Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| OPNSENSE_URL | Yes | OPNsense base URL (e.g. https://192.168.1.1) | |
| OPNSENSE_API_KEY | Yes | API key for authentication | |
| OPNSENSE_TIMEOUT | No | Request timeout in milliseconds | 30000 |
| OPNSENSE_API_SECRET | Yes | API secret for authentication | |
| OPNSENSE_VERIFY_SSL | No | Verify the server's TLS certificate; set to false for self-signed certificates | true |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| opnsense_dns_list_overrides | List all DNS host overrides (A/AAAA/CNAME records) configured in Unbound |
| opnsense_dns_add_override | Add a DNS host override (A/AAAA/CNAME record) to Unbound. Run opnsense_dns_apply afterwards to activate. |
| opnsense_dns_delete_override | Delete a DNS host override by UUID. Run opnsense_dns_apply afterwards to activate. |
| opnsense_dns_list_forwards | List all DNS-over-TLS forwarding servers configured in Unbound |
| opnsense_dns_add_forward | Add a DNS forwarding server (DNS-over-TLS). Run opnsense_dns_apply afterwards to activate. |
| opnsense_dns_delete_forward | Delete a DNS forwarding entry by UUID. Run opnsense_dns_apply afterwards to activate. |
| opnsense_dns_list_blocklist | List all domain overrides (used for domain blocking) in Unbound |
| opnsense_dns_block_domain | Block a domain by adding a domain override with an empty server. Run opnsense_dns_apply afterwards to activate. |
| opnsense_dns_unblock_domain | Unblock a domain by deleting its domain override. Run opnsense_dns_apply afterwards to activate. |
| opnsense_dns_flush_cache | Flush the Unbound DNS cache and DNSBL data |
| opnsense_dns_diagnostics | Dump the current Unbound DNS cache for diagnostic purposes |
| opnsense_dns_apply | Apply pending DNS/Unbound configuration changes (reconfigure service) |
| opnsense_fw_list_rules | List all firewall filter rules |
| opnsense_fw_add_rule | Add a new firewall filter rule. Run opnsense_fw_apply afterwards to activate. |
| opnsense_fw_update_rule | Update an existing firewall filter rule by UUID. Run opnsense_fw_apply afterwards to activate. |
| opnsense_fw_delete_rule | Delete a firewall filter rule by UUID. Run opnsense_fw_apply afterwards to activate. |
| opnsense_fw_toggle_rule | Enable or disable a firewall rule by UUID. Run opnsense_fw_apply afterwards to activate. |
| opnsense_fw_list_aliases | List all firewall aliases (host groups, networks, ports, URLs) |
| opnsense_fw_manage_alias | Create, update, or delete a firewall alias. Run opnsense_fw_apply afterwards to activate. |
| opnsense_fw_apply | Apply pending firewall configuration changes |
| opnsense_diag_arp_table | Show the ARP table (IP-to-MAC mappings). Optionally filter by IP, MAC, or interface. |
| opnsense_diag_routes | Show the routing table |
| opnsense_diag_ping | Ping a host from the OPNsense firewall |
| opnsense_diag_traceroute | Run a traceroute from the OPNsense firewall to a destination |
| opnsense_diag_dns_lookup | Perform a DNS lookup from the OPNsense firewall |
| opnsense_diag_reverse_dns | Perform a reverse DNS lookup (IP to hostname) from the OPNsense firewall |
| opnsense_diag_fw_states | List active firewall connection tracking states |
| opnsense_diag_fw_logs | Retrieve recent firewall log entries |
| opnsense_diag_system_info | Get system status information (CPU, memory, uptime, disk, versions) |
| opnsense_if_list | List all network interface names and their device mappings |
| opnsense_if_get | Get detailed configuration for a specific network interface (IP addresses, status, MTU, etc.) |
| opnsense_if_stats | Get traffic statistics for all interfaces (bytes, packets, errors, collisions) |
| opnsense_dhcp_list_leases | List all current DHCPv4 leases |
| opnsense_dhcp_find_lease | Search DHCPv4 leases by IP address, MAC address, or hostname |
| opnsense_dhcp_list_static | List all static DHCP mappings (MAC-to-IP reservations). Supports both Kea DHCP and ISC DHCP (legacy) backends — auto-detected. |
| opnsense_dhcp_add_static | Add a static DHCP mapping (MAC-to-IP reservation). Supports both Kea DHCP and ISC DHCP (legacy) backends — auto-detected. Requires DHCP service restart to take effect. |
| opnsense_dhcp_delete_static | Delete a static DHCP mapping by UUID. Supports both Kea DHCP and ISC DHCP (legacy) backends — auto-detected. |
| opnsense_sys_info | Get system status information (hostname, versions, CPU, memory, uptime, disk usage) |
| opnsense_sys_backup_list | List all configuration backups stored on the OPNsense filesystem with timestamps, descriptions, and file sizes |
| opnsense_sys_backup_download | Download an OPNsense configuration backup as XML. Downloads the current running config if no backup_id is specified. |
| opnsense_sys_backup_revert | Revert OPNsense configuration to a previous backup. DESTRUCTIVE: replaces the running config with the specified backup. |
| opnsense_sys_list_certs | List all certificates in the OPNsense trust store with their refids, descriptions, and validity dates |
| opnsense_svc_list | List all services and their running status |
| opnsense_svc_control | Start, stop, or restart a service by name |
| opnsense_acme_list_accounts | List all ACME accounts (Let's Encrypt, ZeroSSL, etc.) configured in the os-acme-client plugin |
| opnsense_acme_add_account | Register a new ACME account with a certificate authority (Let's Encrypt, ZeroSSL, etc.). Run opnsense_acme_apply afterwards. |
| opnsense_acme_delete_account | Delete an ACME account by UUID. Run opnsense_acme_apply afterwards. |
| opnsense_acme_register_account | Trigger registration of an ACME account with its certificate authority. Use after adding an account to verify it registers successfully. |
| opnsense_acme_list_challenges | List all configured ACME challenge/validation methods (DNS-01, HTTP-01, etc.) |
| opnsense_acme_add_challenge | Add a DNS-01 challenge configuration for automated certificate validation. For Cloudflare, use the dedicated dns_cf_* fields instead of dns_environment. Run opnsense_acme_apply afterwards. |
| opnsense_acme_update_challenge | Update an existing ACME challenge/validation by UUID. Use to change credentials or settings. Run opnsense_acme_apply afterwards. |
| opnsense_acme_delete_challenge | Delete an ACME challenge/validation method by UUID. Run opnsense_acme_apply afterwards. |
| opnsense_acme_list_certs | List all ACME certificates and their status (issued, pending, expired) |
| opnsense_acme_create_cert | Create a new ACME certificate request. Requires an account and challenge to be configured first. Run opnsense_acme_apply afterwards. |
| opnsense_acme_delete_cert | Delete an ACME certificate by UUID. Run opnsense_acme_apply afterwards. |
| opnsense_acme_renew_cert | Trigger immediate renewal/signing of an ACME certificate by UUID |
| opnsense_acme_settings | Get or update ACME service settings (enable/disable, environment, auto-renewal, log level). When called with no parameters, returns current settings. Run opnsense_acme_apply afterwards when updating. |
| opnsense_acme_apply | Apply pending ACME configuration changes (reconfigure service) |
| opnsense_firmware_info | Get firmware version, architecture, and update status of the OPNsense system |
| opnsense_firmware_status | Check for available firmware upgrades and their status (running, pending, done) |
| opnsense_firmware_list_plugins | List all available and installed OPNsense plugins with their versions and status |
| opnsense_firmware_install | Install an OPNsense plugin package by name (e.g. 'os-acme-client'). May require a service restart. |
| opnsense_firmware_remove | Remove an installed OPNsense plugin package. DESTRUCTIVE: requires explicit confirmation. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |