--- title: "I Gave My AI Agent the Keys to My Network" date: 2026-03-03 description: "How I built an MCP server that lets my AI agent configure my firewall, manage VLANs, control smart home devices, and troubleshoot connectivity — all through natural language." tags: ["ai-hacks-on-tap","mcp","home-network","home-automation","agent-experience"] readingTime: "14 min read" url: https://alexmoening.com/dev-thoughts/i-gave-my-ai-agent-the-keys-to-my-network.html markdownUrl: https://alexmoening.com/dev-thoughts/i-gave-my-ai-agent-the-keys-to-my-network.md --- # I Gave My AI Agent the Keys to My Network [← Back to /dev/thoughts](/dev-thoughts/)

I built a single MCP server that gives my AI agent control over my entire home network — firewall rules, VLAN assignments, smart plugs, LED strips, and 235 Home Assistant entities. A task that used to mean juggling three SSH sessions and copy-pasting UUIDs now takes one sentence and thirty seconds.

### The Moment That Got Me I was migrating my home network to a proper VLAN-segmented setup — the kind of project where you're SSH'd into three different things simultaneously, cross-referencing MAC addresses in one terminal while editing firewall rules in another. It's the kind of work that makes you feel like a sysadmin in 2003, except now the stakes include your housemate's ability to stream Netflix. Halfway through, I realized my TV was on the wrong VLAN. To fix that manually, I'd need to:
Step Action System
1 Find the network configuration IDs SSH → Firewall
2 Log into the switch controller API with cookie-based auth REST → UniFi
3 Look up the device ID for the correct switch REST → UniFi
4 Find which port the TV is on REST → UniFi
5 Build a JSON payload that merges the new VLAN assignment with existing port overrides (without clobbering other ports) Manual JSON
6 Push the config and force-provision the switch REST → UniFi
7 Kick the device to get a new DHCP lease on the correct subnet SSH → Firewall
Instead, I said: *"Move the Sony TV on Switch B port 6 to the IoT VLAN."* The agent found the switch, identified the port, looked up the correct network ID, built the override payload, applied it, and provisioned the switch. Thirty seconds. No context switching. No copy-pasting UUIDs between terminals. That's when I knew this was worth writing about. ### What I Actually Built The setup is a single MCP (Model Context Protocol) server running as a Docker container on my NAS. It speaks to five different systems through their native protocols, and exposes everything as 45 tools through one HTTP endpoint. My AI coding agent connects to it and can control the entire home infrastructure through natural language.
Module Protocol Auth What It Manages
Firewall (pfSense) SSH ed25519 key Firewall rules, DHCP leases, ARP tables, static maps
Switch Controller (UniFi) REST API Cookie auth Switch ports, VLANs, WiFi SSIDs, client tracking
Home Assistant REST API Bearer token 235 entities, automations, scenes, services
LED Controllers (WLED x3) HTTP JSON None (LAN only) Colors, effects, brightness, presets
Smart Plugs (Kasa x3) Local protocol None (LAN only) On/off, energy monitoring, WiFi provisioning
The key design decision: **one server, not five**. Every home infrastructure tool I looked at wanted to be its own microservice. But I don't need Kubernetes in my living room. I need one container that starts on boot and talks to everything. Each backend system gets a module — a thin client wrapper plus MCP tool registration. The module pattern is dead simple:
File Role Example
client.py Protocol wrapper aiohttp session with Bearer token auth
tools.py MCP tool registration register_tools(mcp, client) → 7 tools
config.py Settings model Host, port, token with env var overrides
server.py Conditional import if "homeassistant" in modules_enabled:
New module? Write a client class, register some tools, add a settings model with environment variable overrides. The server picks it up on next deploy. I've been averaging about 45 minutes per module including deployment and testing. ### Why MCP and Not Just SSH Scripts? Fair question. I've been writing shell scripts to manage networks for two decades. The difference isn't automation — it's *context*. When I ask the agent to "troubleshoot why the HomePod isn't responding in Apple Home," it doesn't just run one command. It chains reasoning across multiple systems:
Step Action System
1 Query all connected clients and their VLANs Switch Controller
2 Check the ARP table to see what's actually on the network Firewall
3 Pull configuration to see what IPs are stored Home Assistant
4 Compare stored IPs against actual IPs Agent reasoning
5 Find five integrations with stale IPs from months ago Agent reasoning
6 Update config entries with correct addresses Home Assistant
7 Remove seven dead integrations that no longer exist Home Assistant
8 Restart the service Home Assistant
That's eight steps across three different systems, using three different authentication methods, and making decisions along the way. A shell script could do steps 1 and 2. The rest requires reasoning — looking at the data from step 1, cross-referencing it with step 3, and deciding what to do. That's where the agent shines. The MCP protocol gives the agent *structured access* to each system. Instead of parsing `arp -a` output with regex, it gets clean JSON with MAC addresses, IPs, and interface names as distinct fields. Instead of screen-scraping a web UI, it calls `ha_list_entities(domain="light")` and gets back 23 lights with their current state, brightness, and last-changed timestamp. ### The Five Modules Here's what each module actually does, and why the tool count matters less than you'd think.
Module Tools Capabilities Example Command
Firewall 15 ARP tables, DHCP leases, static IPs, firewall rules, interface status, gateway health "Add a static DHCP reservation for this device"
Switch Controller 9 VLAN assignments, client tracking, WiFi SSID management, port configuration "Disable the legacy WiFi network"
Home Assistant 7 Entity control, automation management, service calls across dozens of device types "Disable the bathroom motion sensor automation"
LED Controllers 8 On/off, brightness, RGB color, effects, presets across 3 WLED strips "Set the picture frame to warm orange at half brightness"
Smart Plugs 6 On/off, real-time wattage, energy monitoring, WiFi provisioning "Migrate this plug from the old WiFi to the new one"
### The Architecture Choice: Why One Container?
Advantage One Container (What I Built) Five Containers (What I Didn't)
Cross-module queries Free — tools share one server process Three MCP connections, three auth flows, triple the context
Deployment One rsync, one rebuild, under a minute Docker Compose orchestration, dependency ordering
Network access One container with host networking, one position on the Core VLAN Per-container network config, firewall rules per container
Mental model One URL, all 45 tools, self-describing names "Which server handles VLAN changes again?"
### What Surprised Me
Surprise What Happened
The agent is better at firewall rule syntax than I am pfSense stores config in XML with PHP-encoded arrays. Getting the nesting right for source, destination, protocol, interface, direction — the agent nails it every time because the tool validates inputs before writing.
Smart home troubleshooting is where this really pays off Home automation involves a web of dependencies: LED controller on the right VLAN, HA integration with the right IP, HomeKit bridge with the right entity IDs, automation with the right device references. When any of these breaks, the failure mode is "no response" with zero diagnostics. The agent checks all layers in sequence.
Natural language makes VLAN work feel normal Before: dreading VLAN changes because each required juggling UUIDs across systems. Now: "put this device on the IoT network" is a sentence. Cognitive load dropped from "senior network engineer" to "homeowner."
Error handling matters more than features Every tool returns {"success": false, "error": "..."} on failure. When a Smart Plug command failed because the firewall blocked the protocol port, the agent told me which port to open and on which interface — not just "connection timed out."
### The Security Model I want to be clear about the trust boundaries here, because "I gave my AI the keys to my network" sounds irresponsible out of context.
Boundary Implementation
Network isolation The MCP server runs on the local network only. Not exposed to the internet. Behind the same firewall that protects everything else. The only client is my AI coding tool on the same LAN.
Secrets management API keys, passwords, and tokens live in an environment file on the NAS. Source code has settings models with defaults and env var overrides — no credentials. The .env is excluded from version control.
Human-in-the-loop Write operations require confirmation. The agent proposes changes (add this firewall rule, move this port to that VLAN) and I approve or deny each one. MCP provides the guardrail.
Scoped auth The Home Assistant token expires in a year. The switch controller uses a dedicated service account. The firewall uses SSH key auth. Nothing uses shared or admin credentials.
### What's Next: From Tools to Watchdog The 45 tools I have now are reactive — I ask the agent to do something, and it does it. But the architecture opens the door to something more interesting: **agentic loops that proactively monitor the network**. Imagine an agent that runs on a schedule — say, every few hours — and quietly checks things:
Check What It Does Why It Matters
Misconfiguration detection Compare the ARP table against static DHCP maps. Flag devices that are on the wrong VLAN or have conflicting assignments. After a network migration, stale configs hide everywhere. An agent that cross-references would have caught the HomePod issue before I noticed it.
Anomalous device detection Diff the connected client list against a known-good baseline. Alert on new MAC addresses that haven't been seen before. Rogue devices on a VLAN-segmented network are a real concern. A periodic scan turns the agent into a lightweight IDS.
Service health monitoring Poll Home Assistant entities for stale last_changed timestamps. Flag sensors or automations that have gone silent. Motion sensors that stop reporting, automations that haven't triggered in weeks — these are quiet failures that compound until something visible breaks.
Firewall rule drift Snapshot the firewall rule set periodically. Diff against the previous snapshot. Flag unexpected changes. Rule sets accumulate cruft. An agent that reviews them periodically can flag redundant, conflicting, or overly permissive rules before they become a problem.
Energy anomalies Track smart plug wattage over time. Alert when a device draws significantly more or less power than its baseline. A plug drawing 0W that should be drawing 60W means something died. A plug drawing 200W that normally draws 60W might be a problem worth investigating.
The tools are already there. The agent already knows how to query each system. The missing piece is the loop — a scheduler that triggers the agent, a memory store that tracks baselines, and a notification channel for findings. That's where I'm headed next. I'm also planning a few more modules — the Hue bridge for direct light control, Proxmox for VM management, and compound tools that span multiple systems. "Migrate this device to the IoT VLAN" as a single high-level operation that touches the switch, firewall, and DHCP in sequence. But the bigger vision is an agent that doesn't just respond to my commands — one that occasionally takes a peek at the network, notices things I wouldn't have noticed, and surfaces them before they become outages. Not a full SIEM. Not a monitoring stack. Just an agent with the right tools, a schedule, and enough context to connect the dots. ### Should You Build This?
Your Setup Verdict
Segmented home network with VLANs, managed switches, smart devices Yes. The investment is a few hundred lines of Python per module. The payoff is immediate.
Flat home network with a consumer router Probably not. The complexity isn't there yet, and consumer routers don't expose APIs worth wrapping.
The prosumer gap: pfSense/OPNsense, managed switches, a few smart home systems The sweet spot. Complex enough to need tooling, simple enough that one container handles it. This is where natural language control goes from "neat demo" to "I can't go back."
The MCP protocol is the right abstraction for this. It gives the agent structured tool access without requiring a full web application. The tools are stateless — each call is independent — so there's no session management or state machine to debug. It's just functions that talk to APIs. ### The Punchline Two weeks ago, I was configuring VLANs by hand. SSH into the firewall, cross-reference with the switch controller, check the DHCP lease, update the Home Assistant config, hope I didn't fat-finger a UUID. Now I say things like "why isn't the bathroom motion sensor automation working?" and the agent checks the automation config, finds the device reference, verifies the sensor is online, and tells me the device ID changed after a firmware update — then offers to fix it. The network still requires the same technical knowledge to *design*. You still need to understand VLANs, firewall rules, DHCP scoping, and inter-VLAN routing. But the day-to-day *operation* — the config changes, the troubleshooting, the "something broke and I don't know which layer" investigations — that's where having 45 tools behind natural language changes the game. My home network is more complex than it's ever been. And it's never been easier to manage. --- ## Navigation - [Home](/) - [About](/about.html) - [Projects](/projects.html) - [Contact](/contact.html) - [/dev/thoughts](/dev-thoughts/) *Copyright 2026 Alex Moening. Opinions expressed are my own.*