Every device gets its own isolated network. Automatically.

SPR places each WiFi device into its own VLAN with a unique password and a default-deny firewall policy. Devices are isolated from each other by default. You define connectivity through simple policies — not IP addresses and VLAN tags. Everything you don't explicitly permit is blocked.

Order Router — $399 View on GitHub Download on the App Store
Open Source — 500+ Stargazers · Zero Cloud Dependencies (Self-Hosted) · Zero Trust Networking
SPR Dashboard — device management, firewall rules, and traffic monitoring

What's in the box

  • SPR WiFi 7 PoE+ Router (CM5-based)
  • SPR pre-installed and configured
  • SPR PLUS license included
  • PoE+ powered — single ethernet cable to your PoE switch or injector
What you'll need: An internet connection, an ethernet cable to your modem or upstream network, and a PoE+ switch or PoE injector if your switch doesn't support PoE.

What you're probably wondering

"Is this just another OpenWRT fork?"

No. SPR is built from scratch on Docker containers with nftables, CoreDNS, CoreDHCP, and hostapd. Every device gets its own VLAN and /30 subnet with a unique passphrase.

"Will it work with my devices?"

Yes. SPR supports WPA2 and WPA3 simultaneously. IoT devices that only support WPA2 work fine alongside WPA3 devices.  iCloud Keychain WiFi password sharing is supported.

"Can I try it before buying?"

Yes. SPR is free and open source. Run it on a Raspberry Pi you already own, or deploy it as a VPN-only instance in Docker on any Linux box. There's a live UI demo you can try right now.

For Home & Home Lab

Network sovereignty, out of the box.

Stop your IoT devices from phoning home to servers you don't control. SPR keeps every device isolated and gives you full visibility into what's happening on your network.

  • Block ads and trackers network-wide — no per-device apps needed
  • Built-in WireGuard VPN — access your network from anywhere
  • Docker plugin ecosystem — Tailscale, Wireshark, MITMProxy, and more
  • Zero telemetry, zero cloud accounts — your data stays on your hardware
Get Started — Free
For Teams & Enterprise

High-assurance zero trust networking

SPR enforces per-device microsegmentation with policy-driven connectivity across multi-AP deployments. Programmable API for fleet management and integration with your existing security stack.

  • Per-device policy enforcement — firewall rules, DNS filters, and group permissions per device
  • Mesh networking with wired backhaul for multi-AP sites
  • REST API for fleet management, monitoring, and integration with existing tools
  • No vendor lock-in, no cloud dependency, no per-device licensing fees
Talk to Us About Your Deployment

How it works

Three steps to a microsegmented network. No networking degree required.

1

Connect

Plug in the SPR router. Each device that joins WiFi gets a unique password and its own isolated VLAN automatically. Think in policy rather than VLAN tags, RADIUS, and subnets.

2

Control

Set per-device firewall policies, DNS rules, and group permissions from the web dashboard. Block ads, restrict IoT devices, allow only what you choose. Schedule rules or set them by domain name.

3

Monitor

Real-time DNS logs, traffic analysis, and authentication monitoring. See exactly what every device is doing. Get alerts when something looks wrong.

Device onboarding with QR code and unique password
Firewall policy categories — endpoints, port forwarding, traffic blocks
Event log with timestamped network activity
Try the live demo →

Proven against real attacks

SPR's architecture proactively eliminated these vulnerability classes before knowledge of them became widespread.

Protected

AirSnitch

A breakthrough NDSS 2026 paper demonstrated four attack vectors that break WiFi client isolation on every major router vendor: shared GTK abuse, gateway bouncing, port stealing via MAC spoofing, and broadcast reflection. SPR defends against all four through per-device VLANs, per-device GTKs, unique passwords, and coordinated L2/L3 firewall policy — shipped as defaults since 2022.

Read the full analysis →
Protected

MACStealer

The MACStealer attack exploits how WiFi clients trust their access point's MAC-layer forwarding to steal frames from other clients on the same network. SPR's per-device VLAN architecture eliminates this entirely — there are no other clients on the same network to steal from.

Read the full analysis →
Protected

Conntrack Spoofing

Anvil Secure published research showing how spoofed IP packets exploit Linux conntrack state to bypass firewall rules on multihomed routers. SPR's interface-matched firewall architecture blocked the highest severity conntrack spoofing attacks out of the box.

Read the full analysis →

Per-device isolation doesn't mean slow

The most common concern with per-device VLANs: "won't that kill my throughput?" No. SPR handles inter-device routing at wire speed.

160 MHz channels > 1,000 Mbps real-world
80 MHz channels > 700 Mbps real-world

iPhone 15 speedtest on SPR WiFi 6 router (160 MHz, 5 GHz band).

iPhone 15 speedtest showing over 1000 Mbps on SPR

Built by the people who find the vulnerabilities

The team actively discovers and publishes WiFi and kernel vulnerabilities. When we say a defense works, it's because we've battle-tested it.

CVE-2025-24269

macOS Sequoia SMB Kernel Vulnerabilities

Remote kernel code execution via SMB URL attacks in macOS. Multiple vulnerabilities in Apple's SMBClient kernel extension disclosed to Apple and published.

CVE-2024-28084

IWD Beacon Double Free

Memory corruption in Intel's Wireless Daemon via malformed WiFi beacon frames. Exploitable for ASLR bypass and potential code execution on Linux wireless stacks.

Firewall Research

Conntrack Spoofing & Firewall Hardening

Analysis of conntrack-based spoofing attacks on multihomed Linux devices and the mitigations SPR implements to prevent them.

Threat Intelligence

I-Soon WiFi Exploitation Analysis

Analysis of leaked Chinese state-sponsored WiFi implant capabilities, hardware-based attack tools, and the defenses that actually stop them.

Read all research →

Customizable and programmable

Go beyond the GUI. All functions and features of SPR are accessible via an API, allowing power users to not only programmatically define how the network connects, but pull detailed information about devices on the network.

Tools for hackers, penetration testers, and other explorers. SPR makes controlling and monitoring data flows on the network easier — making research into the functionality of devices and software on your network less cumbersome.

Available Plugins Plugin Development Guide SPRbus
SPRbus CLI — programmatic network control

How SPR compares

Feature SPR Consumer Routers Enterprise APs
Per-device WiFi passwords Limited Limited
Automatic per-device isolation Limited
Ad & tracker blocking
Built-in WireGuard VPN Limited
Per-device DNS & parental controls Limited
Custom alerts & push notifications Limited
Open source
Self-hosted / no cloud dependency Limited
Programmable REST API Limited
Docker plugin ecosystem

SPR vs Consumer Routers

Per-device WiFi passwordsSPR ✓   Limited
Auto per-device isolationSPR ✓   Consumer ✗
Ad & tracker blockingSPR ✓   Consumer ✗
Built-in WireGuard VPNSPR ✓   Consumer ✗
Per-device DNS controlsSPR ✓   Consumer ✗
Open sourceSPR ✓   Consumer ✗
Docker pluginsSPR ✓   Consumer ✗

SPR vs Enterprise APs

Auto per-device isolationSPR ✓   Limited
Ad & tracker blockingSPR ✓   Enterprise ✗
Per-device DNS controlsSPR ✓   Limited
No cloud dependencySPR ✓   Enterprise ✗
Open sourceSPR ✓   Enterprise ✗
Docker pluginsSPR ✓   Enterprise ✗
Price$399   $1,500+
SPR WiFi 7 PoE+ Router (CM5)

SPR WiFi 7 PoE+ Router

$399

Enterprise-grade isolation at a fraction of the cost of traditional enterprise APs.

  • Dual-band WiFi 7 (802.11be) — 2.4 GHz + 5 GHz
  • PoE+ power delivery — single ethernet cable for power and data
  • Raspberry Pi Compute Module 5
  • 2.5 Gbps Ethernet
  • SPR PLUS license included — scheduled firewall policies, domain-based rules, mesh networking, priority support
Order Now

Get started with SPR

We offer hardware for running SPR and it can run on a wide variety of Linux systems that support Docker. Raspberry Pi4/5 and Compute Modules are widely tested.

Check out the setup guide. SPR is open source and can run in Docker containers as a cloud-only VPN or as a WiFi router.

Prebuilt containers are available for ARM64 and AMD64, OS Images are available for Raspberry Pi and ClearFog.

Setup Guide Containers & Code Image for Raspberry Pi
Run as a Host Router & Firewall with Docker
git clone https://github.com/spr-networks/super
cd super
bash base/setup.sh
docker compose up --pull always -d

This will manage the system network, firewall, and interfaces. Note: this replaces network manager, see the setup guide for details.

Also available on AWS Marketplace and DigitalOcean Marketplace.

You're not alone

Active open-source community, detailed documentation, and direct access to the team that builds SPR.

GitHub
500+ stargazers
Discord
Active community
Documentation
Guides & API reference
Live Demo
Try the UI
API Reference
OpenAPI docs