Audit source zone matching is now used everywhere, not just DNS - so users with custom firewall zones get much more accurate results across all audit checks.
Security Audit
- Zone-aware source matching across all firewall checks - Source network matching was consolidated into a single zone-aware method on the FirewallRule model, and all 18+ callsites were updated. VLAN isolation, internet bypass detection, allow/block eclipse analysis, UniFi/AFC/NTP access checks, and traffic pattern matching all now properly respect custom firewall zones. Previously, many of these checks used a simpler string-based match that ignored zones entirely.
- DNS block detection rewritten - Block-all rules, connection-state-only rules (like "Block Invalid Traffic"), and rules with unresolved port groups were causing false positives. Detection now filters by rule type and requires proper destination/source zone matching before counting a rule as a DNS block.
- Per-network DNS coverage tracking - DNS53, DoT, and DoQ block rules now track which networks they actually cover. Partial coverage shows "Partial" status with detail text instead of falsely reporting "Protected."
- Stale DoH providers filtered - Switching DoH to "custom" mode left behind built-in server names (Cloudflare, Google) that appeared as active providers. Those stale entries are now correctly hidden.
- Disabled networks excluded from DNS analysis - Networks with enabled: false are skipped in third-party DNS detection and consistency checks since their DHCP config is dormant.
- Server/hypervisor VLAN threshold raised - Proxmox, ESXi, and TrueNAS devices now get a higher tagged VLAN threshold (6 vs 3) since they legitimately need multiple VLANs for VMs and containers.
- UX/UX7 in AP mode excluded from port audit - These devices don't expose switch ports in UniFi Port Manager when acting as mesh APs, so port-level recommendations (MAC restriction, unused port, VLAN tagging) were not actionable. They still appear in the ports table.
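
The DNS block detection and per-network coverage items above can be pictured with the following added example, which is not NetworkOptimizer's own code. The Rule fields, the "external" zone name and the "Unprotected" status are assumptions made for illustration, and DNS53 is checked on UDP only to keep it short.

```python
from dataclasses import dataclass

# Hypothetical rule model; field names are assumptions, not the project's schema.
@dataclass
class Rule:
    name: str
    action: str                  # "block" or "allow"
    src_zone: str
    dst_zone: str
    src_networks: tuple = ()     # empty = every network in src_zone
    dst_ports: tuple = ()        # empty = all ports (a block-all style rule)
    protocols: tuple = ("tcp", "udp")
    conn_states: tuple = ()      # e.g. ("invalid",) for state-only rules
    unresolved_port_group: bool = False

DNS_SERVICES = {"DNS53": (53, "udp"), "DoT": (853, "tcp"), "DoQ": (853, "udp")}

def is_dns_block(rule, service, external_zone="external"):
    port, proto = DNS_SERVICES[service]
    if rule.action != "block" or rule.dst_zone != external_zone:
        return False             # wrong rule type or wrong destination zone
    if rule.conn_states or rule.unresolved_port_group:
        return False             # state-only rule, or ports cannot be resolved
    if not rule.dst_ports:
        return False             # block-all rule is not a targeted DNS block
    return port in rule.dst_ports and proto in rule.protocols

def dns_coverage(rules, networks, service):
    """networks maps name -> zone. Returns (status, uncovered network names)."""
    covered = set()
    for r in rules:
        if not is_dns_block(r, service):
            continue
        for net, zone in networks.items():
            if zone == r.src_zone and (not r.src_networks or net in r.src_networks):
                covered.add(net)
    missing = sorted(set(networks) - covered)
    if not missing:
        return "Protected", missing
    return ("Partial" if covered else "Unprotected"), missing

# Constructed sample: two networks in a custom "iot" zone, one in "internal".
NETWORKS = {"Cameras": "iot", "Sensors": "iot", "LAN": "internal"}
RULES = [
    Rule("Block Invalid Traffic", "block", "internal", "external", conn_states=("invalid",)),
    Rule("Block All IoT Out", "block", "iot", "external"),
    Rule("Block IoT DNS", "block", "iot", "external", src_networks=("Cameras",), dst_ports=(53,)),
    Rule("Block LAN DNS", "block", "internal", "external", dst_ports=(53,)),
]
```

With the sample data, the state-only and block-all rules are ignored and DNS53 comes back as "Partial" because Sensors has no matching block rule.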
Installation
Windows: Download the MSI installer below
Docker:
docker compose pull && docker compose up -d
macOS (native, recommended for accurate speed tests vs Docker Desktop):
git clone https://github.com/Ozark-Connect/NetworkOptimizer.git && cd NetworkOptimizer && ./scripts/install-macos-native.sh
# or if you already have it cloned
cd NetworkOptimizer && git pull && ./scripts/install-macos-native.sh
Proxmox:
bash -c "$(curl -fsSL https://raw.githubusercontent.com/Ozark-Connect/NetworkOptimizer/main/scripts/proxmox/install.sh)"
For other platforms (Synology, QNAP, Unraid, native Linux), see the Deployment Guide.