granular Sync Options | False | See Granular Sync Options |
Many entities are created by hass-opnsense for statistics etc. Due to the volume of entities, many are disabled by default. If something is missing, be sure to review the disabled entities as it is probably there.
-
CARP Status (enabled/disabled)
-
System Notices present (the circle icon in the upper right of the UI)
-
Firmware updates available
-
System details (name, version, temp, boottime, etc.)
-
pfstate details
-
CPU details (usage, load, cores)
-
mbuf details
-
Memory details
-
Filesystem usage
-
Interface details (status, stats, pps, kbs, etc. [speeds are based on the
Scan Interval (seconds)config option]) -
Gateways details (status, delay, stddev, loss)
-
CARP Interface status
-
DHCP Leases
-
VPN server stats and Wireguard client stats
-
Certificates
All of the switches are disabled by default
-
Filter Rules - enable/disable rules
-
NAT Port Forward Rules - enable/disable rules
-
NAT Outbound Rules - enable/disable rules
-
Services - start/stop services (services must be enabled before they can be started)
-
VPN Servers and Clients - enable/disable instances
ScannerEntity entries are created for the OPNsense ARP table. This feature is disabled by default and can be enabled in the Options.
Note that by default FreeBSD/OPNsense, uses a max age of 20 minutes for ARP entries (sysctl net.link.ether.inet.max_age). This can be lowered in OPNsense from System -> Advanced -> System Tunables if desired.
Also note that if AdGuard Home is being used, DNS queries may get throttled causing issues with the tracker. See below for details.
action: opnsense.close_notice
data:
# default is to clear all notices
# id: <some id>
action: opnsense.system_halt
action: opnsense.system_reboot
action: opnsense.start_service
data:
service_name: "dpinger"
action: opnsense.stop_service
data:
service_name: "dpinger"
action: opnsense.restart_service
data:
service_name: "dpinger"
# only_if_running: false
action: opnsense.send_wol
data:
interface: lan
mac: "B9:7B:A6:46:B3:8B"
action: opnsense.reload_interface
data:
interface: wan
action: opnsense.kill_states
data:
ip_address: 192.168.0.100
# Will optionally return the number of states dropped for each client
action: opnsense.generate_vouchers
data:
validity: "14400" # seconds
expirytime: "2419200" # seconds. 0 for never
count: 1
vouchergroup: Home Assistant
voucher_server: Voucher Server # Only needed if more than 1 Voucher Server
# Returns the vouchers as action response data
action: opnsense.toggle_alias
data:
alias: "iphones"
toggle_on_off: "toggle"
How to use action response data in an HA script or automation
If you partially or fully change the OPNsense hardware, it will require a removal and reinstall of this integration. This is to ensure changed interfaces, services, gateways, etc. are accounted for and don't leave duplicate or non-functioning entities.
As mentioned here using AdGuard Home can lead to problems with the plugin. Setting the Ratelimit in AdGuard Home to 0 will resolve this problem.