Netcraze Orbiter 6 (NAP-630) Help Center

Netcraze routers allow you to set up an Internet connection over a leased Ethernet line using any connection type: IPoE, PPPoE, PPTP, L2TP, 802.1x, VLAN 802.1q, IPv4/IPv6.

It is also possible to connect to the Internet via a PON terminal or xDSL/DOCSIS/Cable modem with an Ethernet port, in a case, for example, of a pre-installed ISP hardware.

An Ethernet cable from the ISP, conforming to at least 5e category, not exceeding 100 meters in length and lugged with a standard 8-pin RJ-45 connector, should be laid out to where the router will be placed. This cable should normally be connected to router port 0 (WAN/Internet).

The most widespread and easily configurable Internet connection type is the IPoE (Internet Protocol over Ethernet), sometimes referred to as a 'dedicated' or 'leased line connection'. This method does not suppose a login and password authentication to access the Internet. All you need to do is connect the ISP cable to port 0 of the router. After that, any home device connected to its Wi-Fi network or one of the remaining Ethernet ports will access the Internet. As per that, no additional configuration is required.

In some cases, however, your ISP would assign a static public IP address for you; it must then be specified in your router settings. To accomplish that, go to the 'Ethernet Cable Connections to Internet' page of Netcraze's web interface. In the 'IPv4 Settings' section, set the 'IPv4 configuration' to 'Manual'.

Then enter the address provided by your ISP in the 'IPv4 address' field.Your ISP must supply other IP parameters (subnet mask, gateway addresses, and DNS) along with a static IP address for manual configuration; please specify them in the appropriate fields. For example:

Some ISPs restrict Internet access to only one device by registering its MAC address. Usually, a user gives the ISP the MAC address of his computer's network adapter. In this case, the Internet can only be accessed from this MAC address.

If that is actually the case and you know the MAC address that's registered with your ISP — it may be the address of your previous router device, or your PC's network adapter, or MAC is just printed out in the contract, it is then possible to substitute the factory MAC of your Netcraze with the necessary MAC address that your ISP would accept.

On the 'Ethernet Cable Connections to Internet' page, under 'ISP Requirements', please select one of the options in the MAC address field:

'By default' — the default factory setting, the WAN MAC address specified on the product label will be used;

'Get from your PC' — the WAN MAC address of your router will change to the MAC address of the Network Interface Card of the computer from which the web interface is opened. The 'Get from your PC' option is only possible when your computer is connected via Ethernet cable;

'Manual' — manually specify the MAC address to be used as the WAN MAC address.

You can find the Windows PC's MAC address by following the instructions 'How to check the network adapter settings in Windows'.

PPPoE is most commonly used when connecting to the Internet over ADSL / VDSL, but sometimes this connection type is also used by ISPs providing Internet over a dedicated Ethernet line.

On the 'Ethernet Cable Connections to Internet' page, under 'ISP Authentication (PPPoE)', enter 'PPPoE' in the 'Type (protocol)' field.

Then, in the 'Username' and 'Password' fields, enter the login and password for the Internet connection provided by your ISP.

Click on 'Show advanced PPPoE settings' to display fields with advanced settings.

The 'Service name' and 'Access concentrator' fields are optional; leave them blank if your provider has not given you additional information.

Leave the 'IPv4 configuration' field set to 'Auto' if your ISP automatically assigns an IP address for Internet access.

If your ISP has provided you with a fixed (static) IP address, select 'Manual' in the 'IPv4 configuration' field and specify the IP address and gateway address in the fields 'IP address' and 'Remote IP' that appear. For example:

If your ISP neither issues nor requires an IP address to be assigned to your router's WAN interface, i.e. if its network does not have automatic IP address assignment, disable automatic IP address acquisition via DHCP on the WAN port. To do this, in the 'IPv4 Settings' section of the 'IPv4 configuration' field, specify 'Disabled'.

PPTP and L2TP are often used in ISP networks. The main advantage of these protocols is the security of data transmission to the Internet. Below we will consider an example of setting up a connection via PPTP protocol as the most common one. The L2TP connection is configured in the same way.

On the 'Ethernet Cable Connections to Internet' page in the 'ISP Authentication (PPPoE / PPTP / L2TP)' section, in the 'Type (protocol)' field, specify the value 'PPTP' or 'L2TP', depending on what type of connection you want to configure. In the 'Server address' field, enter the IP address or domain name of the PPTP or L2TP server. In the 'Username' and 'Password' fields, enter the login and password provided by your ISP for connecting to the Internet, respectively.

Click on 'Show advanced PPTP settings' to display fields with advanced settings.

If the PPTP connection uses data encryption (MPPE), enable the corresponding option.

Leave the 'IPv4 configuration' field set to 'Automatically' if the IP address for Internet access is assigned automatically by your ISP.

If your ISP has provided you with a fixed (static) IP address, specify 'Manual' in the 'IPv4 configuration' field and specify the IP address and gateway address in the fields 'IP address' and 'Remote IP' that appear. For example:

In Netcraze routers, in most cases, digital television (IPTV) works right out of the box on both computers and set-top boxes.

If you need to connect your home network to the Internet via a Wi-Fi link, every model of Netcraze router allows that with a WISP (Wireless ISP) mode connection. You can connect, for example, to ISP's public Wi-Fi hot spot, your neighbour's Wi-Fi network, a wireless AP in a nearby cafe, or to a mobile hot-spot on your smartphone. When travelling, WISP mode is convenient to use with a hotel Wi-Fi network. Your Netcraze connects to the hotel's Wi-Fi, and all your mobile devices are good to go, already being connected to a pre-configured, secure Wi-Fi network of your router.

The WISP connection can be used as a primary or backup connection, which is automatically activated in case of problems with the main Internet access channel.

This type of Internet connection is set up on the Wireless ISP page.

On the Wireless ISP page, click Scan for a network to select the desired wireless network.

The window that appears display the available Wi-Fi networks within reach of the router. Please select the desired network by clicking on it.

This will take you back to the Wireless ISP page.

When selecting a wireless network, the Network Name (SSID) field and Network protection selector are set automatically. In the Password field, you must enter the password or the security key used to access the selected Wi-Fi network.

By default, IPv4 settings are set to automatic, i.e. the device will try to obtain an IP address via the DHCP protocol upon connection to the upstream access point. If you want to set a static IP address, gateway and DNS servers, please specify those in the corresponding fields which are uncovered by selecting Manual in the IPv4 configuration drop-down selector. For example:

To change the local IP address of your Netcraze, go to the Home segment page, and in the IP settings section, fill in the IP address field — enter a private IP address other than 192.168.1.1 (e.g., enter 192.168.0.1). Apply settings by clicking the Save button.

Set the Internet connection switch to the right (On) position to start the Wireless ISP connection.

After successful connection, in the Internet information panel on the System dashboard home page will display information about the current connection.

The Wireless ISP connection can be used as a primary or for a backup.

When using connection backup, and the Wireless ISP connection is configured as the primary connection, on the same page, you can enable Internet availability checking (Ping Check). Then, even if the connection to an AP remains, but the Internet connectivity is actually lost somehow, Ping Checker will get around that and automatically switch the router to a backup connection.

Note

With NDMS 3.8.2, the new Channel number option for Wireless ISP connection has been added, which allows you to set a specific channel number instead of automatically selecting a channel based on SSID. This option greatly reduces the time it takes for the router's client side to scan the air, leaving more resources for Wi-Fi hand-offs and the mesh Wi-Fi backhaul to work. Use this option for scenarios where the upstream access point providing the Internet has a fixed Wi-Fi channel number.

The Wi-Fi access point on the router and the embedded WISP client share the same radio module (we are talking about the same band), and it is hardware impossible to make the embedded WISP client work on different channels with the Wi-Fi access point. For example, a remote ISP access point is running on wireless channel 48; if you manually set channel 149 on your Wi-Fi access point, you will not be able to connect via WISP to the ISP access point that is running on channel 48 (this is only possible within the different 2.4 and 5 GHz bands, in which case different radio modules are used). If you set the Auto mode for channel selection on the access point, the WISP client will always follow the remote Wi-Fi access point and become the ‘master’ for its access point. At the same time, the Wi-Fi access point on your router becomes a ‘slave’ and also switches to the channel set by the WISP client.

NDMS allows you to specify the MAC address of the access point (BSSID) when connecting in Wireless ISP (WISP) mode. This feature is useful when there are several access points with the same name (SSID) on the air. In this case, you can select a particular access point for connection by manually specifying its MAC address.Connecting via a Wireless ISP

In the router's web interface, this setting is located in the Wireless ISP menu on the Internet Connection via Wi-Fi Hotspot page. In dual-band router models (2.4/5 GHz), this setting is available in both bands.

Go to the Internet Connection via Wi-Fi Hotspot page and click on Show advanced settings in the Wireless Connection Settings section. In the BSSID (MAC address of the access point) field that appears, enter the MAC address of the access point you want to connect to.

If you connect via WISP to another Netcraze device, run the following command on it to find the MAC address of the Wi-Fi access point, which you need to enter in the BSSID field. For a 2.4 GHz network:

show interface AccessPoint

For the 5 GHz network:

show interface AccessPoint_5G

You can execute the command from the web interface (web CLI) or via a telnet connection. For detailed information, please refer to the instructions Command-line interface (CLI).

VPN (Virtual Private Network) — a generic name for technologies that provide one or more network connections (tunnels) over another network (e.g., the Internet).

There are many reasons for using virtual private networks. The most common of these are security and data privacy. The confidentiality of original user data is guaranteed using data protection tools in virtual private networks.

It is known that IP (Internet Protocol) networks have a 'weak point' due to the structure of the protocol. There are no means of protecting the transferred data and no guarantee that the sender is the one he claims to be. The data in an IP network can be easily tampered with or intercepted.

We recommend using a VPN connection to connect from the Internet to your home server, USB flash drive files connected to a router, DVR, or a computer desktop through the RDP protocol. In this case, you don't have to worry about the security of the transmitted data because the VPN connection between the client and the server is usually encrypted.

Netcraze devices support the following types of VPN connections:

With the help of a Netcraze router, your home network can be connected via a VPN to a public VPN service, office network, or another Netcraze device, regardless of Internet connection type.

VPN clients/servers for secure access (PPTP, L2TP over IPSec, IKEv2, Wireguard, OpenVPN, SSTP, OpenConnect) as well as tunnels for network interconnection (Site-to-Site IPSec, EoIP (Ethernet over IP), GRE, IPIP (IP over IP) are implemented in all Netcraze devices.

Depending on the protocols used and the purpose, a VPN can provide connections in different scenarios: host-host, host-network, hosts-network, client-server, clients-server, router-router, routers-router (VPN concentrator), network-network (site-to-site).

If you don't know what type of VPN to choose, the tables and recommendations below will help you.

* — in the Starter, Runner 4G, Launcher, Explorer, Carrier models, only the AES algorithm acceleration is used, and in Skipper, Titan, Hero, Giant, Peak, Hopper the entire IPSec protocol hardware acceleration is used.

** — up to 200 for Hero, Peak and Titan; up to 150 for Carrier DSL; up to 100 for Starter, Launcher, Explorer and Carrier.

*** — from NDMS 3.7 the number of WireGuard connections is increased to 128 for for ARM-based models (KN-2710, KN-1811, KN-1012, KN-3811, KN-3812), and to 48 for KN-1011, KN-1810, KN-1912, KN-2311, KN-2610 and KN-3013.

**** — before NDMS 3.3, the limit was 10 connections for Hero (KN-1011), Titan (KN-1810), and 5 for all other models.

* — you will need to install additional free software in Windows, macOS, Linux, Android, iOS operating systems to set up the connection.

** — values are relative, not the exact figures, because speeds for VPN connections depend on models and several factors - the type of encryption algorithms used, the number of simultaneous connections, the type of the Internet connection, the speed and the load of the Internet channel, the load on the server and other factors. Let's consider low speed up to 15 Mbit/s, average speed around 30 - 50 Mbit/s, and high speed — over 70 Mbit/s.

* — This feature is implemented on our cloud server as a special software extension and is available only for the users of Netcraze devices.

In most cases, for client-server remote connections, we recommend the following protocols:

In many Netcraze models, data transfer over IPSec (including L2TP over IPSec and IKEv2) is hardware accelerated using the device processor. You don't have to worry about the privacy of IP telephony or CCTV streams in such a tunnel.

If your ISP gives you a public IP address, we recommend you to pay attention to the IKEv2, the so-called IPSec virtual server (Xauth PSK), and L2TP over the IPSec server. They are great because they provide secure access to your home network from your smartphone, tablet, or computer with minimal configuration: Android, iOS, and Windows have convenient built-in clients for these types of VPNs. For IKEv2 on Android, use the free popular strongSwan VPN client.

IKEv2 and L2TP/IPSec can be considered as the best universal option.

If your ISP only provides you with a private IP address to surf the Internet, and you can't get a public IP, you can still organize remote access to your home network using an VPN server SSTP or OpenConnect. The main advantage of the SSTP and OpenConnect tunnel is its ability to work through the cloud, i.e., it allows establishing a connection between the client and the server, even if there are private IP addresses on both sides. All other VPN servers require a public IP address. Please note that this feature is implemented on our cloud server and is available only for Netcraze users.

As for the PPTP tunnel protocol, it is the easiest and most convenient to configure, but potentially vulnerable compared to other types of VPN. However, it is better to use it than not to use a VPN at all.

And for advanced users, we may add these VPNs to the list above:

OpenVPN is very popular but extremely resource-intensive and has no particular advantages against IPSec. Netcraze devices have such features as TCP and UDP mode, TLS authentication, certificates and encryption keys to improving VPN connection's security for OpenVPN connections.

Modern protocol WireGuard will make it easier and faster to work with VPN (several times compared to OpenVPN) without increasing the power of the hardware in the device.

For mobile devices, and organising a remote connection to the router, use:

IKEv2 EAP (Login/Password) client is embedded in Android, iOS, MacOS, Windows.

To consolidate networks and organize a Site-to-Site VPN, use:

To solve specific problems of network interconnection:

IPSec is one of the most secure VPN protocols due to its crypto secure encryption algorithms. It is the best option for establishing Site-to-Site VPN connections to interconnect networks. It is possible for professionals and advanced users to create IPIP, GRE, EoIP tunnels both in pure form and in combination with IPSec tunnels, which will allow you to use IPSec VPN security standards to protect these tunnels. Support for IPIP, GRE, EoIP tunnels makes it possible to establish a VPN connection with hardware gateways, Linux routers, UNIX/Linux computers, and servers, as well as other network and telecommunication equipment supporting these tunnels. The tunnel setting of this type is available only in the router's command-line interface (CLI).

For more information on configuring different types of VPNs in the Netcraze devices, read the instructions:

WireGuard — is a free, open-source software application, virtual private network protocol (VPN) to transfer encrypted data and create secure point-to-point connections.

The features and advantages of the WireGuard protocol are in the use of modern, highly specialized data processing algorithms. The codebase of the project is written from scratch and is characterized by its compact design.

WireGuard is part of the system kernel module. WireGuard connection is software accelerated and is multithreaded, i.e., it can work stably and use resources of one kernel.

Netcraze devices can operate either as a VPN server or as a VPN client. The terms 'client' and 'server' are conditional due to the specifics of the protocol. But usually, the server is a device that waits for a connection, and the client is a device that initiates a connection.

When connecting to the WireGuard VPN server on Netcraze as a VPN client, you can use a computer (based on Windows, Linux, macOS), a mobile device (based on Android and iOS), or the Netcraze devices.

Using the WireGuard VPN client on Netcraze, you can connect to a VPN provider that provides a WireGuard VPN connection service or another Netcraze that operates as a VPN server and get remote access to its local network.

To set up protected tunnels via the WireGuard protocol in Netcraze routers, you must install the 'WireGuard VPN' system component. You can do this in the web interface on the 'General System Settings' page in the 'NDMS Update and Component Options' section by clicking on 'Component options'.

Then you will find the 'WireGuard' section on the 'Other connections' page.

To configure the WireGuard interface manually, click the 'Create connection'. We are not going to review the connection settings here, but you can find them in the detailed instruction:

You may also import WireGuard interface settings from a pre-created configuration file. Click the 'Import from a file' and then choose the path to the pre-configured file on your computer.

The main principles of WireGuard VPN operation:

Examples of WireGuard connection settings

You can find detailed instructions on how to configure the Netcraze as a VPN server and VPN client to interconnect two local networks:

To set up a connection to VPN providers that can work with WireGuard, refer to the instructions:

You can use mobile devices based on Android and iOS to connect to the Netcraze router via WireGuard protocol:

Or you may use computers based on Windows, Linux, macOS:

Sometimes you want clients connected to the Netcraze router via WireGuard to access the Internet through this VPN tunnel. You will need to make additional configurations. Please refer to the article:

You can use PPTP (Point-to-Point Tunneling Protocol) to connect to a public VPN service, office network, or another Netcraze router. PPTP may also be used to establish a secure tunnel between two local networks. The advantage of the PPTP tunnel is its ease of configuration and availability. PPTP provides secure data transfer over the Internet from smartphones, tablets, or computers. MPPE protocol can be used to protect PPTP traffic data.

In Netcraze, besides PPTP, you can also set up an L2TP (Layer 2 Tunneling Protocol) connection. Unlike other VPN protocols, L2TP does not use data encryption.

Further on, we will consider an example of a PPTP connection. Configuring an L2TP connection is done in the same way.

To set up a PPTP connection, go to the 'Other connections' page and click 'Create connection' in the 'VPN connections' section. In the 'VPN Connection Settings' window, select 'PPTP' in the 'Type (protocol)' field.

Then enter the name of the connection in the 'Connection name' field, and in the 'Server address' field, enter the domain name or IP address of the PPTP server. In the 'Username' and 'Password' fields, specify the account's data that is allowed to access the local network via PPTP.

Click 'Show advanced settings' to configure the IP settings, work schedule, or the interface through which the connection should work.

Once the connection is established, put the switch in the 'On' state.

The same page will also show the status of the connection.

To test the connection, access a resource on the remote network or ping the host on the remote network (server local network) from the client computer.

PPTP server configuration in Netcraze is described in detail in the article 'PPTP VPN server'.

You can access remote network resources by connecting to a VPN server from your Netcraze router via the L2TP over IPSec (L2TP/IPSec) protocol.

You don't have to worry about the confidentiality of file server data, IP telephony, or video surveillance streams in such a tunnel. L2TP/IPSec provides absolutely secure access to the home network from a computer with minimal configuration: Windows have a convenient built-in client for this type of VPN. Also, many Netcraze models offer hardware acceleration of data transfer over L2TP over IPsec.

To configure the L2TP/IPsec connection, you must install the 'IKEv1/IPsec and IKEv2/IPsec VPN servers, L2TP/IPsec VPN client, Site-to-site IPsec VPN' system component. You can do this on the 'General System Settings' page in the 'Updates and component options' section by clicking 'Component options'.

To set up an L2TP/IPsec connection, go to the 'Other Connections' page and click 'Create connection' in the 'VPN Connections' section. In the 'VPN Connection Settings' window, select 'L2TP/IPsec' in the 'Type (protocol)' field.

Then enter the name of the connection in the 'Connection name' field, and in the 'Server Address' field, enter the server's domain name or IP address. In the 'Username' and 'Password' fields, specify the account's data that is allowed to access the local network via L2TP/IPsec. In the 'Secret key' field specify the previously agreed key, which is installed on the server.

Click 'Show advanced settings' to configure the IP settings, work schedule, or the interface through which the connection should work.

Once the connection is established, put the switch in the 'On' state.

The same page will also show the status of the connection.

To test the connection, access a resource on the remote network or ping the host on the remote network (server local network) from the client computer.

L2TP/IPsec server configuration in Netcraze is described in detail in the article 'L2TP/IPsec VPN server'.

OpenVPN is one of the most popular protocols for VPN connection. It can be used to create a virtual private network or to interconnect local networks. OpenVPN is open source and distributed free of charge under the GNU GPL license. It provides faster connection speeds than other VPN protocols. In addition, OpenVPN can be called one of the safest protocols. All transmitted data is securely protected by the OpenSSL encryption library and SSLv3/TLSv1 protocols, which provides high security and anonymity.

Netcraze router features TCP and UDP mode for OpenVPN connection, TLS authentication, use of certificates and encryption keys to increase the security of VPN connection.

Installing the system component 'OpenVPN client and server' is necessary to configure the OpenVPN connection. With this component, you can use both client and OpenVPN server in your Netcraze. You can install the system component on the 'General System Settings' page in the 'NDMS Update and Component Options' section by clicking 'Component options'.

The OpenVPN mode (client or server) is mainly defined by its configuration file.

Let's consider an example of connecting OpenVPN of the 'site-to-site' type.

We will connect the Netcraze#2 client (Home-segment 192.168.2.0/24, tunnel address: 10.1.0.2) to the server on Netcraze#1 (Home-segment 192.168.1.0/24, tunnel address: 10.1.0.1)

We recommend that you read the following information:

SSTP (Secure Socket Tunnel Protocol) tunnels can be used to connect to the Netcraze router's local network remotely.

Data transfer via the Internet in the SSTP tunnel is carried out with the help of HTTPS protocol (the data is transferred over the SSL or TLS cryptographic protocols), which provides a high level of security.

To configure the SSTP connection, it is necessary to install the 'SSTP VPN client' system component. You can do this on the 'General System Settings' page in the 'NDMS Update and Component Options' section by clicking 'Component options'.

After that, go to the 'Other Connections' page and click 'Create connection' in the 'VPN Connections' section. Select 'SSTP' in the 'Type (protocol)' field in the 'VPN Connection Settings' window.

Then enter the name of the connection in the 'Connection name' field, and in the 'Server address' field, enter the server's domain name or IP address. In the 'Username' and 'Password' fields, specify the account allowed to access the local network via SSTP.

Once the connection is established, put the switch in the 'On' state.

The same page will also show the connection status.

To test the connection, access a resource on the remote network or ping the host on the remote network (server local network) from the client computer.

SSTP server configuration in Netcraze is described in detail in the article 'SSTP VPN server'.

Starting with NDMS 3.5, an IKEv1/IKEv2 clients has been added as a separate component that allows a router to establish client connections via IKEv1 and IKEv2 protocols.

IKEv2 (Internet Key Exchange) is a version 2 key exchange protocol included in the IPSec protocol suite. It provides high data security, speed and stability.

To set up secure IKE connections on your Netcraze router, you must install the 'IKEv1/IPsec and IKEv2/IPsec VPN clients' system component. You can do this in the web interface on the 'General System Settings' page under 'Update and component options' by clicking on 'Component options'.

Afterwards, in the 'Other Connections' page under 'VPN Connections' section, click 'Create connection' to add and set up an IKE client.

In the 'VPN Connection Settings' screen, enter the registration information provided by your VPN provider or VPN server administrator.

If you want to use this connection to access the Internet, enable the option.

Enter any name to identify the connection in the 'Connection name' field, set 'IKEv2' or 'IKEv1' in the 'Type (protocol)' field and specify the server address, user name and password. In our example, an IKEv2 VPN connection is used.

Once the connection has been established, toggle the switch to On.

The same page will show the status of this connection.

To set up an IKEv2 server on Netcraze, see the article 'IKEv2/IPsec VPN server'.

You can use OpenConnect VPN to connect remotely and securely to your Netcraze router's local network. A Netcraze router itself can act as an OpenConnect client. Starting with NDMS 4.2.1, an OpenConnect VPN server and client have been added.

To set up an OpenConnect client connection, you need to install the OpenConnect VPN client system component. You can do this on the General System Settings page in the NDMS Update and Component Options section by clicking Component options.

After that, go to the Other Connections page, and in the VPN Connections section, click + Create connection. In the VPN Connection Settings window, select OpenConnect in the Type (protocol) field. Then, in the Connection name field, enter the name of the connection, and in the Server address field, enter the domain name of the server (automatically generated on the Netcraze router acting as the VPN server). In the Username and Password fields, respectively, enter the credentials of the account that allows access to the router and the local network via the OpenConnect protocol.

After creating the connection, set the switch to Enabled.

The same page displays the connection status and statistics.

To check the connection, access any resource on the remote network (the VPN server's local network) from a computer on the client side or ping a remote network host.

To set up the OpenConnect server on a Netcraze router, see the article OpenConnect VPN server.

ZeroTier allows individual devices and network routers to access your LAN via a distributed interconnection overlay that automatically chooses the optimal route between nodes. The protocol's design ensures easy deployment, centralized management, stable performance, and data protection. As a result, connections are secure, providing low latency and high throughput.

To configure your Netcraze device to connect to your ZeroTier network using the command-line interface (CLI), we must first create an interface with the following CLI command.

      interface ZeroTier{X}   

Where {X} is the index of the new interface, the number you choose.

Then, let's specify the NETWORK ID of your ZeroTier network.

      zerotier network-id {network_ID}   

Replace {network_ID} with your ZeroTier NETWORK ID without quotes or brackets. You can find your network's NETWORK ID on the ZeroTier Central management portal, as shown in the image.

Next is to enable the acceptance of addresses and routes distributed over your ZeroTier network.

zerotier accept-addresses
zerotier accept-routes

Then, bring the interface up and save the configuration.

up
system configuration save

The whole set of commands listed above should look like the following.

(config)> interface ZeroTier0
Network::Interface::Repository: "ZeroTier0" interface created.
(config-if)> zerotier network-id 0123456789abcdef
ZeroTier::Interface: "ZeroTier0": set network ID to "0123456789abcdef".
(config-if)> zerotier accept-addresses
ZeroTier::Interface: "ZeroTier0": enabled addresses accept.
(config-if)> zerotier accept-routes
ZeroTier::Interface: "ZeroTier0": enabled routes accept.
(config-if)> up
Network::Interface::Base: "ZeroTier0": interface is up.
(config-if)> system configuration save
Core::System::StartupConfig: Saving (cli).

After entering the commands, your Netcraze node should appear on your ZeroTier Central network dashboard. To simplify network management, enter a name and description for the new node. You may also need to authorize the new member if your network's Access Control mode is Private (the default setting).

You may use the show command to review the connection state on your Netcraze device. The connected: yes line indicates that the connection status is positive.

(config)> show interface ZeroTier0
id: ZeroTier0
index: 0
interface-name: ZeroTier0
type: ZeroTier
description:
traits: Mac
traits: Ethernet
traits: Ip
traits: Ip6
traits: Supplicant
traits: EthernetIp
traits: ZeroTier
link: up
connected: yes <------
state: up
mtu: 2800
tx-queue-length: 1000
address: 172.26.81.177 <------
mask: 255.255.0.0
uptime: 312
global: no
security-level: public <------

ipv6:
addresses:
address: fe80::cc56:2aff:fed4:d8a3
prefix-length: 64
proto: KERNEL
valid-lifetime: infinite

mac: 32:dd:64:a3:fa:73
auth-type: none

zerotier:
via: GigabitEthernet1
local-id: 4aac294d2f
network-id: 0123456789abcdef
network-name:
status: OK

summary:
layer:
conf: running
link: running
ipv4: running
ipv6: disabled
ctrl: running

Note that the created interface has a security-level: public setting. This means that incoming connections must be explicitly allowed by the Firewall. Considering your ZeroTier network is trusted, one rule allowing all incoming traffic is enough. Add a new Permit rule for the created ZeroTier interface, and select IP for Protocol and Any for Source IP and Destination IP, as shown.

Tip

To inform other devices on your ZeroTier network about the LAN behind your new node, create a route in the Advanced section of your network's settings on ZeroTier Central. Use the Managed IPs address (the address: 172.26.81.177 line in the output above) as the Via address. Enter your router's LAN subnet address (192.168.1.0/24 by default) in the Destination field.

Netcraze has a built-in IPsec VPN client/server. Thanks to this function, it is possible to combine several Netcraze routers into one network via an IPsec VPN tunnel following the strictest security requirements.

In most cases, IPsec VPN is used for secure connection to the office network (e.g., from the home network to corporate server) or for combining networks (e.g., two remote offices). With the IPsec VPN tunnel, you don't have to worry about file server data privacy, IP telephony or video surveillance streams. IPsec is one of the most secure VPN protocols due to crypto-resistant encryption algorithms.

Let's take a look at an example of combining two local area networks (192.168.2.x and 192.168.0.x) over an IPsec VPN.

Two Netcraze routers will be needed for an IPsec VPN connection. This type of connection is called a 'site-to-site IPsec VPN'.

One Netcraze will act as an IPsec responder (let's call it a server), and the other Netcraze will act as the initiator of the IPsec connection (let's call it a client).

The router acting as an IPsec server has a static public IP address to connect to the Internet. The second Keenetc, which acts as an IPsec client, uses a private IP address.

So, let's move directly to configuring the routers to establish a secure IPsec VPN tunnel between them and connect the two networks.

Both routers must have an 'IKEv1/IPsec and IKEv2/IPsec VPN servers, L2TP/IPsec VPN client, Site-to-site IPsec VPN' system component installed on them.

You can do this by clicking 'Component options' on the 'General System Settings' page in the 'Updates and component options' section.

Netcraze routers have the ability to create IPIP (IP over IP), GRE (Generic Routing Encapsulation), EoIP (Ethernet over IP) tunnels both in pure form and in combination with IPSec tunnel, allowing to use IPSec VPN security standards to protect these tunnels.

The support of IPIP, GRE, EoIP tunnels in Netcraze routers allows you to establish a VPN connection with hardware gateways, Linux routers, computers and servers with UNIX/Linux OS, as well as with other network and telecommunications equipment that support these tunnels.

It is necessary to install additional corresponding components of the NDMS system to work with tunnels:

You can do this on the 'General Sstem Settings' page in the 'Updates and component options' section by clicking on 'Component options'.

Brief description

IPIP and GRE tunnels are network layer tunnels (L3 of the OSI model), where IP addresses of both sides are available. They are presented in the system as GreX and IPIPX interfaces, and routing (including the default route) can be configured through them just like through any other interface. Also, these interfaces can be configured with a security level of access - private, protected, or public (information on access levels can be found in the article 'Configuring firewall rules with the command-line interface)'.

IPIP (IP over IP) is one of the easiest tunnels to set up (it encapsulates only unicast IPv4 traffic). You can configure it on a UNIX/Linux system and on different routers (e.g. Cisco).

GRE (Generic Routing Encapsulation) tunnel is one of the popular VPN types. GRE tunnels are compatible with hardware security gateways, Mikrotik routers, Linux routers and other similar equipment (e.g. Cisco, Juniper, etc.).

EoIP tunnel (Ethernet over IP) is a Datalink layer tunnel (L2 of the OSI model) over the network layer (L3). Data is transmitted through this tunnel at the Ethernet frame level. EoIP provides a transparent network environment that emulates a direct Ethernet connection between networks. All MAC addresses are visible, and it is possible to connect two L2 LANs over the Internet using this type of tunnel. EoIP uses GRE as its transport. The EoIP tunnel can work over IPIP, PPTP and any other connection capable of transmitting IP packets. Any traffic other than IP can be sent through it, including ARP, DHCP, PPPoE, IPv6, etc. Subnet scanning via ARP will work in the tunnel by default when the security level changes to private/protected. In the system, it is presented as an EoIPX interface.

EoIP is developed by MikroTik, so there is compatibility with them and Linux routers that know how to work with EoIP.

You can use the Ping Check function on IPIP, GRE and EoIP tunnel interfaces to check its availability.

The IPIP, GRE and EoIP tunnels work directly over the IPv4 protocol. IPIP uses IP protocol number 4, GRE and EoIP use IP protocol number 47.

Examples

The following examples show private IP addresses, which can only be used within the local network. There must be public IP addresses at both ends of the tunnels to create tunnels over the Internet.

For GRE the interface name will be Gre0, for IPIP the interface name will be IPIP0.

Setting up a GRE/IPIP tunnel between two Netcraze routers

Setting up an EoIP tunnel between two Netcraze routers

For EoIP, the interface name will be EoIP0.

In the case of the EoIP tunnel, the settings will be absolutely the same, except for two things:

One end of the tunnel setup:

(config)> interface EoIP0
(config-if)> tunnel destination router1.example.com
(config-if)> tunnel eoip id 1500
(config-if)> ip address 192.168.100.1 255.255.255.0
(config-if)> security-level private
(config-if)> up
(config-if)> exit
(config)> system configuration save

The 'mirror' setting is at the other end of the tunnel:

(config)> interface EoIP0
(config-if)> tunnel destination 8.6.5.4
(config-if)> tunnel eoip id 1500
(config-if)> ip address 192.168.100.2 255.255.255.0
(config-if)> security-level private
(config-if)> up
(config-if)> exit
(config)> system configuration save

You can then try to ping the address of the remote side of the tunnel from any side to check if the tunnel is working correctly.

The EoIPx interface can be included in the Bridge to join local networks. To do this, configure the EoIP interface without an IP address on both sides and then add it to the Bridge Home:

(config)> interface Home
(config-if)> include EoIP0
(config-if)> exit
(config)> system configuration save

Using IPIP, GRE and EoIP tunnels with IPSec

If a special system component IPSec VPN is installed, it is possible to protect these tunnels using IPSec safety standards, both in automatic and fully manual mode. We will not describe the manual mode because experienced users can set up an IPSec tunnel with the correct mode and then raise the tunnel over IPSec. In the case of automatic configuration, several manual mode problems are solved at once:

The IPSec VPN component appends the following settings to tunnels:

Since IPSec separates a client from a server, to configure the client (the initiator, the side that will try to establish the connection), you must use the command interface tunnel destination, and to enable the server mode (the party that will respond to connection attempts), you must use the command interface tunnel source.

Example of EoIP tunnel configuration with IPsec (in our example, the side with the WAN address 8.6.5.4 is the server):

Server:

(config)> interface EoIP0
(config-if)> tunnel source ISP
(config-if)> tunnel eoip id 1500
(config-if)> ipsec preshared-key mytestingkey
(config-if)> ip address 192.168.100.1 255.255.255.0
(config-if)> ipsec ikev2
(config-if)> security-level private
(config-if)> up
(config-if)> exit
(config)> system configuration save

Client:

(config)> interface EoIP0
(config-if)> tunnel destination 8.6.5.4
(config-if)> tunnel eoip id 1500
(config-if)> ipsec preshared-key mytestingkey
(config-if)> ip address 192.168.100.2 255.255.255.0
(config-if)> ipsec ikev2
(config-if)> security-level private
(config-if)> up
(config-if)> exit
(config)> system configuration save

In the interface tunnel source command, you can specify both the source interface and the IP address where the server will be waiting for the connection. However, preference is given to the interface, because in this case, all the reconfiguration when changing the address and other events will take place automatically.

Starting with NDMS 3.9, a proxy client component has been added. This component will be useful for complex tunnelling applications, as well as for the simple task of connecting your network to the Internet via a proxy server. This functionality allows you to configure a connection via proxy servers using HTTP, HTTPS and SOCKS5.

To use a proxy connection, you must first install the appropriate Proxy client system component on your router. You can do this in the web interface on the General System Settings page in the NDMS Update and Component Options section by clicking Component options.

To configure Internet access via a proxy, go to the Other Connections page, scroll to Proxy Connections and click the Add connection button.

You will then be prompted to fill in certain fields. Enter the registration details provided by your proxy server administrator.

After establishing the connection, set the switch to the On position.

Next, in the Connection Policies menu, configure Internet access via the proxy connection you created. Drag it to the top of the list to make it the primary connection.

After that, all clients connected to the router will access the Internet via a proxy connection. If you need to configure access for only certain clients, you will need to create a separate profile and link specific clients to it. Instructions on how to do this are provided in the Connection policies article.

The setup is complete.

To test it, you can use any public internet service to check the IP address and the country where the IP is located.

Netcraze routers support multiple simultaneous uplink connections (this feature is sometimes called Multi-WAN). It is possible, for example, to plug in two Ethernet cables from different ISPs to the same Netcraze router and set up a primary and a backup connection, or you can, for instance, use a dedicated Internet connection via Ethernet for a primary link, and an Internet connection via a 3G/4G, LTE modem as a backup.

Every Netcraze device supports this feature set.

Let's take a closer look at the example of connecting a Netcraze router to two different ISPs over a leased Ethernet line and configuring the backup of the main Internet channel.

The primary Internet channel should be connected to the router's blue port 0 (WAN/Internet). The cable of the backup Internet channel can be connected to any of its available ports.

When using Multi-WAN on a router to load balance Internet connections, you can configure the binding of certain devices to different Internet connections using Policy-Based Routing (PBR). Refer to the instructions for more information:

Let's assume you have two internet connections (Multi-WAN) on your Netcraze: a primary connection via a leased line and a backup connection via a 3G/4G USB modem. And you need to configure the Netcraze router so that all home devices have internet access from the primary connection and one computer has access to the internet via the backup connection.

This can be done using Policy-Based Routing (PBR) and configuring the router in the Connection policies menu.

The setup process can be summarized as follows:

In the router's web interface, in the 'Connection Policies' page on the 'Policy Configuration' tab, add a new policy and only include a backup connection. Then, on the 'Policy Binding' tab, move the desired device from the Default policy to the newly created access policy. Now the device added to the new policy will access the internet via the backup connection, while the other devices (they are in the Default policy) will work via the default one.

Let's take a closer look at this setting with an example.

The router has two internet connections: the default one via a wireless provider and the backup via a 3G/4G mobile network.

Go to the 'Connection Policies' page. In the 'Policy Configuration' tab, you will see two internet connections (in our example, they are 'Ethernet connection' and 'Mobile Broadband'). Click on '+ Add policy'.

Create a new connection policy, give it a name and click Save.

In the newly created policy (in our example, it is a policy called 'Backup'), check the box for the backup connection (in our case, it is 'Mobile Broadband').

Click on the 'Policy Binding' tab. Click on 'Default policy' to see all local network devices that use this connection policy.

Click on the desired device (in our example, the computer named 'PC'), and in the 'Move to' field, select the newly created policy for the backup connection (in our case, it is the profile named 'Backup') and click 'Confirm'. You can also perform this action in another way: drag and drop the device from the right column to the name of the desired policy in the left column.

We have now added the desired device to the newly created connection policy, for which only the backup connection is used.

Once the settings have been made, the computer will access the internet via a backup connection (in our example, via the 3G/4G network of the mobile operator), and all other devices on the local network will work via the default connection.

Starting with NDMS 3.9, smart traffic balancing is implemented when multiple Internet connections are used. In Netcraze routers, this mechanism is called Multipath Mode.

In the router's web interface, you can create a new multipath policy that will optimize the use of several Internet connections and speed up and balance traffic.

In multipath mode, all connections included in the policy automatically transmit traffic. This mode can be used to aggregate the bandwidth of your ISPs.

Multipathing can only work under an optional policy (you cannot enable this mode in the Default Policy). To configure it, follow the steps below:

For example, to test bandwidth aggregation, the router uses two 100 Mbps (12.5 Mbyte/s) wired Internet connections from different ISPs. Let's create a policy that supports multipath mode. Let's start downloading the file and in the torrent client we will see that the download speed is summed up from the two Internet connections. In our example we got download speed up to about 179.2 Mbps (22.4 Mbyte/s).

For router old models with NDMS 2.14 - 3.8, you can set up balanced mode connections through the router's command-line interface (CLI). See 'Using multiple WAN connections in load balancing mode (configuring from the CLI)' for a configuration example.

Since NDMS 3.8, the speed limit option for incoming and outgoing traffic has been added to the router's web interface on the 'Connection priorities' screen.

This screen allows you to configure connection policies and assign them to devices and network segments. For each connection in the policy, you can specify individual traffic handling priority and incoming and outgoing speed limits. Note that bandwidth management is unavailable for the default policy; this setting is only possible for manually created additional policies.

Let's show it with an example. On the 'Connection Policies' page on the 'Policy Configuration' tab, let's add a new policy named speedlimit-10Mbit. In the bandwidth control settings, in the 'Inbound/outbound bandwidth control' fields, we will select 'Manual', and in the 'Limit speed for incoming/outbound data' fields, we will specify the speed in kbps or Mbps. In our example, the speed limit is 10 Mbit/s:

In the 'Policy Bindings' tab, let's add the desired home network devices to the speedlimit-10Mbit policy. To do this, select the connection policy in the left column and then drag the devices to the name of the desired policy in the left column.

Now an Internet connection policy with specified bandwidth will be applied to these devices (in our example, with a speed limit of 10 Mbit/s for incoming and outgoing traffic). Let's test the speed limit using the Speedtest online service, running the test from a computer which has been added to the speedlimit-10mbit access policy:

You can find more information in the article 'How to measure the Internet connection speed?'.

You can also set up bandwidth management for multiple Internet connections at once. For example:

To connect a Netcraze router to the Internet via IPv6 protocol, you need no special settings. In most cases, it is enough to install the 'IPv6' system component and enable IPv6 in the settings of the external interface, which you will use for the connection.

To set up an IPv6 connection, proceed as follows:

show ipv6 prefixes

(config)> show ipv6 prefixes

prefix:
 prefix: 2a02:2698:24::/64
 interface: PPPoE0
 valid-lifetime: 86349
 preferred-lifetime: 3549

<!-- show ipv6 prefixes -->
 <prefix>
  <prefix>2a02:2698:24::/64</prefix>
  <interface>PPPoE0</interface>
  <valid-lifetime>86349</valid-lifetime>
  <preferred-lifetime>3549</preferred-lifetime>
 </prefix>

<!-- show ipv6 prefixes -->
 
<!-- show ipv6 addresses -->
 <address>
  <address>2a00:1370:8024::</address>
  <link-local>fe80::5a8b:f3ff::</link-local>
  <interface>ISP</interface>
  <valid-lifetime>infinite</valid-lifetime>
 </address>

IPv6 over IPv4 tunnels are used to access Internet resources over IPv6 protocol when your public address is IPv4. To set up your connection, register with an IPv6 virtual provider (tunnel broker) running 6in4 technology. You will get the connection settings when you register.

A Netcraze router allows you to connect to multiple ISPs simultaneously (called Multi-WAN) and enable continuous Internet availability verification (Ping Check). Ping Check detects whether an Internet connection is available by polling a given network host. If the primary ISP's network fails, the router will automatically connect to the backup channel.

You can configure Internet availability checks for wired IPoE connections (including the ones with the authentication at the ISP: PPPoE, PPTP and L2TP), as well as WISP, ADSL / VDSL. But especially the Ping Check feature will be helpful if you have an Internet connection via a 3G/4G USB modem.

You do not need to care about configuring Ping Check. All you need to do is connect the supported USB modem to the Netcraze and ensure that it is detected and ready for operation (this can be done in the web interface on the System Dashboard page). The Ping Check function is activated automatically when a USB modem is connected to the router. It will use the Automatic mode as a check method.

This mode is designed to simplify the Ping Check function setup for ordinary users (those who do not want to learn about the additional parameters). It checks the availability of hosts google.com, facebook.com, yahoo.com on the port TCP/443 (HTTPS). ISPs do not block this port as a rule. If there is no connection to the hosts, the router will try to reconnect by restarting the modem interface, or if there is a backup connection, it will automatically reconnect to the backup channel.

In addition to the default functionality, it is possible to configure the Ping Check function by yourself. In addition to the Automatic mode, 3 more options are available: ICMP echo (Ping), TCP/TLS port check and TCP port check. For details, refer to the instruction Ping Check fine-tuning.

Implementation of the Ping Check function in the web interface of a Netcraze router supports flexible configuration.

Ping Check can be configured for wired IPoE connections (including those authenticated with an ISP using PPPoE, PPTP and L2TP protocols) and 3G/4G, WISP, ADSL / VDSL.

On the connection page, under Check the availability of the Internet (Ping Check) in the Mode field, you can manually specify which check requests to use — ICMP or TCP.

There are 5 options available:

'Automatic' mode

It is designed to make it easier for ordinary users (those who do not want to know about additional parameters) to set up the Ping Check function.

It checks the availability of google.com, facebook.com, yahoo.com nodes on the TCP/443 (HTTPS) port. Service providers do not block this port as a rule. The check interval is 10 seconds. The minimum number of successful attempts to switch from the Off to the On state is 5. The number of unsuccessful attempts to switch from the On to the Off state is 5.

'ICMP echo (Ping)' mode

In the Check interval (time in seconds between checks) and Trigger threshold (number of unsuccessful tests) fields, the default values are 10 and 5, respectively.

In the Check IP address or domain field, enter the host's IP address or its domain name, the response from which will serve as the network access criterion. For example, you can use the address of a reliable fail-safe DNS server (our example shows the IP address of a public DNS server from Google). We recommend that you specify the IP address to avoid DNS-related problems.

When using the ICMP echo (Ping) mode and specifying public servers (services) as the IP address to check Internet availability, there may be delays in responding to ping. The waiting time for a response to a request from the server is 10 seconds. If the reply is not received after this time, the router considers the request unsuccessful and sends the next request. This value is constant.

In the Check interval field, you can specify the interval between checks. The starting point for the second and further requests is the time of receiving the previous response (or the waiting time for the response has expired), not the time of sending the last request. For example, 0 sec — the first request is sent, in 3 sec — the first response is received (it can wait up to 10 sec), then the waiting time specified in the Check interval field (10 sec by default), i.e. 3+10=13 sec — sending the second request, etc. Thus, there cannot be any conflict of timing (when the request is sent earlier than the previous response).

If there are constant delays in responses from some public server, it is not recommended to excessively increase the check interval and trigger threshold, as this may cause blocking of traffic on the server side. It is preferable to choose the address of another resource, which is permanently available on the Internet, and that will not cause significant delays in response to ping.

'TCP/TLS port check' mode

The TCP/TLS port check mode improves the operation of the Ping Check mechanism to provide protection against Internet access failures. This mode will prevent false positives when the ISP redirects traffic to an authorised portal, such as its billing service.

We recommend that you specify the IP address to avoid DNS-related problems:

'TCP port check' mode

In the Check interval (time in seconds between checks) and Trigger threshold (number of unsuccessful checks) fields, the default values are 10 and 5, respectively.

In the Check IP address or domain field, enter the IP address of the host or its domain name that you want to check for availability. For example, you can use the address of a DNS server (in our example, the IP of a public DNS server from Google is specified). We recommend that you enter the IP address to avoid DNS-related problems.

In the TCP port field, specify the number of the TCP port that will be used to check Internet availability. The TCP/53 (DNS) port is used in our example.

'Disabled' mode

If you want to disable the Ping Check mechanism, set Disabled in the Mode field.

Usually, an ISP automatically provides its users with their domain servers (DNS). Still, you may need to stop using these servers and replace them with public DNS or VPN provider addresses in some cases.

Starting with NDMS 3.1, you can enable the option to ignore (disable) DNS servers automatically received from your provider in the web interface. This option is available for connections on 'Wired' page (enabling PPPoE/PPTP/L2TP), 'Wireless ISP', 'DSL connection'.

Let's look at an example. In the router's web interface, on the 'System Dashboard' page in the 'Internet' panel, in the 'DNS servers' line displays the DNS addresses automatically received from the ISP, and additional servers specified manually. In our example, the DNS server 192.168.100.1 is obtained from the ISP, and the addresses 8.8.8.8 and 8.8.4.4 are added manually.

Enable the 'Ignore DNSv4 from ISP' option on the 'Ethernet Cable Connections to Internet' page. It blocks the use of DNS server addresses received via DHCP for the current connection.

When using an IPoE connection (without authentication) or with authentication via PPPoE/PPTP/L2TP protocol, you can find this setting on the 'Ethernet Cable Connections to Internet' page in the 'IPv4 Settings' section. The settings for WISP and ADSL connections are on the respective 'Wireless ISP' and 'DSL connection' pages.

After disabling DNS, the 'DNS servers' line on the 'System Dashboard' page will no longer display the addresses automatically received from the ISP.

You can find more information in the 'Using public DNS servers' article.