OPNSense MCP Server MCP Server: 196 Tools with Risk Policies

// ALL 196 OPNSENSE MCP SERVER TOOLS

READ 75 tools

Read acme_get_settings Get full ACME/Let\ Read cert_check_expiry Check certificate expiration status Read cert_get Get certificate details Read cert_letsencrypt_renew Renew a Let\ Read cert_list List all certificates Read cli_show_routing Show routing table via CLI Read find_arp_by_hostname Find ARP entries by hostname pattern Read find_arp_by_interface Find ARP entries on specific interface Read find_arp_by_ip Find ARP entries by IP address or subnet Read find_arp_by_mac Find ARP entries by MAC address Read find_device_by_mac Find device by MAC address Read find_device_by_name Find devices by hostname pattern Read find_devices_on_vlan Find devices on specific VLAN Read find_firewall_rules Find firewall rules by description Read firewall_get_rule Get a specific firewall rule by UUID Read firewall_list_rules List all firewall rules Read get_arp_stats Get ARP table statistics Read get_devices_by_interface Group devices by network interface Read get_firewall_rule Get firewall rule details Read get_guest_devices Get all devices on guest network (VLAN 4) Read get_interfaces List available network interfaces Read get_vlan Get VLAN details Read haproxy_backend_get Get detailed information about a specific HAProxy backend by UUID Read haproxy_backend_health Get health status of a specific backend Read haproxy_backend_list List all HAProxy backends Read haproxy_certificate_list List available certificates for HAProxy Read haproxy_frontend_get Get detailed information about a specific HAProxy frontend by UUID Read haproxy_frontend_list List all HAProxy frontends Read haproxy_stats Get HAProxy statistics Read iac_list_resource_types List available resource types Read ids_get_alert Get detailed alert information Read ids_get_statistics Get IDS/IPS statistics Read ids_get_status Get IDS/IPS service status Read ids_list_alerts List recent IDS alerts Read ids_list_rule_sets List available rule sets Read interface_get_config Get detailed configuration for a specific interface Read interface_list_overview List all network interfaces with their overview Read list_arp_entries List all ARP table entries Read list_available_dnsbl List all available DNSBL subscription lists (e.g. OISD, Hagezi, Abuse.ch) Read list_backups List available backups Read list_dhcp_leases List all DHCP leases Read list_dns_blocklist List all DNS blocklist entries Read list_firewall_rules List all firewall rules Read list_vlans List all VLANs Read macro_analyze Analyze a macro to detect patterns and parameters Read macro_list List all saved macros Read monit_get_settings Get full Monit configuration (general settings, services, tests, alerts) Read monit_status Get Monit live status — shows if Monit is running and the state of all monitored services Read monitoring_get_cpu_usage Get CPU usage statistics Read monitoring_get_disk_usage Get disk usage statistics Read monitoring_get_memory_usage Get memory usage statistics Read monitoring_get_metrics Get current system metrics Read monitoring_get_network_stats Get network interface statistics Read nat_analyze_config Analyze NAT configuration for issues Read nat_get_mode Get current NAT mode (automatic, hybrid, manual, disabled) Read nat_list_outbound List all outbound NAT rules Read nat_list_port_forwards List all port forward rules Read network_query Query network devices using natural language Read openvpn_get_connections Get active OpenVPN connections Read openvpn_list_clients List all OpenVPN client configurations Read openvpn_list_servers List all OpenVPN server instances Read routing_fix_dmz Quick fix for DMZ to LAN routing (includes NFS rules) Read search_dns_blocklist Search DNS blocklist entries Read ssh_backup_config Backup OPNsense configuration via SSH Read ssh_show_pf_rules Show packet filter rules via SSH Read ssh_show_routing Show routing table via SSH Read ssh_system_status Get comprehensive system status via SSH Read sync_network_data Sync network data from OPNsense Read system_get_settings Get system-level firewall and routing settings Read test_connection Test API connection and authentication Read traffic_get_statistics Get traffic shaper statistics Read traffic_list_pipes List traffic shaper pipes (bandwidth limiters) Read traffic_list_queues List traffic shaper queues Read traffic_list_rules List traffic shaper rules Read macro_export Export all macros to a file

WRITE 65 tools

Write macro_start_recording Start recording API calls to create a macro Write macro_stop_recording Stop recording and save the macro Write block_multiple_domains Block multiple domains at once Write firewall_toggle_rule Toggle a firewall rule enabled/disabled Write group_devices Group devices together (e.g., all devices belonging to one person) Write nat_fix_dmz Fix DMZ NAT issue - adds no-NAT rules for inter-VLAN traffic Write toggle_blocklist_entry Enable/disable a DNS blocklist entry Write toggle_firewall_rule Toggle firewall rule enabled/disabled Write acme_add_action Create a new ACME automation action (restart HAProxy, restart web UI, SFTP upload, SSH command, etc.) Write acme_update_certificate Update certificate settings (renewal interval, restart actions, enable/disable, description) Write add_dnsbl_subscription Add a DNSBL subscription list (e.g. OISD, Hagezi, Abuse.ch ThreatFox) Write apply_blocklist_category Apply a predefined category of domain blocks Write applyResource Apply a single resource (create, update, or delete) Write block_domain Add a domain to the DNS blocklist Write cert_generate_csr Generate a Certificate Signing Request Write cert_import Import a certificate Write configure Configure OPNsense connection Write create_backup Create a configuration backup Write create_firewall_preset Create a firewall rule from a preset Write create_firewall_rule Create a new firewall rule Write create_vlan Create a new VLAN Write firewall_create_rule Create a new firewall rule Write firewall_update_rule Update an existing firewall rule Write haproxy_acl_create Create an ACL for HAProxy frontend. Supports all OPNsense HAProxy ACL expression types including SNI matchi... Write haproxy_acl_update Update an existing HAProxy ACL Write haproxy_action_create Create an action for HAProxy frontend. Supports all OPNsense HAProxy action types including tcp-request for... Write haproxy_action_update Update an existing HAProxy action Write haproxy_backend_create Create a new HAProxy backend Write haproxy_backend_update Update an existing HAProxy backend configuration Write haproxy_certificate_create Create a certificate for HAProxy Write haproxy_frontend_create Create a new HAProxy frontend Write haproxy_frontend_update Update an existing HAProxy frontend configuration Write haproxy_server_add Add a server to an HAProxy backend Write haproxy_server_update Update an existing HAProxy server Write ids_disable_rule_set Disable a rule set Write ids_enable_rule_set Enable a rule set Write ids_update_rules Update IDS/IPS rule sets Write interface_configure_dmz Configure DMZ interface for inter-VLAN routing Write interface_enable_intervlan_all Enable inter-VLAN routing on all interfaces Write interface_enable_intervlan_routing Enable inter-VLAN routing on a specific interface Write interface_update_config Update interface configuration Write macro_import Import macros from a file Write monit_add_alert Add a new Monit alert recipient (email address for notifications) Write monit_add_service Add a new Monit monitored service (process, host, custom script, filesystem, network, etc.) Write monit_add_test Add a new Monit test condition (CPU, memory, disk, custom, etc.) Write monit_update_alert Update an existing Monit alert recipient Write monit_update_service Update an existing Monit service Write monit_update_test Update an existing Monit test Write nat_create_outbound_rule Create an outbound NAT rule Write nat_create_port_forward Create a port forward rule Write nat_set_mode Set NAT mode (automatic, hybrid, manual, disabled) Write openvpn_create_server Create a new OpenVPN server instance Write routing_create_intervlan_rules Create firewall rules for inter-VLAN routing Write ssh_enable_intervlan_routing Enable inter-VLAN routing via SSH Write ssh_restore_config Restore OPNsense configuration via SSH Write system_enable_intervlan_routing Enable inter-VLAN routing at the system level Write system_update_firewall_settings Update system firewall settings Write traffic_create_pipe Create a traffic shaper pipe Write traffic_create_queue Create a traffic shaper queue Write traffic_create_rule Create a traffic shaper rule Write traffic_update_pipe Update a traffic shaper pipe Write update_device_name Update friendly name for a device Write update_dnsbl_subscription Update a DNSBL subscription entry (change lists, enable/disable, update description) Write update_firewall_rule Update a firewall rule Write update_vlan Update VLAN description

DESTRUCTIVE 23 tools

Destructive acme_delete_action Delete an ACME automation action Destructive acme_revoke_certificate Revoke a certificate Destructive cert_delete Delete a certificate Destructive delete_firewall_rule Delete a firewall rule Destructive delete_vlan Delete a VLAN Destructive firewall_delete_rule Delete a firewall rule Destructive haproxy_acl_delete Delete an HAProxy ACL Destructive haproxy_action_delete Delete an HAProxy action Destructive haproxy_backend_delete Delete an HAProxy backend Destructive haproxy_frontend_delete Delete an HAProxy frontend Destructive haproxy_server_delete Delete an HAProxy server Destructive iac_destroy_deployment Destroy deployed resources Destructive macro_delete Delete a saved macro Destructive monit_delete_alert Delete a Monit alert recipient Destructive monit_delete_service Delete a Monit monitored service Destructive monit_delete_test Delete a Monit test Destructive nat_cleanup_dmz_fix Remove all MCP-created NAT fix rules Destructive nat_delete_outbound_rule Delete an outbound NAT rule by description (SSH mode) or UUID (API mode) Destructive nat_delete_port_forward Delete a port forward rule Destructive remove_dnsbl_subscription Remove a DNSBL subscription list. Deletes the entry if no lists remain. Destructive traffic_delete_pipe Delete a traffic shaper pipe Destructive unblock_domain Remove a domain from the DNS blocklist Destructive restore_backup Restore a configuration backup

EXECUTE 33 tools

Execute acme_renew_certificate Trigger manual renewal of a specific certificate Execute cli_execute Execute a CLI command on OPNsense for advanced configuration Execute haproxy_service_control Control HAProxy service (start, stop, restart, reload) Execute ids_restart Restart IDS/IPS service Execute ids_start Start IDS/IPS service Execute ids_stop Stop IDS/IPS service Execute routing_diagnostics Run comprehensive inter-VLAN routing diagnostics Execute ssh_batch_execute Execute multiple commands in sequence via SSH Execute ssh_execute Execute arbitrary command via SSH on OPNsense (full CLI access) Execute acme_sign_certificate Issue/sign a certificate (initial creation or re-issue) Execute cert_letsencrypt_request Request a Let\ Execute cli_check_nfs Check NFS connectivity from DMZ Execute cli_fix_dmz_routing Comprehensive DMZ routing fix via CLI Execute cli_fix_interface_blocking Fix interface blocking settings via CLI (for DMZ routing issues) Execute cli_reload_firewall Reload firewall rules via CLI Execute ids_block_ip Block an IP address detected by IDS Execute macro_play Play a saved macro Execute nat_quick_fix_dmz Quick fix for DMZ NAT issue with minimal configuration Execute routing_fix_all Automatically fix all detected inter-VLAN routing issues Execute ssh_check_nfs_connectivity Check NFS connectivity from OPNsense Execute ssh_fix_dmz_routing Apply comprehensive DMZ routing fix via SSH Execute ssh_fix_interface_blocking Fix interface blocking settings via SSH (resolves DMZ routing issues) Execute ssh_quick_dmz_fix Apply quick DMZ fix (streamlined version) Execute ssh_reload_firewall Reload firewall rules via SSH Execute ssh_test_vlan_connectivity Test connectivity between VLANs Execute cli_apply_changes Apply all configuration changes via CLI Execute firewall_apply_changes Apply pending firewall changes Execute iac_apply_deployment Apply a deployment plan Execute iac_plan_deployment Plan infrastructure deployment changes Execute macro_generate_tool Generate an MCP tool definition from a macro Execute nat_apply_changes Apply NAT configuration changes Execute openvpn_disconnect_client Disconnect a specific VPN client Execute traffic_apply_changes Apply traffic shaper changes

// FAQ

How many tools does the OPNSense MCP Server MCP server have? +

The OPNSense MCP Server MCP server exposes 196 tools across 4 categories: Read, Write, Destructive, Execute.

How do I enforce policies on OPNSense MCP Server tools? +

Route the OPNSense MCP Server server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard; they are enforced on every call before it reaches the server.

What risk categories do OPNSense MCP Server tools fall into? +

OPNSense MCP Server tools are categorised as Read (75), Write (65), Destructive (23), Execute (33). Each category has a recommended default policy.

Enforce policy on every OPNSense MCP Server tool call.

Deterministic rules across all 196 OPNSense MCP Server tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

GOVERN OPNSENSE →

Free to start. No card required.

42,500+ MCP servers and 110,000+ tools scanned and risk-classified.