open source router middleware for high performance network monitoring, integration and control

Most internet gateways are not well secured. Security assumes if you have access to the network you are trusted. Edge routers, internal networks and more advanced IoT networking need fundamental innovation to address the security weakness. New architectures are needed for UI bootstrapping, key distribution, key storage, network segmentation, service discovery and addressing that will work as well at the edge as it does on the open internet.


Open WRT

Fully compatible with OpenWRT code base which is dominant router operating system.


High performance

Highly optimised code for foot print and efficiency. Necessary for networking capability.

ProtoBuf aware

Can be integrated via protobuf and endpoint controlled security for easy of integration.

Network Control

Implements multiple methods of network control, including segmentation and device disable.

Standards Compliant

Embodies ManySecued D3 concepts, IETF MUD and targeting NIST onboarding.

Tools Set

Support toolsets for integrating via SPAN ports and PCAP exports for broader interoperability.


Internal isolation:

External isolation:

network management

Network Management techniques are implemented at the WiFi level protocol. We are using the VLAN mechanism to segment the network of connected devices and consider two types of isolation:


  • Internal: The internal isolation is based on subnets as depicted in the example diagram. There are five devices located in five separated subnets. The arrows indicate the bridge connection between devices. Note that device 1 can not communicate with devices 4 and 5, and vice-versa.


  • External: The external isolation is based on denying a particular device access to the external network. Here devices 1, 2 and 3 can access the external network. However device 4 has no access.

traffic monitoring

The network capture service has the purpose of monitoring network traffic for each connected device. It can be configured to execute custom middlewares. The packet capture implements the actual network sniffing process.

Currently, it uses the libpcap library, however, it also allows interfacing with PF_RING or similar.

Example configuration:

# absolute path to the capture SQLite db used by the middlewares
captureDbPath = “/path_to_capture/capture.sqlite”
# the capture filter for the libpcap library
# example filter=”src net 10.0 and dst net 10.0″
filter = “”
# libpcap options, see
# if true, captures all data on the LAN interface
promiscuous = false
# libpcap buffer timeout in milliseconds
bufferTimeout = 10
# enables libpcap immediate mode if true (disabled buffering)
# see
immediate = false

device discovery

The device discovery procedure makes sure that the connected devices can find themselves across subnets. At the core of the discovery procedure, is the ability to monitor and forward the mDNS traffic emanating from the connected devices.

secure storage

The secure storage module implements a key/value store for all other services to store and retrieve encrypted keys or data. To encrypt data the crypt service generates keys that are encrypted using the hardware secure element or a user supplied passphrase. This service is implemented as a sqlite database which contains two tables:


  • Secrets: id is the ID of the generated key, value is the value of the key, iv the initial value (IV) used to encrypt and decrypt the key and salt is the salt parameter. valuesalt and iv are base64 encoded.


  • Store: key is the key for the value, value is the value to be stored, id is the key id used to encrypt/decrypt the value and iv is the IV used to encrypt/decrypt the value. value and iv are base64 encoded.
Secrets table:
masterLbknNO6o+s+u1b4 ...Z95m5G/+jgb3ga0dufa//whka2MmSUkJUJBf7TQMYnug
resta2UiZR/DLYb3hX6 ...RLdlnafYj7279lne7A5UoAlgTKNxgxbeCxg4VySS/7vw
94:b9:7e:15:47:95lPVf5wqMnb9+8Q8 ...gFvI5tfeHANOafJlFsHXpgmH2yeX/FEvJd1ilg25Zwcg

Store table: