The OPNSense MCP Server enables Infrastructure as Code (IaC) management of OPNsense firewalls through comprehensive API integration. With this server, you can:
Configure OPNsense Connection: Set up host, API key, and secret for firewall communication
Test Connectivity: Verify API connection and authentication
Manage VLANs: List, create, update, delete, and retrieve VLAN details
Control Firewall Rules: List, create, update, delete, enable/disable, and search rules; supports predefined rule presets
Handle Backups: Create, list, and restore configuration backups
Network Operations: Retrieve available network interfaces and configure isolated networks
DNS Management: Manage DNS blocklists
IaC Integration: Declaratively manage OPNsense infrastructure using JSON or JavaScript
Provides tools for managing OPNSense firewalls, including VLAN creation and management, firewall rule configuration, network interface queries, and DHCP lease management
Implements an audit database for tracking changes made through the OPNSense MCP server
Used as an optional cache layer for improved performance in Phase 3 of the OPNSense MCP server
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@OPNSense MCP Server list all firewall rules and show me any that allow traffic from the DMZ"
That's it! The server will respond to your query, and you can continue using it as needed.
OPNsense MCP Server
A Model Context Protocol (MCP) server for comprehensive OPNsense firewall management. This server enables AI assistants like Claude to directly manage firewall configurations, diagnose network issues, and automate complex networking tasks.
Features
Firewall Management
Complete CRUD operations for firewall rules
Proper handling of API-created "automation rules"
Inter-VLAN routing configuration
Batch rule creation and management
Enhanced persistence with multiple fallback methods
NAT Configuration (SSH-based)
Outbound NAT rule management
NAT mode control (automatic/hybrid/manual/disabled)
No-NAT exception rules for inter-VLAN traffic
Automated DMZ NAT issue resolution
Direct XML configuration manipulation
Network Diagnostics
Comprehensive routing analysis
ARP table inspection with vendor identification
Interface configuration management
Network connectivity troubleshooting
Auto-fix capabilities for common issues
SSH/CLI Execution
Direct command execution on OPNsense
Configuration file manipulation
System-level operations not available via API
Service management and restarts
Additional Capabilities
VLAN management
DHCP lease viewing and management
DNS blocklist configuration
HAProxy load balancer support
Configuration backup and restore
Infrastructure as Code support
Installation
Prerequisites
Node.js 18+ or Bun 1.0+
OPNsense firewall (v24.7+ recommended)
API credentials for OPNsense
SSH access (optional, for advanced features)
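The API credentials listed above are sent on every request as HTTP Basic auth (API key as user name, secret as password), which is why the `OPNSENSE_VERIFY_SSL` setting below matters. The following connectivity probe is an added example written for this page, not the project's own client: it assumes `GET /api/core/firmware/status` is a cheap authenticated endpoint returning JSON, takes a fetch-like function as a parameter so it can be run offline against the constructed fake at the bottom, and refuses a plain-http host outright.

```typescript
// Added example: minimal OPNsense API connectivity probe (not the project's code).
// Assumptions: Basic auth with key:secret, and /api/core/firmware/status as the probe URL.

export interface ProbeResult {
  ok: boolean;
  status: number;
  reason: string;
}

// Narrow fetch-like signature so the probe can be exercised with a fake backend.
export type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string> },
) => Promise<{ status: number; text(): Promise<string> }>;

export function buildAuthHeader(apiKey: string, apiSecret: string): string {
  // Basic auth is only base64(key:secret). Anyone able to terminate the TLS
  // session (which OPNSENSE_VERIFY_SSL=false permits) recovers both values.
  return 'Basic ' + Buffer.from(`${apiKey}:${apiSecret}`).toString('base64');
}

export function validateHost(host: string): string {
  const url = new URL(host); // throws on malformed input
  if (url.protocol !== 'https:') {
    throw new Error(`OPNSENSE_HOST must use https, got ${url.protocol}`);
  }
  return url.origin;
}

export async function probeApi(
  host: string,
  apiKey: string,
  apiSecret: string,
  fetchImpl: FetchLike,
): Promise<ProbeResult> {
  const origin = validateHost(host);
  const res = await fetchImpl(`${origin}/api/core/firmware/status`, {
    method: 'GET',
    headers: { Authorization: buildAuthHeader(apiKey, apiSecret), Accept: 'application/json' },
  });
  if (res.status === 401 || res.status === 403) {
    return { ok: false, status: res.status, reason: 'rejected: check key/secret and the API user privileges' };
  }
  if (res.status !== 200) {
    return { ok: false, status: res.status, reason: `unexpected HTTP ${res.status}` };
  }
  const body = await res.text();
  try {
    JSON.parse(body);
  } catch {
    // A 200 with a non-JSON body usually means the GUI login page answered, not the API.
    return { ok: false, status: 200, reason: 'non-JSON body; host may be the GUI, not the API' };
  }
  return { ok: true, status: 200, reason: 'authenticated' };
}

// Constructed fake backend for offline use: accepts exactly one key/secret pair.
export function fakeOpnsense(validKey: string, validSecret: string): FetchLike {
  return async (_url, init) => {
    const expected = buildAuthHeader(validKey, validSecret);
    if (init.headers.Authorization !== expected) {
      return { status: 401, text: async () => '{"status":"unauthorized"}' };
    }
    return { status: 200, text: async () => '{"status":"ok","product_version":"24.7"}' };
  };
}

// Offline usage against the fake; swap in globalThis.fetch for a real firewall.
probeApi('https://fw.example.internal', 'AbC123', 's3cret', fakeOpnsense('AbC123', 's3cret'))
  .then((r) => console.log(r.reason));
```

The host check is deliberately strict: the API only makes sense over HTTPS, and a typo such as `http://` would otherwise send the key and secret in clear text.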
Quick Start with npm
Install the package:
```bash
npm install -g opnsense-mcp-server
```
Create a `.env` file with your credentials:
```bash
# Required
OPNSENSE_HOST=https://your-opnsense-host:port
OPNSENSE_API_KEY=your-api-key
OPNSENSE_API_SECRET=your-api-secret
# false skips TLS certificate verification, so the key and secret go to whoever
# answers on that host. Use true with a trusted certificate outside lab setups.
OPNSENSE_VERIFY_SSL=false
# Optional - for SSH features
OPNSENSE_SSH_HOST=your-opnsense-host
OPNSENSE_SSH_USERNAME=root
OPNSENSE_SSH_PASSWORD=your-password
# Or use SSH key (preferred over a root password stored in a plaintext .env)
# OPNSENSE_SSH_KEY_PATH=~/.ssh/id_rsa
```
Start the MCP server:
```bash
opnsense-mcp-server
```
Quick Start with Bun (Faster)
Bun provides significantly faster startup times and better performance.
Install Bun (if not already installed):
```bash
curl -fsSL https://bun.sh/install | bash
```
(Review the script before piping it into a shell.) Clone and install:
```bash
git clone https://github.com/vespo92/OPNSenseMCP.git
cd OPNSenseMCP
bun install
```
Create your `.env` file (same as npm version above). Run with Bun:
```bash
# Development with hot reload
bun run dev:bun
# Production
bun run start:bun
```
Using Bun with Claude Desktop
```json
{
  "mcpServers": {
    "opnsense": {
      "command": "bun",
      "args": ["run", "/path/to/OPNSenseMCP/src/index.ts"],
      "env": {
        "OPNSENSE_HOST": "https://your-opnsense:port",
        "OPNSENSE_API_KEY": "your-key",
        "OPNSENSE_API_SECRET": "your-secret",
        "OPNSENSE_VERIFY_SSL": "false"
      }
    }
  }
}
```
Usage with Claude Desktop (npm)
Add to your Claude Desktop configuration (claude_desktop_config.json):
```json
{
  "mcpServers": {
    "opnsense": {
      "command": "npx",
      "args": ["opnsense-mcp-server"],
      "env": {
        "OPNSENSE_HOST": "https://your-opnsense:port",
        "OPNSENSE_API_KEY": "your-key",
        "OPNSENSE_API_SECRET": "your-secret",
        "OPNSENSE_VERIFY_SSL": "false"
      }
    }
  }
}
```
Common Use Cases
Fix DMZ NAT Issues
```javascript
// Automatically fix DMZ to LAN routing
await mcp.call('nat_fix_dmz', {
  dmzNetwork: '10.0.6.0/24',
  lanNetwork: '10.0.0.0/24'
});
```
Create Firewall Rules
```javascript
// Allow NFS from DMZ to NAS
await mcp.call('firewall_create_rule', {
  action: 'pass',
  interface: 'opt8',
  source: '10.0.6.0/24',
  destination: '10.0.0.14/32',
  protocol: 'tcp',
  destination_port: '2049',
  description: 'Allow NFS from DMZ'
});
```
Diagnose Routing Issues
```javascript
// Run comprehensive routing diagnostics
await mcp.call('routing_diagnostics', {
  sourceNetwork: '10.0.6.0/24',
  destNetwork: '10.0.0.0/24'
});
```
Execute CLI Commands
```javascript
// Run any OPNsense CLI command
await mcp.call('system_execute_command', {
  command: 'pfctl -s state | grep 10.0.6'
});
```
The command runs over SSH as the configured SSH user (root in the sample `.env`), so whatever the assistant passes here executes with that user's privileges; leave the SSH variables unset unless you need the SSH-based features.
MCP Tools Reference
The server provides 50+ MCP tools organized by category:
Firewall Tools
firewall_list_rules - List all firewall rules
firewall_create_rule - Create a new rule
firewall_update_rule - Update existing rule
firewall_delete_rule - Delete a rule
firewall_apply_changes - Apply pending changes
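Two things a practitioner wants around these tools: a sanity check on the arguments an assistant passes to `firewall_create_rule` (the "Create Firewall Rules" use case above), and a review pass over what `firewall_list_rules` returns, such as the "show me any that allow traffic from the DMZ" query at the top of this page. The block below is an added example written for this page, not the project's code; the `Rule` shape is an assumption modelled on the use-case snippet, and the sample rule list is constructed.

```typescript
// Added example (not the project's code): IPv4 CIDR helpers used to validate
// firewall_create_rule arguments and to review firewall_list_rules output.
// Rule shape is assumed from the use-case snippet; SAMPLE_RULES is constructed.

export interface Rule {
  uuid?: string;
  action: 'pass' | 'block' | 'reject';
  interface: string;
  source: string;            // IPv4 CIDR or 'any'
  destination: string;       // IPv4 CIDR or 'any'
  protocol?: string;
  destination_port?: string; // '2049', '1024-65535' or 'any'
  description?: string;
  enabled?: boolean;
}

export interface Cidr { base: number; mask: number; bits: number }

export function parseCidr(text: string): Cidr {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/.exec(text.trim());
  if (!m) throw new Error(`not an IPv4 CIDR: ${text}`);
  const octets = m.slice(1, 5).map(Number);
  if (octets.some((o) => o > 255)) throw new Error(`octet out of range: ${text}`);
  const bits = m[5] === undefined ? 32 : Number(m[5]);
  if (bits > 32) throw new Error(`prefix out of range: ${text}`);
  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { base: (addr & mask) >>> 0, mask, bits };
}

// True when the two networks share at least one address (one contains the other).
export function overlaps(a: Cidr, b: Cidr): boolean {
  const m = a.bits <= b.bits ? a.mask : b.mask;
  return ((a.base & m) >>> 0) === ((b.base & m) >>> 0);
}

const PROTOCOLS = new Set(['any', 'tcp', 'udp', 'tcp/udp', 'icmp']);
const PORT_PROTOCOLS = new Set(['tcp', 'udp', 'tcp/udp']);

// Returns a list of problems; an empty list means the request is safe to send.
export function validateRuleRequest(r: Rule): string[] {
  const problems: string[] = [];
  if (!['pass', 'block', 'reject'].includes(r.action)) problems.push(`bad action: ${r.action}`);
  if (!/^[a-z][a-z0-9_]*$/.test(r.interface)) problems.push(`bad interface name: ${r.interface}`);
  for (const [field, v] of [['source', r.source], ['destination', r.destination]] as const) {
    if (v !== 'any') {
      try { parseCidr(v); } catch (e) { problems.push(`${field}: ${(e as Error).message}`); }
    }
  }
  const proto = r.protocol ? r.protocol.toLowerCase() : 'any';
  if (!PROTOCOLS.has(proto)) problems.push(`unsupported protocol: ${r.protocol}`);
  if (r.destination_port && r.destination_port !== 'any') {
    const pm = /^(\d{1,5})(?:-(\d{1,5}))?$/.exec(r.destination_port);
    const lo = pm ? Number(pm[1]) : NaN;
    const hi = pm && pm[2] ? Number(pm[2]) : lo;
    if (!pm || lo < 1 || hi > 65535 || lo > hi) problems.push(`bad port spec: ${r.destination_port}`);
    if (pm && !PORT_PROTOCOLS.has(proto)) problems.push(`port given but protocol ${proto} has no ports`);
  }
  // A pass any -> any rule with no port restriction is the classic "make it work" mistake.
  if (r.action === 'pass' && r.source === 'any' && r.destination === 'any' &&
      (!r.destination_port || r.destination_port === 'any')) {
    problems.push('pass any->any rule is effectively no firewall');
  }
  return problems;
}

// Enabled pass rules whose source can include an address of the given network.
export function rulesAllowingFrom(rules: Rule[], network: string): Rule[] {
  const net = parseCidr(network);
  return rules.filter((r) => r.action === 'pass' && r.enabled !== false &&
    (r.source === 'any' || overlaps(parseCidr(r.source), net)));
}

// Constructed sample of what a rule listing might contain.
export const SAMPLE_RULES: Rule[] = [
  { uuid: 'r1', action: 'pass', interface: 'opt8', source: '10.0.6.0/24', destination: '10.0.0.14/32',
    protocol: 'tcp', destination_port: '2049', description: 'Allow NFS from DMZ' },
  { uuid: 'r2', action: 'pass', interface: 'opt8', source: 'any', destination: 'any', description: 'temporary debug rule' },
  { uuid: 'r3', action: 'block', interface: 'opt8', source: '10.0.6.0/24', destination: '10.0.0.0/24', description: 'Block DMZ to LAN' },
  { uuid: 'r4', action: 'pass', interface: 'lan', source: '10.0.0.0/24', destination: 'any', description: 'LAN out' },
  { uuid: 'r5', action: 'pass', interface: 'opt8', source: '10.0.6.40/32', destination: '10.0.0.0/24', enabled: false, description: 'disabled' },
];

console.log(rulesAllowingFrom(SAMPLE_RULES, '10.0.6.0/24').map((r) => `${r.uuid}: ${r.description}`));
```

Run against the sample, the review returns r1 (the intended NFS rule) and r2 (the forgotten any-to-any debug rule, which `validateRuleRequest` would also have flagged before creation); r3 is a block, r4's source does not overlap the DMZ, and r5 is disabled.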
NAT Tools
nat_list_outbound - List outbound NAT rules
nat_set_mode - Set NAT mode
nat_create_outbound_rule - Create NAT rule
nat_fix_dmz - Fix DMZ NAT issues
nat_analyze_config - Analyze NAT configuration
Network Tools
arp_list - List ARP table entries
routing_diagnostics - Diagnose routing issues
routing_fix_all - Auto-fix routing problems
interface_list - List network interfaces
vlan_create - Create VLAN
System Tools
system_execute_command - Execute CLI command
backup_create - Create configuration backup
service_restart - Restart a service
For a complete list, see docs/api/mcp-tools.md.
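`system_execute_command` (and the "Execute CLI Commands" use case above) forwards a command string to the SSH user, root in the sample `.env`. If an assistant is allowed to call it, the practical control is a policy gate in front of the tool. The block below is an added example written for this page, not the project's code: it allows a small set of read-only diagnostics, validates each stage of a pipeline separately (the page's own `pfctl -s state | grep 10.0.6` must still pass), and refuses shell syntax that could chain in anything else. The allow-list and the `executeGated` wrapper are assumptions for illustration.

```typescript
// Added example (not the project's code): a policy gate for system_execute_command.
// The allow-list below is an assumption; extend it per diagnostic you actually need.

// Command name -> regex the normalised argument string must match in full.
export const ALLOWED: Record<string, RegExp> = {
  pfctl: /^-s (state|rules|nat|info)$/,
  netstat: /^-rn$/,
  arp: /^-an?$/,
  ifconfig: /^[a-z0-9_]*$/,
  grep: /^(-i )?[\w.:\/-]+$/,
  head: /^-n \d+$/,
  wc: /^-l$/,
};

// Anything that could start a second command, substitute, or redirect output.
const FORBIDDEN = /[;&`$()<>\r\n'"\\]/;

export interface Verdict { allowed: boolean; reason: string; stages: string[] }

export function checkCommand(command: string): Verdict {
  if (FORBIDDEN.test(command)) {
    return { allowed: false, reason: 'shell metacharacter present', stages: [] };
  }
  const stages = command.split('|').map((s) => s.trim());
  for (const stage of stages) {
    if (stage === '') return { allowed: false, reason: 'empty pipeline stage', stages }; // also catches ||
    const [name, ...rest] = stage.split(/\s+/);
    const args = rest.join(' ');
    // hasOwnProperty: a name like "constructor" must not resolve via Object.prototype.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, name)) {
      return { allowed: false, reason: `command not in allow-list: ${name}`, stages };
    }
    if (!ALLOWED[name].test(args)) {
      return { allowed: false, reason: `arguments not permitted for ${name}: ${args}`, stages };
    }
  }
  return { allowed: true, reason: 'ok', stages };
}

// Wrap the real executor (e.g. the MCP tool call) so refused commands never reach SSH.
export async function executeGated(
  command: string,
  exec: (cmd: string) => Promise<string>,
): Promise<string> {
  const verdict = checkCommand(command);
  if (!verdict.allowed) throw new Error(`refused: ${verdict.reason}`);
  return exec(command);
}

// Constructed demonstration inputs.
for (const c of ['pfctl -s state | grep 10.0.6', 'pfctl -s state; rm -rf /', 'netstat -rn || reboot']) {
  console.log(c, '->', checkCommand(c).reason);
}
```

Everything that is not explicitly listed is refused, including absolute paths and extra flags; that is intentional, since the failure mode of a permissive gate on a root shell is total.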
Documentation
Testing
The repository includes comprehensive testing utilities:
```bash
# Test NAT functionality
npx tsx scripts/test/test-nat-ssh.ts
# Test firewall rules
npx tsx scripts/test/test-rules.ts
# Test routing diagnostics
npx tsx scripts/test/test-routing.ts
# Run all tests
npm test
```
Development
Building from Source
```bash
git clone https://github.com/vespo92/OPNSenseMCP.git
cd OPNSenseMCP
npm install
npm run build
```
Project Structure
```
OPNSenseMCP/
├── src/            # Source code
│   ├── api/        # API client
│   ├── resources/  # Resource implementations
│   └── index.ts    # MCP server entry
├── docs/           # Documentation
├── scripts/        # Utility scripts
│   ├── test/       # Test scripts
│   ├── debug/      # Debug utilities
│   └── fixes/      # Fix scripts
└── dist/           # Build output
```
Troubleshooting
API Authentication Failed
Verify API key and secret are correct
Ensure API access is enabled in OPNsense
Check firewall rules allow API access
SSH Connection Failed
Verify SSH credentials in `.env`
Ensure SSH is enabled on OPNsense
Check user has appropriate privileges
NAT Features Not Working
NAT management requires SSH access
Add SSH credentials to environment variables
Test with:
```bash
npx tsx scripts/test/test-nat-ssh.ts
```
Contributing
Contributions are welcome! Please see CONTRIBUTING.md for guidelines.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Support
Issues: GitHub Issues
Discussions: GitHub Discussions
Documentation: Full Documentation
Acknowledgments
Built for use with Anthropic's Claude
Implements the Model Context Protocol
Designed for OPNsense firewall
Version: 0.8.2 | Status: Production Ready | Last Updated: August 2025