Every feature, one binary
The complete Cenvero Stratum capability set — from high-performance networking and the zero-trust firewall to NAT, failover IPs, BGP and gateway HA.

High-Performance Networking
- Line-rate packet processing: Traffic is filtered and forwarded the instant it hits the wire, with no performance penalty.
- Source-IP blocklist: Block traffic from specific addresses right at the network edge, each with an optional expiry.
- MAC & VLAN lockdown: Lock every port to approved hardware addresses and VLANs.
- Zero-downtime reloads: Change networking rules without dropping a single connection.

IP Address Management
- Address pools: IPv4 and IPv6 pools with automatic dual-stack assignment and release.
- Conflict detection: Overlapping or already-used addresses are rejected before they cause problems.
- Per-tenant address space: Separate address ranges for each tenant.
- Full visibility: See every lease and allocation at a glance.

DHCP & DNS
- DHCP server: Hand out addresses per network with automatic renew and expiry, plus flood protection.
- Authoritative DNS: Run your own zones and records — A, AAAA, CNAME and more.
- Split answers: Give internal and external clients different DNS answers.
- Filtering & caching: Sinkhole unwanted domains, sign responses, cache, and forward upstream.

Routing & NAT
- Static & policy routing: Programmable routing tables with policy-based rules.
- Outbound NAT: Lets tenant traffic reach the internet from shared addresses.
- Inbound port forwarding: Expose internal services to the outside with port forwards.
- Live rule management: Add, list and remove rules while everything keeps running.

Failover & Floating IPs
- Portable IPs: Assign movable IPs to any host in the cluster.
- Automatic failover: A floating IP moves to a healthy host the moment one fails.
- Instant takeover: Traffic reroutes to the new host within milliseconds.
- Cluster-wide ownership: Which host owns each IP is replicated across the whole cluster.

BGP Edge Routing
- Advertise your networks: Peer with upstream routers and announce your VM networks.
- Smart path selection: The best route to each destination is chosen automatically.
- Route filtering: Control exactly which routes you import and export.
- Resilient peering: Lossless restarts and sub-second detection of neighbour failures.

Gateway High Availability
- Redundant gateways: A standby gateway takes over automatically if the active one fails.
- Fast failure detection: A dedicated heartbeat spots failures in under a second.
- Failover & failback: Automatic failover, with operator-controlled failback when you choose.
- One owner per IP: Exactly one gateway owns each virtual IP at any moment.

Zero-Trust Firewall
- Layered policy: Rules from network-wide down to a single VM, evaluated by priority.
- Default-deny: Nothing passes unless you allow it, with stateful connection tracking throughout.
- Rich matching: Match on address, network, port, protocol, hardware address or domain.
- Scheduled rules: Turn rules on and off by day and time.
- Domain-based rules: Allow or block by domain name, kept in sync automatically.
- Conflict detection: Overlapping or contradictory rules are caught before they apply.
- Presets & batch apply: Web, database, mail and game-server presets applied all at once.
- Hardware binding: Bind ports to specific devices, hard or soft.

Load Balancing
- Virtual IPs: High-speed load balancing spread across your backends.
- Balancing algorithms: Round-robin, least-connections, weighted and source-hash.
- Stable backend selection: Consistent hashing keeps each client on the same backend.
- Health checks: Unhealthy backends are removed automatically, with fast return paths.

Bandwidth & Usage
- Bandwidth limits: Per-VM upload and download limits, shared pools and burst allowances.
- Monthly quotas: Usage caps that reset automatically each month.
- Usage-based billing: Byte and packet accounting with 95th-percentile calculation.
- Flow records & export: Per-connection stats with CSV and JSON export.

Clustering & Virtual Networks
- Virtual networks: Isolated networks that span every host in the cluster.
- Resilient cluster state: Leader election and replicated state keep the cluster consistent.
- Everything replicated: Addresses, blocklists, peers, floating IPs and tenants stay in sync cluster-wide.
- Compute & gateway nodes: Run a node as a VM host or as a traffic gateway.

Multi-Tenancy & Isolation
- Tenant management: Create tenants with their own quotas and usage tracking.
- Scoped API keys: Generate, validate, expire and revoke keys per tenant.
- Private networks: Isolated networks with controlled membership.
- Container networking: Networking for containers, not just VMs.

Interfaces & Hardware
- Network-card management: Physical network cards are detected and given stable names.
- Link bonding: Combine multiple links for redundancy or more throughput.
- Consistent packet sizes: Matching packet sizes across bonded links and virtual networks.
- Tamper protection: Interfaces are protected from changes made outside the platform.

Observability
- Metrics & dashboards: Prometheus-compatible metrics for your dashboards and alerting.
- Alerting: Threshold alerts with actions, cooldown and history.
- Live events: A real-time event stream across the whole system.
- Audit log: A structured record of every management action.

Platform & Lifecycle
- Plugins: Signed plugins extend the platform with hooks, APIs and a built-in store.
- Backup & restore: Full and config backups with schedules and retention.
- Self-update: Immediate, canary or rolling updates with verification and rollback.
- Self-healing: Automatic checks and repair for disk, memory, database and networking.
- Always-on supervision: An independent watchdog restarts the platform if it ever stalls.

Security & Licensing
- Signed end-to-end: Configs, licenses, plugins and binaries are all cryptographically signed.
- Brute-force protection: Repeated failed logins are locked out.
- Request validation: Body-size and content-type limits on every API.
- Hardware-bound licensing: Licenses tied to the machine, with revocation and anti-tampering.

APIs, CLI & Migration
- Full API access: REST, gRPC, WebSocket and a local control socket.
- Command-line control: Manage every feature from one command-line tool.
- Live migration: Move workloads with their IP and MAC address intact.
- Easy onboarding: Import existing workloads from Proxmox, KVM and XCP-ng.
Ready to deploy?
Every feature is included with each license.