The Edge Router sits between your AI agents and the network. It enforces DNS policies at the
kernel level, inspects TLS traffic for SNI-based blocking, manages native IPAM and DHCP,
and runs Andrew, your embedded AI network administrator.
Kernel-level enforcement · Native IPAM · Fail-closed design · Andrew AI
merideon.ai/edge-router · Dashboard
How Enforcement Works
Two Layers. No Gaps.
DNS policy enforcement catches most violations. Packet-level TLS inspection catches the rest. Together they form an enforcement stack no agent can route around.
Layer 1
DNS Enforcement
BIND9 RPZ + nftables port 53 intercept
# kernel redirects ALL port 53 traffic
nftables → BIND9 RPZ   # agents cannot use external DNS
allowed → pass through
blocked → NXDOMAIN
Intercepts all DNS regardless of the configured resolver: agents cannot specify an external DNS server
Every query logged and surfaced as an AI-Router Event in the Security Office
Layer 2
TLS Packet Inspection
nfqueue SNI extraction from ClientHello
# intercepts new TCP connections
nfqueue → inspect TLS ClientHello   # extract SNI hostname
policy match → pass through
no match → packet dropped
Blocks agents that bypass DNS enforcement by connecting via hardcoded IP addresses
Hostname extracted directly from the TLS ClientHello: no MITM, no decryption, no certificate required
Bypass attempts logged and reported to Security Office as high-severity events
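As an added example (not Merideon's code), here is the Layer 2 check in Python: it parses the SNI out of a raw TLS ClientHello without decrypting anything and returns a pass/drop verdict against a constructed allowlist, dropping the fail-closed edge cases (no SNI, truncated or non-handshake record) as well. The nfqueue plumbing that would hand each packet to `verdict()` is assumed and not shown.

```python
import struct
from typing import Optional

ALLOWLIST = {"api.example.com"}  # constructed allowlist, stands in for the policy pushed from the SO

def extract_sni(record: bytes) -> Optional[str]:
    """Return server_name from a raw TLS ClientHello record, or None if absent/malformed."""
    # TLS record header: type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # Handshake header: type(1) length(3); 0x01 = ClientHello
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                    # skip client_version + random
    try:
        p += 1 + hs[p]                                # legacy_session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # cipher_suites
        p += 1 + hs[p]                                # compression_methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= min(ext_end, len(hs)):
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            body = hs[p + 4:p + 4 + ext_len]
            p += 4 + ext_len
            if ext_type == 0 and len(body) >= 5 and body[2] == 0:  # server_name ext, host_name entry
                name_len = struct.unpack("!H", body[3:5])[0]
                return body[5:5 + name_len].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                   # truncated or garbled: treat as no SNI
    return None

def verdict(record: bytes, allowlist=ALLOWLIST) -> str:
    """Fail-closed: accept only on a policy match; no SNI or an unknown host is dropped."""
    sni = extract_sni(record)
    return "accept" if sni and sni.lower().rstrip(".") in allowlist else "drop"

def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed minimal ClientHello (not a capture) for exercising the parser."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        sn_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts = struct.pack("!HH", 0, len(sn_list)) + sn_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"        # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```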
Fail-Closed by Design
If the enforcement engine crashes or is restarted, the Linux kernel continues to block new agent connections until enforcement fully restores from the persistent database automatically. There is no window of opportunity. Established connections continue; new unauthorized connections cannot be established.
What It Does
Complete Network Edge. One Appliance.
Enforcement, native IPAM, DHCP, DNS, load balancing, and Andrew AI, all in a single deployable appliance.
Agent Policy Enforcement
Receives DNS and traffic policies pushed from the Security Office and enforces them at the kernel level via BIND9 RPZ and nfqueue. Andrew confirms each sync; no manual configuration.
Native IPAM
Live IP grid across all subnets, color-coded by status at a glance. Automated ping sweeps, Docker reconciliation, and DNS record management. Every device tracked automatically.
DHCP (Kea)
Kea DHCP server management per LAN scope. Configure pools, set lease times, create MAC reservations for static-style assignment. DHCP lease events surface in AI-Router Events on the SO.
Multi-WAN Failover
Active/standby WAN management with automatic failover. Live throughput monitoring per interface. Andrew detects WAN failure and initiates failover autonomously, with a full audit trail.
nftables Firewall
Full stateful firewall management via a structured UI. Add, enable, disable, and delete rules without touching the command line. Rules apply instantly via nftables reload.
HAProxy Load Balancer
Full VIP, pool, and member management. Live HAProxy health stats per member. Enable/disable for maintenance without deletion. Config applies in real time.
DHCP Grace Period
New devices that appear on the network get a 24-hour registration window. After the grace period, unregistered devices are blocked at the kernel level until assigned a policy.
Andrew Chat
Natural language interface to the entire router. Status, diagnostics, and configuration β Andrew interprets, shows you exactly what will change, and executes only on your explicit approval.
IP Grid: 192.168.10.0/24 (Live)
Native IPAM
Your Network. Fully Mapped. Always Current.
IPAM is built into the Edge Router, not a separate appliance. Every IP address, hostname, and
service is tracked in real time. Automated ping sweeps, Docker reconciliation, and DNS management
keep the record accurate without manual intervention.
Visual IP grid
Every address in every subnet, color-coded by status. Click any cell to see host details, services, and DNS records.
Docker reconciliation
Reads the Docker socket and automatically keeps container records current. No manual updates when containers start or stop.
Service directory
Every web-accessible service catalogued, searchable, and click-to-open. Categories, ports, and health status at a glance.
DNS record management
A, CNAME, and PTR records managed directly in the Edge Router's BIND9 instance, tied to enforcement.
Andrew AI
Autonomous Intelligence. Human Authority.
Andrew is the Edge Router's embedded AI network administrator. He monitors WAN health,
enforces agent policies, manages HAProxy, and responds to natural language commands,
but never executes a write operation without your explicit approval. Non-negotiable.
Read operations: autonomous
Status queries, DNS event lookups, traffic analysis, topology visualization. Instant, no approval needed.
Write operations: approval card required
Firewall rules, DHCP changes, DNS records, LB updates. Andrew shows exactly what will change; you approve or cancel.
Every action logged
Every conversation, every approval, every configuration change: an immutable audit log with actor, timestamp, and outcome. Surfaced in the Security Office.
Policy Modes
From Observe to Enforce, At Your Pace.
Merideon's progressive policy modes let you build confidence before enforcement. Start in observe, learn the baseline, review suggestions, then enforce.
Observe
All DNS queries logged. Nothing blocked. Watch what your agents do normally.
Weeks 1–2
Learning
Baseline builds automatically. Edge Router categorizes domains and builds a suggested allowlist.
Week 3
Review
Inspect the suggested allowlist in the SO. Approve high-confidence domains. Investigate flagged ones.