Open source · MIT licensed · Built in Rust

The modern firewall for FreeBSD

A complete firewall platform in one Rust codebase: stateful pf rules, Suricata + Sigma + YARA IDS, WireGuard & IPsec VPN, CARP/pfsync HA, multi-WAN with FIB isolation, AI threat detection, and a live React dashboard. An honest alternative to pfSense and OPNsense.

300+ API endpoints
37 RBAC perms
5 AI detectors
6 NAT types
3 rule formats
AiFw live dashboard with real-time CPU, memory, and network graphs
Features

Everything a firewall needs. Nothing it doesn't.

A complete platform in one Rust binary per service. No PHP-FPM, no package sprawl, no legacy admin UIs.

Stateful firewall

FreeBSD pf with rule scheduling, aliases, and traffic shaping. Full IPv4/IPv6 and VLAN support.

pf · IPv4/IPv6 · VLAN

WireGuard & IPsec

Native WireGuard with auto-keypair generation and per-peer config export. IPsec ESP/AH in tunnel or transport mode.

WireGuard · ESP · AH

IDS / IPS engine

Suricata-compatible inspection with Sigma and YARA rule support — neither OPNsense nor pfSense can do this.

Suricata · Sigma · YARA

AI threat detection (opt-in · experimental)

Five behavioural detectors: port scan, DDoS, brute force, C2 beacon, and DNS tunneling. Auto-response with TTL blocks.

port-scan · ddos · c2-beacon

Multi-WAN with FIB isolation

Each WAN in its own FreeBSD FIB. Gateway groups with failover, weighted, and adaptive MOS-weighted policies. Per-flow blast-radius preview before apply.

FIB · PBR · SLA

Full NAT suite

SNAT, DNAT/port forwarding, masquerade, 1:1 binat, NAT64, and NAT46 — the last one is unique.

snat · dnat · nat64 · nat46

Live dashboard

WebSocket-powered real-time metrics. Connection tracking, bandwidth graphs, memory breakdown, animated NAT flow topology.

WebSocket · React · Next.js

Reverse proxy + ACME

Built-in TrafficCop reverse proxy: HTTP, TCP, UDP routers, services, middlewares. ACME / Let's Encrypt automation pushes certs straight to the TLS store, file, or webhook.

TrafficCop · ACME · TLS

Active-passive HA

CARP virtual IP + pfsync state migration, REST API + operator dashboard. Active-passive pair in beta with documented failure modes and ops runbooks.

CARP · pfsync · beta

Granular RBAC

37 specific permissions across every subsystem. TOTP 2FA, OAuth/SSO, API keys, built-in CA for certificate issuance.

37 perms · TOTP · OAuth

Commit confirm

Every apply stages changes with a timer. If you don't confirm within the window, your config auto-reverts. Never lock yourself out.

auto-revert · snapshots · rollback
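As an added illustration (not AiFw's own code), this Rust state machine shows the commit-confirm semantics described above: a staged config goes live immediately, and the timer rolls it back to the pre-apply snapshot unless it is confirmed inside the window. The type names and the integer-seconds clock are assumptions made for the example.

```rust
// Added example, not AiFw code: commit-confirm with snapshot and auto-revert.
// Time is a plain u64 of seconds so the behaviour is deterministic and testable.
#[derive(Clone, Debug, PartialEq)]
pub struct Config {
    pub rules: Vec<String>, // pf-style rule lines, constructed sample data
}

pub struct CommitConfirm {
    pub active: Config,
    pending: Option<(Config, u64)>, // (snapshot to restore, confirm deadline)
}

impl CommitConfirm {
    pub fn new(active: Config) -> Self {
        CommitConfirm { active, pending: None }
    }

    /// Apply `candidate` right now; it survives only if confirmed within `window_secs`.
    pub fn stage(&mut self, candidate: Config, now: u64, window_secs: u64) -> Result<(), String> {
        if self.pending.is_some() {
            return Err("a staged change is already awaiting confirmation".into());
        }
        // Swap the candidate in and keep the previous config as the rollback target.
        let snapshot = std::mem::replace(&mut self.active, candidate);
        self.pending = Some((snapshot, now + window_secs));
        Ok(())
    }

    /// Make the staged config permanent. A confirm that arrives after the
    /// deadline is treated exactly like an expired timer: the change is reverted.
    pub fn confirm(&mut self, now: u64) -> Result<(), String> {
        match self.pending.take() {
            None => Err("nothing staged".into()),
            Some((snapshot, deadline)) if now > deadline => {
                self.active = snapshot;
                Err("confirm window expired; config reverted".into())
            }
            Some(_) => Ok(()),
        }
    }

    /// Timer hook: returns true when an unconfirmed change was rolled back.
    pub fn tick(&mut self, now: u64) -> bool {
        let expired = matches!(self.pending, Some((_, deadline)) if now > deadline);
        if expired {
            let (snapshot, _) = self.pending.take().unwrap();
            self.active = snapshot;
        }
        expired
    }
}
```

A lockout rule that is never confirmed is therefore undone by the next timer tick after the deadline, which is the property the card above promises.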

OPNsense config import

Drop-in migration from OPNsense. Parse the XML config, see exactly what'll change, apply atomically with rollback. Recently rewritten end-to-end.

XML · atomic · rollback

Screenshots

Real screens, real state

Every page below is rendered live from WebSocket data. No mockups.

Comparison

How it stacks up

Against the incumbents. Full matrix at /compare.

Feature                          AiFw            OPNsense   pfSense
WireGuard (native)
Suricata IDS                                                pkg
Sigma + YARA rules
AI behavioural detection
NAT46
OAuth / SSO
Commit confirm (auto-rollback)
Modern UI stack                  React/Next.js   PHP        PHP
OpenVPN
Multi-WAN with FIB isolation
OPNsense config import                           n/a
Built-in reverse proxy           TrafficCop


Architecture

Rust all the way down

Every service is a single Rust binary. The web UI compiles to static HTML with no Node.js runtime on the appliance.

// Workspace crates
aifw-common shared types: rules, NAT, VPN, IDS, HA, geo-IP
aifw-pf pf backend trait (ioctl on FreeBSD, mock on Linux)
aifw-core engines: rules, NAT, VPN, HA, shaping, audit, multi-WAN
aifw-ids IDS/IPS engine with Suricata + Sigma + YARA
aifw-ai 5 behavioural threat detectors
aifw-conntrack connection tracking
aifw-plugins plugin host (native Rust; WASM planned)
aifw-metrics metrics collection
aifw-api Axum REST (257 routes) + WebSocket
aifw-daemon background worker
aifw-cli `aifw` CLI — 17 subcommand groups
aifw-tui terminal UI
aifw-setup first-boot wizard

// Companion services (separate binaries)
rDNS DNS resolver
rDHCP DHCP server with HA failover
rTIME NTP/PTP time sync
TrafficCop reverse proxy (HTTP/TCP/UDP)

tokio · axum 0.8 · sqlx 0.8 · rustls 0.23 · Next.js 16 · FreeBSD 15

Install in minutes

~203 MB compressed ISO. Runs on anything FreeBSD runs on: bare metal, KVM, ESXi, bhyve, Proxmox.
