Supports containerized deployment for easy installation and management of the MCP server.
Enables natural language control of pfSense firewalls with multiple access levels for monitoring, security rule modification, system administration, compliance auditing, and emergency response.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@pfSense MCP Servershow me the current firewall rules"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
pfSense Enhanced MCP Server
A Model Context Protocol (MCP) server for managing pfSense firewalls through Claude Desktop, Claude Code, and other MCP-compatible clients. Verified against the pfSense REST API v2 PHP source code for production accuracy.
Supported pfSense Versions
pfSense Version | REST API Package | Status |
pfSense CE 2.8.1 | Verified | |
pfSense Plus 25.11 | Verified | |
pfSense CE 2.8.0 | Supported | |
pfSense Plus 24.11 | Supported | |
pfSense CE 26.03 | Not yet available | Pending REST API package build |
Requires the pfSense REST API v2 package by jaredhendrickson13.
Related MCP server: MCP Server UniFi
Quick Start
1. Install pfSense REST API Package
SSH into your pfSense box and install the package for your version:
# pfSense CE 2.8.1
pkg-static add https://github.com/pfrest/pfSense-pkg-RESTAPI/releases/latest/download/pfSense-2.8.1-pkg-RESTAPI.pkg
# pfSense Plus 25.11
pkg-static -C /dev/null add https://github.com/pfrest/pfSense-pkg-RESTAPI/releases/latest/download/pfSense-25.11-pkg-RESTAPI.pkgThen in the pfSense web UI: System > REST API to enable it, and System > User Manager > [your user] to generate an API key.
2. Setup MCP Server
git clone https://github.com/gensecaihq/pfsense-mcp-server.git
cd pfsense-mcp-server
pip install -r requirements.txt
cp .env.example .env
# Edit .env with your pfSense URL and API key3. Configure Claude Desktop
Add to your Claude Desktop config (~/Library/Application Support/Claude/claude_desktop_config.json on macOS):
{
"mcpServers": {
"pfsense": {
"command": "python",
"args": ["-m", "src.main"],
"cwd": "/path/to/pfsense-mcp-server",
"env": {
"PFSENSE_URL": "https://your-pfsense.local",
"PFSENSE_API_KEY": "your-api-key",
"PFSENSE_VERSION": "CE_2_8_0",
"AUTH_METHOD": "api_key",
"VERIFY_SSL": "true"
}
}
}
}4. Start the Server
# stdio mode (default — for Claude Desktop / Claude Code)
python -m src.main
# HTTP mode (for remote access, requires MCP_API_KEY for bearer auth)
python -m src.main -t streamable-http --port 3000MCP Tools (41 total)
Firewall Rules (9 tools)
Tool | Description |
| Search rules with filtering by interface, source IP, port, type, description |
| Find all block/reject rules |
| Create rule with position control and validation |
| Update an existing rule by ID |
| Delete a rule by ID |
| Reorder a rule to a new position |
| Explicitly trigger pf filter reload |
| Block multiple IPs with a single apply |
| Read the compiled pf ruleset (/tmp/rules.debug) |
Aliases (5 tools)
Tool | Description |
| Search aliases by name, type, or contained IP |
| Create a new alias (host, network, port, url) |
| Update an existing alias |
| Delete an alias |
| Add or remove addresses from an alias |
NAT Port Forwards (4 tools)
Tool | Description |
| Search port forward rules |
| Create a port forward with validation |
| Update a port forward |
| Delete a port forward |
DHCP (7 tools)
Tool | Description |
| Search active DHCP leases |
| Search static DHCP reservations |
| Create a static mapping |
| Update a static mapping |
| Delete a static mapping |
| Get DHCP server configuration |
| Update DHCP server settings |
Services (2 tools)
Tool | Description |
| List services with status filtering |
| Start, stop, or restart a service by name |
Logs & Monitoring (3 tools)
Tool | Description |
| Get firewall log entries (max 50 lines) |
| Group blocked traffic by source IP with threat scoring |
| Search logs for a specific IP address |
System (4 tools)
Tool | Description |
| Get CPU, memory, disk, and version info |
| Search network interfaces |
| Find interfaces by status (up/down) |
| Get ARP table (IP-to-MAC mappings) |
Utility (7 tools)
Tool | Description |
| Follow a HATEOAS link |
| Toggle HATEOAS link inclusion |
| Re-query endpoint to get fresh IDs |
| Look up object by field value |
| Get REST API settings |
| Test connection and feature availability |
API Endpoint Coverage
Category | Endpoints | Operations |
Firewall Rules |
| Full CRUD + apply |
Aliases |
| Full CRUD + append/remove |
NAT |
| Full CRUD |
DHCP Leases |
| Read |
DHCP Static Mappings |
| Full CRUD |
DHCP Server Config |
| Read + Update |
Services |
| Read + Control |
Firewall Logs |
| Read (text-based filtering) |
System Logs |
| Read |
System Status |
| Read |
Interfaces |
| Read |
ARP Table |
| Read |
Diagnostics |
| Execute |
API Settings |
| Read |
Not Yet Implemented
Routing — static routes, gateways, gateway groups
VPN — OpenVPN servers/clients, IPsec, WireGuard
DNS — resolver/forwarder config, host overrides
Certificates — CA, certificate, CSR management
Users — user/group CRUD, LDAP/RADIUS
NAT Outbound / 1:1 — outbound NAT rules
Advanced — schedules, traffic shaper, virtual IPs
Architecture
src/
main.py Entry point (argparse, connection test, mcp.run())
server.py FastMCP instance + API client singleton
client.py HTTP client for pfSense REST API v2
models.py Enums, dataclasses (QueryFilter, SortOptions, etc.)
helpers.py Validation, pagination, safety guards
middleware.py Bearer auth middleware for HTTP transport
tools/
firewall.py 9 tools
aliases.py 5 tools
nat.py 4 tools
dhcp.py 7 tools
services.py 2 tools
logs.py 3 tools
system.py 4 tools
utility.py 7 toolsEnvironment Variables
Variable | Required | Default | Description |
| Yes |
| pfSense URL |
| Yes (for api_key auth) | — | REST API key |
| No |
|
|
| No |
|
|
| No |
| Verify SSL certificates |
| No |
| Include HATEOAS links in responses |
| No |
|
|
| No |
|
|
| No |
| Bind address for HTTP mode |
| No |
| Port for HTTP mode |
| Required for HTTP mode | — | Bearer token for HTTP transport auth |
Docker
# Build
docker build -t pfsense-mcp .
# Run in stdio mode
docker run --rm -e PFSENSE_URL=https://pfsense.local -e PFSENSE_API_KEY=your-key pfsense-mcp
# Run in HTTP mode (docker-compose)
docker compose upThe docker-compose.yml runs in streamable-http mode on port 3000 with bearer auth.
Testing
# Run all 223 tests
python -m pytest tests/ -v
# With coverage
python -m pytest tests/ --cov=src --cov-report=term-missing
# Only tool tests
python -m pytest tests/tools/ -v
# Only client tests
python -m pytest tests/test_api_client.py -vSafety Guards
Page size capped at 200 — prevents pfSense PHP memory exhaustion
Log lines capped at 50 — same reason
Port format validation — rejects
"53 853"which crashes the pf compilerIP validation — validates addresses before sending to API
Log type allowlist — prevents path traversal via log endpoint
Bearer auth required for HTTP transport mode (fail-closed)
Control parameters in JSON body — verified against pfSense API PHP source
Known Limitations
Firewall log API only exposes raw
textfield; per-field filtering is done client-sideHATEOAS toggle is a global API setting, not per-request (the tools toggle a local session flag)
pfSense object IDs are non-persistent array indices that change after deletions
Log retrieval is capped at 50 lines per request to prevent PHP memory exhaustion
Community & Contributions
We Need Your Help!
This MCP server has been verified against the pfSense REST API v2 PHP source code, but real-world testing across diverse pfSense environments is essential. Whether you're a pfSense veteran, Python developer, or GenAI enthusiast, there are many ways to contribute.
How You Can Help
Testing & Feedback
Test with your pfSense setup and report what works (and what doesn't)
Share use cases — tell us how you're using the MCP tools
Performance feedback across different network sizes
Bug Reports & Issues
Open an issue with detailed reproduction steps
Suggest new MCP tools or API integrations
Help improve documentation based on real-world usage
Code Contributions
Add tools for missing endpoint categories (VPN, routing, DNS, certificates)
Add support for pfSense packages (Snort, Suricata, HAProxy)
Improve test coverage for edge cases
Performance optimizations
Documentation
Real-world example prompts that work well with Claude
Integration guides for other MCP clients
Video tutorials for setup and usage
Getting Started as a Contributor
Fork the repository and create a feature branch
Run the test suite:
python -m pytest tests/ -vUpdate tests for any new features
Submit a pull request with a clear description
Ideas for Contributions
High Priority
VPN status and configuration tools (OpenVPN, IPsec, WireGuard)
Routing and gateway management
DNS resolver/forwarder configuration
Certificate management
Medium Priority
Support for pfSense packages (Snort, ntopng, FreeRADIUS)
Multi-pfSense instance management
GraphQL API integration
Enhanced log parsing and analysis
Stay Connected
GitHub Issues: Report bugs and request features
Pull Requests: Contribute code and documentation
Releases: Follow for updates
License
MIT License — see LICENSE for details.
Acknowledgments
jaredhendrickson13 / pfrest for the pfSense REST API v2 package
JeremiahChurch for the production-tested modular rewrite (PR #5, 217 tests)
shawnpetersen for discovering the correct API v2 endpoint paths (PR #3)
Netgate for pfSense
FastMCP for the MCP framework
This server cannot be installed
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.