Step 01
Plug it in
Ethernet from your modem to Shield. Power on. Shield brings up its local setup page.
A calm appliance behind your modem. Wi-Fi stays the same.
Shield connects to your existing modem over Ethernet. Your phones, laptops and TVs keep using the Wi-Fi they already use. Filtering decisions and the dashboard run on the device on your network, not in someone else's cloud.
“This is the architecture I would build if I were the buyer. Local-first because protection should not depend on a third party. Signed updates because you should be able to verify what is running on your device. Public filter lists because trust is something you earn one inspectable line at a time.”, Founder, WOMBATS Shield
Setup, in fifteen minutes.
Step 02
Pick your modem
Choose your modem from our catalog, we pre-fill the right DNS and DHCP settings so you don't have to.
Step 03
Confirm and forget
Apply the settings. From this point on every device on your network goes through Shield.
Tested with Telstra, NBN Co, Optus and major retail modems. Mesh Wi-Fi, double-NAT and ISP-locked routers are supported. If your network setup is unusual, talk to us before ordering, founding members get hands-on setup help.
For step-by-step instructions on each page of Shield's local dashboard, see the owner guides.
WOMBATS Shield filtering
See what's being blocked in real time
Track ads, trackers, adult content and malicious domains blocked across your network from the local WOMBATS dashboard.
What WOMBATS blocks
Ads and ad networks
Known malware domains
Known phishing websites
Known tracking domains
Adult and unsafe content categories
SafeSearch on supported search engines
Common encrypted-DNS bypass paths
Run an independent network protection test →
External tool. Results may vary depending on your network configuration.
The path of a single request.
When a device on your network tries to reach a website or service, it almost always starts with a DNS lookup. Shield evaluates that lookup against your active filter sources and policy, then either resolves it upstream or stops it at the door.
- Step 01
Device asks
A laptop, phone or TV asks the network: "where is example.com?"
- Step 02
Shield checks policy
Shield evaluates the lookup against your active filter lists, household categories and per-device policy.
- Step 03
Allow or block
If allowed, Shield resolves the lookup upstream. If not, the connection never gets started, quietly.
- Step 04
Local-only enforcement
Local nftables rules resist common encrypted-DNS bypass paths and Apple Private Relay traffic on the network.
Built on trusted open technology, then carefully hardened.
- Raspberry Pi 5 hardware baseline. 2 GB on Core and Edge, 4 GB on Vault. Real, repairable, well-documented silicon with a long supply life.
- Debian 12 base system. A long-term Linux base with a known security track record and a predictable patch pipeline.
- AdGuard Home, restricted defaults. AdGuard provides the DNS-layer filtering engine. We've intentionally restricted, disabled or redesigned features that conflicted with our privacy and security goals, including default query logging behaviour and remote-management exposure.
- nftables enforcement. Local redirect, port-block and forward-chain rules to resist common DNS-bypass paths and Apple Private Relay traffic.
- Signed update bundles. Software lands as a complete, signed bundle. The device verifies the signature before applying. No ad-hoc remote changes.
- Hardware-assisted unlock. Shield's encrypted partitions are unlocked at boot through a key path on a real ATECC secure element. The unlock key is bound to the device and cannot be lifted off and used elsewhere.
- Vault SSD, three independent key paths. On Shield Vault the storage SSD can be unlocked three ways: an ATECC-bound auto-unlock key (used at boot, device-bound), a user passphrase, and a recovery key. The three are independent, losing any one doesn't compromise the others.
- Separate payload & storage partitions (Vault). Shield Vault keeps the encrypted system partition separate from the encrypted storage partition that holds your files. Each has its own ATECC-bound key path.
More on the security and disclosure side at /security.
Where Shield deliberately stops
A network‑level appliance has clear boundaries. We'd rather name them up front.
- Devices outside your network, phones on mobile data, laptops on café Wi-Fi, are outside Shield's policy.
- VPNs and encrypted DNS on a determined managed device can still tunnel out, Shield gives you visibility, not coercion.
- Shield does not break TLS or deep-packet-inspect every app, that's the right boundary for a calm home appliance.
- Shield is designed to sit behind your modem on a normal home or office network, not directly on the public internet.
The full version is on the threat model page.
Founding Edition
Reserve a Shield Reserve a Shield from the founding batch.
Founding price locked in for life. No subscriptions.