ARCHITECTURE.mdā¢17.8 kB
# OPNSense MCP Server - Architecture Documentation
## šļø System Overview
The OPNSense MCP Server is a Model Context Protocol (MCP) implementation that provides programmatic access to OPNsense firewall management. It bridges the gap between AI assistants and network infrastructure management through a standardized protocol.
### Core Capabilities
- **Firewall Management**: Rules, aliases, NAT configuration
- **Network Configuration**: VLANs, interfaces, routing
- **Service Management**: DHCP, DNS, HAProxy load balancing
- **Infrastructure as Code**: Declarative resource management
- **Backup & Recovery**: Configuration snapshots and restoration
- **Macro Recording**: Capture and replay operation sequences
## š Architecture Layers
```
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā MCP Client Layer ā
ā (Claude, VS Code, Custom Clients) ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā
āāāāāāāāā¼āāāāāāāāā
ā MCP Protocol ā
ā (JSON-RPC) ā
āāāāāāāāā¬āāāāāāāāā
ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā Transport Layer ā
ā āāāāāāāāāāāāāāāā āāāāāāāāāāāāāāāā ā
ā ā STDIO ā ā SSE ā ā
ā ā Transport ā ā Transport ā ā
ā āāāāāāāāāāāāāāāā āāāāāāāāāāāāāāāā ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā Server Core ā
ā āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā ā
ā ā Request Router ā ā
ā āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā ā
ā āāāāāāāāāāāāāāāā āāāāāāāāāāāāāāāāāāāāāāāāāā ā
ā ā Tool Handler ā ā Resource Handler ā ā
ā āāāāāāāāāāāāāāāā āāāāāāāāāāāāāāāāāāāāāāāāāā ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā Business Logic ā
ā āāāāāāāāāāāāā āāāāāāāāāāāā āāāāāāāāāāāāāāā ā
ā ā Resources ā ā IaC ā ā Macros ā ā
ā ā (CRUD) ā ā Engine ā ā Recorder ā ā
ā āāāāāāāāāāāāā āāāāāāāāāāāā āāāāāāāāāāāāāāā ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā Service Layer ā
ā āāāāāāāāāāāāā āāāāāāāāāāāā āāāāāāāāāāāāāāā ā
ā ā Cache ā ā State ā ā Backup ā ā
ā ā Manager ā ā Store ā ā Manager ā ā
ā āāāāāāāāāāāāā āāāāāāāāāāāā āāāāāāāāāāāāāāā ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā API Layer ā
ā āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā ā
ā ā OPNSense API Client ā ā
ā ā (Authentication, Request/Response) ā ā
ā āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā
āāāāāāāāā¼āāāāāāāāā
ā OPNsense ā
ā Firewall ā
āāāāāāāāāāāāāāāāāā
```
## š§ Component Architecture
### 1. Transport Layer
Handles communication between MCP clients and the server.
```typescript
TransportManager
āāā StdioServerTransport // CLI-based communication
āāā SSETransportServer // HTTP/SSE for web clients
āāā Express Server // HTTP endpoint management
```
**Key Features:**
- Multi-transport support (STDIO, SSE)
- Automatic transport selection based on environment
- Connection lifecycle management
- Error recovery and reconnection
### 2. Server Core
Central request processing and routing.
```typescript
OPNSenseMCPServer
āāā Request Router
ā āāā Tool Requests ā Tool Handlers
ā āāā Resource Requests ā Resource Handlers
ā āāā System Requests ā System Handlers
āāā Tool Registry
ā āāā VLAN Tools
ā āāā Firewall Tools
ā āāā Service Tools
ā āāā IaC Tools
āāā Resource Registry
āāā Static Resources
āāā Dynamic Resources
```
### 3. Resource Management
CRUD operations for OPNsense entities.
```typescript
Resources/
āāā Network/
ā āāā VlanResource // VLAN management
ā āāā ArpTableResource // ARP table operations
ā āāā InterfaceResource // Network interfaces
āāā Firewall/
ā āāā FirewallRuleResource // Rule management
ā āāā AliasResource // Alias management
āāā Services/
ā āāā DhcpLeaseResource // DHCP leases
ā āāā DnsBlocklistResource // DNS filtering
ā āāā HAProxyResource // Load balancer config
āāā Base Classes/
āāā IaCResource // IaC base functionality
āāā BaseResource // Common resource patterns
```
### 4. Infrastructure as Code (IaC)
Declarative resource management system.
```typescript
IaC System/
āāā ResourceRegistry // Type registration
āāā DeploymentPlanner // Dependency resolution
āāā ExecutionEngine // Apply/destroy operations
āāā ResourceStateStore // State persistence
āāā Current State
āāā Desired State
āāā State Diff
```
**Workflow:**
1. Parse resource definitions
2. Build dependency graph
3. Plan execution order
4. Execute changes
5. Update state
6. Verify convergence
### 5. Caching System
Performance optimization through intelligent caching.
```typescript
CacheManager/
āāā EnhancedCacheManager // Advanced features
ā āāā TTL Management
ā āāā Size Limits
ā āāā Compression (TODO)
ā āāā Statistics
āāā MCPCacheManager // Basic caching
āāā In-memory Store
āāā Invalidation Rules
```
**Cache Strategies:**
- API response caching (5-minute TTL)
- Resource state caching
- Macro execution caching
- Lazy invalidation on writes
### 6. State Management
Persistent state for IaC and system configuration.
```typescript
StateStore/
āāā File-based Persistence
āāā Encryption (TODO)
āāā Versioning
āāā Migration Support
```
### 7. API Client
OPNsense API communication layer.
```typescript
OPNSenseAPIClient/
āāā Authentication
ā āāā API Key/Secret
ā āāā Session Management
āāā Request Builder
ā āāā URL Construction
ā āāā Parameter Encoding
ā āāā Header Management
āāā Response Handler
āāā Error Detection
āāā Data Transformation
āāā Retry Logic
```
## š Data Flow
### Tool Execution Flow
```mermaid
sequenceDiagram
Client->>MCP Server: Tool Request
MCP Server->>Tool Handler: Route Request
Tool Handler->>Validator: Validate Args
Validator-->>Tool Handler: Valid/Invalid
Tool Handler->>API Client: API Call
API Client->>OPNsense: HTTP Request
OPNsense-->>API Client: Response
API Client-->>Tool Handler: Parsed Data
Tool Handler->>Cache: Store Result
Tool Handler-->>MCP Server: Tool Response
MCP Server-->>Client: Result
```
### IaC Deployment Flow
```mermaid
sequenceDiagram
Client->>IaC Engine: Deploy Resources
IaC Engine->>Planner: Create Plan
Planner->>State Store: Get Current State
State Store-->>Planner: Current State
Planner-->>IaC Engine: Execution Plan
loop For Each Resource
IaC Engine->>Resource: Apply Changes
Resource->>API Client: API Calls
API Client->>OPNsense: Configure
OPNsense-->>API Client: Success
Resource-->>IaC Engine: Applied
IaC Engine->>State Store: Update State
end
IaC Engine-->>Client: Deployment Complete
```
## šļø Directory Structure
```
src/
āāā api/ # API client implementation
ā āāā client.ts # Main API client
ā āāā auth.ts # Authentication logic
āāā cache/ # Caching implementations
ā āāā manager.ts # Basic cache
ā āāā enhanced-manager.ts # Advanced features
āāā db/ # Database operations
ā āāā network-query/ # Network data queries
āāā deployment/ # IaC deployment
ā āāā planner.ts # Deployment planning
āāā execution/ # IaC execution
ā āāā engine.ts # Execution engine
āāā macro/ # Macro system
ā āāā recorder.ts # Operation recording
ā āāā generator.ts # Code generation
ā āāā analyzer.ts # Macro analysis
āāā resources/ # Resource implementations
ā āāā base.ts # Base classes
ā āāā network/ # Network resources
ā āāā firewall/ # Firewall resources
ā āāā services/ # Service resources
ā āāā registry.ts # Resource registry
āāā state/ # State management
ā āāā store.ts # State persistence
āāā tools/ # MCP tool definitions
ā āāā vlan.ts # VLAN tools
ā āāā firewall.ts # Firewall tools
ā āāā iac.ts # IaC tools
āāā transports/ # Transport implementations
ā āāā SSETransportServer.ts
ā āāā TransportManager.ts
āāā utils/ # Utilities
ā āāā logger.ts # Logging
ā āāā validation.ts # Input validation
āāā index.ts # Main entry point
```
## š Security Architecture
### Authentication Flow
```
Client ā MCP Server ā API Client ā OPNsense
(MCP Auth) (API Keys) (HTTPS)
```
### Security Layers
1. **Transport Security**: TLS/SSL for API communication
2. **Authentication**: API key/secret pairs
3. **Authorization**: Role-based permissions in OPNsense
4. **Input Validation**: Zod schemas for all inputs
5. **State Protection**: Encryption for sensitive data (planned)
6. **Audit Logging**: All operations logged with context
## š Deployment Architecture
### Standalone Deployment
```
āāāāāāāāāāāāāāā
ā Client ā
āāāāāāāā¬āāāāāāā
ā STDIO
āāāāāāāā¼āāāāāāā
ā MCP Server ā
āāāāāāāā¬āāāāāāā
ā HTTPS
āāāāāāāā¼āāāāāāā
ā OPNsense ā
āāāāāāāāāāāāāāā
```
### Container Deployment
```
āāāāāāāāāāāāāāā
ā Client ā
āāāāāāāā¬āāāāāāā
ā HTTP/SSE
āāāāāāāā¼āāāāāāā
ā Docker ā
ā āāāāāāāāāāā ā
ā ā MCP ā ā
ā ā Server ā ā
ā āāāāāāāāāāā ā
āāāāāāāā¬āāāāāāā
ā HTTPS
āāāāāāāā¼āāāāāāā
ā OPNsense ā
āāāāāāāāāāāāāāā
```
### High Availability Setup
```
āāāāāāāāāāāā
ā Load ā
ā Balancer ā
āāāāāā¬āāāāāā
ā
āāāāāāāāāā“āāāāāāāāā
ā ā
āāāāā¼āāāā āāāāā¼āāāā
ā MCP ā ā MCP ā
ā Node1 ā ā Node2 ā
āāāāā¬āāāā āāāāā¬āāāā
ā ā
āāāāāāāāāā¬āāāāāāāāā
ā
āāāāāāāā¼āāāāāāā
ā OPNsense ā
ā Cluster ā
āāāāāāāāāāāāāāā
```
## šÆ Design Patterns
### 1. Repository Pattern
Resources act as repositories for domain entities.
```typescript
class VlanResource {
async list(): Promise<Vlan[]>
async get(id: string): Promise<Vlan>
async create(data: VlanInput): Promise<Vlan>
async update(id: string, data: Partial<Vlan>): Promise<Vlan>
async delete(id: string): Promise<void>
}
```
### 2. Strategy Pattern
Different caching strategies for different data types.
```typescript
interface CacheStrategy {
shouldCache(key: string): boolean
getTTL(key: string): number
invalidate(pattern: string): void
}
```
### 3. Command Pattern
Macro recording captures operations as commands.
```typescript
interface Command {
execute(): Promise<Result>
undo(): Promise<void>
serialize(): object
}
```
### 4. Factory Pattern
Resource registry creates resources dynamically.
```typescript
class ResourceRegistry {
register(type: string, factory: ResourceFactory): void
create(type: string, props: any): Resource
}
```
## š Performance Considerations
### Optimization Strategies
1. **Connection Pooling**: Reuse API connections
2. **Request Batching**: Combine multiple API calls
3. **Caching**: Multi-level cache hierarchy
4. **Lazy Loading**: Load resources on demand
5. **Compression**: Compress large payloads (planned)
### Bottlenecks & Solutions
| Bottleneck | Current Solution | Future Improvement |
|------------|-----------------|-------------------|
| API Rate Limits | Request throttling | Request batching |
| Large State Files | File-based storage | Database backend |
| Memory Usage | TTL-based eviction | LRU cache |
| Network Latency | Response caching | Edge deployment |
## š Extension Points
### Adding New Resources
1. Create resource class extending `IaCResource`
2. Define Zod schema for validation
3. Implement `toAPIPayload()` and `fromAPIResponse()`
4. Register in resource registry
5. Add corresponding MCP tools
### Adding New Transports
1. Implement Transport interface
2. Handle connection lifecycle
3. Register in TransportManager
4. Configure in environment variables
### Adding New Cache Strategies
1. Implement CacheStrategy interface
2. Define TTL and invalidation rules
3. Register in CacheManager
4. Configure via settings
## š¦ Future Architecture Enhancements
### Planned Improvements
1. **Event-Driven Architecture**: WebSocket subscriptions for real-time updates
2. **Plugin System**: Dynamic loading of custom resources
3. **Distributed State**: Redis/etcd for shared state
4. **GraphQL API**: Alternative query interface
5. **Observability**: OpenTelemetry integration
6. **Multi-tenancy**: Isolated resource namespaces
---
*This architecture document provides a comprehensive overview of the OPNSense MCP Server's design, components, and patterns.*