Cloud-managed next-generation firewall and router administration platform that runs on Cloudflare's Edge.
Centralized management, configuration, monitoring, and security — designed with families in mind.
Website · Dashboard · Documentation · API Reference
Most router interfaces haven't kept pace with modern expectations. NGFW.sh provides automatic updates, cloud-based management, and security monitoring — no network engineering degree required.

IDS/IPS, DNS filtering, traffic analytics, and VPN management — capabilities that traditionally required enterprise budgets or deep technical expertise, now available to everyone.

Real-time visualization, threat detection, traffic patterns, and device fingerprinting through a cloud dashboard accessible from anywhere with sub-50ms latency globally.
```bash
# 1. Sign up at app.ngfw.sh and register your router
# 2. Install the agent (guided setup, under 5 minutes)
# 3. Manage from the cloud — anywhere, any device
```

The router agent connects via persistent WebSocket through Cloudflare Durable Objects for real-time metrics. Advanced features including firewall rules, DNS filtering, VPN, IDS/IPS, and traffic analytics are rolling out progressively.
Feature-based, not usage-based. No artificial caps on devices, users, VPN peers, firewall rules, or any other metrics. Pay for capabilities, not permission to use your own network.
| | Starter | Pro | Business | Business Plus |
|---|---|---|---|---|
| Monthly | $25 | $49 | $99 | $199 |
| Annual | $20/mo | $39/mo | $79/mo | $159/mo |
| Core management & monitoring | ✓ | ✓ | ✓ | ✓ |
| DNS filtering & VPN | ✓ | ✓ | ✓ | ✓ |
| QoS & traffic shaping | — | ✓ | ✓ | ✓ |
| IDS/IPS & real-time alerts | — | ✓ | ✓ | ✓ |
| Fleet management & API | — | — | ✓ | ✓ |
| Priority support & onboarding | — | — | — | ✓ |
All plans include a 14-day free trial · 20% discount on annual billing
Cloud Management & Dashboard
| Feature | Starter | Pro | Business | Business Plus |
|---|---|---|---|---|
| Cloud-hosted management portal | ✓ | ✓ | ✓ | ✓ |
| Real-time system monitoring (CPU, RAM, temp, load) | ✓ | ✓ | ✓ | ✓ |
| Interface statistics & status | ✓ | ✓ | ✓ | ✓ |
| Automatic firmware updates | ✓ | ✓ | ✓ | ✓ |
| Dual boot slot management | ✓ | ✓ | ✓ | ✓ |
| Configuration backup & restore | ✓ | ✓ | ✓ | ✓ |
| Audit log | ✓ | ✓ | ✓ | ✓ |
| Email support | ✓ | ✓ | ✓ | ✓ |
| Priority support (4hr SLA) | — | — | — | ✓ |
| Onboarding assistance | — | — | — | ✓ |
Networking
| Feature | Starter | Pro | Business | Business Plus |
|---|---|---|---|---|
| WAN configuration (DHCP, Static, PPPoE) | ✓ | ✓ | ✓ | ✓ |
| WAN status, DHCP lease renew/release | ✓ | ✓ | ✓ | ✓ |
| LAN / bridge configuration | ✓ | ✓ | ✓ | ✓ |
| VLAN support | ✓ | ✓ | ✓ | ✓ |
| DHCP server & IP pools | ✓ | ✓ | ✓ | ✓ |
| DHCP static reservations | ✓ | ✓ | ✓ | ✓ |
| WiFi radio management | ✓ | ✓ | ✓ | ✓ |
| Multi-SSID configuration | ✓ | ✓ | ✓ | ✓ |
| WiFi client monitoring | ✓ | ✓ | ✓ | ✓ |
| NAT / port forwarding | ✓ | ✓ | ✓ | ✓ |
| UPnP management | ✓ | ✓ | ✓ | ✓ |
| QoS traffic shaping | — | ✓ | ✓ | ✓ |
| Per-device bandwidth limits | — | ✓ | ✓ | ✓ |
| Traffic class definitions | — | ✓ | ✓ | ✓ |
| Dynamic DNS | — | ✓ | ✓ | ✓ |
Security
| Feature | Starter | Pro | Business | Business Plus |
|---|---|---|---|---|
| Stateful firewall | ✓ | ✓ | ✓ | ✓ |
| Zone-based policies | ✓ | ✓ | ✓ | ✓ |
| Rule ordering & hit counters | ✓ | ✓ | ✓ | ✓ |
| DNS filtering (ad & tracker blocking) | ✓ | ✓ | ✓ | ✓ |
| DNS allowlist / custom overrides | ✓ | ✓ | ✓ | ✓ |
| Force blocklist update | ✓ | ✓ | ✓ | ✓ |
| IDS (Intrusion Detection System) | — | ✓ | ✓ | ✓ |
| IPS (Intrusion Prevention System) | — | ✓ | ✓ | ✓ |
| IDS/IPS rule categories | — | ✓ | ✓ | ✓ |
| IDS/IPS custom rules | — | ✓ | ✓ | ✓ |
| Real-time threat alerts (WebSocket) | — | ✓ | ✓ | ✓ |
VPN
| Feature | Starter | Pro | Business | Business Plus |
|---|---|---|---|---|
| WireGuard VPN server | ✓ | ✓ | ✓ | ✓ |
| VPN peer management | ✓ | ✓ | ✓ | ✓ |
| Peer QR code generation | ✓ | ✓ | ✓ | ✓ |
| VPN client profiles | ✓ | ✓ | ✓ | ✓ |
| Connect/disconnect from dashboard | ✓ | ✓ | ✓ | ✓ |
| VPN connection status monitoring | ✓ | ✓ | ✓ | ✓ |
Logging & Analytics
| Feature | Starter | Pro | Business | Business Plus |
|---|---|---|---|---|
| DNS query log & statistics | ✓ | ✓ | ✓ | ✓ |
| Traffic log with filtering (src, dst, port, proto, app, geo) | ✓ | ✓ | ✓ | ✓ |
| Top clients by bandwidth | ✓ | ✓ | ✓ | ✓ |
| Top destinations | ✓ | ✓ | ✓ | ✓ |
| Aggregated traffic statistics | ✓ | ✓ | ✓ | ✓ |
| Real-time traffic stream (WebSocket) | — | ✓ | ✓ | ✓ |
Fleet Management & Integration
| Feature | Starter | Pro | Business | Business Plus |
|---|---|---|---|---|
| Fleet device management | — | — | ✓ | ✓ |
| Configuration templates | — | — | ✓ | ✓ |
| Apply template to multiple devices | — | — | ✓ | ✓ |
| Bulk device commands | — | — | ✓ | ✓ |
| REST API access | — | — | ✓ | ✓ |
| Webhook endpoints | — | — | ✓ | ✓ |
Account & Security
| Feature | Starter | Pro | Business | Business Plus |
|---|---|---|---|---|
| User profile management | ✓ | ✓ | ✓ | ✓ |
| Multi-factor authentication (MFA) | ✓ | ✓ | ✓ | ✓ |
| Passkey support | ✓ | ✓ | ✓ | ✓ |
| Session management | ✓ | ✓ | ✓ | ✓ |
```
┌───────────────────────────────────────────────────────────────────┐
│                      Cloudflare Workers Edge                      │
│                                                                   │
│  ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌─────────────┐  │
│  │ Web        │  │ Schema     │  │ Rust       │  │ Config      │  │
│  │ Portal     │  │ API        │  │ API        │  │ Store       │  │
│  │            │  │            │  │            │  │             │  │
│  │ React/Vite │  │ Hono/      │  │ workers-rs │  │ D1/KV/R2    │  │
│  │            │  │ Chanfana   │  │            │  │             │  │
│  └────────────┘  └────────────┘  └────────────┘  └─────────────┘  │
│                                                                   │
└───────────────────────────────────────────────────────────────────┘
                                  │
                                  │  WebSocket / HTTPS
                                  ▼
┌───────────────────────────────────────────────────────────────────┐
│                       Router (On-Premises)                        │
│                                                                   │
│   ┌───────────────────────────────────────────────────────────┐   │
│   │                         RPC Agent                         │   │
│   │                             ↕                             │   │
│   │         nftables · dnsmasq · hostapd · WireGuard          │   │
│   └───────────────────────────────────────────────────────────┘   │
│                                                                   │
└───────────────────────────────────────────────────────────────────┘
```
Services
| Package | Domain | Purpose |
|---|---|---|
| packages/portal | app.ngfw.sh | Dashboard SPA |
| packages/www | ngfw.sh | Marketing site |
| packages/api | api.ngfw.sh | REST API, WebSocket RPC, OpenAPI |
| packages/schema | specs.ngfw.sh | Legacy API (deprecated) |
| docs/ | docs.ngfw.sh | Documentation (Starlight) |
Storage
| Type | Binding | Purpose |
|---|---|---|
| D1 | DB | Users, plans, subscriptions, configs |
| KV | DEVICES | Device registry & API keys |
| KV | CONFIGS | Device configurations |
| KV | SESSIONS | User sessions |
| KV | CACHE | Blocklist & threat feed cache |
| R2 | FIRMWARE | Firmware images |
| R2 | BACKUPS | Configuration backups |
| R2 | REPORTS | Generated reports |
```bash
# Setup
bun run setup        # Install all dependencies

# Development servers
bun run dev:portal   # Portal → localhost:5173
bun run dev:schema   # Schema API → localhost:8787
bun run dev:api      # Rust API → localhost:8788
bun run dev:www      # Marketing → localhost:4321
bun run dev:docs     # Documentation → localhost:4322

# Build & Deploy
bun run build        # Build all packages
bun run deploy       # Deploy all packages

# Quality
bun run test         # Run tests
bun run lint         # Lint with oxlint
```

| Resource | Description |
|---|---|
| ARCHITECTURE.md | Full technical specification — API endpoints, schemas, RPC protocol |
| PROJECT.md | Task tracking, roadmap, and development status |
| RESEARCH.md | Market research and competitive analysis |
| docs.ngfw.sh | User documentation |
| api.ngfw.sh/openapi.json | OpenAPI 3.1 specification |






