OPNSense MCP Server

196 tools. 121 can modify or destroy data without limits.

23 destructive tools with no built-in limits. Policy required.


Community server · catalogue entry verified 11/06/2026

Read (75) · Write / Execute (98) · Destructive / Financial (23)
Risk rating: Critical Risk

121 of OPNSense MCP Server's 196 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

PolicyLayer is an MCP gateway — it sits between your AI agents and OPNSense MCP Server, and nothing reaches the server without passing your rules. These are the rules we recommend:

Deny destructive operations
{
  "acme_delete_action": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "macro_start_recording": {
    "limits": [
      {
        "counter": "macro_start_recording_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "acme_get_settings": {
    "limits": [
      {
        "counter": "acme_get_settings_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register OPNSense MCP Server — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.

Free to start. No card required.

EXECUTE 33 tools

acme_renew_certificate: Trigger manual renewal of a specific certificate
cli_execute: Execute a CLI command on OPNsense for advanced configuration
haproxy_service_control: Control HAProxy service (start, stop, restart, reload)
ids_restart: Restart IDS/IPS service
ids_start: Start IDS/IPS service
ids_stop: Stop IDS/IPS service
routing_diagnostics: Run comprehensive inter-VLAN routing diagnostics
ssh_batch_execute: Execute multiple commands in sequence via SSH
ssh_execute: Execute arbitrary command via SSH on OPNsense (full CLI access)
acme_sign_certificate: Issue/sign a certificate (initial creation or re-issue)
cert_letsencrypt_request: Request a Let\
cli_check_nfs: Check NFS connectivity from DMZ
cli_fix_dmz_routing: Comprehensive DMZ routing fix via CLI
cli_fix_interface_blocking: Fix interface blocking settings via CLI (for DMZ routing issues)
cli_reload_firewall: Reload firewall rules via CLI
ids_block_ip: Block an IP address detected by IDS
macro_play: Play a saved macro
nat_quick_fix_dmz: Quick fix for DMZ NAT issue with minimal configuration
routing_fix_all: Automatically fix all detected inter-VLAN routing issues
ssh_check_nfs_connectivity: Check NFS connectivity from OPNsense
ssh_fix_dmz_routing: Apply comprehensive DMZ routing fix via SSH
ssh_fix_interface_blocking: Fix interface blocking settings via SSH (resolves DMZ routing issues)
ssh_quick_dmz_fix: Apply quick DMZ fix (streamlined version)
ssh_reload_firewall: Reload firewall rules via SSH
ssh_test_vlan_connectivity: Test connectivity between VLANs
cli_apply_changes: Apply all configuration changes via CLI
firewall_apply_changes: Apply pending firewall changes
iac_apply_deployment: Apply a deployment plan
iac_plan_deployment: Plan infrastructure deployment changes
macro_generate_tool: Generate an MCP tool definition from a macro
nat_apply_changes: Apply NAT configuration changes
openvpn_disconnect_client: Disconnect a specific VPN client
traffic_apply_changes: Apply traffic shaper changes

WRITE 65 tools

macro_start_recording: Start recording API calls to create a macro
macro_stop_recording: Stop recording and save the macro
block_multiple_domains: Block multiple domains at once
firewall_toggle_rule: Toggle a firewall rule enabled/disabled
group_devices: Group devices together (e.g., all devices belonging to one person)
nat_fix_dmz: Fix DMZ NAT issue - adds no-NAT rules for inter-VLAN traffic
toggle_blocklist_entry: Enable/disable a DNS blocklist entry
toggle_firewall_rule: Toggle firewall rule enabled/disabled
acme_add_action: Create a new ACME automation action (restart HAProxy, restart web UI, SFTP upload, SSH command, etc.)
acme_update_certificate: Update certificate settings (renewal interval, restart actions, enable/disable, description)
add_dnsbl_subscription: Add a DNSBL subscription list (e.g. OISD, Hagezi, Abuse.ch ThreatFox)
apply_blocklist_category: Apply a predefined category of domain blocks
applyResource: Apply a single resource (create, update, or delete)
block_domain: Add a domain to the DNS blocklist
cert_generate_csr: Generate a Certificate Signing Request
cert_import: Import a certificate
configure: Configure OPNsense connection
create_backup: Create a configuration backup
create_firewall_preset: Create a firewall rule from a preset
create_firewall_rule: Create a new firewall rule
create_vlan: Create a new VLAN
firewall_create_rule: Create a new firewall rule
firewall_update_rule: Update an existing firewall rule
haproxy_acl_create: Create an ACL for HAProxy frontend. Supports all OPNsense HAProxy ACL expression types including SNI matching
haproxy_acl_update: Update an existing HAProxy ACL
haproxy_action_create: Create an action for HAProxy frontend. Supports all OPNsense HAProxy action types including tcp-request for SN
haproxy_action_update: Update an existing HAProxy action
haproxy_backend_create: Create a new HAProxy backend
haproxy_backend_update: Update an existing HAProxy backend configuration
haproxy_certificate_create: Create a certificate for HAProxy
haproxy_frontend_create: Create a new HAProxy frontend
haproxy_frontend_update: Update an existing HAProxy frontend configuration
haproxy_server_add: Add a server to an HAProxy backend
haproxy_server_update: Update an existing HAProxy server
ids_disable_rule_set: Disable a rule set
ids_enable_rule_set: Enable a rule set
ids_update_rules: Update IDS/IPS rule sets
interface_configure_dmz: Configure DMZ interface for inter-VLAN routing
interface_enable_intervlan_all: Enable inter-VLAN routing on all interfaces
interface_enable_intervlan_routing: Enable inter-VLAN routing on a specific interface
interface_update_config: Update interface configuration
macro_import: Import macros from a file
monit_add_alert: Add a new Monit alert recipient (email address for notifications)
monit_add_service: Add a new Monit monitored service (process, host, custom script, filesystem, network, etc.)
monit_add_test: Add a new Monit test condition (CPU, memory, disk, custom, etc.)
monit_update_alert: Update an existing Monit alert recipient
monit_update_service: Update an existing Monit service
monit_update_test: Update an existing Monit test
nat_create_outbound_rule: Create an outbound NAT rule
nat_create_port_forward: Create a port forward rule
nat_set_mode: Set NAT mode (automatic, hybrid, manual, disabled)
openvpn_create_server: Create a new OpenVPN server instance
routing_create_intervlan_rules: Create firewall rules for inter-VLAN routing
ssh_enable_intervlan_routing: Enable inter-VLAN routing via SSH
ssh_restore_config: Restore OPNsense configuration via SSH
system_enable_intervlan_routing: Enable inter-VLAN routing at the system level
system_update_firewall_settings: Update system firewall settings
traffic_create_pipe: Create a traffic shaper pipe
traffic_create_queue: Create a traffic shaper queue
traffic_create_rule: Create a traffic shaper rule
traffic_update_pipe: Update a traffic shaper pipe
update_device_name: Update friendly name for a device
update_dnsbl_subscription: Update a DNSBL subscription entry (change lists, enable/disable, update description)
update_firewall_rule: Update a firewall rule
update_vlan: Update VLAN description

READ 75 tools

acme_get_settings: Get full ACME/Let\
cert_check_expiry: Check certificate expiration status
cert_get: Get certificate details
cert_letsencrypt_renew: Renew a Let\
cert_list: List all certificates
cli_show_routing: Show routing table via CLI
find_arp_by_hostname: Find ARP entries by hostname pattern
find_arp_by_interface: Find ARP entries on specific interface
find_arp_by_ip: Find ARP entries by IP address or subnet
find_arp_by_mac: Find ARP entries by MAC address
find_device_by_mac: Find device by MAC address
find_device_by_name: Find devices by hostname pattern
find_devices_on_vlan: Find devices on specific VLAN
find_firewall_rules: Find firewall rules by description
firewall_get_rule: Get a specific firewall rule by UUID
firewall_list_rules: List all firewall rules
get_arp_stats: Get ARP table statistics
get_devices_by_interface: Group devices by network interface
get_firewall_rule: Get firewall rule details
get_guest_devices: Get all devices on guest network (VLAN 4)
get_interfaces: List available network interfaces
get_vlan: Get VLAN details
haproxy_backend_get: Get detailed information about a specific HAProxy backend by UUID
haproxy_backend_health: Get health status of a specific backend
haproxy_backend_list: List all HAProxy backends
haproxy_certificate_list: List available certificates for HAProxy
haproxy_frontend_get: Get detailed information about a specific HAProxy frontend by UUID
haproxy_frontend_list: List all HAProxy frontends
haproxy_stats: Get HAProxy statistics
iac_list_resource_types: List available resource types
ids_get_alert: Get detailed alert information
ids_get_statistics: Get IDS/IPS statistics
ids_get_status: Get IDS/IPS service status
ids_list_alerts: List recent IDS alerts
ids_list_rule_sets: List available rule sets
interface_get_config: Get detailed configuration for a specific interface
interface_list_overview: List all network interfaces with their overview
list_arp_entries: List all ARP table entries
list_available_dnsbl: List all available DNSBL subscription lists (e.g. OISD, Hagezi, Abuse.ch)
list_backups: List available backups
list_dhcp_leases: List all DHCP leases
list_dns_blocklist: List all DNS blocklist entries
list_firewall_rules: List all firewall rules
list_vlans: List all VLANs
macro_analyze: Analyze a macro to detect patterns and parameters
macro_list: List all saved macros
monit_get_settings: Get full Monit configuration (general settings, services, tests, alerts)
monit_status: Get Monit live status — shows if Monit is running and the state of all monitored services
monitoring_get_cpu_usage: Get CPU usage statistics
monitoring_get_disk_usage: Get disk usage statistics
monitoring_get_memory_usage: Get memory usage statistics
monitoring_get_metrics: Get current system metrics
monitoring_get_network_stats: Get network interface statistics
nat_analyze_config: Analyze NAT configuration for issues
nat_get_mode: Get current NAT mode (automatic, hybrid, manual, disabled)
nat_list_outbound: List all outbound NAT rules
nat_list_port_forwards: List all port forward rules
network_query: Query network devices using natural language
openvpn_get_connections: Get active OpenVPN connections
openvpn_list_clients: List all OpenVPN client configurations
openvpn_list_servers: List all OpenVPN server instances
routing_fix_dmz: Quick fix for DMZ to LAN routing (includes NFS rules)
search_dns_blocklist: Search DNS blocklist entries
ssh_backup_config: Backup OPNsense configuration via SSH
ssh_show_pf_rules: Show packet filter rules via SSH
ssh_show_routing: Show routing table via SSH
ssh_system_status: Get comprehensive system status via SSH
sync_network_data: Sync network data from OPNsense
system_get_settings: Get system-level firewall and routing settings
test_connection: Test API connection and authentication
traffic_get_statistics: Get traffic shaper statistics
traffic_list_pipes: List traffic shaper pipes (bandwidth limiters)
traffic_list_queues: List traffic shaper queues
traffic_list_rules: List traffic shaper rules
macro_export: Export all macros to a file


Can an AI agent delete data through the OPNSense MCP Server?

Yes. The OPNSense MCP Server exposes 23 destructive tools, including acme_delete_action, acme_revoke_certificate and cert_delete. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through OPNSense MCP Server?

The OPNSense MCP Server has 65 write tools, including macro_start_recording, macro_stop_recording and block_multiple_domains. Set a rate limit in your policy: for example, a limit of 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach OPNSense MCP Server.

How many tools does the OPNSense MCP Server expose?

196 tools across 4 categories: Destructive, Execute, Read, Write. 75 are read-only. 121 can modify, create, or delete data.

How do I enforce a policy on OPNSense MCP Server?

Register the OPNSense MCP Server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every OPNSense MCP Server tool call.

Deterministic rules across all 196 OPNSense MCP Server tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.


196 OPNSense MCP Server tools catalogued and risk-classified — across an index of 42,500+ MCP servers.
