Edge Router

The Enforcement Layer No Agent Can Bypass.

The Edge Router sits between your AI agents and the network. It enforces DNS policies at the kernel level, inspects TLS traffic for SNI-based blocking, manages native IPAM and DHCP, and runs Andrew, your embedded AI network administrator.

Kernel-level enforcement · Native IPAM · Fail-closed design · Andrew AI

Dashboard mock-up (merideon.ai/edge-router): navigation for Overview, Andrew Chat, Agent Policies, DNS Events, Traffic Blocks, IP Grid, DHCP, DNS Records, Topology, Load Balancer, Firewall and Settings; status tiles reading ENFORCEMENT: ACTIVE (fail-closed ready), AGENT POLICIES: 12 (9 enforcing), DNS BLOCKS TODAY: 47 (3 agents involved), IP RECORDS: 213 (live across 4 subnets).

Recent DNS Enforcement Events (live)
TIME      AGENT         DOMAIN          ACTION
19:44:02  AnalyticsBot  data-exfil.io   BLOCKED
19:43:58  DataSync      api.openai.com  ALLOW
19:43:41  AnalyticsBot  pastebin.com    BLOCKED
19:42:19  MonitorAgent  anthropic.com   ALLOW
19:41:55  AnalyticsBot  52.84.10.100    SNI BLOCK (TLS ClientHello bypass attempt; SNI extracted: data-exfil.io; dropped at packet layer)
19:40:02  DataSync      github.com      ALLOW
47 DNS blocks today · 3 SNI bypass attempts blocked · 0 enforcement gaps
How Enforcement Works

Two Layers. No Gaps.

DNS policy enforcement catches most violations. Packet-level TLS inspection catches the rest. Together they form an enforcement stack no agent can route around.

Layer 1: DNS Enforcement
BIND9 RPZ + nftables port 53 intercept

# kernel redirects ALL port 53 traffic
nftables → BIND9 RPZ
# agents cannot use external DNS
allowed → pass through
blocked → NXDOMAIN

Intercepts all DNS regardless of configured resolver; agents cannot specify an external DNS server.
Policy modes: Observe (log only), Learning (build baseline), Enforce (block violations).
Every query logged and surfaced as an AI-Router Event in the Security Office.
Layer 2: TLS Packet Inspection
nfqueue SNI extraction from ClientHello

# intercepts new TCP connections
nfqueue → inspect TLS ClientHello
# extract SNI hostname
policy match → pass through
no match → packet dropped

Blocks agents that bypass DNS enforcement by connecting via hardcoded IP addresses.
Hostname extracted directly from the TLS ClientHello: no MITM, no decryption, no certificate required.
Bypass attempts logged and reported to the Security Office as high-severity events.
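Layer 2 as described above, as an added example that is not Merideon's code: a pure-Python SNI extractor that walks a constructed TLS ClientHello without decrypting anything, followed by the pass/drop verdict against a per-agent allowlist (hostnames taken from the page's sample events). The nfqueue plumbing is out of scope; the parser works on the TCP payload bytes, and anything it cannot match, including a hello with no SNI, is dropped.

```python
import struct

TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x0000


def build_client_hello(hostname):
    """Constructed minimal TLS 1.2 ClientHello record; carries an SNI extension if hostname is given."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        sni_list = struct.pack("!BH", 0, len(name)) + name          # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                                  # client_version, random (zeros)
            + b"\x00"                                                # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                     # one cipher suite
            + b"\x01\x00"                                            # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload):
    """Return the SNI hostname from a ClientHello, or None if absent or malformed."""
    try:
        if payload[0] != TLS_HANDSHAKE or payload[5] != CLIENT_HELLO:
            return None
        pos = 5 + 4 + 2 + 32                                         # record hdr, hs hdr, version, random
        pos += 1 + payload[pos]                                      # session_id
        pos += 2 + struct.unpack_from("!H", payload, pos)[0]         # cipher_suites
        pos += 1 + payload[pos]                                      # compression_methods
        ext_end = pos + 2 + struct.unpack_from("!H", payload, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                p, list_end = pos + 2, pos + 2 + struct.unpack_from("!H", payload, pos)[0]
                while p + 3 <= list_end:
                    name_type, name_len = struct.unpack_from("!BH", payload, p)
                    p += 3
                    if name_type == 0:
                        return payload[p:p + name_len].decode("ascii")
                    p += name_len
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def decide(payload, allowlist):
    """Layer 2 verdict: PASS only on an allowlisted SNI; no SNI, non-TLS or unknown host is DROP."""
    return "PASS" if (host := extract_sni(payload)) and host.lower() in allowlist else "DROP"
```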
Fail-Closed by Design

If the enforcement engine crashes or is restarted, the Linux kernel continues to block new agent connections until enforcement is fully restored, automatically, from the persistent database. There is no window of opportunity. Established connections continue; new unauthorized connections cannot be established.

What It Does

Complete Network Edge in One Appliance

Enforcement, native IPAM, DHCP, DNS, load balancing, and Andrew AI, all in a single deployable appliance.

Agent Policy Enforcement

Receives DNS and traffic policies pushed from the Security Office and enforces them at the kernel level via BIND9 RPZ and nfqueue. Andrew confirms each sync; no manual configuration.

Native IPAM

Live IP grid across all subnets, color-coded by status at a glance. Automated ping sweeps, Docker reconciliation, and DNS record management. Every device tracked automatically.

DHCP (Kea)

Kea DHCP server management per LAN scope. Configure pools, set lease times, create MAC reservations for static-style assignment. DHCP lease events surface in AI-Router Events on the SO.

Multi-WAN Failover

Active/standby WAN management with automatic failover. Live throughput monitoring per interface. Andrew detects WAN failure and initiates failover autonomously, with a full audit trail.

nftables Firewall

Full stateful firewall management via a structured UI. Add, enable, disable, and delete rules without touching the command line. Rules apply instantly via nftables reload.

HAProxy Load Balancer

Full VIP, pool, and member management. Live HAProxy health stats per member. Enable/disable for maintenance without deletion. Config applies in real time.

DHCP Grace Period

New devices that appear on the network get a 24-hour registration window. After the grace period, unregistered devices are blocked at the kernel level until assigned a policy.

Andrew Chat

Natural language interface to the entire router. Status, diagnostics, and configuration: Andrew interprets, shows you exactly what will change, and executes only on your explicit approval.

IP Grid mock-up, 192.168.10.0/24 (live): address cells .1 through .10 color-coded as In Use, Free, Available or Dead. Host categories: AI Agents 7, Containers 9, Services 5, Infrastructure 8. Docker reconciled: 9 containers synced.
Native IPAM

Your Network. Fully Mapped. Always Current.

IPAM is built into the Edge Router, not a separate appliance. Every IP address, hostname, and service is tracked in real time. Automated ping sweeps, Docker reconciliation, and DNS management keep the record accurate without manual intervention.

Visual IP grid Every address in every subnet, color-coded by status. Click any cell to see host details, services, and DNS records.
Docker reconciliation Reads the Docker socket and automatically keeps container records current. No manual updates when containers start or stop.
Service directory Every web-accessible service catalogued, searchable, and click-to-open. Categories, ports, and health status at a glance.
DNS record management A, CNAME, and PTR records managed directly in the Edge Router's BIND9 instance, tied to enforcement.
Andrew AI

Autonomous Intelligence. Human Authority.

Andrew is the Edge Router's embedded AI network administrator. He monitors WAN health, enforces agent policies, manages HAProxy, and responds to natural language commands, but never executes a write operation without your explicit approval. Non-negotiable.

Read operations (autonomous): status queries, DNS event lookups, traffic analysis, topology visualization. Instant, no approval needed.
Write operations (approval card required): firewall rules, DHCP changes, DNS records, LB updates. Andrew shows exactly what will change; you approve or cancel.
Every action logged: every conversation, every approval, every configuration change, in an immutable audit log with actor, timestamp, and outcome. Surfaced in the Security Office.

Sample Andrew chat (Andrew, Edge Router AI, online):
You: Show me AnalyticsBot's DNS activity today
Andrew: AnalyticsBot: 94 DNS queries today. 47 ALLOWED, 47 BLOCKED. Top blocked: data-exfil.io (23×), pastebin.com (18×). Warning: 2 SNI bypass attempts blocked at packet layer.
You: Quarantine AnalyticsBot, it's compromised
Andrew: Quarantine Agent: Approval Required. This will immediately: revoke badge MRD-0003 (AnalyticsBot); remove agent policy from nftables (all traffic blocked); notify Security Office and create a CRITICAL alert. [Quarantine] [Cancel]
Andrew: AnalyticsBot quarantined. Badge revoked. Policy removed. SO notified. CRITICAL alert created. Audit log updated.
Policy Modes

From Observe to Enforce, At Your Pace.

Merideon's progressive policy modes let you build confidence before enforcement. Start in observe, learn the baseline, review suggestions, then enforce.

Observe (Week 1–2)
All DNS queries logged. Nothing blocked. Watch what your agents do normally.

Learning (Week 3)
Baseline builds automatically. Edge Router categorizes domains and builds a suggested allowlist.

Review (Week 4)
Inspect the suggested allowlist in the SO. Approve high-confidence domains. Investigate flagged ones.

Enforce (Live)
Policy active. Violations return NXDOMAIN. SNI bypasses dropped. Agent is fully governed.

Deploy the enforcement layer your agents can't bypass.

Edge Router is included in all Merideon plans. Deploy both appliances in under an hour.