OPNsense MCP Server

A Model Context Protocol (MCP) server for comprehensive OPNsense firewall management. This server enables AI assistants like Claude to directly manage firewall configurations, diagnose network issues, and automate complex networking tasks.

Features

🔥 Firewall Management

• Complete CRUD operations for firewall rules

• Proper handling of API-created "automation rules"

• Inter-VLAN routing configuration

• Batch rule creation and management

• Enhanced persistence with multiple fallback methods

🌐 NAT Configuration (SSH-based)

• Outbound NAT rule management

• NAT mode control (automatic/hybrid/manual/disabled)

• No-NAT exception rules for inter-VLAN traffic

• Automated DMZ NAT issue resolution

• Direct XML configuration manipulation

🔍 Network Diagnostics

• Comprehensive routing analysis

• ARP table inspection with vendor identification

• Interface configuration management

• Network connectivity troubleshooting

• Auto-fix capabilities for common issues

🖥️ SSH/CLI Execution

• Direct command execution on OPNsense

• Configuration file manipulation

• System-level operations not available via API

• Service management and restarts

📊 Additional Capabilities

• VLAN management

• DHCP lease viewing and management

• DNS blocklist configuration

• HAProxy load balancer support

• Configuration backup and restore

• Infrastructure as Code support

Installation

Prerequisites

• Node.js 18+ and npm

• OPNsense firewall (v24.7+ recommended)

• API credentials for OPNsense

• SSH access (optional, for advanced features)

Quick Start

1. Install the package:

2. Create a .env file with your credentials:

3. Start the MCP server:

Usage with Claude Desktop

Add to your Claude Desktop configuration (claude_desktop_config.json):

Common Use Cases

Fix DMZ NAT Issues

Create Firewall Rules

Diagnose Routing Issues

Execute CLI Commands

MCP Tools Reference

The server provides 50+ MCP tools organized by category:

Firewall Tools

• firewall_list_rules - List all firewall rules

• firewall_create_rule - Create a new rule

• firewall_update_rule - Update existing rule

• firewall_delete_rule - Delete a rule

• firewall_apply_changes - Apply pending changes

NAT Tools

• nat_list_outbound - List outbound NAT rules

• nat_set_mode - Set NAT mode

• nat_create_outbound_rule - Create NAT rule

• nat_fix_dmz - Fix DMZ NAT issues

• nat_analyze_config - Analyze NAT configuration

Network Tools

• arp_list - List ARP table entries

• routing_diagnostics - Diagnose routing issues

• routing_fix_all - Auto-fix routing problems

• interface_list - List network interfaces

• vlan_create - Create VLAN

System Tools

• system_execute_command - Execute CLI command

• backup_create - Create configuration backup

• service_restart - Restart a service

For a complete list, see docs/api/mcp-tools.md.

Documentation

• Quick Start Guide

• Configuration Guide

• NAT Management

• SSH/CLI Execution

• Firewall Rules

• Troubleshooting

Testing

The repository includes comprehensive testing utilities:

Development

Building from Source

Project Structure

Troubleshooting

API Authentication Failed

• Verify API key and secret are correct

• Ensure API access is enabled in OPNsense

• Check firewall rules allow API access

SSH Connection Failed

• Verify SSH credentials in .env

• Ensure SSH is enabled on OPNsense

• Check user has appropriate privileges

NAT Features Not Working

• NAT management requires SSH access

• Add SSH credentials to environment variables

• Test with: npx tsx scripts/test/test-nat-ssh.ts

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support

• Issues: GitHub Issues

• Discussions: GitHub Discussions

• Documentation: Full Documentation

Acknowledgments

• Built for use with Anthropic's Claude

• Implements the Model Context Protocol

• Designed for OPNsense firewall

Version: 0.8.2 | Status: Production Ready | Last Updated: August 2025