Difuse

Alchemilla

20 Jun, 2026


The Genesis: Consolidation Without Compromise

The modern business network has historically been a fragmented mess of discrete appliances and isolated software silos. Network administrators are routinely forced to juggle separate hardware interfaces for firewalls, routing, DHCP, internal DNS, and ad-blocking servers like AdGuard. The DMSBG was born out of this frustration — a unified appliance handling every critical network service under one roof.

We evaluated the enterprise landscape and found it lacking. Industry mainstays like Fortinet offered robust features but carried prohibitively expensive hardware markups and recurring licensing taxes. Legacy unified communications options like 3CX were becoming increasingly hostile to self-hosters, plagued by restrictive subscription models. We needed a platform that belonged entirely to us and our clients. Starting from the rock-solid, community-tested foundation of OpenWrt, we began engineering a system that consolidated these services without the enterprise bloat.

The DMSBG hardware is designed and manufactured in collaboration with Iridia Solutions Private Limited, our hardware engineering and manufacturing partner, ensuring tight integration between the software stack and the physical appliance across all generations.

For more details about the platform, visit difuse.io.

The Proving Ground: Iterations v1 and v2

Our first two generations served as the vital proving ground for this concept. Built on a Node.js and Express backend with EJS templates, these early iterations proved that a unified, web-managed OpenWrt environment was not only viable but highly effective in production — they shipped to customers and ran real traffic.

However, as deployment scales grew, so did our ambitions. Running Node.js on embedded hardware introduced memory overhead and performance bottlenecks on constrained edge devices. By the time we were designing v3, it was clear we needed a fundamental rethink.

The v3 Architecture: High-Performance Go & SvelteKit

For v3 we executed a ground-up rewrite around a strict API-first architecture. The backend was rewritten in Go: every core service (firewall manager, VPN orchestrator, PBX controller, telemetry pipeline) is a separate daemon communicating over a local IPC bus. Go gave us predictable performance on memory-constrained edge devices and static binaries that deploy cleanly across RISC-V, ARM and x86 from a single CI pipeline. The firewall manager is an nftables abstraction layer that applies each ruleset as a single transaction and rolls back to the previous state when an update fails. The VPN orchestrator handles WireGuard and IPsec lifecycles with automatic failover. The PBX controller wraps FreeSWITCH's event socket for call control and CDR streaming.

On the frontend, we deployed SvelteKit — a reactive SPA with REST-driven dashboards showing real-time connection graphs, bandwidth utilization, and live SIP call state. By moving away from heavy, client-side virtual DOM frameworks and instead compiling our UI into highly optimized vanilla JavaScript, the dashboard is now instantly responsive, feeling more like a native desktop application than a traditional router web GUI.

This architectural leap also future-proofed our hardware support. Because the stack compiles to static binaries with no interpreter runtime to port, v3 tracks current OpenWrt releases closely and extends to emerging architectures like RISC-V alongside traditional ARM and x86.

Next-Generation Security: The Lightweight DPI Engine

The most technically challenging piece was the deep packet inspection engine. Off-the-shelf libraries like nDPI are tuned for x86_64 server hardware; on a RISC-V processor with 512 MB of RAM they caused unacceptable latency spikes in our testing. So we built one from scratch.

The classifier uses a trie-based protocol signature tree: a multi-level prefix tree mapping the opening bytes of a flow to protocol identifiers. Classifying a packet walks at most k bytes down the tree, so the cost is O(k) in the bytes inspected and independent of how many signatures are loaded. Packets arrive through memory-mapped ring buffers, so the classifier reads raw byte slices in place rather than paying a per-packet copy; only packets that match a signature are copied out for further handling.

Client and address lists are held in nftables sets rather than expanded into one rule per client, so a set lookup costs about the same whether it holds ten entries or ten thousand and the forward chain stays a handful of rules regardless of client count. Combined with kernel-level packet classification, the gateway filters a large fleet of clients at close to the speed it filters a single one. Auto-updating signature feeds and dynamic GeoIP synchronization keep those sets current, giving granular traffic visibility and fast response to newly published threat indicators without manual rule churn.
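The two firewall-manager ideas above, atomic ruleset replacement with rollback and per-client decisions kept in a named set, can be shown in about seventy lines of Go. This is an added example written for this page, not Difuse's firewall daemon: the table name `dmsbg`, the set name `blocked_v4`, the interface `eth0`, the sample addresses and the `Ruleset`/`Apply` names are all assumptions. It uses only the stock `nft` command-line tool, and applies the "declare, delete, redefine" sequence that the nftables documentation gives for replacing a table in one transaction.

```go
package main

import (
	"bytes"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// Ruleset is the desired firewall state. Per-client decisions live in a
// named set, so the forward chain stays the same length however many
// clients are listed. (Illustrative type; not Difuse's own API.)
type Ruleset struct {
	Table     string
	WAN       string   // WAN interface name, e.g. "eth0"
	BlockedV4 []string // client IPv4 addresses or prefixes to cut off
}

// Render emits one nft script. The "declare, delete, redefine" sequence is
// the idiom nftables documents for replacing a table atomically: nft -f
// commits the whole file as a single transaction, so the old table is
// never gone while the new one is half-built.
func (r Ruleset) Render() string {
	var b strings.Builder
	fmt.Fprintf(&b, "table inet %s\n", r.Table)
	fmt.Fprintf(&b, "delete table inet %s\n", r.Table)
	fmt.Fprintf(&b, "table inet %s {\n", r.Table)
	b.WriteString("  set blocked_v4 {\n    type ipv4_addr\n    flags interval\n")
	if len(r.BlockedV4) > 0 { // nft rejects an empty elements list
		fmt.Fprintf(&b, "    elements = { %s }\n", strings.Join(r.BlockedV4, ", "))
	}
	b.WriteString("  }\n")
	b.WriteString("  chain forward {\n")
	b.WriteString("    type filter hook forward priority filter; policy accept;\n")
	b.WriteString("    ct state invalid drop\n")
	fmt.Fprintf(&b, "    oifname %q ip saddr @blocked_v4 drop\n", r.WAN)
	b.WriteString("  }\n}\n")
	return b.String()
}

// runNFT feeds script to nft on stdin ("-f -") after any extra flags.
func runNFT(script string, flags ...string) (string, error) {
	cmd := exec.Command("nft", append(flags, "-f", "-")...)
	cmd.Stdin = strings.NewReader(script)
	var out bytes.Buffer
	cmd.Stdout, cmd.Stderr = &out, &out
	err := cmd.Run()
	return out.String(), err
}

// Apply dry-runs the script with `nft -c` and then commits it. A commit
// that fails leaves the previous ruleset in place because nft -f is
// transactional; the snapshot covers the other failure mode, where the
// new rules commit but lock the administrator out. Unless confirm fires
// within window, the snapshot is reinstated (commit-confirm).
func Apply(script string, confirm <-chan struct{}, window time.Duration) error {
	snap, err := exec.Command("nft", "list", "ruleset").Output()
	if err != nil {
		return fmt.Errorf("snapshot current ruleset: %w", err)
	}
	if out, err := runNFT(script, "-c"); err != nil {
		return fmt.Errorf("dry run rejected ruleset: %s", strings.TrimSpace(out))
	}
	if out, err := runNFT(script); err != nil {
		return fmt.Errorf("commit failed, previous ruleset kept: %s", strings.TrimSpace(out))
	}
	select {
	case <-confirm:
		return nil
	case <-time.After(window):
		if out, err := runNFT("flush ruleset\n" + string(snap)); err != nil {
			return fmt.Errorf("unconfirmed and rollback failed: %s", strings.TrimSpace(out))
		}
		return fmt.Errorf("no confirmation within %s; previous ruleset restored", window)
	}
}

func main() {
	rs := Ruleset{Table: "dmsbg", WAN: "eth0", BlockedV4: []string{"10.0.0.23", "10.0.1.0/24"}}
	fmt.Print(rs.Render()) // print the script; Apply needs root and a host with nft
}
```

Blocking a new client means updating the set, not growing the chain; `nft add element inet dmsbg blocked_v4 { 10.0.0.99 }` would do it incrementally, while the full Render/Apply path is for complete ruleset replacement. `Apply` needs root and a real `nft` binary, so it is not exercised by the checks below; only the rendered script is.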

A lightweight flow tracker maintains state for TCP streams and UDP conversations but only classifies the first N bytes of each flow; once a verdict is reached, or N bytes pass without a match, the flow is marked and later packets are only counted. A lock-free ring buffer records per-flow byte and packet counts, consumed by the telemetry daemon for the dashboard. New protocol signatures from the Difuse DPI feed are delivered as compiled trie nodes and installed by swapping a pointer atomically, so the engine never stops: in-flight lookups finish on the old trie and subsequent packets see the new one.
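The three mechanisms just described, the prefix trie with O(k) lookup, the first-N-bytes flow tracker, and the atomic signature swap, fit together as follows. This is an added illustration written for this page, not the Difuse DPI engine: the `Signature`, `Trie`, `Engine` and `Observe` names, the 16-byte inspection limit and the signature bytes (a TLS record header, the HTTP `GET ` method, the `SSH-` banner) are assumptions, and the flow table is a plain map on the assumption of one engine per capture queue rather than the lock-free structure the text describes.

```go
package main

import "sync/atomic"

// Signature binds a protocol name to the byte prefix that opens its flows.
type Signature struct{ Proto string; Prefix []byte }

type node struct {
	next  map[byte]*node
	proto string // set on the node that completes a signature
}

// Trie is built once and never mutated, which is what lets the engine swap
// it with a single atomic pointer store and no locks on the read path.
type Trie struct{ root *node }

func Build(sigs []Signature) *Trie {
	root := &node{next: map[byte]*node{}}
	for _, s := range sigs {
		n := root
		for _, b := range s.Prefix {
			if n.next[b] == nil {
				n.next[b] = &node{next: map[byte]*node{}}
			}
			n = n.next[b]
		}
		n.proto = s.Proto
	}
	return &Trie{root: root}
}

// Classify walks at most maxDepth bytes: O(k) in bytes examined and
// independent of the signature count. The longest completed signature wins;
// dead reports a byte with no branch, meaning no signature can ever match.
func (t *Trie) Classify(data []byte, maxDepth int) (proto string, dead bool) {
	n := t.root
	for i := 0; i < len(data) && i < maxDepth; i++ {
		if n = n.next[data[i]]; n == nil {
			return proto, true
		}
		if n.proto != "" {
			proto = n.proto
		}
	}
	return proto, false
}

// FlowKey is the 5-tuple. Flow buffers head bytes only until a verdict is
// reached and carries the counters the telemetry side reads.
type FlowKey struct{ Src, Dst string; SPort, DPort uint16; IPProto uint8 }
type Flow struct{ Proto string; Done bool; Bytes, Pkts uint64; head []byte }

// Engine is assumed to be per capture queue, so flows needs no lock; the
// signature trie is shared through the atomic pointer.
type Engine struct {
	trie       atomic.Pointer[Trie]
	maxInspect int // N: payload bytes examined per flow before giving up
	flows      map[FlowKey]*Flow
}

func NewEngine(sigs []Signature, maxInspect int) *Engine {
	e := &Engine{maxInspect: maxInspect, flows: map[FlowKey]*Flow{}}
	e.trie.Store(Build(sigs))
	return e
}

// Swap installs a freshly built trie without pausing the packet path:
// in-flight lookups finish on the old trie, later packets see the new one.
func (e *Engine) Swap(sigs []Signature) { e.trie.Store(Build(sigs)) }

// Observe accounts one packet and returns the flow's verdict: "" while still
// undecided, "unknown" once N bytes (or a dead walk) pass without a match.
func (e *Engine) Observe(k FlowKey, payload []byte) string {
	f := e.flows[k]
	if f == nil {
		f = &Flow{}
		e.flows[k] = f
	}
	f.Bytes += uint64(len(payload))
	f.Pkts++
	if f.Done {
		return f.Proto // classified: count only, no further inspection
	}
	if room := e.maxInspect - len(f.head); len(payload) > room {
		payload = payload[:room]
	}
	f.head = append(f.head, payload...)
	p, dead := e.trie.Load().Classify(f.head, e.maxInspect)
	if p != "" {
		f.Proto, f.Done, f.head = p, true, nil
	} else if dead || len(f.head) >= e.maxInspect {
		f.Proto, f.Done, f.head = "unknown", true, nil
	}
	return f.Proto
}
```

Two details matter for a real deployment. A verdict is final per flow, so a signature added by `Swap` applies to flows that start after the swap, not to ones already marked `unknown`; and the old trie is not freed by the swap itself but by the garbage collector once the last in-flight `Classify` returns, which is what makes the pointer store safe without a grace period. In C the same design would need RCU or a similar deferred-free scheme.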

We validated across all hardware tiers. On the DMSBG-50 (4 RISC-V RV22 cores, 512 MB of RAM), it sustained 200 Mbps line-rate classification with 120+ protocol signatures at under 5% CPU. On the DMSBG-100 (4 ARM Cortex-A72 cores, 2 GB of RAM), it scaled to 2 Gbps without drops.

Unified Communications: The FreeSWITCH Integration

Communication is just as vital as data routing. To completely eliminate third-party subscriptions, v3 features deep, native integration with FreeSWITCH. By weaving this battle-tested PBX engine directly into our management layer, the DMSBG transforms into a fully unified communications hub, reliably handling enterprise voice, SIP trunking, and internal extensions alongside standard network data — giving businesses complete autonomy over their telecommunications.

Hardware Synergy and Wi-Fi Abstraction

Enterprise networking rarely relies on a single hardware vendor. We invested heavily in a robust hardware abstraction layer that sits on OpenWrt's wireless stack (hostapd in userspace and the mac80211 kernel subsystem beneath it). This lets the DMSBG manage radios, channel widths and wireless security standards consistently, wringing maximum performance out of whatever silicon is deployed.

Beyond Bare Metal: The DMSBG-X Virtual Appliance

Recognizing that modern enterprise deployments are increasingly moving away from bare-metal appliances, we introduced the DMSBG-X variant — a software-only edition that completely decouples our proprietary management stack and OpenWrt base from physical hardware constraints. Administrators can deploy the complete DMSBG ecosystem as a highly optimized virtual machine, whether on Proxmox, VMware, or a FreeBSD host running bhyve, allowing high-performance routing, DPI, and PBX solutions to scale elastically within any existing virtualized data center.