How to install WanGuard: hardware requirements, the ITORO deployment sequence, and BIOS/OS/NIC tuning for sub-5-second DPDK detection. A practical, operator-grade guide.
Installing WanGuard means deploying three components (Console, Sensor and Filter) on 64-bit Linux servers, feeding them your traffic via port-mirror or flow export, and wiring them to a BGP-capable router that enforces mitigation. The software install is the easy part. The work that actually decides whether you get accurate, sub-5-second protection is the tuning: per-subnet baselines, NIC and DPDK setup, thresholds, and the BGP session that carries FlowSpec and RTBH.
Key takeaways
- WanGuard runs on your own 64-bit Linux servers (RHEL/AlmaLinux/Rocky family); no traffic leaves your network.
- Three components to deploy: the Console (web control plane), the Sensor (detection), and the Filter / WanFilter (scrubbing).
- Two ways to feed it traffic: port-mirror/SPAN with DPDK for sub-5-second reaction, or NetFlow/sFlow/IPFIX for cheap, Terabit-scale coverage.
- You need a BGP-capable router to enforce mitigation via BGP FlowSpec or RTBH.
- The result depends on tuning, not the installer — which is why ITORO deploys, tunes and trains end to end.
What do you need to install WanGuard?
WanGuard is self-hosted software, so before any package is unpacked you need three things in place: a BGP-capable router, a way to see your traffic, and a server sized to your port speed. Get these prerequisites right and the install is routine. Get them wrong and no amount of configuration will give you accurate detection or line-rate mitigation. WanGuard is an L3/L4 volumetric anti-DDoS system, so plan the environment around that scope.
The BGP-capable router
Mitigation lives on your router, not on the WanGuard server. WanGuard detects the attack and then instructs the edge to drop it, so you need a router that speaks BGP FlowSpec (for surgical, 5-tuple filtering) or at minimum RTBH (for black-hole null-routing). Carrier platforms from Juniper, Cisco, Arista and Nokia support FlowSpec, though rule scale varies by line card. A dedicated iBGP session between WanGuard and the router carries these announcements, so plan the peering and the blackhole community (RFC 7999 uses 65535:666) before install day.
Traffic visibility: port-mirror or flow
WanGuard can only detect what it can see, and the collection method you choose sets both your detection speed and your cost. There are two options, and most operators run a mix:
- Port-mirror / SPAN (DPDK): a copy of your traffic is fed to a Packet Sensor using high-speed DPDK capture. It inspects 100% of packets at line rate and reacts in under 5 seconds, ideal for 100/400GE edges. This needs a DPDK-compatible NIC and a mirror port on the switch or router.
- Flow (NetFlow / sFlow / IPFIX): your routers export sampled flow records to a Flow Sensor. It is bandwidth-independent, covers many POPs from one server, and scales to Terabit volumes cheaply, but because it samples, detection typically takes 35 to 95 seconds and is coarser.
Sizing the server to your port speed
Size the hardware to the traffic you intend to inspect, not to a generic spec sheet. A flow-only Sensor is light and runs comfortably on a modest server. A DPDK Packet Sensor at 100GE is a different animal: it needs enough physical CPU cores dedicated to packet processing, plenty of RAM, fast storage for the traffic-records database, and, critically, a supported DPDK NIC (Intel and Mellanox families are the usual choices). Exact core, RAM and NIC-model figures scale with line rate and should be confirmed against the current sizing tables. [SOURCE NEEDED: Andrisoft WanGuard hardware sizing table, current version.]
Which operating system? Download and install guides
WanGuard runs on all the major 64-bit Linux distributions. ITORO recommends Debian — it is the distribution we deploy, harden and support for anti-DDoS workloads, so it is the platform where we can guarantee the fastest, best-tuned result. The newest supported release is Debian 13 “Trixie”. Andrisoft publishes a step-by-step install guide for every supported system: start with the Debian 13 install guide, or browse all WanGuard install guides.
ITORO deploys and supports WanGuard on Debian only. The other distributions above are supported by WanGuard itself and are listed for reference, but our standard installation, tuning and support package is built around Debian.
How do you install WanGuard step by step?
The software installs from Andrisoft's repository onto a clean 64-bit Linux host in minutes; the deployment around it is what takes real work. In our experience, a first-time production deployment is measured in days of tuning, not hours of installing. Below is the sequence ITORO follows on every WanGuard anti-DDoS build, ordered so each step de-risks the next.
- Install the Console first. Deploy the Console component (the web GUI, its web server and database) on the management host. This is your control plane for everything that follows: sensors, filters, thresholds, dashboards and reports.
- Install the Sensor(s). Add a Packet Sensor where you need sub-5-second DPDK detection, a Flow Sensor where you need broad, cheap coverage, or both. Register each Sensor to the Console.
- Install the Filter / WanFilter. Deploy the mitigation engine where you will scrub, inline or as an off-ramp, for the cases where router FlowSpec alone is not enough.
- Tune BIOS, OS and NIC before you trust the numbers. DPDK performance is fragile without this step (details below). Do it now, not after you see packet loss.
- Connect the components and the BGP session. Point Sensors at their traffic source (mirror port or flow export), link Filter and Sensors to the Console, and bring up the iBGP session to the router that will carry FlowSpec and RTBH.
- Add client IP subnets and set thresholds. Define every protected prefix, group them per customer, and set per-subnet baselines and thresholds. This is where detection accuracy is won or lost.
- Wire mitigation: FlowSpec first, RTBH as fallback. Configure automatic responses so the system filters granularly with FlowSpec and only escalates to RTBH when an attack is too large or too randomized to filter.
- Configure alerts, then train operators, then go to production. Set up email/webhook/NOC alerts, walk the operators through a live drill, and only then move the deployment into production.
How do you tune BIOS, OS and NIC for WanGuard?
DPDK line-rate capture depends on host tuning, and skipping it is the fastest way to ruin a good deployment. A Packet Sensor that drops mirrored packets builds its baselines on incomplete data, which quietly degrades every detection decision downstream. Before you trust a single graph on a DPDK Sensor, work through the tuning layers below.
BIOS
Disable deep C-states and aggressive power-saving so cores do not throttle mid-attack, set the performance power profile, and confirm the NIC sits on a PCIe slot with enough lanes for its rated throughput. On dual-socket servers, know which CPU socket owns the capture NIC.
Operating system
Reserve hugepages for DPDK, isolate the CPU cores used for packet processing from the general scheduler, and pin the Sensor's capture threads to cores on the same NUMA node as the NIC. Crossing a NUMA boundary for every packet is a well-known throughput killer. Keep the OS on the RHEL/AlmaLinux/Rocky family that WanGuard targets.
NIC
Bind the capture interface to the DPDK poll-mode driver, verify the card is on the supported list, and watch the RX-drop counters under real load. Zero drops at your peak mirrored rate is the pass/fail line. Only when those counters stay clean should you move on to setting thresholds.
What are the most common WanGuard installation pitfalls?
Most failed or "flaky" WanGuard deployments trace back to the same handful of mistakes, and none of them are software bugs. In our experience they cluster around visibility, tuning and BGP, the three prerequisites operators most often underestimate. Here are the ones we see repeatedly:
- No baseline period. Setting thresholds on day one, before the Sensor has learned a week of normal traffic, produces either false positives or missed attacks. Let it learn first.
- Sampled flow mistaken for full capture. Expecting sub-5-second detection from a NetFlow deployment. Flow samples, so it detects in tens of seconds; if you need faster, you need port-mirror and DPDK.
- DPDK NIC packet loss ignored. As above: a Sensor dropping mirrored packets looks like it is working while feeding you bad data.
- Heavy customers not excluded. A legitimate high-bandwidth client (a CDN cache, a big game server) looks like a flood until you exclude or group it. This is the number-one source of false positives.
- BGP session not tested. The first time FlowSpec or RTBH fires should never be during a real attack. Validate the announcements and the router's reaction in a controlled test.
- Treating WanGuard as application-layer defense. WanGuard is an L3/L4 volumetric system; it stops floods, not L7 request-based attacks. Be honest about scope so nobody expects the wrong protection.
Why deploy WanGuard with ITORO?
The WanGuard installer is public; the operational judgment around it is not, and that is where deployments succeed or fail. Accurate protection depends on correct sizing, clean NIC/DPDK tuning, sane per-subnet baselines, a BGP session, and operators who have run a drill before the first real attack. ITORO is a worldwide Andrisoft Gold Partner built on 25+ years of ISP and network operations (20+ years with Juniper), and we handle the full build as WanGuard installation, setup & training, so you inherit a tuned, tested system rather than a fresh install.
See the wider scope of our network security services, or get an itemized estimate on Plans & Pricing.
Frequently asked questions
What are the requirements to install WanGuard?
WanGuard needs a 64-bit Linux server (RHEL/AlmaLinux/Rocky family), a way to see your traffic (port-mirror/SPAN for DPDK capture, or NetFlow/sFlow/IPFIX export), and a BGP-capable router to enforce mitigation via FlowSpec or RTBH. Server sizing scales with your port speed; a DPDK Packet Sensor at 100GE also needs a supported DPDK NIC.
How long does a WanGuard installation take?
Installing WanGuard is easy — the packages come from Andrisoft's repository and are up in minutes, which is fine for a lab or a demo. Reaching high DPDK throughput and low-latency detection in production is a different job: it demands deep DPDK expertise combined with OS tuning matched to the exact NIC, CPU and RAM in the box. That is the hard, specialised part — and the burden ITORO takes off you. Follow Andrisoft's install guides to stand it up; bring in ITORO to make it perform.
What operating system does WanGuard run on?
WanGuard is 64-bit Linux software and targets the RHEL/AlmaLinux/Rocky family. It is self-hosted on servers you control, so no traffic is rerouted to a third party. The Console component includes a web GUI, web server and database; Sensor and Filter components are deployed alongside or on separate hosts depending on scale.
Do I need a special NIC for WanGuard?
Only for DPDK port-mirror detection. A Packet Sensor using DPDK capture requires a supported NIC (Intel and Mellanox families are common) plus BIOS/OS tuning (hugepages, NUMA pinning, isolated cores) to capture at line rate without dropping packets. A flow-based Flow Sensor has no special NIC requirement because it reads sampled router exports.
Where is the WanGuard documentation?
Andrisoft publishes the official WanGuard installation and configuration documentation, which covers package install and component setup. It is deliberately concise, so it does not cover the deployment sequencing, host tuning and BGP validation that decide real-world accuracy. This guide fills those gaps from operator experience; ITORO also documents each deployment it delivers.
Can I install WanGuard myself?
Yes, the packages are self-service, and a lab or small edge is a reasonable place to learn. For production on a live ISP, hosting or enterprise edge, the risk is in the tuning and the BGP path, not the installer. A misconfigured baseline causes false positives; an untested FlowSpec/RTBH session fails during the one attack it needed to stop.
Sources
- Andrisoft — WanGuard product, installation & documentation: https://www.andrisoft.com/software/wanguard
- IETF — RFC 7999, BLACKHOLE BGP Community: https://www.rfc-editor.org/rfc/rfc7999
- DPDK — Supported hardware & poll-mode drivers: https://core.dpdk.org/supported/
- [SOURCE NEEDED] Andrisoft WanGuard hardware/sizing requirements table (current version) for exact CPU/RAM/NIC figures per line rate.