How do I install OPNsense MCP Server?

Install OPNsense MCP Server with a single command: npx mdskills install vespo92/opnsensemcp. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support OPNsense MCP Server?

OPNsense MCP Server works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

OPNsense MCP Server

Name: OPNsense MCP Server: AI Agent Skill
Rating: 8 (1 reviews)
Author: vespo92

Verified

Productivity & TasksIntermediate

A Model Context Protocol (MCP) server for comprehensive OPNsense firewall management. This server enables AI assistants like Claude to directly manage firewall configurations, diagnose network issues, and automate complex networking tasks. - Complete CRUD operations for firewall rules - Proper handling of API-created "automation rules" - Inter-VLAN routing configuration - Batch rule creation and m

by @vespo920Updated 2/24/2026

Add this skill

npx mdskills install vespo92/opnsensemcp

Fork & Edit

Skill Advisor8.0

Comprehensive MCP server with 50+ well-documented tools for OPNsense firewall management and diagnostics

+Provides extensive firewall, NAT, and network diagnostic capabilities with clear examples
+Includes strong setup documentation with multiple installation methods and configuration samples
+Offers appropriate tooling with auto-fix features for common networking issues
-Requires broad permissions (filesystem write, shell execution) that create significant security exposure

SKILL.md

Edit in Browser

1# OPNsense MCP Server
2 
3[![npm version](https://badge.fury.io/js/opnsense-mcp-server.svg)](https://www.npmjs.com/package/opnsense-mcp-server)
4[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
5 
6A Model Context Protocol (MCP) server for comprehensive OPNsense firewall management. This server enables AI assistants like Claude to directly manage firewall configurations, diagnose network issues, and automate complex networking tasks.
7 
8## Features
9 
10### 🔥 Firewall Management
11- Complete CRUD operations for firewall rules
12- Proper handling of API-created "automation rules"
13- Inter-VLAN routing configuration
14- Batch rule creation and management
15- Enhanced persistence with multiple fallback methods
16 
17### 🌐 NAT Configuration (SSH-based)
18- Outbound NAT rule management
19- NAT mode control (automatic/hybrid/manual/disabled)
20- No-NAT exception rules for inter-VLAN traffic
21- Automated DMZ NAT issue resolution
22- Direct XML configuration manipulation
23 
24### 🔍 Network Diagnostics
25- Comprehensive routing analysis
26- ARP table inspection with vendor identification
27- Interface configuration management
28- Network connectivity troubleshooting
29- Auto-fix capabilities for common issues
30 
31### 🖥️ SSH/CLI Execution
32- Direct command execution on OPNsense
33- Configuration file manipulation
34- System-level operations not available via API
35- Service management and restarts
36 
37### 📊 Additional Capabilities
38- VLAN management
39- DHCP lease viewing and management
40- DNS blocklist configuration
41- HAProxy load balancer support
42- Configuration backup and restore
43- Infrastructure as Code support
44 
45## Installation
46 
47### Prerequisites
48- Node.js 18+ or Bun 1.0+
49- OPNsense firewall (v24.7+ recommended)
50- API credentials for OPNsense
51- SSH access (optional, for advanced features)
52 
53### Quick Start with npm
54 
551. Install the package:
56```bash
57npm install -g opnsense-mcp-server
58```
59 
602. Create a `.env` file with your credentials:
61```bash
62# Required
63OPNSENSE_HOST=https://your-opnsense-host:port
64OPNSENSE_API_KEY=your-api-key
65OPNSENSE_API_SECRET=your-api-secret
66OPNSENSE_VERIFY_SSL=false
67 
68# Optional - for SSH features
69OPNSENSE_SSH_HOST=your-opnsense-host
70OPNSENSE_SSH_USERNAME=root
71OPNSENSE_SSH_PASSWORD=your-password
72# Or use SSH key
73# OPNSENSE_SSH_KEY_PATH=~/.ssh/id_rsa
74```
75 
763. Start the MCP server:
77```bash
78opnsense-mcp-server
79```
80 
81### Quick Start with Bun (Faster)
82 
83[Bun](https://bun.sh) provides significantly faster startup times and better performance.
84 
851. Install Bun (if not already installed):
86```bash
87curl -fsSL https://bun.sh/install | bash
88```
89 
902. Clone and install:
91```bash
92git clone https://github.com/vespo92/OPNSenseMCP.git
93cd OPNSenseMCP
94bun install
95```
96 
973. Create your `.env` file (same as npm version above)
98 
994. Run with Bun:
100```bash
101# Development with hot reload
102bun run dev:bun
103 
104# Production
105bun run start:bun
106```
107 
108### Using Bun with Claude Desktop
109 
110```json
111{
112  "mcpServers": {
113    "opnsense": {
114      "command": "bun",
115      "args": ["run", "/path/to/OPNSenseMCP/src/index.ts"],
116      "env": {
117        "OPNSENSE_HOST": "https://your-opnsense:port",
118        "OPNSENSE_API_KEY": "your-key",
119        "OPNSENSE_API_SECRET": "your-secret",
120        "OPNSENSE_VERIFY_SSL": "false"
121      }
122    }
123  }
124}
125```
126 
127## Usage with Claude Desktop (npm)
128 
129Add to your Claude Desktop configuration (`claude_desktop_config.json`):
130 
131```json
132{
133  "mcpServers": {
134    "opnsense": {
135      "command": "npx",
136      "args": ["opnsense-mcp-server"],
137      "env": {
138        "OPNSENSE_HOST": "https://your-opnsense:port",
139        "OPNSENSE_API_KEY": "your-key",
140        "OPNSENSE_API_SECRET": "your-secret",
141        "OPNSENSE_VERIFY_SSL": "false"
142      }
143    }
144  }
145}
146```
147 
148## Common Use Cases
149 
150### Fix DMZ NAT Issues
151```javascript
152// Automatically fix DMZ to LAN routing
153await mcp.call('nat_fix_dmz', {
154  dmzNetwork: '10.0.6.0/24',
155  lanNetwork: '10.0.0.0/24'
156});
157```
158 
159### Create Firewall Rules
160```javascript
161// Allow NFS from DMZ to NAS
162await mcp.call('firewall_create_rule', {
163  action: 'pass',
164  interface: 'opt8',
165  source: '10.0.6.0/24',
166  destination: '10.0.0.14/32',
167  protocol: 'tcp',
168  destination_port: '2049',
169  description: 'Allow NFS from DMZ'
170});
171```
172 
173### Diagnose Routing Issues
174```javascript
175// Run comprehensive routing diagnostics
176await mcp.call('routing_diagnostics', {
177  sourceNetwork: '10.0.6.0/24',
178  destNetwork: '10.0.0.0/24'
179});
180```
181 
182### Execute CLI Commands
183```javascript
184// Run any OPNsense CLI command
185await mcp.call('system_execute_command', {
186  command: 'pfctl -s state | grep 10.0.6'
187});
188```
189 
190## MCP Tools Reference
191 
192The server provides 50+ MCP tools organized by category:
193 
194### Firewall Tools
195- `firewall_list_rules` - List all firewall rules
196- `firewall_create_rule` - Create a new rule
197- `firewall_update_rule` - Update existing rule
198- `firewall_delete_rule` - Delete a rule
199- `firewall_apply_changes` - Apply pending changes
200 
201### NAT Tools
202- `nat_list_outbound` - List outbound NAT rules
203- `nat_set_mode` - Set NAT mode
204- `nat_create_outbound_rule` - Create NAT rule
205- `nat_fix_dmz` - Fix DMZ NAT issues
206- `nat_analyze_config` - Analyze NAT configuration
207 
208### Network Tools
209- `arp_list` - List ARP table entries
210- `routing_diagnostics` - Diagnose routing issues
211- `routing_fix_all` - Auto-fix routing problems
212- `interface_list` - List network interfaces
213- `vlan_create` - Create VLAN
214 
215### System Tools
216- `system_execute_command` - Execute CLI command
217- `backup_create` - Create configuration backup
218- `service_restart` - Restart a service
219 
220For a complete list, see [docs/api/mcp-tools.md](docs/api/mcp-tools.md).
221 
222## Documentation
223 
224- [Quick Start Guide](docs/guides/quick-start.md)
225- [Configuration Guide](docs/guides/configuration.md)
226- [NAT Management](docs/features/nat.md)
227- [SSH/CLI Execution](docs/features/ssh.md)
228- [Firewall Rules](docs/features/firewall.md)
229- [Troubleshooting](docs/guides/troubleshooting.md)
230 
231## Testing
232 
233The repository includes comprehensive testing utilities:
234 
235```bash
236# Test NAT functionality
237npx tsx scripts/test/test-nat-ssh.ts
238 
239# Test firewall rules
240npx tsx scripts/test/test-rules.ts
241 
242# Test routing diagnostics
243npx tsx scripts/test/test-routing.ts
244 
245# Run all tests
246npm test
247```
248 
249## Development
250 
251### Building from Source
252```bash
253git clone https://github.com/vespo92/OPNSenseMCP.git
254cd OPNSenseMCP
255npm install
256npm run build
257```
258 
259### Project Structure
260```
261OPNSenseMCP/
262├── src/                 # Source code
263│   ├── api/            # API client
264│   ├── resources/      # Resource implementations
265│   └── index.ts        # MCP server entry
266├── docs/               # Documentation
267├── scripts/            # Utility scripts
268│   ├── test/          # Test scripts
269│   ├── debug/         # Debug utilities
270│   └── fixes/         # Fix scripts
271└── dist/               # Build output
272```
273 
274## Troubleshooting
275 
276### API Authentication Failed
277- Verify API key and secret are correct
278- Ensure API access is enabled in OPNsense
279- Check firewall rules allow API access
280 
281### SSH Connection Failed
282- Verify SSH credentials in `.env`
283- Ensure SSH is enabled on OPNsense
284- Check user has appropriate privileges
285 
286### NAT Features Not Working
287- NAT management requires SSH access
288- Add SSH credentials to environment variables
289- Test with: `npx tsx scripts/test/test-nat-ssh.ts`
290 
291## Contributing
292 
293Contributions are welcome! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
294 
295## License
296 
297This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
298 
299## Support
300 
301- **Issues**: [GitHub Issues](https://github.com/vespo92/OPNSenseMCP/issues)
302- **Discussions**: [GitHub Discussions](https://github.com/vespo92/OPNSenseMCP/discussions)
303- **Documentation**: [Full Documentation](docs/)
304 
305## Acknowledgments
306 
307- Built for use with [Anthropic's Claude](https://claude.ai)
308- Implements the [Model Context Protocol](https://modelcontextprotocol.io)
309- Designed for [OPNsense](https://opnsense.org) firewall
310 
311---
312 
313**Version**: 0.8.2 | **Status**: Production Ready | **Last Updated**: August 2025
314

Full transparency — inspect the skill content before installing.