Turn OPNsense into a Real Next-Generation Firewall

Built for engineers who demand more than plugins. No buzzwords. No black boxes. Just architecture, performance, and control.

Built by engineers. Explained like engineers expect.

Architecture First

We start with the packet path—not feature lists or buzzwords.

Performance Matters

Throughput and latency are design constraints, never afterthoughts.

No Black Boxes

How it works, what it inspects, and where it fails is fully documented.

Why We Exist

Why most NGFW plugins hit a wall

Open-source firewalls are powerful, but bolted-on security features often trade performance for visibility. We built a security engine that integrates with the packet path instead of fighting it.

Meet the team behind Zedmos →

Inline capabilities

What the engine enforces without leaving the packet path

Every control runs inside the same inspection pipeline—no bolted-on daemons, no policy gaps, no extra hops.

TLS / SSL Inspection

Decrypts HTTPS, SMTPS, FTPS, and other TLS flows inline so malware and exfiltration attempts are caught where they start. Clients must trust the engine's issuing CA for this to work; certificate-pinned applications and mutual-TLS flows need a bypass rule rather than decryption.

  • Man-in-the-Middle (MitM) decryption
  • Policy-based SNI bypass (Banking, Gov)
  • Supports TLS 1.2 and 1.3

Application Control

Identifies thousands of applications (BitTorrent, WhatsApp, Tor, YouTube) regardless of port, using nDPI.

  • Layer-7 traffic classification
  • Block P2P, VPNs, and proxies
  • Granular category-based rules

Threat Intelligence

Blocks malicious domains, botnet C2s, and phishing sites instantly with feeds from USOM, URLhaus, OpenPhish, and ThreatFox.

  • Automated feed updates
  • Zero-configuration protection
  • Real-time blocking of new threats

Inline File Scanning

Scans HTTP/S, FTP, SMTP, and SMB transfers with ClamAV before payloads land, keeping endpoints clean.

  • Scan inside archives, including those carried over decrypted TLS flows (password-protected archives are flagged, not unpacked)
  • MIME-type aware filtering
  • Optional ICAP & YARA support

Web & DNS Filtering

Enforces URL and DNS policies, including DoH/DoQ controls, so acceptable use policies stick.

  • Block adware & tracking
  • Prevent DNS tunneling
  • Baseline WAF protections

Identity & Device Aware

Applies policy per user, device type, or geography and isolates compromised assets automatically.

  • User-to-IP mapping
  • Device fingerprinting (MAC/OUI)
  • Runtime risk tagging & quarantine

Architecture Overview

Designed Around the Packet Path

This is not a feature collection; it is a security engine. Packets enter via netmap, stay in shared memory through DPI + TLS analysis, and exit only after synchronous policy evaluation. Storage and control-plane hooks are fed via writerd, not by bolting on scripts.

  • Optimized inspection pipeline
  • Minimal context switching
  • Zero-copy packet handling
  • NIC offloading aware design
  • nDPI + TLS analyzer feeding policy runtime
  • Writerd log plane (SQLite / Elastic / Mongo)

NIC / Netmap Capture

Zero-copy RX/TX rings, per-queue workers, takeover-aware interfaces.

DPI + TLS Analyzer

nDPI classification, TCP reassembly, JA3/JA4 fingerprints, TLS MITM.
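The analyzer reads the SNI and a JA3 fingerprint straight out of the ClientHello, before any decrypt-or-bypass decision is made, which is what makes the policy-based SNI bypass in the TLS inspection section possible. The following is an added illustration of that step, not Zedmos code: it parses a single TLS record, pulls out the SNI, and builds the JA3 string ("version,ciphers,extensions,groups,point_formats", GREASE values removed, MD5 hashed). The ClientHello it parses is constructed inline (zero random, a few common cipher suites, GREASE in several fields) so the block runs offline; the function and field names are this example's own.

```python
"""Extract SNI and a JA3 fingerprint from a TLS ClientHello without decrypting.

Added example; not Zedmos code. JA3 = MD5 of
"version,ciphers,extensions,groups,point_formats" with GREASE values removed.
"""
import hashlib
import struct


def _is_grease(value: int) -> bool:
    # GREASE (RFC 8701) values look like 0x0a0a, 0x1a1a, ... 0xfafa; JA3 drops them
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _u16_list(data: bytes) -> list:
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, len(data) - 1, 2)]


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; raise ValueError otherwise."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    try:
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len or hs_len < 35:
            raise ValueError("truncated ClientHello")
        version = struct.unpack("!H", body[0:2])[0]
        off = 2 + 32                              # client_version + random
        off += 1 + body[off]                      # session_id
        cs_len = struct.unpack("!H", body[off:off + 2])[0]
        ciphers = _u16_list(body[off + 2:off + 2 + cs_len])
        off += 2 + cs_len
        off += 1 + body[off]                      # compression_methods
        sni, ext_ids, groups, formats = None, [], [], []
        if off + 2 <= len(body):
            ext_len = struct.unpack("!H", body[off:off + 2])[0]
            off += 2
            end = off + ext_len
            if end > len(body):
                raise ValueError("truncated extensions")
            while off + 4 <= end:
                etype, elen = struct.unpack("!HH", body[off:off + 4])
                data = body[off + 4:off + 4 + elen]
                if len(data) != elen:
                    raise ValueError("truncated extension")
                off += 4 + elen
                ext_ids.append(etype)
                if etype == 0x0000 and len(data) >= 5 and data[2] == 0:  # server_name / host_name
                    name_len = struct.unpack("!H", data[3:5])[0]
                    sni = data[5:5 + name_len].decode("ascii", "replace")
                elif etype == 0x000A and len(data) >= 2:                 # supported_groups
                    groups = _u16_list(data[2:2 + struct.unpack("!H", data[:2])[0]])
                elif etype == 0x000B and len(data) >= 1:                 # ec_point_formats
                    formats = list(data[1:1 + data[0]])
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc

    def fmt(values):
        return "-".join(str(v) for v in values if not _is_grease(v))

    ja3 = ",".join([str(version), fmt(ciphers), fmt(ext_ids), fmt(groups), fmt(formats)])
    return {"version": version, "sni": sni, "ja3": ja3,
            "ja3_hash": hashlib.md5(ja3.encode()).hexdigest()}


def is_client_hello(record: bytes) -> bool:
    try:
        parse_client_hello(record)
        return True
    except ValueError:
        return False


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(sni: str) -> bytes:
    """Constructed sample ClientHello (TLS 1.3-capable, GREASE in several fields)."""
    ciphers = [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F]
    groups = [0x0A0A, 0x001D, 0x0017, 0x0018]
    host = sni.encode("ascii")
    exts = (_ext(0x0A0A, b"")                                          # GREASE extension
            + _ext(0x0000, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)
            + _ext(0x000A, struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups))
            + _ext(0x000B, b"\x01\x00")                                # uncompressed points
            + _ext(0x002B, b"\x04\x03\x04\x03\x03"))                   # supported_versions: 1.3, 1.2
    body = (struct.pack("!H", 0x0303) + b"\x00" * 32 + b"\x00"        # version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    info = parse_client_hello(build_client_hello("online.bank.example"))
    print(info["sni"], info["ja3"], info["ja3_hash"])
```

Everything the parser needs is in cleartext, so a bypass decision for a banking SNI can be taken on the first packet of the flow and the handshake forwarded untouched; only flows that are not bypassed go on to tls_bump. Truncated or non-handshake records raise rather than yielding a partial fingerprint, which matters when the first segment of a flow is reassembled late.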

Policy Runtime

Suffix tries, TI cache, identity selectors, synchronous enforcement.
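A suffix trie is what lets one entry for "bank.example" cover every host under it without matching "notbank.example" or "bank.example.evil.test", and the same lookup serves the threat-intelligence blocklist, the SNI bypass list and the DNS filter described in the capabilities section. The following is an added example of such a runtime, not Zedmos code: label-wise reversed tries per policy source, an identity selector keyed by user group, and a bounded decision cache that is flushed whenever a feed or rule changes. The precedence it applies (threat intel, then bypass, then identity rules, then default decrypt) and all names and sample domains are this example's own assumptions.

```python
"""Synchronous per-flow policy lookup: suffix-trie domain matching over a
threat-intel set, an SNI bypass list and identity selectors, front-ended by a
bounded decision cache.

Added example; not Zedmos code. The precedence (threat intel, then bypass,
then identity rules, then default decrypt) is an assumption for the demo.
"""
from collections import OrderedDict


class SuffixTrie:
    """Label-wise reversed trie: an entry for 'example.com' matches
    'cdn.example.com' but not 'notexample.com' or 'example.com.evil.test'."""

    def __init__(self):
        self.root = {}

    @staticmethod
    def _labels(domain: str):
        return reversed(domain.lower().strip(".").split("."))

    def node(self, domain: str) -> dict:
        """Return (creating as needed) the node for an exact domain."""
        n = self.root
        for label in self._labels(domain):
            n = n.setdefault(label, {})
        return n

    def insert(self, domain: str, value):
        self.node(domain)[None] = value      # None key = terminal marker

    def longest_match(self, host: str):
        n, best = self.root, None
        for label in self._labels(host):
            n = n.get(label)
            if n is None:
                break
            if None in n:
                best = n[None]               # keep the most specific hit
        return best


class PolicyRuntime:
    BLOCK, BYPASS, BUMP = "block", "bypass", "tls_bump"

    def __init__(self, cache_size: int = 1024):
        self.ti = SuffixTrie()               # domain -> feed name
        self.bypass = SuffixTrie()           # domain -> bypass reason
        self.identity = SuffixTrie()         # domain -> {group: action}
        self._cache = OrderedDict()          # (host, group) -> decision
        self._cache_size = cache_size
        self.stats = {"hits": 0, "misses": 0}

    def load_feed(self, feed: str, domains):
        for d in domains:
            self.ti.insert(d, feed)
        self._cache.clear()                  # a feed update invalidates cached verdicts

    def add_bypass(self, domain: str, reason: str):
        self.bypass.insert(domain, reason)
        self._cache.clear()

    def add_identity_rule(self, domain: str, group: str, action: str):
        self.identity.node(domain).setdefault(None, {})[group] = action
        self._cache.clear()

    def evaluate(self, host: str, group: str = "*"):
        """Return (action, reason); runs inline, so no I/O and no blocking."""
        key = (host.lower(), group)
        hit = self._cache.get(key)
        if hit is not None:
            self._cache.move_to_end(key)
            self.stats["hits"] += 1
            return hit
        self.stats["misses"] += 1
        decision = self._decide(host, group)
        self._cache[key] = decision
        if len(self._cache) > self._cache_size:
            self._cache.popitem(last=False)  # evict least recently used
        return decision

    def _decide(self, host, group):
        feed = self.ti.longest_match(host)
        if feed:
            return (self.BLOCK, f"ti:{feed}")
        reason = self.bypass.longest_match(host)
        if reason:
            return (self.BYPASS, f"sni-bypass:{reason}")
        rules = self.identity.longest_match(host) or {}
        action = rules.get(group, rules.get("*"))
        if action:
            return (action, f"identity:{group}")
        return (self.BUMP, "default")


if __name__ == "__main__":
    rt = PolicyRuntime()
    rt.load_feed("urlhaus", ["malware.example", "c2.badhost.test"])  # constructed sample entries
    rt.add_bypass("bank.example", "Banking")
    rt.add_identity_rule("social.example", "guest", "block")
    for host, grp in [("dl.malware.example", "*"), ("online.bank.example", "*"),
                      ("www.social.example", "guest"), ("notbank.example", "*")]:
        print(host, grp, rt.evaluate(host, grp))
```

Putting threat intelligence ahead of the bypass list is deliberate: a bypass exists so that a trusted site is not decrypted, not so that a compromised one escapes blocking. Clearing the cache on every feed or rule change keeps the "real-time blocking" claim honest, since a cached allow verdict would otherwise outlive the feed entry that should have overridden it.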

Action Layer

Allow/block, tls_bump/bypass, shadow/quarantine, StartTLS handling.

Writerd / Storage

Writer daemon → SQLite/Elastic/Mongo via zero-copy ring & batching.

Control Plane

UNIX socket RPC, hot reload worker, metrics/export knobs.

Architecture is the product. Traffic never leaves this pipeline.

Read the full architecture →

Performance Is a Feature

Security engines are measured under load

Real security maintains throughput, keeps latency predictable, and avoids CPU thrash even when inspection is fully enabled.

Throughput (inspection ON vs OFF)

  • Inspection OFF: 10.0 Gbps
  • Inspection ON: 9.4 Gbps

Latency (p95 under sustained load)

  • Baseline routing (Zedmos bypass): 0.68 ms
  • Zedmos DPI + policy: 0.74 ms
  • Zedmos DPI + TLS MITM: 0.88 ms

CPU utilization (inspection enabled)

  • DPI + policy runtime: 18%
  • TLS MITM & cert cache: 7%
  • Writerd log plane: 5%

Measured on Xeon D-1746, 10G line-rate traffic, Zedmos policy set r2025.06.
View benchmarks and methodology →

Comparison

Why Zedmos replaces plugin stacks

Plugin chains chase features after traffic leaves the NIC. Zedmos stays inline—from netmap capture through policy runtime—so latency, CPU, and telemetry stay deterministic.

Dimension            | Plugin stack                  | Zedmos engine
Model                | Security plugin chain         | Zedmos inline engine
Architecture focus   | Feature backlog & UI          | Packet-path & determinism
Inspection path      | Add-on detour after routing   | Integrated netmap → policy
Performance priority | Shared CPU budget             | Primary design goal (line-rate)
Policy execution     | Per-plugin hooks              | Single runtime w/ suffix tries
Telemetry            | Syslog/export scripts         | Writerd log plane (SQLite / ES / Mongo)
Full comparison →

Built for

  • OPNsense power users
  • Security engineers
  • MSPs / MSSPs
  • High-throughput environments

Not for

  • One-click security buyers
  • Black-box stacks
  • Feature-only comparisons
  • Marketing-driven deployments