Opnsense Firewall

@dougschaefer/opnsense-firewall v2026.05.27.2 · 4d ago · MODELS
01 README

Full OPNsense management via REST API — system status, interfaces, DNS, tunables, services, firmware/plugins, firewall states, DHCP leases, ARP table, Tailscale, WireGuard, and raw API passthrough. Replaces MCP server.

02 Models 1
@dougschaefer/opnsense-firewall v2026.05.27.2 opnsense/firewall.ts
fn api(path: string, method: enum, body?: record)
Raw API passthrough — hit any OPNsense endpoint directly. Use for any operation not covered by a dedicated method. Path is relative to /api/ (e.g., 'tailscale/service/status').
Argument | Type | Description
path | string | API path after /api/ (e.g., 'core/firmware/status', 'tailscale/general/get')
method | enum | HTTP method — GET for reads, POST for writes/actions
body? | record | POST body as JSON object (omit for GET requests)
fn status()
Get system status: firmware version, CPU/memory usage, uptime, gateway health, and PF state table size.
fn reboot()
Reboot the OPNsense appliance. Network will drop for 60-90 seconds.
fn services()
List all services with their running state.
fn interfaces()
List all network interfaces with traffic counters, MTU, link rate, hardware offloads, and error counts.
fn dns()
Get Unbound DNS resolver statistics: query counts, cache hit rate, timeouts.
fn tunables()
List all system tunables (sysctls) with current and default values.
fn sync()
Refresh all OPNsense state into resources: system status, interfaces, gateways, DHCP leases, and ARP table.

Resources

status (1h) — OPNsense system status: firmware, CPU, memory, uptime, gateway health
interface (1h) — Network interface with traffic stats, MTU, link state, and hardware offloads
dns (1h) — Unbound DNS resolver statistics
tunable (1h) — System tunable (sysctl) with current and default values
api-response (1h) — Raw API response from any OPNsense endpoint
service (1h) — OPNsense service with running state
gateway (1h) — Gateway status with latency and packet loss
dhcp-lease (1h) — DHCP lease from dnsmasq or Kea
arp-entry (1h) — ARP table entry
firmware (1h) — Firmware and plugin information

03 Previous Versions 10
2026.05.27.1 · May 27, 2026

Modernization: idempotency, live pre-flight checks, sensitive-field marking, resource-write fixes per audit. No breaking API changes.

Modified 1 model

2026.05.26.1 · May 26, 2026

Align model version fields with manifest (2026.05.26.1); republish under swamp 20260526 conventions

2026.05.13.1 · May 13, 2026

Add JSDoc to model entrypoints to satisfy rubric v2 symbols-docs factor

2026.04.27.2 · Apr 27, 2026

Remove _client.ts from manifest entrypoint list — it's a shared helper, not a model. The Swamp Club quality scorer lints manifest entrypoints; including _client.ts there exposed slow-type errors and cost the fast-check factor (91% → 100%).

2026.04.27.1 · Apr 27, 2026

Add curated README and LICENSE to tarball (additionalFiles), bringing extension's Swamp Club quality grade from F/B to A-/B.

2026.04.13.1 · Apr 13, 2026

Add .meta({ sensitive: true }) to apiKey and apiSecret credentials

2026.04.04.1 · Apr 4, 2026

Full rebuild: 20 methods including raw API passthrough, Tailscale, WireGuard, firmware/plugin management, service control, ARP, DHCP, gateway health. Replaces MCP server.

Modified 1 model

2026.03.29.1 · Mar 29, 2026

Pin zod to 4.3.6

2026.03.28.1 · Mar 28, 2026

Remove MSP-specific language from description and labels

2026.03.27.2 · Mar 27, 2026

Initial release: system status, interface stats, DNS analytics, tunable management. Tested against OPNsense 26.1.2 on FreeBSD 14.

04 Stats
Quality grade: A, 100 / 100
Downloads: 9
Archive size: 21.8 KB
  • Has README or module doc: 2/2 earned
  • README has a code example: 1/1 earned
  • README is substantive: 1/1 earned
  • Most symbols documented: 1/1 earned
  • No slow types: 1/1 earned
  • Dependencies pass trust audit: 2/2 earned
  • Has description: 1/1 earned
  • Platform support declared (or universal): 2/2 earned
  • License declared: 1/1 earned
  • Verified public repository: 2/2 earned