New · Application Firewall for OpenWiFi

NetExperience
Secure Wireless Edge

Activate enterprise-grade content filtering, threat protection, application-aware QoS, and microsegmentation on every NetExperience OpenWiFi access point. No additional hardware. No cloud middleman. No vendor lock-in.

<30s

Controller push to enforcement

~12 MB

Total engine footprint on AP

5,600+

Domains mapped to named apps

100%

Kernel-resident · zero userspace

Why It Matters

New revenue. Zero new hardware.

Turn your existing OpenWiFi infrastructure into a premium security platform your subscribers will pay for.

New Revenue Stream

Sell premium safety, security, and contentpolicy tiers your subscribers want. Activated centrally in uCentral, billed by you. Net-new ARPU on infrastructure you already own.

Zero-Friction Deployment

Provisioned through the same uCentral controller you already use. Runs on every TIP OpenWiFi-certified AP. No truck rolls, no proprietary CPE stack, no new operations to learn.

Privacy by Design

All inspection happens in the AP. Telemetry goes only where you decide. No mandatory cloud, no third-party data extraction, no sovereignty concerns for EU and regulated markets.

Architecture

Four-stage inspection pipeline

Every packet traverses a kernel-resident pipeline — wire-speed decisions, zero userspace overhead.

01

Classification

Identifies protocol — DNS, HTTP, TLS, or unknown encrypted traffic via signature detection on ephemeral ports.

02

Profile Lookup

Resolves the device to its security profile by MAC address, SSID, or VLAN.

03

Policy Evaluation

Applies the profile's allow/blocklists, application database, and L3/L4 firewall rules.

04

Verdict Caching

Commits the decision to wire-speed packet-mark caches so subsequent packets in the same flow are decided in microseconds without re-inspection.

Configured In
uCentral — Profile & Venue templates
Granularity
Per-device, SSID, VLAN, venue, tenant
Update Propagation
<30 seconds controller → AP
AP Impact
Live reload · zero packet loss · no reboot
Footprint
~12 MB · negligible CPU & RAM
Security
AES-256 encrypted · cryptographically signed
Capabilities

Complete capability catalog

Everything your operators need — from content filtering to microsegmentation — in a single software activation.

Content Filtering

  • Multi-protocol L7 inspection: DNS, HTTP, TLS (SNI)
  • Six curated blocklist categories: ads, adult, gambling, threats, trackers, bypass services
  • Allowlists with global override across all protocols
  • ~5,600 domains mapped to ~1,900 named applications
  • Custom domain lists per venue and per profile
  • Per-protocol category scoping (e.g., DNS-only for threats)

Bypass Prevention

  • DNS-over-TLS (DoT) blocking — TCP/853 reject
  • DNS-over-HTTPS (DoH) blocking — UDP/853 drop
  • QUIC / HTTP/3 enforcement — UDP/443 drop
  • WireGuard tunneling block — UDP/51820 drop
  • ECH prevention via DNS HTTPS RR (QTYPE 65) suppression
  • All enforced at the AP before bypass channel is established

Unknown Traffic Inspection

  • Signature-based detection of encrypted protocols on ephemeral ports
  • Default detectors: BitTorrent, SSH, hidden VPNs — extensible
  • Catches policy-evading traffic DNS filters and SNI inspection miss
  • Configurable as block or allow with per-profile telemetry

Threat Detection

  • Real-time threat intelligence feeds, professionally curated
  • Phishing, malware, ransomware, and C2 blocking
  • Profile-level L3/L4 rules: protocol, port, IP, direction
  • Default-allow or default-block policy per profile
  • Incognito mode — telemetry suppression for privacy-sensitive profiles

Microsegmentation & IoT

  • Per-VLAN profiles with dynamic 802.1X — no AP reconfiguration needed
  • Per-SSID profiles: guest, tenant, IoT, staff — each isolated independently
  • East-west blocking: prevent IoT from reaching subscriber laptops
  • Lateral-movement defense: compromise contained to profile boundary
  • Quarantine-ready: move compromised devices to restricted egress profile

Telemetry & Visibility

  • Per-domain event reporting with nanosecond-precision timestamps
  • Source MAC, IP, profile, application name, verdict, and reason
  • Operator-managed analytics: InfluxDB, NetExperience telemetry, or compatible
  • Batched, retried, persistent — no event loss on transient cloud outages
  • Provisioned via uCentral — no SSH, no per-AP CLI required
Use Cases

Built for every vertical

One platform, purpose-built security posture for every deployment scenario.

MDU & Student Housing

Per-tenant security with dynamic 802.1X VLANs. Family-safe upgrades as a premium tier. P2P controls. Compromise of one tenant cannot reach another.

Hospitality

Brand-safe guest SSID with age-appropriate filtering. Separate conference SSID with stricter policies. Same AP, different posture per network.

Education

CIPA-compliant filtering. Classroom vs dorm vs guest SSIDs with distinct profiles. Malware and phishing blocked at the AP, before the LAN.

Senior Living

Scam, phishing, and tech-support-fraud blocking. Guest network for visitors with default-deny on the resident LAN.

SMB

Scam, phishing, and tech-support-fraud blocking. Guest network for visitors with default-deny on the resident LAN.

Public Wi-Fi / Hotspots

Liability protection. Content compliance per jurisdiction. Per-SSID profiles for guest, paid, and free tiers.

Competitive Comparison

How Application Firewall compares

Measured against enterprise SSE/SWG stacks, residential VAS, and cloud DNS filters — the three alternatives OpenWiFi operators typically evaluate.

Capability App Firewall Enterprise SSE Residential VAS Cloud DNS
Native to TIP OpenWiFi / uCentral provisioning
Runs in-kernel on AP — no extra hardwaren/a
No mandatory cloud — data stays under operator control
Blocks DoH / DoT / ECH / QUIC / WireGuard at the APPartialPartial
Detects encrypted protocols on ephemeral portsPartialPartial
Per-VLAN, per-SSID microsegmentation built into APLimited
Multi-tenant by design — ISP/MSP/MDU scaleEnterprise onlyVia vendor cloudVia vendor cloud
Activated as Premium VAS in your existing platform
Total cost of ownership for OpenWiFi operatorsLowest — hardware you ownHighest — appliance + OpExMid-high per-subscriberLow cost, severe gap
Why NetExperience Wins

Three capabilities no competitor can match

The gaps that end every evaluation in Application Firewall's favor.

1

The only operator-grade application firewall that runs in the kernel of every TIP OpenWiFi AP. No proprietary CPE stack to adopt. No cloud middleman to trust. No new operations to learn.

2

The only solution that keeps your subscribers' data on your network, in your jurisdiction, under your control. Every cloud competitor requires telemetry to leave the home. Application Firewall doesn't.

3

The only one that closes the bypass holes your cloud DNS filter can't. DoH, ECH, QUIC, hidden VPNs, BitTorrent on ephemeral ports — all blocked at wire-speed inside the AP. Ask any cloud DNS vendor what happens to ECH. They'll point you to the standards body.

Get Started

Ready to activate?

Enable in uCentral, push profiles, done. No truck rolls. No new hardware. Contact sales for per-AP or per-subscriber pricing.