RedCyfer Systems
Network security, firewall design, and infrastructure consulting for businesses that have outgrown a consumer router but don't have — or want — an in-house network team. The routers, the rules, and the reasoning behind them.
> What this covers
Firewalls & network security
Purpose-built firewall rule chains — input, forward, and output — with connection tracking, sane NAT, and mangle rules where they earn their keep. Not a box of defaults; a policy you can read and I can explain.
VLAN & segmentation design
Separate networks for work traffic, guest, IoT, and management, so a compromised smart plug can't see your accounting machine. Segmentation planned around how your business actually operates.
Site-to-site & remote-access VPN
WireGuard, IPsec, OpenVPN, or SSTP to link offices, reach cloud resources, or get staff in securely — routed properly, not bolted on.
Routing for multi-site growth
BGP and OSPF when you outgrow static routes — multiple locations, cloud VPCs, and failover paths that hold together as you add sites.
Hybrid cloud & on-prem
Connecting AWS to the gear in your closet — the kind of hybrid environment I run day in, day out. VPN concentration, routing, and the security boundary between them.
Automation & monitoring
RouterOS scripting for automated responses, plus SNMP/API integration so the network can feed dashboards and trigger actions instead of sitting dark.
> Self-hosted observability
SaaS monitoring — Datadog and the rest — works, until you're paying a growing monthly bill to ship all your operational telemetry to someone else's cloud. I build private, self-hosted observability platforms that keep your metrics, logs, and traces on infrastructure you own:
- Metrics: live health of every server and service — CPU, memory, disk, network — on one screen
- Logs: centralized, searchable, fleet-wide logging
- Tracing: end-to-end request tracing with OpenTelemetry to find slow paths and errors
- Alerting: threshold and recovery alerts to Slack and email, 24/7
- Backup assurance: every backup run tracked and confirmed — not assumed
- Private by design: runs inside your network, VPN-gated, with least-privilege read-only integrations
Built on proven open components — time-series and columnar databases (TimescaleDB, ClickHouse), OpenTelemetry, and a dependency-light self-hosted dashboard. Your data stays home; the bill stops growing.
> Resilient storage & backup
Storage always grows faster than planned, and backups quietly rot until the day you need one. I build storage that scales without forklift upgrades and backups that actually restore:
- Distributed storage: self-healing Ceph clusters — no single point of failure, scale by adding nodes, S3-compatible
- Verified backups: automated and restore-tested — a backup you haven't restored isn't a backup
- Ransomware-resistant: immutable, write-once backups (Object Lock) that survive stolen admin keys
- Cheap archives: S3 lifecycle tiering to Glacier Deep Archive — keep everything for pennies per terabyte
3-2-1 done properly, on infrastructure you own.
> Why MikroTik first
MikroTik / RouterOS is my default recommendation for SMB firewall and routing: the price-to-capability ratio is hard to beat, and you get full CLI and scripting control instead of a locked-down appliance. It runs the same rule chains, VPNs, and routing protocols the big vendors charge a premium for.
That said — vendor choice follows your needs, not my preference. I also work with pfSense/OPNsense, Ubiquiti, Fortinet, Palo Alto, Cisco, and WatchGuard, and if you've already standardized on one of those, I'll work within it and tell you honestly where it helps or hurts. The goal is a network that's secure, documented, and something you can actually reason about — regardless of the badge on the box.