🛡️ NGFW.sh

Cloud-managed next-generation firewall and router administration platform that runs on Cloudflare's Edge.

Centralized management, configuration, monitoring, and security — designed with families in mind.

Website · Dashboard · Documentation · API Reference

---

✨ Why NGFW.sh?

🎯 Simple Management Most router interfaces haven't kept pace with modern expectations. NGFW.sh provides automatic updates, cloud-based management, and security monitoring — no network engineering degree required.

🔐 Accessible Security IDS/IPS, DNS filtering, traffic analytics, and VPN management — capabilities that traditionally required enterprise budgets or deep technical expertise, now available to everyone.

📊 Actionable Insights Real-time visualization, threat detection, traffic patterns, and device fingerprinting through a cloud dashboard accessible from anywhere with sub-50ms latency globally.

---

🚀 Quick Start

# 1. Sign up at app.ngfw.sh and register your router
# 2. Install the agent (guided setup, under 5 minutes)
# 3. Manage from the cloud — anywhere, any device

The router agent connects via persistent WebSocket through Cloudflare Durable Objects for real-time metrics. Advanced features including firewall rules, DNS filtering, VPN, IDS/IPS, and traffic analytics are rolling out progressively.

---

📸 Screenshots

Authentication — Secure login via Clerk.com with email, phone, MFA, and passkeys

Dashboard — Real-time system monitoring and status overview

Network Configuration — WAN, LAN, and WiFi management

Security — Firewall rules and DNS filtering

Billing — Plan management and subscriptions

---

💰 Pricing

Feature-based, not usage-based. No artificial caps on devices, users, VPN peers, firewall rules, or any other metrics. Pay for capabilities, not permission to use your own network.

	Starter	Pro	Business	Business Plus
Monthly	$25	$49	$99	$199
Annual	$20/mo	$39/mo	$79/mo	$159/mo
Core management & monitoring	✓	✓	✓	✓
DNS filtering & VPN	✓	✓	✓	✓
QoS & traffic shaping	—	✓	✓	✓
IDS/IPS & real-time alerts	—	✓	✓	✓
Fleet management & API	—	—	✓	✓
Priority support & onboarding	—	—	—	✓

All plans include a 14-day free trial · 20% discount on annual billing

---

📋 Feature Comparison

Cloud Management & Dashboard

Feature	Starter	Pro	Business	Business Plus
Cloud-hosted management portal	✓	✓	✓	✓
Real-time system monitoring (CPU, RAM, temp, load)	✓	✓	✓	✓
Interface statistics & status	✓	✓	✓	✓
Automatic firmware updates	✓	✓	✓	✓
Dual boot slot management	✓	✓	✓	✓
Configuration backup & restore	✓	✓	✓	✓
Audit log	✓	✓	✓	✓
Email support	✓	✓	✓	✓
Priority support (4hr SLA)	—	—	—	✓
Onboarding assistance	—	—	—	✓

Networking

Feature	Starter	Pro	Business	Business Plus
WAN configuration (DHCP, Static, PPPoE)	✓	✓	✓	✓
WAN status, DHCP lease renew/release	✓	✓	✓	✓
LAN / bridge configuration	✓	✓	✓	✓
VLAN support	✓	✓	✓	✓
DHCP server & IP pools	✓	✓	✓	✓
DHCP static reservations	✓	✓	✓	✓
WiFi radio management	✓	✓	✓	✓
Multi-SSID configuration	✓	✓	✓	✓
WiFi client monitoring	✓	✓	✓	✓
NAT / port forwarding	✓	✓	✓	✓
UPnP management	✓	✓	✓	✓
QoS traffic shaping	—	✓	✓	✓
Per-device bandwidth limits	—	✓	✓	✓
Traffic class definitions	—	✓	✓	✓
Dynamic DNS	—	✓	✓	✓

Security

Feature	Starter	Pro	Business	Business Plus
Stateful firewall	✓	✓	✓	✓
Zone-based policies	✓	✓	✓	✓
Rule ordering & hit counters	✓	✓	✓	✓
DNS filtering (ad & tracker blocking)	✓	✓	✓	✓
DNS allowlist / custom overrides	✓	✓	✓	✓
Force blocklist update	✓	✓	✓	✓
IDS (Intrusion Detection System)	—	✓	✓	✓
IPS (Intrusion Prevention System)	—	✓	✓	✓
IDS/IPS rule categories	—	✓	✓	✓
IDS/IPS custom rules	—	✓	✓	✓
Real-time threat alerts (WebSocket)	—	✓	✓	✓

VPN

Feature	Starter	Pro	Business	Business Plus
WireGuard VPN server	✓	✓	✓	✓
VPN peer management	✓	✓	✓	✓
Peer QR code generation	✓	✓	✓	✓
VPN client profiles	✓	✓	✓	✓
Connect/disconnect from dashboard	✓	✓	✓	✓
VPN connection status monitoring	✓	✓	✓	✓

Logging & Analytics

Feature	Starter	Pro	Business	Business Plus
DNS query log & statistics	✓	✓	✓	✓
Traffic log with filtering (src, dst, port, proto, app, geo)	✓	✓	✓	✓
Top clients by bandwidth	✓	✓	✓	✓
Top destinations	✓	✓	✓	✓
Aggregated traffic statistics	✓	✓	✓	✓
Real-time traffic stream (WebSocket)	—	✓	✓	✓

Fleet Management & Integration

Feature	Starter	Pro	Business	Business Plus
Fleet device management	—	—	✓	✓
Configuration templates	—	—	✓	✓
Apply template to multiple devices	—	—	✓	✓
Bulk device commands	—	—	✓	✓
REST API access	—	—	✓	✓
Webhook endpoints	—	—	✓	✓

Account & Security

Feature	Starter	Pro	Business	Business Plus
User profile management	✓	✓	✓	✓
Multi-factor authentication (MFA)	✓	✓	✓	✓
Passkey support	✓	✓	✓	✓
Session management	✓	✓	✓	✓

---

🏗️ Architecture

┌─────────────────────────────────────────────────────────────────────┐
│                      Cloudflare Workers Edge                         │
│                                                                      │
│   ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌─────────────┐   │
│   │    Web     │  │   Schema   │  │    Rust    │  │   Config    │   │
│   │   Portal   │  │    API     │  │    API     │  │    Store    │   │
│   │            │  │            │  │            │  │             │   │
│   │ React/Vite │  │   Hono/    │  │ workers-rs │  │  D1/KV/R2   │   │
│   │            │  │  Chanfana  │  │            │  │             │   │
│   └────────────┘  └────────────┘  └────────────┘  └─────────────┘   │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘
                                 │
                                 │  WebSocket / HTTPS
                                 ▼
┌─────────────────────────────────────────────────────────────────────┐
│                        Router (On-Premises)                          │
│                                                                      │
│   ┌───────────────────────────────────────────────────────────┐     │
│   │                        RPC Agent                           │     │
│   │                            ↕                               │     │
│   │       nftables  ·  dnsmasq  ·  hostapd  ·  WireGuard      │     │
│   └───────────────────────────────────────────────────────────┘     │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

Services

Package	Domain	Purpose
packages/portal	app.ngfw.sh	Dashboard SPA
packages/www	ngfw.sh	Marketing site
packages/api	api.ngfw.sh	REST API, WebSocket RPC, OpenAPI
packages/schema	specs.ngfw.sh	Legacy API (deprecated)
docs/	docs.ngfw.sh	Documentation (Starlight)

Storage

Type	Binding	Purpose
D1	DB	Users, plans, subscriptions, configs
KV	DEVICES	Device registry & API keys
KV	CONFIGS	Device configurations
KV	SESSIONS	User sessions
KV	CACHE	Blocklist & threat feed cache
R2	FIRMWARE	Firmware images
R2	BACKUPS	Configuration backups
R2	REPORTS	Generated reports

---

🛠️ Tech Stack

Frontend React 19, Vite 7, Tailwind CSS 4 Astro 5, Starlight (docs) Auth Clerk.com

Backend Hono 4, Chanfana 3 (OpenAPI), Zod 4 workers-rs, Durable Objects, WebSocket Storage Cloudflare D1, KV, R2

---

💻 Development

# Setup
bun run setup          # Install all dependencies

# Development servers
bun run dev:portal     # Portal        → localhost:5173
bun run dev:schema     # Schema API    → localhost:8787
bun run dev:api        # Rust API      → localhost:8788
bun run dev:www        # Marketing     → localhost:4321
bun run dev:docs       # Documentation → localhost:4322

# Build & Deploy
bun run build          # Build all packages
bun run deploy         # Deploy all packages

# Quality
bun run test           # Run tests
bun run lint           # Lint with oxlint

---

📚 Documentation

Resource	Description
ARCHITECTURE.md	Full technical specification — API endpoints, schemas, RPC protocol
PROJECT.md	Task tracking, roadmap, and development status
RESEARCH.md	Market research and competitive analysis
docs.ngfw.sh	User documentation
api.ngfw.sh/openapi.json	OpenAPI 3.1 specification

---

Website · Dashboard · Docs · API

MIT License · Made with ❤️ for families everywhere