Features

One coherent interface across the whole router

Every domain below is configured through the same pipeline — validate, apply live, write atomically, record a revision — with drift detection watching the result. Anything not yet shipped is badged; every statement on this page traces to evidence in the repository.

The safety model

These guarantees are cross-cutting — every domain on this page inherits them. They exist because a firewall is the one machine where a bad change locks you out.

  • Validated, atomic, revisioned. every apply is checked first, applied live, written atomically, and recorded as a revision you can browse and roll back.
  • Commit-confirmed windows. changes that could cut you off — firewall rules, tunnels, WireGuard, CARP — revert automatically unless you confirm they worked.
  • Drift detection. every domain continuously compares configured intent against live state and tells you the moment they diverge.
  • Idempotent operations. mutating operations carry idempotency keys, so a nervous retry can never double-apply.

Firewall (PF)

Structured PF management — a real rule model, not a text box over pf.conf.

  • Structured rules. inline NAT (nat-to, rdr-to, binat-to), macros, tables, and policy-based routing with route-to / reply-to.
  • Live state browser. search live states and tracked sources as they stream, and kill individual states surgically.
  • Abuse resistance. TCP syncookies, per-source connection caps, and brute-force auto-ban backed by overload tables.
  • You stay in. anti-lockout and default-deny baselines are built into every ruleset the system writes.
  • Safe applies. rulesets apply inside commit-confirmed windows — if the new rules cut you off, they revert on their own.

Dynamic routing — OSPF & BGP

Both protocols driven from one canonical model, with depth most firewall interfaces never expose. This is the part of OgmaProtect network engineers notice first.

  • Full OSPF surface. redistribution with cross-daemon collision gating, per-interface timers, stub areas with inherited defaults, SPF tuning, and CARP-aware demotion.
  • Zero-downtime key rotation. rotate OSPF MD5 authentication keys through multi-key rings without dropping adjacencies.
  • A real BGP policy engine. prefix and AS sets, import/export filters, communities — and a transit-leak gate that refuses configurations that would leak routes between peers.
  • Built for more than three peers. peer groups and dynamic-peer templates that accept whole CIDR ranges.
  • Session protection. per-neighbor timers, multihop and TTL security, TCP-MD5, and per-address-family announce control for IPv4 and IPv6.
  • Live visibility. OSPF neighbour and BGP session status straight from the routing daemons.

VPN & tunnels

Site-to-site and remote access on the primitives OpenBSD does best.

  • WireGuard, properly. the full key lifecycle including per-peer preshared keys, minimal-diff peer reconciliation, and drift detection.
  • IPsec. IKEv2 via iked plus manual keying, with the firewall passes for the encrypted path managed for you.
  • Tunnels. GRE, EtherGRE, VXLAN, EtherIP and gif interfaces, under the same reversible apply model as everything else.

Resilient edge

Built for real ISP connections and imperfect uplinks.

  • Multi-WAN failover. gateway health probes catch the dead-but-link-up uplink that static routing misses, fail over, and alert you.
  • PPPoE WAN. PAP/CHAP credentials held in the secret store, MSS clamping handled.
  • IPv6 end to end. SLAAC, DHCPv6 prefix delegation, and router advertisements — with drift detection that understands dynamic v6 addressing.
  • Layer-2 flexibility. VLANs, bridges and virtual ethernet, with display names and per-interface settings.

Network services

The services every LAN needs, managed from the same interface.

  • DHCP server. pools and static reservations, a live lease view, and one-click make-static from any active lease.
  • DNS. Unbound with DNS-over-TLS upstreams, DNSSEC, local zones and records, block-domains, and per-subnet access control.
  • Time. managed NTP and timezone handling.

High availability

Two boxes, one address — and no drive to the office at 3 a.m.

  • CARP virtual IPs. master/backup roles with safe preemption windows, so a takeover can never strand you.
  • State synchronisation. pfsync keeps established connections alive across a failover.
  • Configuration sync. authenticated, certificate-pinned config replication between peers.

Day-2 operations

The unglamorous features that decide whether a firewall is operable for years.

  • Users, roles, MFA. granular role-based access, per-user TOTP with recovery codes, and hard anti-lockout protections.
  • Revisions & rollback. every apply records who changed what and when; browse the history and roll back.
  • Alerting. delivery to TLS syslog and authenticated webhooks.
  • Diagnostics. read-only packet capture, private-subnet ping sweeps and port checks, ARP/NDP views, and live connection-log streaming.
  • Kernel tunables. curated network sysctls with a safety gate on the ones that can take you offline.

Backup & recovery

Configuration you can carry out of a fire — and trust on the way back in.

  • Export & restore. full-configuration export, validated dry-run imports, and revision history as your rollback.
  • Signed & encrypted bundles. cryptographically signed, encrypted backups with role-gated import. In progress

See it on your own hardware

OgmaProtect is in early access — request it, install the package on a stock OpenBSD system, and manage your router from a browser within the hour.

Get started