Real macvlan sub-interfaces
Dedicated IP per mapping with its own MAC — optionally inside an 802.1Q VLAN. Not a
namespace trick: the device shows up in ip link and answers ARP.
L4 load balancing
Round-robin, least_conn, hash (+consistent), random, or random-two —
with weights, health probes and active-passive priority failover.
New
Per-interface firewall
Security-group style iptables rules — every interface gets its own ordered rule set and
default policy. Off by default, with lockout protection and a one-click panic switch.
Automated SSL
Upload a cert, generate a SAN self-signed pair with openssl, or reuse a managed
cert across mappings. Keys land at 0600, shared certs are refcounted.
Access lists
Named IP/CIDR allow lists rendered to nginx snippets. Auto-refreshing from a source URL —
the built-in tas-ix feed replaces a cron job entirely.
ModSecurity WAF
Install the OWASP Core Rule Set from the dashboard, bind it to any HTTPS mapping, and
switch Off → Detection → Enforce once you've tuned the false positives.
Live monitoring & map
Host CPU/RAM/disk, per-interface throughput, backend health probes, and an n8n-style
canvas of every route — with downed backends flagged in red.
Snapshots & rollback
One-click backup of everything — mappings, users, certs, sub-interfaces, audit log — on a
schedule, in-process. Restore or roll back to any point.
Roles & audit log
Admin and creator roles behind a login, PBKDF2-hashed passwords, and a persistent audit
trail of every privileged action taken in the UI.