Forest Router

ChicagoForest-Compliant Router. Mesh-ready, secure by default.

What is this?

Forest Router turns any hardware into a ChicagoForest-compliant mesh network node. Pre-configured firewall zones (WAN, LAN, FOREST), WireGuard tunneling, B.A.T.M.A.N. mesh routing, and the Mycelium protocol for peer discovery — all ready to go.

MagicDNS gives every node a hostname.forest name. Tailscale/Headscale provides zero-config WireGuard mesh across the internet. Be your own ISP.

Two options: OpenWrt (ARM + x86, lightweight) or OPNsense (x86 only, full-featured). Same Forest rules, different engines.

Choose Your Platform

OPNsense

x86 only — 8GB+ disk

Full-featured firewall OS. Best for dedicated router hardware with multiple NICs. Managed via OPNSenseMCP for IaC.

  • Enterprise firewall engine
  • WireGuard + OpenVPN
  • IDS/IPS (Suricata)
  • HAProxy load balancing
  • AI-managed via MCP
Feature               OpenWrt     OPNsense
ARM support           Yes         No
x86 support           Yes         Yes
Min RAM               128MB       2GB
Min storage           32MB        8GB
Mycelium protocol     Embedded    Planned
MagicDNS              *.forest    Planned
Tailscale/Headscale   Built-in    Plugin
B.A.T.M.A.N.          Native      Plugin
WireGuard             Yes         Yes
IDS/IPS               Basic       Suricata
MCP managed           Planned     OPNSenseMCP

Downloads

Pre-built images with ChicagoForest configuration. Flash and boot.

  • OpenWrt x86-64 (EFI), ~17MB — Mini PCs, old desktops, VMs
  • OpenWrt x86-64 (BIOS), ~17MB — Older hardware without UEFI
  • BananaPi BPI-R3 (ARM), 5 GbE + 2x SFP + WiFi 6 — purpose-built router board
  • OPNsense ISO (external) — Download from opnsense.org, then import our config

After installing OPNsense, import forest-config.xml via System → Configuration → Restore.

Quick Start

    # OpenWrt: Flash to USB/SD
    # /dev/sdX is a placeholder: confirm the target device first, dd overwrites it
    gunzip forest-openwrt-x86-64.img.gz
    dd if=forest-openwrt-x86-64.img of=/dev/sdX bs=4M status=progress

    # Boot, connect to LAN port, browse to http://192.168.42.1
    # Forest mesh interface auto-discovers peers

    # Or configure via SSH:
    ssh root@192.168.42.1
    cat /etc/forest/version

Supported Hardware

Any x86 PC

Old desktops, mini PCs, VMs

BananaPi BPI-R3

ARM, 5 GbE + 2 SFP + WiFi 6

BananaPi BPI-R4

ARM, 4 GbE + 2x 10G SFP

GL.iNet Flint 2

ARM, WiFi 6, 2 GbE

Protectli Vault

x86, 4-6 port Intel GbE

VirtualBox/QEMU

Test in a VM first

Mycelium Protocol + MagicDNS

Every Forest Router runs the Mycelium protocol — a gossip-based peer discovery and topology management system inspired by fungal networks. Nodes automatically find each other, share routing information, and self-heal when links fail.

MagicDNS (inspired by Tailscale) gives every node a human-readable name on the mesh:

    # Every node gets automatic DNS names
    kitchen-router.forest     → 192.168.42.1
    garage-node.forest        → 10.42.0.5
    CFN-a7f2b8d4.id.forest    → 100.64.1.3

    # Service discovery
    grafana.forest            → SRV 0 0 3000 kitchen-router.forest

    # Powered by dnsmasq + gossip propagation
    # Works across WireGuard tunnels and Tailscale

Headscale (self-hosted Tailscale) provides the WireGuard mesh backbone. Drop a config file on the router and it auto-joins your control plane:

    # /etc/forest/config.json
    {
      "headscaleUrl": "https://headscale.yourdomain.com",
      "headscaleAuthKey": "your-pre-auth-key",
      "domain": "forest"
    }

No Headscale? No problem. The Mycelium gossip protocol works over any IP transport — LAN, WireGuard, or plain internet. Headscale just makes it zero-config.
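A pre-flight check for the config file shown above, added here as an example and not part of the Forest Router project: it flags a file whose permissions expose the pre-auth key, a non-HTTPS control-plane URL, and sample values left in place. The function names, the 0600 expectation and the wording of the findings are assumptions; the keys and placeholder values are the ones in the sample config.

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlparse

# Placeholder values copied from the sample config on this page.
SAMPLE_HOST = "headscale.yourdomain.com"
SAMPLE_KEY = "your-pre-auth-key"
SAMPLE = ('{"headscaleUrl": "https://headscale.yourdomain.com", '
          '"headscaleAuthKey": "your-pre-auth-key", "domain": "forest"}')


def audit_forest_config(path):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit exposes the pre-auth key
        findings.append(f"file mode {mode:04o} is too open, use 0600")
    try:
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
        if not isinstance(cfg, dict):
            raise ValueError("top level must be a JSON object")
        url = urlparse(str(cfg.get("headscaleUrl", "")))
    except ValueError as exc:  # bad JSON, bad encoding or malformed URL
        return findings + [f"unparseable config: {exc}"]
    if url.scheme != "https" or not url.hostname:
        findings.append("headscaleUrl must be an https:// URL")
    elif url.hostname == SAMPLE_HOST:
        findings.append("headscaleUrl is still the sample hostname")
    key = cfg.get("headscaleAuthKey")
    if not isinstance(key, str) or not key.strip() or key == SAMPLE_KEY:
        findings.append("headscaleAuthKey is missing or still the sample value")
    if not isinstance(cfg.get("domain"), str) or not cfg["domain"].strip():
        findings.append("domain is missing or empty")
    return findings


def write_config(text, mode):
    # Helper for the demo: write a constructed config with a given mode.
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for finding in audit_forest_config(write_config(SAMPLE, 0o644)):
        print("FINDING:", finding)
```

Run it against the file on a workstation before copying it to the router, and again on the router if Python is available there.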

Network Zones

     Internet          Chicago Forest Mesh
         |                      |
    ┌────┴────┐           ┌─────┴─────┐
    │   WAN   │           │  FOREST   │
    │ (eth0)  │           │  (eth1)   │
    └────┬────┘           └─────┬─────┘
         │    ┌──────────┐      │
         └────┤  Router  ├──────┘
              │ nftables │
              └────┬─────┘
                   │
             ┌─────┴─────┐
             │    LAN    │
             │ (br-lan)  │
             │ 192.168.42.x
             └───────────┘

WAN is optional. Without internet, the router operates as a pure Forest mesh node. LAN devices get internet via WAN and Forest mesh access simultaneously.

Specs

  • ChicagoForest Compliant
  • Mycelium Protocol
  • MagicDNS
  • ARM + x86
  • Tailscale/Headscale
  • WireGuard
  • B.A.T.M.A.N.
  • Open Source