NethSecurity Alpha 1 is ready 🛡

Following an endless night of coding in the realm of darkness, we’re thrilled to announce that our latest creation is finally emerging from the depths of chaos! :ghost:

Let the digital witches dance and the debugging ghosts fade away because it’s time to set our product free in the wild world! :ghost: #HalloweenRelease :jack_o_lantern::jack_o_lantern:

NethSecurity Alpha 1 “Halloween” Release :jack_o_lantern:

We are excited to introduce the alpha 1 release of NethSecurity, a significant leap in network security solutions. This release focuses on technical aspects and is intended for evaluation purposes to explore the new system’s functionalities.

What’s NethSecurity?


It’s a fully-featured Linux firewall that combines multiple security features into a single platform, including firewalling, intrusion detection/prevention, antivirus, multi WAN, DNS and content filtering, and more.

Why NethSecurity?

With the release of NethServer 8 we abandoned the UTM firewall module included in version 7. Still, we wanted to continue helping those who used NethServer as a firewall gateway in their network. So we decided to create a new Linux open-source project that is highly focused on the firewall, and NethSecurity was born, which is basically a NethServer spinoff with a completely new technological stack.

:penguin: Linux and Open Source

There are not only BSD firewalls, having a firewall based on Linux means: wide hardware support, a larger ecosystem, more familiarity for administrators and faster release cycles.

:timer_clock: Setup your firewall literally in minutes

Deploy your installations with pre-installed and pre-configured firewall modules. It offers an intuitive user interface, so beginners will find it very easy to navigate the system and configure it to their requirements.

:hotel: Made for your SMBs

Designed specifically for Small and Medium-sized Businesses (SMBs) it’s a cost-effective and All-in-One solution. No useless frills, just what users need.

Alpha 1 Main features

Here’s what we’ve included in this version

:lock: Firewall Separation

In this release, we’ve detached the firewall component from NS8 and relocated it to its dedicated distribution, optimizing security and efficiency.

:building_construction: Built on OpenWrt

NethSecurity Alpha 1 is based on OpenWrt, known for reliability and robustness. It’s tailored for firewall applications, is lighter than CentOS7, and will soon support the ARM platform for wider device compatibility.

:computer: Live Testing via USB Key

You can now boot NethSecurity from a USB key, operating entirely in RAM without utilizing internal storage. This feature is designed for live testing and evaluation.

:hammer_and_wrench: Streamlined Installation Process

We’ve simplified the installation process, eliminating modular components and software centers for rapid deployment.

:star2: Future-Proof Development

Alpha1 ensures feature parity with NethSecurity7 NG, emphasizing speed and efficiency in deployment.

Next Steps

:globe_with_meridians: Upcoming Product Website

Stay tuned for our dedicated product website for in-depth exploration of NethSecurity’s capabilities.

:rocket: Stay Updated with NethSecurity

To check available updates, execute in your shell:
opkg list-upgradable | cut -f 1 -d ' ' | xargs -r opkg upgrade
Stay current with the latest enhancements and security features.

Technical details

This is an alpha release designed for evaluation. Users can use the new interface, which is currently under development and may contain known issues.

Please note that some features available on the old LuCI interface will be removed once the corresponding page on the new interface is completed. While the backend functionality is fully operational and thoroughly tested, the new interface is still a work in progress.

New Interface features

We’re heavily working on the interface, these are the panels ready so far

  • Dashboard
  • Subscription Management
  • Hostname and Timezone Configuration
  • Additional Storage Setup
  • Network Interface Configuration
  • DNS and DHCP Settings
  • Routing Configuration
  • Multi-WAN Support
  • Port Forwarding Options
  • Zones and Policies Management
  • Flashstart DNS Filtering
  • Deep Packet Inspection (DPI) Filtering
  • Root User Password Change
  • Access to System Logs

Sneak peek

Some preview screenshots from Alpha1

New Dashboard

Interfaces and devices



New DPI filter

Apply changes

DNS and DHCP and left menu

Try it!

Follow the instructions, download and try it
Download :arrow_down:


Read about all features, migration from NS7 and more inside the official documentation

We need your feedback

Your feedback during this alpha phase is crucial for refining NethSecurity.
Join us in shaping the future of IT security.

Please open a new topic in the NethSecurity category
Add tags like feature bug support

Known bugs in the new interface can be found here.


I just had to do yearly renewals for a couple of paid NGFW.
Would have much rather paid for more economical support from you guys. :anguished:
Next year I guess.

TOP JOB! Scary night…

Some interesting features you may willing to consider…

  • configuration backup and restore
  • automated configuration and log backup, with forward options (SMB, S3, SFTP, email)
  • user management (local and remote)
  • VPNs management
    • IPSec, with also v2, Camellia and blowfish support, s’il vous plait; not everyone considers AES “safest cypher” today
    • OpenVPN, roadwarrior and n2n with compatibility with NS7, but with configuration download working on Firefox, please
    • Wireguard
    • L2TP, still most widely available VPN client for consumer Client’s OSes.
  • reverse proxy with virtualhost support
  • proxy server with content filtering
  • scheduled reports with multiple forward options (including digitally signed PDFs)
  • user/group based alert management, not only via email (telegram bot?)
  • HA
  • Zabbix template (some starting point here), AFAIK no zabbix agent available for OpenWRT.

Dang it! You’ve truely pulled a rabbit out of the hat on this one!

This is one of the very few times an Alpha release of a product has got me really interested in it and want to give it a try.

And on Halloween none the less… Truely spooky


so in short we are taking OpnSense up for a competition, dont we?

Does the current release fature a radius server, if not would it be considered to be added in future? near or later…

1 Like

Why not! :wink: I hope NethSecurity will be far more easy than OpnSense :crossed_fingers:

We still do not have it but OpenWrt does [OpenWrt Wiki] FreeRADIUS
What is the usage scenario?

What about WAF?

We thought about it, I know that @filippo_carletti did some tests. But AFAIK there is not a real candidate for now.
Do you know something that we can try to integrate?

We currently use nginx as main web server instead of uhttpd (the default on OpenWrt)

this is usefule for one is ISP’s both small and large

an ip address is to a pppoe user thats added to the radius srver, and when the user tries to connect from their router, its assigned the credentials to achieve the same.

ALso in in some cases in companies

Most non-ISP users (Users here in the Forum) will more be interested in using RADIUS for WLan authentification…

My 2 cents

1 Like

I know this usage scenario but I do not think that NethSecurity is a good candidate for being an ISP firewall.

Absolutely yes, this could be a common scenario. But usually the administrator want the authentication integrated with AD systems, and this configuration has some major security drawbacks.
If someone is interested, check out this:

By the way, if you want to explore such scenarios, you can install packages directly from OpenWrt repositories: Package repositories | NethSecurity
We can start as we did with NS7: just create an howto, if many users will use it, we can convert it in a official module.


AFAIK, it’s a well known security “Gotcha”, yet due to the ubiquitness of Windows Systems in large Enterprises, it’s still comonnonly used, networks are specially secured against external access by other methods. PEAP-MSCHAPv2 is still one of the most common, and is - under RADIUS only protected with TLS, and only if configured correctly. Nowadays, just not enough, and MSCHAP, even if “v2” is still to much “in the clear”. But it does work reliably!

MS-ID is not well implemented yet for OpenSource RADIUS, AFAIK.
see also

### RADIUS authentication with Microsoft Entra ID

And, yes, for all those asking, RADIUS as a project for Authentification is written All Caps…
The Name comes from:
Remote Access Dial In User Service
and it did actually start out as an alternative to MS “Remote Access” Dial-In.

Long time ago, before 2000!

My 2 cents

A commercial (not neutral), but still good, understandable write up about RADIUS with a lot of valluable Infos…

also this:

1 Like

if this is a viable solution to solving and implementing RADIUS then am all in, and would be great generally for community users.

ALso i think would add alot mor evalue because OWT has many modules already available on its firewall.


Is that real? NS8 now will have a firewall? HOTSPOT?!

Thats too good to be true…

How much will this cost? LOL!

1 Like

Thats also true, i miss RADIUS.

NS8 has a built, very simple firewall just to open and close ports of services. NethSecurity is the spin-off of NethServer 7: it contains the UTM firewall part .

Yes, the same of NS7.

It’s free, if you want to setup your own instance Install Dedalo Hotspot with Icaro on local servers