# Portunus (https://portunus.bybee.dev/en/docs)



# Portunus [#portunus]

Remote TCP and UDP forwarding for teams that need more than a static port
map. Run edge clients on remote hosts, push forwarding rules from a central
server, and keep L4 traffic as byte passthrough while adding RBAC, metrics,
audit logs, and traffic caps.

Just one host? The single-binary [standalone forwarder](/en/docs/configuration/standalone)
runs the same data plane from a local TOML file — no server, no enrollment, no
control plane.

<Cards>
  <Card title="Start in 60 seconds" href="/en/docs/getting-started/installation" />

  <Card title="Open the architecture guide" href="/en/docs/getting-started/architecture" />

  <Card title="Read the performance report" href="/en/docs/getting-started/performance" />
</Cards>

## Performance [#performance]

Starting in v1.3.0, plain TCP rules with no bandwidth cap use a Linux kernel
`splice(2)` fast path. On the same Linux host that produced the v0.11 baseline,
single-flow uncapped throughput **doubled from 9.9 Gbit/s to 21.9 Gbit/s**
(2.20×). An offered-load sweep through 20 Gbit/s tracks both direct `iperf3` and
`iptables` REDIRECT within iperf3 short-run noise — the v0.11 "Portunus
saturates ≥ 12.5 Gbit/s" caveat disappears for uncapped TCP.

| Offered bandwidth      | What to expect (v1.3.0)                                                                                               |
| ---------------------- | --------------------------------------------------------------------------------------------------------------------- |
| 100 Mbit/s - 10 Gbit/s | Hits the offered rate. Indistinguishable from a direct iperf3 baseline.                                               |
| 12.5 - 20 Gbit/s       | With splice on, single-flow throughput stays within iperf3 noise of direct loopback and iptables REDIRECT (95-109 %). |
| Rate-limited rules     | Bandwidth-capped rules stay on the canonical userspace path — metrics, counters, and audit byte-identical to v1.2.0.  |

<Cards>
  <Card title="Methodology, raw numbers, and caveats" href="/en/docs/getting-started/performance" />
</Cards>

## What it gives you [#what-it-gives-you]

| Area          | Capabilities                                                                          |
| ------------- | ------------------------------------------------------------------------------------- |
| Forwarding    | TCP and UDP rules, port ranges, DNS-name targets, multi-target failover.              |
| L4 routing    | TLS SNI routing without TLS termination, optional PROXY protocol headers.             |
| Control plane | CLI, operator HTTP API, embedded Web UI, hot rule updates over pinned TLS.            |
| Multi-tenancy | RBAC by user, client, protocol, and port range, with server-enforced ownership.       |
| QoS           | Per-rule and per-owner bandwidth, new-connection, and concurrent-flow caps.           |
| Operations    | Prometheus metrics, structured logs, audit trail, bundled SQLite, backup and restore. |

## Feature highlights [#feature-highlights]

<Cards>
  <Card title="TCP & UDP forwarding" href="/en/docs/features/tcp-forwarding" />

  <Card title="Port-range rules" href="/en/docs/features/port-range" />

  <Card title="DNS-name targets" href="/en/docs/features/dns-targets" />

  <Card title="Multi-target failover" href="/en/docs/features/multi-target-failover" />

  <Card title="TLS SNI routing" href="/en/docs/features/tls-sni-routing" />

  <Card title="PROXY protocol" href="/en/docs/features/proxy-protocol" />

  <Card title="Rate limiting & QoS" href="/en/docs/features/rate-limiting" />

  <Card title="Multi-user RBAC" href="/en/docs/features/rbac" />

  <Card title="Web UI" href="/en/docs/features/web-ui" />

  <Card title="SQLite storage" href="/en/docs/features/sqlite-storage" />
</Cards>

## Where it fits [#where-it-fits]

Use `Portunus` when you need centrally managed edge listeners, tenant-aware
access control, observability, or per-owner quotas around plain L4 forwarding.
For a single static rule on one Linux host where only peak throughput matters,
kernel-space forwarding has a simpler, faster execution path. Want the
`Portunus` data plane (port ranges, multi-target failover, PROXY protocol,
`splice`) on a single host but none of the control plane? Reach for the
[standalone forwarder](/en/docs/configuration/standalone) — the same forwarding
code, driven entirely by a TOML file.

## Quick links [#quick-links]

<Cards>
  <Card title="Install in 60 seconds" href="/en/docs/getting-started/installation" />

  <Card title="CLI walkthrough" href="/en/docs/cli/walkthrough" />

  <Card title="Architecture" href="/en/docs/getting-started/architecture" />

  <Card title="Configuration reference" href="/en/docs/configuration/server" />

  <Card title="Standalone forwarder" href="/en/docs/configuration/standalone" />

  <Card title="CLI reference" href="/en/docs/cli/portunus-server" />

  <Card title="Operator HTTP API" href="/en/docs/api/operator-http" />
</Cards>

## License [#license]

Licensed under the [GNU Affero General Public License v3.0](https://github.com/ZingerLittleBee/Portunus/blob/main/LICENSE)
(`AGPL-3.0-only`).