pfsense-mcp-server

Overview

This MCP server connects AI assistants like Claude Desktop to pfSense firewalls via REST/XML-RPC/SSH connections. It provides comprehensive access to firewall management capabilities while implementing robust safety measures including automatic backups, explicit confirmations for destructive operations, and input sanitization. The server supports multiple pfSense versions and authentication methods, making it suitable for diverse enterprise environments.

Try asking AI

After installing, here are 5 things you can ask your AI assistant:

• create_firewall_rule

  Creates a new firewall rule with specified action, interface, protocol, and source/destination

  Try:Create a firewall rule to block traffic from 203.0.113.5 on WANTry:Add a rule to allow HTTPS traffic to my server
• get_firewall_rules

  Retrieves current firewall rules with filtering options

  Try:Show me all firewall rulesTry:List blocked traffic rules on LAN interface
• create_port_forward

  Creates a new NAT port forward rule to redirect external traffic to internal hosts

  Try:Create a port forward for port 443 to 192.168.1.50Try:Forward SSH from external IP to my server
• start_openvpn_server

  Starts an OpenVPN server with specified configuration

  Try:Start the OpenVPN server for remote accessTry:Initialize VPN with client certificates
• create_static_route

  Adds a static route to the routing table

  Try:Add a static route for 10.10.0.0/24 via 192.168.1.1Try:Create route for remote network
• get_system_status

  Retrieves comprehensive system status including uptime, interfaces, and services

  Try:Show me system statusTry:Check if all services are running
• create_dns_override

  Creates a DNS override entry for specific hosts or domains

  Try:Override internal.example.com to 192.168.1.10Try:Block ads.example.com resolution
• run_system_health_check

  Performs a comprehensive health check of the pfSense system

  Try:Run a full system health checkTry:Check for any system issues
• add_dhcp_static_mapping

  Adds a static DHCP mapping for a specific MAC address

  Try:Add static mapping for server at 192.168.1.100Try:Reserve IP for printer with MAC AA:BB:CC:DD:EE:FF
• generate_self_signed_cert

  Generates a self-signed SSL certificate for internal services

  Try:Generate a self-signed certificate for HTTPSTry:Create certificate for VPN authentication
• block_ip

  Blocks a specific IP address at the firewall level

  Try:Block traffic from 203.0.113.5Try:Add 192.168.1.100 to block list
• run_pci_compliance_check

  Performs a PCI compliance check on firewall configuration

  Try:Run a PCI compliance checkTry:Check firewall rules for PCI compliance

Comparable tools

Installation

git clone https://github.com/gensecaihq/pfsense-mcp-server.git
cd pfsense-mcp-server
pip install -r requirements.txt
cp .env.example .env
# Edit .env: set PFSENSE_URL, AUTH_METHOD, and credentials

{
  "mcpServers": {
    "pfsense": {
      "command": "python3",
      "args": ["-m", "src.main"],
      "cwd": "/path/to/pfsense-mcp-server",
      "env": {
        "PFSENSE_URL": "https://192.168.1.1",
        "AUTH_METHOD": "basic",
        "PFSENSE_USERNAME": "admin",
        "PFSENSE_PASSWORD": "your-password",
        "PFSENSE_VERSION": "CE_2_8_0",
        "VERIFY_SSL": "false"
      }
    }
  }
}

FAQ

What safety measures does this server implement?

The server includes 9 layers of security: input sanitization, explicit confirmations for destructive operations, automatic config backups before changes, rate limiting to prevent runaway AI loops, and audit logging with redacted sensitive parameters.

Which pfSense versions are supported?

Verified versions include pfSense CE 2.8.1 and pfSense Plus 25.11 with REST API v2.7.3. Also supported are pfSense CE 2.8.0 and pfSense Plus 24.11 with REST API v2.6.0+.

Compare pfsense-mcp-server with