Standard field types

OPNsense comes with a collection of standard field types, which can be used to perform standard field type validations. These field types can be found in /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/ and usually decent from the BaseField type.

This paragraph aims to provide an overview of the types included by default and their use.


When using lists, the Multiple (Y/N) keyword defines if there may be more than one item selected at a time.


The xml keyword Required can be used to mark a field as being required.


The basic field type to describe a container of objects, such as a list of addresses.


This type can’t be nested, only one level of ArrayField types is supported, you can use ModelRelationField to describe master-detail constructions.


Returns and validates system (user) groups (found in System ‣ Access ‣ Groups)


Select and validate authentication providers, maintained in System ‣ Access ‣ Servers.


An integer sequence, which automatically increments on every new item of the same type in the same level.


Validate if a given string contains a valid base64 decodable value.


Boolean field, where 0 means false and 1 is defined as true


List of (comma) separated values, which can be validated using a regex.


Option list with system certificates defined in System ‣ Trust, use the Type keyword to distinct between the available options (ca, crl, cert), defaults to cert.


Select available configd actions, supports filters to limit the number of choices. For example, the example below only shows actions which have a description.

<command type="ConfigdActionsField">


Select and validate countries in the world.


Validate if the input contains an email address.


Check if hostnames are valid (optionally allows IP addresses as well)


Validate if the input contains an integere value, optionally constrained by minimum and maximum values.


Option list with interfaces defined in Interfaces ‣ Assignments, supports filters. The example below shows a list of non-dhcp active interfaces, for which multiple items may be selected, but at least one should be. It defaults to lan

<interfaces type="InterfaceField">


A construct to validate against a json dataset retreived via configd, such as

<program type="JsonKeyValueStoreField">
  <ConfigdPopulateAct>syslog list applications</ConfigdPopulateAct>

In which case syslog list applications is called to retrieved options, which is valid for 20 seconds (TTL) before fetching again.


Read-only pointer to legacy config data, reads (single) property from the legacy configuration and returns its content when it exists (null if xml item doesn’t exist).

The following example would read the enabled property from the config xml, which resides in <ipsec><enabled>1</enabled></ipsec>

<enabled type="LegacyLinkField">


Values stored into this fieldtype will be discarded without further notice, which practically means the target structure will always contain an empty field as long as its used as a pointer. When functionality migrates to mvc, you can switch the type and supply migration code to load the initial values.


Define relations to other nodes in the model, such as to point the attribute pipe to a pipe node in the TrafficShaper model.

<pipe type="ModelRelationField">


Validate if the value is a valid network address (IPv4, IPv6), special net or alias. Predefined special networks contain the following choices:

  • any
    • any network

  • (self)
    • This firewall

  • [interface]
    • Interface network, where interface is one of lan, wan, opt[XX] (e.g. opt1, opt2)

  • [interface]ip
    • Interface address

All network/host type aliases (including, but not limited to GeoIP) defined in Firewall -> Aliases are also valid choices.


Validate if the value is a valid network address (IPv4, IPv6).


Validate input to be of numeric type.


Validate against a static list of options.


Check if the input contains a valid portnumber or (optionally) predefined service name. Can be a range when EnableRanges is set to Y.


List field type to validate if the provided value is a valid protocol name as defined by /etc/protocols (e.g. TCP, UDP) extended with the any option.


Validate regular text using a regex.


Generate unique id numbers.


Write only text fields, can be used to store passwords


Validate if the input contains a valid URL.