List all DNS host overrides (A/AAAA/CNAME records) configured in Unbound

Add a DNS host override (A/AAAA/CNAME record) to Unbound. Run opnsense_dns_apply afterwards to activate.

Delete a DNS host override by UUID. Run opnsense_dns_apply afterwards to activate.

List all DNS-over-TLS forwarding servers configured in Unbound

Add a DNS forwarding server (DNS-over-TLS). Run opnsense_dns_apply afterwards to activate.

Delete a DNS forwarding entry by UUID. Run opnsense_dns_apply afterwards to activate.

List all domain overrides (used for domain blocking) in Unbound

Block a domain by adding a domain override with an empty server. Run opnsense_dns_apply afterwards to activate.

Unblock a domain by deleting its domain override. Run opnsense_dns_apply afterwards to activate.

Flush the Unbound DNS resolver cache

Dump the current Unbound DNS cache for diagnostic purposes

Apply pending DNS/Unbound configuration changes (reconfigure service)

Flush all cached DNS entries for a specific domain/zone. Use this to clear stale SERVFAIL or outdated records for a domain. Restarts Unbound to ensure complete cache clearing.

Search the Unbound DNS cache for entries matching a domain. Useful for diagnosing cached SERVFAIL, stale records, or verifying cache state.

Get Unbound DNS resolver statistics: query counts, cache hits/misses, uptime, and memory usage

Dump the Unbound infrastructure cache showing upstream server RTT, EDNS support, and lame delegation status. Useful for diagnosing upstream DNS connectivity issues.

Get the Unbound DNSBL (DNS blocklist) configuration: enabled flag, selected built-in source IDs, custom URLs, NX-domain mode, allowlist. Read-only.

List all available built-in DNSBL block-list sources (curated feeds like AdGuard, EasyList, hagezi, Steven Black, etc.) with their internal IDs and selected state. Read-only.

Update the Unbound DNSBL configuration: enable/disable, select multiple built-in source IDs, set custom blocklist URLs, configure NX-domain mode. After this, call opnsense_dns_apply to activate. DESTRUCTIVE: requires explicit confirmation.

List all firewall filter rules

Add a new firewall filter rule. Run opnsense_fw_apply afterwards to activate.

Update an existing firewall filter rule by UUID. Run opnsense_fw_apply afterwards to activate.

Delete a firewall filter rule by UUID. Run opnsense_fw_apply afterwards to activate.

Enable or disable a firewall rule by UUID. Run opnsense_fw_apply afterwards to activate.

List all firewall aliases (host groups, networks, ports, URLs)

Create, update, or delete a firewall alias. Run opnsense_fw_apply afterwards to activate.

Apply pending firewall configuration changes

Change the sequence (ordering) of a firewall filter rule by UUID. Rules with lower sequence values are evaluated first. Use this to enforce whitelist-before-deny ordering. Run opnsense_fw_apply afterwards to activate.

Audit firewall filter rules for description hygiene. Returns rules whose description does not match the given regex (default: '^#\d+:' — issue-reference prefix) and rules with empty descriptions. Read-only.

Show the ARP table (IP-to-MAC mappings). Optionally filter by IP, MAC, or interface.

Show the routing table

Ping a host from the OPNsense firewall

Run a traceroute from the OPNsense firewall to a destination

Perform a DNS lookup from the OPNsense firewall

Perform a reverse DNS lookup (IP to hostname) from the OPNsense firewall

List active firewall connection tracking states

Retrieve recent firewall log entries

Get system status information (CPU, memory, uptime, disk, versions)

Retrieve recent OPNsense system log entries (kernel, generic system events).

Retrieve recent OPNsense gateway monitoring (dpinger) log entries — useful for WAN/gateway health debugging.

Retrieve recent OPNsense routing daemon log entries.

Retrieve recent Unbound DNS resolver log entries.

List all network interface names and their device mappings

Get detailed configuration for a specific network interface (IP addresses, status, MTU, etc.)

Get traffic statistics for all interfaces (bytes, packets, errors, collisions)

Assign an existing VLAN or NIC device to a free optN slot via SSH. Requires OPNSENSE_SSH_ENABLED=true and the opnsense-helpers/if_assign.php script installed on the target host. Fills the gap where the OPNsense REST API has no 'Interfaces → Assignments' endpoint.

Configure IPv4/IPv6 on an already-assigned optN slot via SSH. Supports static, dhcp, dhcp6, track6, and 'none'. Requires OPNSENSE_SSH_ENABLED=true and the opnsense-helpers/if_configure.php script installed on the target host.

List all current DHCPv4 leases. Supports both Kea DHCP (default on modern OPNsense) and ISC DHCP (legacy) backends — auto-detects which is active.

Search DHCPv4 leases by IP address, MAC address, or hostname. Supports both Kea DHCP and ISC DHCP (legacy) backends — auto-detects which is active.

List all static DHCP mappings (MAC-to-IP reservations). Supports both Kea DHCP and ISC DHCP (legacy) backends — auto-detected.

Add a static DHCP mapping (MAC-to-IP reservation). Supports both Kea DHCP and ISC DHCP (legacy) backends — auto-detected. Requires DHCP service restart to take effect.

Delete a static DHCP mapping by UUID. Supports both Kea DHCP and ISC DHCP (legacy) backends — auto-detected.

List all Kea DHCPv4 subnets with their pools, options, and reservation counts.

Get detailed configuration of a specific Kea DHCPv4 subnet by UUID.

Create a new Kea DHCPv4 subnet. Run opnsense_kea_apply afterwards to activate.

Update an existing Kea DHCPv4 subnet. Run opnsense_kea_apply afterwards to activate.

Delete a Kea DHCPv4 subnet by UUID. Run opnsense_kea_apply afterwards to activate.

Apply pending Kea DHCP configuration changes (reconfigure service). Run after subnet or reservation changes.

Get system status information (hostname, versions, CPU, memory, uptime, disk usage)

List all configuration backups stored on the OPNsense filesystem with timestamps, descriptions, and file sizes

Download an OPNsense configuration backup as XML. Downloads the current running config if no backup_id is specified.

Revert OPNsense configuration to a previous backup. DESTRUCTIVE: replaces the running config with the specified backup.

List all certificates in the OPNsense trust store with their refids, descriptions, and validity dates

List all services and their running status

Start, stop, or restart a service by name

List all ACME accounts (Let's Encrypt, ZeroSSL, etc.) configured in the os-acme-client plugin

Register a new ACME account with a certificate authority (Let's Encrypt, ZeroSSL, etc.). Run opnsense_acme_apply afterwards.

Delete an ACME account by UUID. Run opnsense_acme_apply afterwards.

Trigger registration of an ACME account with its certificate authority. Use after adding an account to verify it registers successfully.

List all configured ACME challenge/validation methods (DNS-01, HTTP-01, etc.)

Add a DNS-01 challenge configuration for automated certificate validation. For Cloudflare, use the dedicated dns_cf_* fields instead of dns_environment. Run opnsense_acme_apply afterwards.

Update an existing ACME challenge/validation by UUID. Use to change credentials or settings. Run opnsense_acme_apply afterwards.

Delete an ACME challenge/validation method by UUID. Run opnsense_acme_apply afterwards.

List all ACME certificates and their status (issued, pending, expired)

Create a new ACME certificate request. Requires an account and challenge to be configured first. Run opnsense_acme_apply afterwards.

Delete an ACME certificate by UUID. Run opnsense_acme_apply afterwards.

Trigger immediate renewal/signing of an ACME certificate by UUID

Get or update ACME service settings (enable/disable, environment, auto-renewal, log level). When called with no parameters, returns current settings. Run opnsense_acme_apply afterwards when updating.

Apply pending ACME configuration changes (reconfigure service)

Get firmware version, architecture, and update status of the OPNsense system

Check for available firmware upgrades and their status (running, pending, done). Reads the cached state — call 'opnsense_firmware_check' first if the cache may be stale.

Trigger a background firmware repository check to refresh the cached upgrade status. After calling this, wait briefly and then call 'opnsense_firmware_status' to see fresh upgrade info.

List all available and installed OPNsense plugins with their versions and status

Install an OPNsense plugin package by name (e.g. 'os-acme-client'). May require a service restart.

Remove an installed OPNsense plugin package. DESTRUCTIVE: requires explicit confirmation.

Trigger an OPNsense system upgrade based on what 'opnsense_firmware_status' reports (minor packages, or a major-series jump such as 24.7 → 25.1). Long-running: poll progress with 'opnsense_firmware_upgrade_status'. A reboot is typically required afterwards. DESTRUCTIVE: requires explicit confirmation.

Get the progress/log of a currently running or last completed firmware upgrade (long-running operation status).

Reboot the OPNsense system. Causes a network outage on the firewall and any services it provides (DNS, DHCP, VPN). DESTRUCTIVE: requires explicit confirmation.

List all configured static routes

Add a static route. The gateway parameter must be a gateway name from opnsense_route_gateway_list. Run opnsense_route_apply afterwards to activate.

Update an existing static route. Run opnsense_route_apply afterwards to activate.

Delete a static route. Run opnsense_route_apply afterwards to activate.

Apply static route configuration changes (reconfigure routing)

List all available gateways (used as targets for static routes)

Get live gateway monitor status: per-gateway online/offline state, RTT (delay), packet loss, stddev, monitor IP, and monitor_disable flag. Read-only — complements opnsense_route_gateway_list (which only returns config).

Update an existing gateway's settings (toggle monitoring, set monitor IP, change weight/priority, enable/disable). Round-trips current config and only overrides explicitly provided fields. After updating, call opnsense_route_gateway_apply to activate the change. DESTRUCTIVE: requires explicit confirmation.

Apply pending gateway configuration changes (calls /api/routing/settings/reconfigure). Required after opnsense_route_gateway_update for changes to take effect. May briefly affect WAN connectivity. DESTRUCTIVE: requires explicit confirmation.

List all configured 802.1Q VLAN interfaces (parent interface, VLAN tag, description, priority)

Create a new 802.1Q VLAN interface on a parent interface. After create, run opnsense_if_assign to bind the VLAN to a logical interface (opt1, opt2, ...) and opnsense_if_configure to assign an IP.

Update an existing VLAN interface by UUID. Only provided fields are changed.