Platform
Everything below is configured through the same model: validate, apply live, write
atomically, record a revision — with per-domain drift detection watching the result.
Structured rules with inline NAT, tables, macros and traffic policing; a live state browser with surgical state kill; brute-force auto-ban; anti-lockout and default-deny baselines built in.
OSPF and BGP with depth few GUIs expose: a full BGP policy engine, peer groups and templates, per-neighbor tuning, TCP-MD5, zero-downtime OSPF key rotation — with a route-leak safety gate.
WireGuard with a complete key lifecycle, IPsec (IKEv2 and manual keying), and GRE, VXLAN, EtherIP and gif tunnels — all with drift detection and reversible applies.
Multi-WAN failover driven by real gateway health probes, PPPoE WAN, IPv6 WAN and LAN (SLAAC, DHCPv6-PD, router advertisements), VLANs and bridges.
DHCP server with live leases and one-click static reservations; DNS with DNS-over-TLS upstreams, DNSSEC, local zones and block-lists; managed NTP.
CARP virtual IPs with safe preemption windows, pfsync state synchronisation, and authenticated cross-peer configuration sync for active/backup pairs.
Users, roles and TOTP MFA with hard anti-lockout; configuration revisions with rollback; alerting to TLS syslog and webhooks; capture, sweep and reachability diagnostics.
Full-configuration export with validated dry-run import and revision history. Backup signing and encryption are landing in the current hardening programme.