
pfSense MCP Server
โ 73from gensecaihq
Enables natural language interaction with pfSense firewalls through GenAI applications.
pfSense MCP Server
Manage your pfSense firewall with natural language. 327 tools. 9 layers of safety. One command to start.
You: "Block all traffic from 203.0.113.5 on WAN"
Claude: Creates block rule โ applies changes โ confirms with rollback instructionspfSense MCP Server connects Claude Desktop, Claude Code, and other MCP-compatible AI clients to your pfSense firewall. Ask questions, diagnose issues, and manage your firewall โ all through conversation.
Why This Exists
Managing a pfSense firewall means clicking through web UI tabs, remembering field names, and hoping you don't fat-finger a rule that locks you out. With this MCP server, you describe what you want in plain English and the AI handles the REST API calls, validates inputs, and warns you before anything destructive happens.
What makes it different:
- Every destructive operation requires explicit confirmation and shows you exactly what will happen
- Automatic config backup before every delete/reboot โ with a one-line rollback command
- Rate limiting prevents runaway AI loops from flooding your firewall with rules
- Input sanitization blocks command injection, path traversal, and XSS in every parameter
What You Can Do
327 tools across every major pfSense subsystem:
| Domain | Tools | What You Can Do |
|---|---|---|
| Firewall Rules | 9 | Create, update, delete, reorder rules. Bulk block IPs. View compiled pf ruleset. |
| Aliases | 5 | Manage host/network/port/URL aliases. Add and remove addresses. |
| NAT | 16 | Port forwards, outbound NAT, 1:1 NAT โ full lifecycle management. |
| VPN | 51 | OpenVPN servers and clients, IPsec tunnels, WireGuard peers โ CRUD, status, apply. |
| Routing | 16 | Gateways, gateway groups, static routes, default gateway management. |
| DNS | 24 | Unbound resolver and dnsmasq forwarder: host overrides, domain overrides, access lists. |
| DHCP | 17 | Leases, static mappings, address pools, custom options, server config. |
| Certificates | 15 | Certs, CAs, CRLs โ generate, renew, export PKCS12. |
| Users | 12 | User accounts, groups, LDAP/RADIUS auth server config. |
| Interfaces | 14 | Interface config, VLANs, bridges, groups. |
| System | 44 | Status, settings, diagnostics, config history, reboot, ping. |
| Services | 14 | Start/stop/restart services. NTP, cron, SSH, service watchdog. |
| Logs | 3 | Firewall log analysis with parsed IPv4/IPv6 filterlog data. |
| Traffic Shaping | 12 | Shapers, queues, and limiters for bandwidth management. |
| Schedules | 8 | Time-based firewall rule scheduling. |
| Virtual IPs | 5 | CARP, ProxyARP, and IP Alias management. |
| Troubleshooting | 10 | Diagnose connectivity, blocked traffic, VPN, DHCP, DNS, HA. Full health report. |
| Packages | 43 | HAProxy, ACME/Let's Encrypt, BIND DNS, FreeRADIUS. |
| Utility | 9 | HATEOAS navigation, object ID management, guardrail status. |
Safety First
AI managing a production firewall needs guardrails. This server has 9 layers:
"Delete firewall rule 5"
1. CLASSIFY โ HIGH risk (destructive)
2. ALLOWLIST โ tool is permitted
3. SANITIZE โ parameters clean (no injection)
4. RATE LIMIT โ under 10 deletes/minute
5. DRY RUN? โ user can preview first
6. CONFIRM โ blocked until confirm=True
7. BACKUP โ config revision captured
8. EXECUTE โ API call made
9. AUDIT LOG โ action recorded with redacted params
Response includes:
"config_backup": {
"pre_change_revision_id": 42,
"rollback_instruction": "restore_config_backup(revision_id=42, confirm=True)"
}Every destructive operation (52 delete/reboot/halt tools) requires confirm=True. Every create and update operation (112 tools) is rate-limited and sanitized. Every sensitive parameter (passwords, keys, tokens) is redacted in logs and outputs.
You can also:
- Pass
dry_run=Trueto preview any destructive operation without executing - Pass
verify_descr="Allow HTTPS"to verify you're deleting the right rule (guards against ID shifts) - Set
MCP_READ_ONLY=trueto expose only 130 read-only tools (search, get, diagnose) - Set
MCP_ALLOWED_TOOLS=search_firewall_rules,get_firewall_logto restrict to specific tools
Supported pfSense Versions
| Version | REST API | Status |
|---|---|---|
| pfSense CE 2.8.1 | v2.7.3 | Verified |
| pfSense Plus 25.11 | v2.7.3 | Verified |
| pfSense CE 2.8.0 | v2.6.0+ | Supported |
| pfSense Plus 24.11 | v2.6.0+ | Supported |
Requires the pfSense REST API v2 package by jaredhendrickson13.
Authentication
Three methods supported (configure in .env):
| Method | Config | Best For |
|---|---|---|
| Basic Auth | AUTH_METHOD=basic + username/password | Quick setup, local users |
| API Key | AUTH_METHOD=api_key + key from System > REST API > Keys | Automation, service accounts |
| JWT | AUTH_METHOD=jwt + username/password | Short-lived tokens, auto-refresh |
Testing
python3 -m pytest tests/ -v # 323 tests
python3 -m pytest tests/ --cov=src # with coverageMCP Specification Compliance
Compliant with MCP 2025-11-25 (latest):
ToolAnnotationson all 327 tools (readOnlyHint, destructiveHint, idempotentHint)serverInfo.versionandinstructionsprovided- Origin header validation (MUST requirement)
- Bearer token auth with timing-safe comparison
- Default bind to localhost per spec SHOULD
- stdio and Streamable HTTP transports
Project Structure
src/
main.py Entry point
server.py FastMCP instance + API client
client.py pfSense REST API v2 HTTP client
guardrails.py 9-layer defense-in-depth system
helpers.py Validation, parsing, safety guards
models.py Data models
middleware.py HTTP auth + Origin validation
tools/ 34 tool modules (327 tools)
tests/ 323 testsuvx --from git+https://github.com/gensecaihq/pfsense-mcp-server pfsense-mcp-serverBefore it works, you'll need: PFSENSE_URLAUTH_METHODPFSENSE_USERNAMEPFSENSE_PASSWORDPFSENSE_VERSIONVERIFY_SSL
Quick Start
Prerequisites: Python 3.11+, pfSense with REST API v2 package installed
Option A โ run without cloning (uvx):
uvx --from git+https://github.com/gensecaihq/pfsense-mcp-server pfsense-mcp-serverOption B โ clone for development:
git clone https://github.com/gensecaihq/pfsense-mcp-server.git
cd pfsense-mcp-server
pip install -r requirements.txt
cp .env.example .env
# Edit .env: set PFSENSE_URL, AUTH_METHOD, and credentialsConnect to Claude Desktop โ add to ~/Library/Application Support/Claude/claude_desktop_config.json.
Using the installed entry point (Option A):
{
"mcpServers": {
"pfsense": {
"command": "uvx",
"args": ["--from", "git+https://github.com/gensecaihq/pfsense-mcp-server", "pfsense-mcp-server"],
"env": {
"PFSENSE_URL": "https://192.168.1.1",
"AUTH_METHOD": "basic",
"PFSENSE_USERNAME": "admin",
"PFSENSE_PASSWORD": "your-password",
"PFSENSE_VERSION": "CE_2_8_0",
"VERIFY_SSL": "false"
}
}
}
}Or running from a clone (Option B):
{
"mcpServers": {
"pfsense": {
"command": "python3",
"args": ["-m", "src.main"],
"cwd": "/path/to/pfsense-mcp-server",
"env": {
"PFSENSE_URL": "https://192.168.1.1",
"AUTH_METHOD": "basic",
"PFSENSE_USERNAME": "admin",
"PFSENSE_PASSWORD": "your-password",
"PFSENSE_VERSION": "CE_2_8_0",
"VERIFY_SSL": "false"
}
}
}
}Start talking to your firewall. Open Claude Desktop and ask:
- "Show me all blocked traffic in the last hour"
- "What services are running?"
- "Create a port forward for port 443 to 192.168.1.50"
- "Run a full system health check"
Deployment Options
stdio (default) โ for Claude Desktop and Claude Code:
python3 -m src.main # from a clone
pfsense-mcp-server # via the installed console entry point (pip/uvx/pipx)HTTP โ for remote access and multi-client setups:
python3 -m src.main -t streamable-http --port 3000Docker โ hardened container with read-only filesystem:
docker compose upContainer security: non-root user (mcp:1000), read-only filesystem, all capabilities dropped, noexec tmpfs, no-new-privileges.
Configuration
| Variable | Required | Default | Description |
|---|---|---|---|
PFSENSE_URL | Yes | โ | pfSense URL (e.g., https://192.168.1.1) |
AUTH_METHOD | api_key | api_key, basic, or jwt | |
PFSENSE_API_KEY | * | โ | REST API key |
PFSENSE_USERNAME | * | โ | pfSense username (for basic/jwt) |
PFSENSE_PASSWORD | * | โ | pfSense password (for basic/jwt) |
PFSENSE_VERSION | CE_2_8_0 | CE_2_8_0, CE_2_8_1, CE_26_03, PLUS_24_11, PLUS_25_11 | |
VERIFY_SSL | true | false for self-signed certificates | |
API_TIMEOUT | 30 | Request timeout in seconds | |
MCP_READ_ONLY | false | Only expose read-only tools |
All configuration options
| Variable | Default | Description |
|---|---|---|
ENABLE_HATEOAS | false | Enable HATEOAS links in API responses |
LOG_LEVEL | INFO | DEBUG, INFO, WARNING, ERROR |
MCP_TRANSPORT | stdio | stdio or streamable-http |
MCP_HOST | 127.0.0.1 | Bind address for HTTP mode |
MCP_PORT | 3000 | Port for HTTP mode |
MCP_API_KEY | โ | Bearer token for HTTP transport (required) |
MCP_ALLOWED_ORIGINS | localhost | Comma-separated allowed origins |
MCP_AUDIT_LOG | โ | Path to audit log file (JSON lines) |
MCP_RATE_LIMIT_DELETE | 10 | Max deletes per 60 seconds |
MCP_RATE_LIMIT_CREATE | 20 | Max creates per 60 seconds |
MCP_RATE_LIMIT_CRITICAL | 2 | Max critical ops per 300 seconds |
MCP_ALLOWED_TOOLS | all | Comma-separated tool allowlist |
MCP_ROLLBACK_BUFFER | 50 | Rollback entries kept in memory |
No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.
Licensed under MITโ you can use, modify, and redistribute it under that license's terms.