Bare-metal L4 orchestration · TCP + UDP

One Linux box.
Many real IPs.
Zero config editing.

Streamer turns a single host into a multi-IP Layer-4 reverse proxy you drive from a browser. Provision genuine macvlan sub-interfaces, point an nginx stream upstream pool at your backends, automate TLS, and lock every interface down with its own firewall — in seconds, not SSH sessions.

  • No database
  • No containers
  • One installer
streamer · apply
$ streamer apply site4.example.com

→ resolving bind target
  ip link add link eth0.50 name mv-web-0 type macvlan
  ip addr add 192.168.50.20/24 dev mv-web-0
✓ sub-interface up — 52:54:00:fa:bb:04

→ writing /etc/nginx/stream.d/site4.conf
  upstream pool → 192.168.50.10:443, .11:443
  least_conn · tls · acl: office

→ nginx -t
✓ configuration file test is successful
✓ reloaded — listening on 192.168.50.20:443
Backend health
healthy10.0.0.10:8443
healthy10.0.0.11:8443
SFW-IN-eth0
accepttcp/443
dropdefault
4
Layer proxied (TCP/UDP)
4094
802.1Q VLANs supported
5
LB algorithms
Bind IPs per host
How it works

From a domain name to a live proxy in three moves

Streamer runs directly on the host — no network namespaces, no overlay. The interfaces and IPs it creates are real, routable and visible in ip link show.

01

Resolve the bind IP

Bind straight to an interface's existing IP, or give the mapping its own dedicated address on a real macvlan device — unique MAC, optional VLAN tag, static IP.

# its own MAC, inside VLAN 50
ip link add link eth0.50 name mv-web-0 \
   address 52:54:00:fa:bb:04 type macvlan
02

Generate the stream config

An upstream {} pool is rendered for your backends with the load-balancing method you picked, plus TLS, access lists and L4 rate limits.

upstream pool_924cb {
    server 192.168.50.10:443;
    server 192.168.50.11:443;
    least_conn;
}
03

Validate & hot-reload

nginx -t runs before every reload, so a bad block is rolled back and the live proxy is never reloaded against a broken config. Each step is streamed back to the UI.

nginx -t   # config OK
nginx -s reload
✓ 192.168.50.20:443 → pool_924cb
Live mapping

Watch every route on your host, in real time

Each domain binds its own address, flows through the proxy host, and fans out to its backend pool. Downed backends light up red the moment a health probe fails.

Live healthy degraded backend down 6 mappings · 8 backends
example1.com 192.168.11.82:449 TCP ↳ ens33 · direct example2.com 192.168.11.83:53 UDP ↳ mv-sub-0 · static example3.com 192.168.11.83:443 TCP ↳ mv-sub-0 · static example4.com 192.168.11.87:443 TCP ↳ mv-sub-2 · static example5.com 192.168.11.84:443 TCP ↳ mv-sub-1 · static example6.com 192.168.11.88:443 TCP ↳ mv-sub-6 · static streamer proxy host example1.com 2 backends · round-robin ! example2.com 2 backends · round-robin example3.com 1 backend · round-robin example4.com 1 backend · round-robin example5.com 1 backend · round-robin example6.com 1 backend · round-robin
Capabilities

Everything the edge of your network needs

Built with Python + Flask and a single-page dashboard. Mappings, users and settings persist to plain JSON — there is nothing else to run.

Real macvlan sub-interfaces

Dedicated IP per mapping with its own MAC — optionally inside an 802.1Q VLAN. Not a namespace trick: the device shows up in ip link and answers ARP.

L4 load balancing

Round-robin, least_conn, hash (+consistent), random, or random-two — with weights, health probes and active-passive priority failover.

New

Per-interface firewall

Security-group style iptables rules — every interface gets its own ordered rule set and default policy. Off by default, with lockout protection and a one-click panic switch.

Automated SSL

Upload a cert, generate a SAN self-signed pair with openssl, or reuse a managed cert across mappings. Keys land at 0600, shared certs are refcounted.

Access lists

Named IP/CIDR allow lists rendered to nginx snippets. Auto-refreshing from a source URL — the built-in tas-ix feed replaces a cron job entirely.

ModSecurity WAF

Install the OWASP Core Rule Set from the dashboard, bind it to any HTTPS mapping, and switch Off → Detection → Enforce once you've tuned the false positives.

Live monitoring & map

Host CPU/RAM/disk, per-interface throughput, backend health probes, and an n8n-style canvas of every route — with downed backends flagged in red.

Snapshots & rollback

One-click backup of everything — mappings, users, certs, sub-interfaces, audit log — on a schedule, in-process. Restore or roll back to any point.

Roles & audit log

Admin and creator roles behind a login, PBKDF2-hashed passwords, and a persistent audit trail of every privileged action taken in the UI.

Safe by construction

Powerful enough to break things — designed not to

Streamer runs privileged commands on a production host. Every destructive path has a guard rail, and every one of them is on by default.

  • No shell injection. Every command runs as an argv list — never a shell string — through a single audited choke point.
  • Firewall can't lock you out. Every managed chain accepts established connections and the dashboard's own port first — and Panic tears it all down.
  • Fail-safe reloads. nginx -t gates every reload, so the live proxy never restarts against a broken config.
  • Simulation mode. Run the whole tool off-host: it prints the exact commands it would execute and touches nothing.
  • Least privilege, optionally. Runs as root by default, or as an unprivileged user with a scoped sudoers file granting only what it needs.
SFW-IN-eth0 · rendered
# established + the dashboard, always first
iptables -A SFW-IN-eth0 -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A SFW-IN-eth0 -p tcp --dport 8088 -j ACCEPT

# your rules, by priority
iptables -A SFW-IN-eth0 -p tcp --dport 22 \
    -s 203.0.113.0/24 -j ACCEPT
iptables -A SFW-IN-eth0 -p tcp --dport 443 -j ACCEPT

# fallback = interface default policy
iptables -A SFW-IN-eth0 -j DROP
iptables -I INPUT 1 -i eth0 -j SFW-IN-eth0
Get started

One command. One host. Done.

Installs nginx + the stream module, python, iproute2, iptables and openssl for your distro, wires the kernel and nginx, and starts a systemd service.

$ git clone <repo> streamer && cd streamer
$ sudo ./setup.sh --service

Then open http://<server-ip>:8088 and create your admin account. Debian/Ubuntu, RHEL/Fedora, Arch and openSUSE are supported — the installer is idempotent and safe to re-run.

Ready to give your backends real addresses?

Free and open source, MIT licensed.

Launch the dashboard