Guide: Controlling OpenWrt Firewall Rules from Home Assistant

This is a step-by-step guide for enabling and disabling a firewall rule for a specific IP address using OpenWrt and Home Assistant. This method does not require an OpenWrt password in HA and also allows easy rule control from the OpenWrt GUI. It’s been tested on Home Assistant 2024.10.4 (with Supervisor) running on a Debian 12 server and OpenWrt 23.05.

Most of this info is from the Home Assistant and OpenWrt forums. Thanks to all those people sharing their knowledge and developing the software.

OpenWrt:

It is assumed you already have the OpenWrt firewall rule set up, with a static IP address assigned to the device involved.

1. Install packages:

luci-app-commands
conntrack

Reload the browser’s LuCI page to update the menu.

2. From a command line, log into the router using SSH and execute:

uci show firewall

Find the rule you want to control and make a note of that rule’s number and the device IP address.

3. In LuCI, open the System / Custom Commands page, select the “Configure” tab and click “Add”.

Create two entries, one to enable the rule and one to disable it. For each, enter a description and the corresponding command from steps 4 and 5 below in the “Command” field. Replace <rule #> with the number you noted above and <IP Address> with the IP. Select “Public Access” for both entries.

Note: custom command links with “Public Access” only need network access to the OpenWrt IP address; no authentication is required. They do require the specific URL with an embedded code to run.

4. Enable firewall rule command entry:

/bin/sh -c "uci set firewall.@rule[<rule #>].enabled=1 && uci commit firewall && service firewall restart &>/dev/null"

5. Disable firewall rule command entry:

/bin/sh -c "uci set firewall.@rule[<rule #>].enabled=0 && uci commit firewall && service firewall restart &>/dev/null && conntrack -D -s <IP Address> &>/dev/null && conntrack -D -d <IP Address> &>/dev/null"

You can enable/disable multiple rules within these entries by adding additional commands separated by “&&”.

Your commands should look like these examples if you’re referencing rule 1 and IP 10.0.0.10:

Enable rule example:

/bin/sh -c "uci set firewall.@rule[1].enabled=1 && uci commit firewall && service firewall restart &>/dev/null"

Disable rule example:

/bin/sh -c "uci set firewall.@rule[1].enabled=0 && uci commit firewall && service firewall restart &>/dev/null && conntrack -D -s 10.0.0.10 &>/dev/null && conntrack -D -d 10.0.0.10 &>/dev/null"

Click “Save & Apply”

Select the “Dashboard” tab and click “Run” for each command to verify that they run successfully and turn your firewall rule on and off. Next, select “Link” for each command. Copy the “Display result” links shown for use in your HA configuration file.

Note: if you later add firewall rules and that changes the number of the rule referenced in your custom command, the command must be edited to reflect the new number.

On your Home Assistant server:

6. If curl isn’t installed on your HA server, enter the following on a command line (Ubuntu or Debian):

sudo apt update
sudo apt install curl

In Home Assistant:

7. Edit your configuration.yaml file “command_line” section (or create one).

In this example “command_on” disables the firewall rule and allows Internet access; “command_off” enables the firewall rule and blocks Internet access.

command_line:
 - switch:
      name: Your Switch Name
      command_on: "curl -k '<Your disable link from above>' &>/dev/null"
      command_off: "curl -k '<Your enable link from above>' &>/dev/null"

Your entry should look something like this:

command_line:
  - switch:
      name: Robot Vac Internet
      command_on: "curl -k 'https://10.0.0.1/cgi-bin/luci/command/cfg094344s' &>/dev/null"
      command_off: "curl -k 'https://10.0.0.1/cgi-bin/luci/command/cfg0a4344s' &>/dev/null"

After restarting HA you can create automations or add the new entity to your dashboard.

8. If you’d like to replace the default dashboard lightning bolt controls with a slider switch, add a “customize:” section to your configuration.yaml file:

homeassistant:
  customize:
    switch.your_switch_name:
      assumed_state: false

Home Assistant must be restarted for this customize entry to take effect.

Please let me know about any errors or typos in this guide.

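The custom commands in steps 4 and 5 reference the rule by its @rule[N] index, which the note after step 5 says breaks as soon as rules are added in front of it. The script below is an added example, not part of the original guide: it looks the rule up by the value of its "name" option, reads its enabled state, and toggles it with the same uci / service / conntrack sequence the guide uses. It assumes OpenWrt 23.05 (fw4) with BusyBox ash and a `uci show` that single-quotes values, an assumed rule name "Block-Robot-Vac" for the 10.0.0.10 device, and a script path of /root/fwrule.sh. The `uci show firewall` output embedded in it is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the original guide): manage an OpenWrt firewall rule
# by name instead of by @rule[N] index, so a LuCI custom command keeps working
# after rules are added, removed or reordered.
# Assumptions: OpenWrt 23.05 (fw4), BusyBox ash, `uci show` quoting values with
# single quotes, hypothetical rule name "Block-Robot-Vac" for 10.0.0.10, and the
# conntrack package installed when a device IP is passed.

# Constructed sample of `uci show firewall` output, used only for offline tests.
SAMPLE_UCI="firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Block-Robot-Vac'
firewall.@rule[2].src='lan'
firewall.@rule[2].src_ip='10.0.0.10'
firewall.@rule[2].dest='wan'
firewall.@rule[2].target='REJECT'
firewall.@rule[2].enabled='0'"

# uci_dump [uci-output]: print the given text, or the live config if none given.
uci_dump() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; else uci show firewall; fi
}

# rule_index <name> [uci-output]: print the @rule[N] index of the rule whose
# "name" option equals <name>; prints nothing when no such rule exists.
rule_index() {
    uci_dump "$2" | awk -F "'" -v want="$1" '
        /^firewall\.@rule\[[0-9]+\]\.name=/ && $2 == want {
            sub(/^firewall\.@rule\[/, ""); sub(/\].*/, ""); print; exit
        }'
}

# rule_enabled <name> [uci-output]: print 1 or 0 for the rule state. A rule
# without an "enabled" option is active, so 1 is the default. Returns non-zero
# when the rule does not exist.
rule_enabled() {
    idx="$(rule_index "$1" "$2")"
    [ -n "$idx" ] || return 1
    val="$(uci_dump "$2" | sed -n "s/^firewall\.@rule\[$idx\]\.enabled='\([01]\)'$/\1/p")"
    echo "${val:-1}"
}

# set_rule <name> <1|0> [device-ip]: enable (1) or disable (0) the named rule,
# commit, restart the firewall and drop the device's conntrack entries. The
# entries are flushed on both transitions: fw4 accepts established flows before
# it evaluates zone forward rules, so a freshly enabled block rule would not
# otherwise affect connections that already exist.
set_rule() {
    idx="$(rule_index "$1")"
    if [ -z "$idx" ]; then
        echo "no firewall rule named '$1'" >&2
        return 1
    fi
    uci set "firewall.@rule[$idx].enabled=$2" &&
    uci commit firewall &&
    service firewall restart >/dev/null 2>&1 || return 1
    if [ -n "$3" ]; then
        conntrack -D -s "$3" >/dev/null 2>&1
        conntrack -D -d "$3" >/dev/null 2>&1
    fi
}

# Entry point when run as a script: fwrule.sh <rule-name> enable|disable|state [device-ip]
if [ "$#" -ge 2 ]; then
    case "$2" in
        enable)  set_rule "$1" 1 "$3" ;;
        disable) set_rule "$1" 0 "$3" ;;
        state)   rule_enabled "$1" ;;
        *) echo "usage: $0 <rule-name> enable|disable|state [device-ip]" >&2; exit 2 ;;
    esac
fi
```

With this script stored on the router, the two custom commands become `/root/fwrule.sh 'Block-Robot-Vac' disable 10.0.0.10` and `/root/fwrule.sh 'Block-Robot-Vac' enable 10.0.0.10`, and `/root/fwrule.sh 'Block-Robot-Vac' state` can back a third entry if you want HA to read the real state instead of assuming it. Note that this does not change the trust model of the “Public Access” links: anyone who can reach the router’s web port and knows the URL can toggle the rule, and `curl -k` on the HA side skips certificate verification, so keep the LuCI port off the WAN and the links out of shared dashboards or logs.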

There is an SSH integration for Home Assistant, so maybe it would be better to incorporate this into that integration.
Just a suggestion.

And just an opinion that I have to write.
As a guy who has his local network on OpenWrt routers, I would really like people who have the knowledge and skill to get their heads together and make a proper integration for OpenWrt routers, for a start. There are obviously people with knowledge doing their little projects here and there.
I.e. there are several OpenWrt integrations, official and unofficial, but not a single one works properly or can be implemented in an easy way.

Router monitoring.
Netdata is the best option I have found so far, but it is a lot of work getting the data you need into Home Assistant, making template sensors and getting all of this into graphs.
I’m not an IT professional, nor do I have a single day of experience in the IT sector. I’m just doing this as my personal hobby. But GNU/Linux is a hell of a hobby to have.

I specifically chose this method because it adds controls to the OpenWrt GUI for easy enabling and disabling of firewall rules. Perhaps you can write a guide for the same thing using SSH.

First I will have to get comfortable with the OpenWrt firewall, and I’m not. As you probably know, OpenWrt switched from iptables to nftables, and there is a big learning curve to it.

I just want to point a few things out.
OpenWrt is really something. There are so many ways you can get data for everything you can think of, and in that way it surpasses many, maybe even all, commercial solutions out there. But there is a drawback: do it yourself. To do it, you have to master it; to master it takes time and a lot of learning, especially scripting.

If you want a bandwidth monitor for every interface, sure; for the router, sure; for every device connected to the router, sure, no problem. And the list goes on. As I see it, the possibilities are endless.
I’m still learning about everything and I’m not ready to do some tasks that I’m not ready for.

I don’t look at open source projects that way at all. Home Assistant and OpenWrt are amazing gifts the community has been given by people who owe us nothing.

If we want to do any of the millions of things that the developers haven’t conceived of or users haven’t documented, of course we have to invest time and effort. A drawback would be not being able to do those things at all.

I agree with you that those are truly amazing gifts. But what I wanted to point out is that there are other smart people using those systems. There is no need for everyone to just work on their own small project when all that knowledge and experience could be used for something bigger.

This is somehow the blessing and curse of open source. Anyone can work on their small project and ignore everyone else. Maybe this small project will become something big tomorrow, maybe it won’t. This is probably how all of this started.

But when there is something big going on, then, in my opinion, people who have experience and knowledge should put some effort into making it better for the common good.

It’s just my opinion.

I’ve provided free tech support for non-profits and individuals for many years. The quickest way to get me to walk away was to be told that I should put their priorities over my own. I suspect it works the same way for open source developers who donate their time and effort for this community’s benefit.

And that is perfectly fine. We all have bills to pay. But Home Assistant became a big thing. When you go to sites selling various smart tech, many of them advertise their products as working with Home Assistant.

And that is the moment when the people who developed it can say, OK, we made it.

But as far as OpenWrt goes, they should use this wave because it will help them and their developers get some serious funding. I can send OpenWrt some funds, but this is insignificant. As I saw, many people are struggling with their WiFi, as many routers are connected to some cloud, have advertisements, spyware, bloatware, you name it.

And this is a chance, and a big one, for OpenWrt to become mainstream. All it needs is a proper integration in Home Assistant. As both systems are Linux based, this shouldn’t be a problem.