One coherent interface across the whole router
Every domain below is configured through the same pipeline — validate, apply live, write atomically, record a revision — with drift detection watching the result. Anything not yet shipped is badged; every statement on this page traces to evidence in the repository.
The safety model
These guarantees are cross-cutting — every domain on this page inherits them. They exist because a firewall is the one machine where a bad change locks you out.
- Validated, atomic, revisioned. every apply is checked first, applied live, written atomically, and recorded as a revision you can browse and roll back.
- Commit-confirmed windows. changes that could cut you off — firewall rules, tunnels, WireGuard, CARP — revert automatically unless you confirm they worked.
- Drift detection. every domain continuously compares configured intent against live state and tells you the moment they diverge.
- Idempotent operations. mutating operations carry idempotency keys, so a nervous retry can never double-apply.
Firewall (PF)
Structured PF management — a real rule model, not a text box over pf.conf.
- Structured rules. inline NAT (nat-to, rdr-to, binat-to), macros, tables, and policy-based routing with route-to / reply-to.
- Live state browser. search live states and tracked sources as they stream, and kill individual states surgically.
- Abuse resistance. TCP syncookies, per-source connection caps, and brute-force auto-ban backed by overload tables.
- You stay in. anti-lockout and default-deny baselines are built into every ruleset the system writes.
- Safe applies. rulesets apply inside commit-confirmed windows — if the new rules cut you off, they revert on their own.
Dynamic routing — OSPF & BGP
Both protocols driven from one canonical model, with depth most firewall interfaces never expose. This is the part of OgmaProtect network engineers notice first.
- Full OSPF surface. redistribution with cross-daemon collision gating, per-interface timers, stub areas with inherited defaults, SPF tuning, and CARP-aware demotion.
- Zero-downtime key rotation. rotate OSPF MD5 authentication keys through multi-key rings without dropping adjacencies.
- A real BGP policy engine. prefix and AS sets, import/export filters, communities — and a transit-leak gate that refuses configurations that would leak routes between peers.
- Built for more than three peers. peer groups and dynamic-peer templates that accept whole CIDR ranges.
- Session protection. per-neighbor timers, multihop and TTL security, TCP-MD5, and per-address-family announce control for IPv4 and IPv6.
- Live visibility. OSPF neighbour and BGP session status straight from the routing daemons.
VPN & tunnels
Site-to-site and remote access on the primitives OpenBSD does best.
- WireGuard, properly. the full key lifecycle including per-peer preshared keys, minimal-diff peer reconciliation, and drift detection.
- IPsec. IKEv2 via iked plus manual keying, with the firewall passes for the encrypted path managed for you.
- Tunnels. GRE, EtherGRE, VXLAN, EtherIP and gif interfaces, under the same reversible apply model as everything else.
Resilient edge
Built for real ISP connections and imperfect uplinks.
- Multi-WAN failover. gateway health probes catch the dead-but-link-up uplink that static routing misses, fail over, and alert you.
- PPPoE WAN. PAP/CHAP credentials held in the secret store, MSS clamping handled.
- IPv6 end to end. SLAAC, DHCPv6 prefix delegation, and router advertisements — with drift detection that understands dynamic v6 addressing.
- Layer-2 flexibility. VLANs, bridges and virtual ethernet, with display names and per-interface settings.
Network services
The services every LAN needs, managed from the same interface.
- DHCP server. pools and static reservations, a live lease view, and one-click make-static from any active lease.
- DNS. Unbound with DNS-over-TLS upstreams, DNSSEC, local zones and records, block-domains, and per-subnet access control.
- Time. managed NTP and timezone handling.
High availability
Two boxes, one address — and no drive to the office at 3 a.m.
- CARP virtual IPs. master/backup roles with safe preemption windows, so a takeover can never strand you.
- State synchronisation. pfsync keeps established connections alive across a failover.
- Configuration sync. authenticated, certificate-pinned config replication between peers.
Day-2 operations
The unglamorous features that decide whether a firewall is operable for years.
- Users, roles, MFA. granular role-based access, per-user TOTP with recovery codes, and hard anti-lockout protections.
- Revisions & rollback. every apply records who changed what and when; browse the history and roll back.
- Alerting. delivery to TLS syslog and authenticated webhooks.
- Diagnostics. read-only packet capture, private-subnet ping sweeps and port checks, ARP/NDP views, and live connection-log streaming.
- Kernel tunables. curated network sysctls with a safety gate on the ones that can take you offline.
Backup & recovery
Configuration you can carry out of a fire — and trust on the way back in.
- Export & restore. full-configuration export, validated dry-run imports, and revision history as your rollback.
- Signed & encrypted bundles. cryptographically signed, encrypted backups with role-gated import. In progress
See it on your own hardware
OgmaProtect is in early access — request it, install the package on a stock OpenBSD system, and manage your router from a browser within the hour.