Frequently asked questions
Is AiFw a fork of OPNsense or pfSense?
No. AiFw is a ground-up rewrite in Rust. It runs on FreeBSD and uses pf for packet filtering, but shares no PHP or other code with OPNsense or pfSense. The user-space services, web UI, REST API, and CLI are all original Rust and Next.js code.
Does AiFw require AI features to work?
No. AiFw is a complete firewall, router, DHCP server, DNS resolver, IDS/IPS, reverse proxy, and NTP server without any AI features enabled. The five behavioural detectors in aifw-ai (port scan, DDoS, brute force, C2 beacon, DNS tunneling) are opt-in, experimental, and disabled by default. They will be developed further in future releases.
Can I import my existing OPNsense config?
Yes. AiFw ships an OPNsense XML importer that parses your config, previews a diff of what will change, and applies it atomically with rollback on failure. The importer was rewritten end-to-end in 2026 (PRs #230 and #248–#252). See the backup & migration guide.
Does AiFw support Multi-WAN failover and load balancing?
Yes. AiFw ships an enterprise-grade multi-WAN system with FIB isolation per WAN, gateway groups (failover, weighted, MOS-weighted adaptive), policy routing on 5-tuple + DSCP + geo-IP, and blast-radius preview before apply. See the multi-WAN guide.
What hardware do I need to run AiFw?
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 1 amd64 core | 2+ cores, AES-NI |
| RAM | 1 GB | 4 GB+ (more for IDS) |
| Disk | 4 GB | 16 GB SSD |
| NIC | 1 | 2+ (WAN + LAN) |
arm64 (Raspberry Pi, Ampere) is planned but not yet supported. AiFw runs anywhere FreeBSD runs — bare metal, KVM, Proxmox, VMware ESXi, bhyve.
Is AiFw production-ready?
Core firewall, NAT, VPN, IDS, DHCP, DNS, multi-WAN, and HA are production-ready and stable. AI threat detection is opt-in / experimental, and the plugin system is in beta. Check the relevant page on this site for the current status of each subsystem.
How do I migrate from pfSense to AiFw?
Direct pfSense XML import is not supported. The recommended path is to export your pfSense config to OPNsense first (community tooling exists), then use AiFw’s OPNsense importer. Alternatively, rebuild the config from scratch; the AiFw web UI is fast.
Does AiFw have a paid version or paid tier?
No. Every feature is MIT-licensed and free. There is no paid tier, no gated features, and no telemetry or cloud dependency.
Where can I get help?
GitHub Discussions and Issues at https://github.com/ZerosAndOnesLLC/AiFw. The repo also includes detailed docs in CLAUDE.md and the docs/ directory.
How does AiFw compare to OPNsense and pfSense?
AiFw wins on: Sigma + YARA rules, AI threat detection, NAT46, OAuth/SSO, commit-confirm auto-rollback, modern React UI, multi-WAN with FIB isolation, OPNsense config import, built-in reverse proxy + ACME.
AiFw lags on: OpenVPN, LDAP/RADIUS, captive portal, DDNS WAN client, project age.
See the full comparison.
Does AiFw support OpenVPN?
Not currently. AiFw supports WireGuard and IPsec only. If OpenVPN is a hard requirement, stay on pfSense or OPNsense.
Can I run AiFw in a VM?
Yes. AiFw runs anywhere FreeBSD runs — bare metal, KVM, Proxmox, VMware ESXi, bhyve. AWS and DigitalOcean FreeBSD images are untested but should work.
Does AiFw work with WireGuard mobile clients?
Yes. AiFw generates per-peer .conf files you can scan as a QR code from the WireGuard mobile app. Persistent keepalive can be set per peer. Handshake status is shown live in the web UI.
How does HA failover work?
AiFw runs an active-passive pair using CARP (virtual IP) and pfsync (state-table sync). TCP sessions survive a master reboot. WireGuard tunnels reconnect within ~5 seconds if peers have PersistentKeepalive set. Failover detection takes 1.5–3 seconds depending on the configured latency profile. See the HA cluster guide.
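The answer above makes WireGuard reconnection after failover conditional on peers having PersistentKeepalive set. As an added example (not AiFw's own code), this script checks a WireGuard .conf for [Peer] sections where the setting is missing or disabled; the sample config, its placeholder keys and its documentation addresses are constructed.

```python
# Added example: audit a WireGuard .conf for peers without PersistentKeepalive.
# SAMPLE_CONF is constructed; keys are placeholders, addresses are RFC 5737.

SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.99.0.2/32

[Peer]
# constructed peer with keepalive enabled
PublicKey = <firewall-public-key-placeholder>
Endpoint = 192.0.2.10:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

[Peer]
# constructed peer with no keepalive line
PublicKey = <second-peer-public-key-placeholder>
Endpoint = 192.0.2.20:51820
AllowedIPs = 10.50.0.0/24
"""

def parse_sections(text):
    """Return [(section_name, {key: value})]; [Peer] may repeat, so no configparser."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)      # split once: base64 keys end in '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def peers_without_keepalive(text):
    """PublicKey of each [Peer] whose keepalive is missing, 0, 'off' or not a number."""
    missing = []
    for name, opts in parse_sections(text):
        if name != "peer":
            continue
        value = opts.get("persistentkeepalive", "off").lower()
        if value in ("off", "0") or not value.isdigit():
            missing.append(opts.get("publickey", "<no PublicKey>"))
    return missing

if __name__ == "__main__":
    for key in peers_without_keepalive(SAMPLE_CONF):
        print("no PersistentKeepalive:", key)
```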
Is the source code auditable / where do I read it?
Yes. The full source is at github.com/ZerosAndOnesLLC/AiFw under the MIT license. The codebase is Rust workspace crates plus a Next.js web UI. CLAUDE.md in the repo root has an architectural overview.