ZyXEL Keenetic router features on the second generation firmware NDMS v2.00

    Some time ago , a beta version of the firmware called NDMS 2.0 appeared on the ZyXEL website in the download section for the Keenetic Internet Center . The invitation to drive it was also received by the registered interested owners of ordinary Kinetics. The annotation says that this is not the next update, but the second generation of the software platform, radically different from the previous one and addressed to advanced users. The most interesting of the claimed (in comparison with the first generation microprograms):
    • Full-featured address translation mechanism (Full feature NAT) with support for multiple external IP addresses; port forwarding with the ability to select the destination port on the local network; reassignment of roles of network interfaces.
    • Support for multiple PPP tunnels for accessing the Internet and connecting to virtual private networks (VPNs).
    • The ability to assign several additional physical WAN interfaces to the ports of the integrated Ethernet switch.
    • Reserving Internet connection via 3G / 4G USB modems and optionally assigned WAN interfaces.
    • Professional configuration interface via the command line (Cisco like CLI). All functions can be configured from the command line and saved as a text file.
    • Batch firmware assembly “on demand”. The functionality of the device is selected by the user in the web interface of the device and is automatically updated.
    The draft command line manual for working with the command line attached to the firmware really "inspires" - a pure command line, the topic of individual articles. Here we’ll try to figure out what and to whom the new firmware is preparing at the web interface level (there are still no manuals for it yet), and why it is not recommended to be installed by “simple housewives”.

    So, the new firmware was downloaded from the ZyXEL website and successfully installed on Keenetic (there may be nuances, but they can be solved through the manufacturer’s support in a special topic and in this case are not important). Let's get to know each other. The web configurator also opens at with the username / password admin / 1234. Immediately we see that the new web interface has almost nothing to do with the previous version:

    He made a double impression on me: on the one hand, he became prettier, but on the other, I mastered it much longer. (Looking ahead, you can add that the skin organization of the web interface can then be selected from the two options to your taste in the list of components.)

    Like the first-generation firmware, NDMS 2.0 supports many types of connections, each of which now has a separate tab in the Internet section (IPoE, PPPoE, PPTP, L2TP, 802.1X, 3G, Yota, Wi-Fi client). Unlike V1.00, here you can configure several connections at once, and in any combination. Connections are connected either to physical interfaces (Ethernet ports, USB modem, Wi-Fi interface), or to an already created logical interface (for example, you can "nest" one PPTP tunnel in another). Each Internet connection is assigned its own priority, which allows you to determine which one will be the main one, and which one will be basic, secondary or backup, depending on your imagination and needs.

    In the default settings, there is only one Internet connection “Broadband connection (ISP)”, which is tied to the WAN port. It raised a DHCP client that automatically receives the address from the provider's network when the cable is connected to the WAN port (of course, provided that the provider issues this address). For the home network, by default, all LAN ports of the router and Wi-Fi access point are designed. They are combined into one logical interface (Home VLAN), on which a DHCP server is raised, distributing addresses from the network.

    To connect to the Internet service provider via PPTP, as well as via L2TP or PPPoE, you need to configure two (!) Interfaces: one for connecting to the provider's network (IPoE tab), and the second for the Internet itself. If the address in the provider's local network is automatically issued, then the first interface can be considered already configured - this is the predefined Broadband Connection (ISP) interface, which is mentioned above. If the provider gave you a static address, change the settings for the Broadband connection (ISP) interface and do not forget to set the specified DNS servers in the DNS tab. Next, open the PPTP tab (L2TP or PPPoE):

    Here, in addition to the usual settings typical for mass routers, the items “Connect via” and “Use to access the Internet” appeared. The first is needed to tell the router through which connection it should establish a PPTP connection (L2TP or PPPoE), in our case it is a Broadband connection (ISP), and the second speaks for itself: if you want to use this PPTP connection (L2TP or PPPoE ) to access the Internet, check the box, - then when the connection is established in the routing table of the router, the default route will be the gateway of this connection. After applying the settings and connecting to the WAN port of the cable from the provider, the device will connect to the Internet. If you need to use 802.1x (there are also such providers), then it is turned on even easier: as a separate connection it does not appear, but “comes to life” on the specified interface.

    In principle, we have already received a working router with Internet access via PPTP. But, of course, this whole garden (firmware and an article about it) is not for the sake of such a banality. Now let's take a look at how Internet connections via USB modems rise. Yota modems, as in the first firmware, are automatically recognized when plugged into a USB port, everything that is necessary for their operation is pre-configured. We take the popular Samsung SWC-U200 iotov modem and stick it into the router (the availability of money in the account is not important). The connection passes imperceptibly quickly, the modem winks off with a blue indicator, on the status page the Yota interface merrily lights up in green, and the connection parameters appear on the Yota tab. As we can see, the state of the SLEEP modem, because its priority is lower by default than the PPTP connection that continues to work:

    This, as far as I understood, is a very important feature of NDMS v2.00. Despite the normal working PPTP connection to the Internet, the system will immediately establish a connection with Yota, but will not use it for data transfer. The connection will be in reserve, since by default the priority of the Yota interface is lower than that of ISP and especially PPTP. A typical priority assignment is: ISP - 700, PPTP / L2TP / PPPoE - 1000, Yota - 400. What do these priorities mean? And here is what. If for some reason the PPTP session crashes and does not recover, nothing special will happen: the system will continuously try to restore it, but will not switch to Yota, because the priority of the physical connection to the provider's network is higher and it is operational. But if you pull out the cable from the WAN port, the system immediately switches to the iota Internet (I don’t lose a single ping when switching). Since a PPTP session can most likely fall off simply due to scheduled work on the provider's network, it is rational to set the connection through Yota a priority of, say, 900. Then, when the PPTP tunnel falls, it will switch to the mobile Internet, so to speak, without hesitation. As soon as she discovers that the connection through PPTP has come to life, Yota will be transferred to the reserve. Unfortunately, in the current firmware there is no more accurate check of the Internet connection by periodic pinging, but let's hope that in future versions the developers will add this feature. After all, reserving a connection and ensuring uninterrupted access to the Internet, I believe this is the main feature of NDMS v2.00 and this firmware,

    By the way, in order to deactivate the interface (that is, so that the system stops working with it and does not react to it at all), it is enough to remove the “Enable interface” checkbox in the interface parameters. To enable, you need to do the same, but in reverse order; parameters are not erased and remain “ready”.

    I see no reason why we cannot add another backup connection, for example, via ADSL. In the most common variant, the provider also issues addresses via DHCP (with static addressing it is not more difficult, but to describe a little longer). To create a backup ADSL link, we will need any ADSL modem with an Ethernet port and preferably with the condition that it is desirable to remove the IP address for controlling the modem from the IP subnets configured on Kinetics. But this is not fatal, since the modem will work in bridge mode. After setting up the ADSL connection on the modem and putting it into the Bridge mode, we connect it to a free LAN port on the router (in the current example, the LAN4 port). Next, in the settings of the Internet center, create another IPoE interface and bind it to LAN4:

    After creating the interface, it will appear in the list:

    Now we can do anything with this interface (up to deletion). Create a PPPoE connection through it. To do this, go to the PPPoE tab and click "Add Interface". After that, we enter the data received from the provider and save the PPPoE interface, not forgetting (!) To specify the IPoE connection that we created as the output, or, so to speak, “carrying” interface.

    Actually, it turned out that the router was simultaneously authorized by three providers: according to PPTP, PPPoE and Yota, in order to ensure uninterrupted access to the Internet. I set the priorities in the same way as in the screenshot:

    That is, the main connection is PPTP; if something happens with the connection (in particular, the link falls off), the router will automatically switch to PPPoE. If there is any kind of trouble, then Yota will enter the work. In this case, the router will constantly try to restore PPTP and PPPoE connections. WiFi client is listed by default.

    One could stop at this, but I cannot but share non-trivial knowledge about forwarding ports in this firmware. You can, of course, install the UPnP module, and let everything happen by itself, but, for example, RDP does not want to work on UPnP. In this regard, we will create a rule for forwarding a port to a home server. In relation to the scheme configured by us, the process will look as follows. First, go to the “Security” tab and immediately get to the NAT tab:

    Rules work only between Internet interfaces and local interfaces. We add a rule in which we indicate the “Input” interface, that is, the interface to which calls from the Internet will come (we have PPTP). Next, indicate the number of the external destination port and its type (TCP or UDP). After that, we write the IP address of the internal server and, if necessary, indicate which port to broadcast the request to. Similarly, port forwarding is configured for backup connections (if necessary, of course). After saving the rules, we need to allow the necessary ports to go through the firewall of the router to the local network. This is done in the "Firewall" tab:

    Here we can create rules for the entire device or for each interface individually. If we want to determine the interface on which the rules will spin, we must select it right away.

    In general, as it turned out, there is nothing super complicated in the settings, you just need to understand the logic of the firmware:
    1. There are logical interfaces that can be connected to both physical and other logical interfaces.
    2. The interface can be “for the Internet” - then the gateway it uses will be the default route for the entire system; and may be “not for the Internet” - such an interface can be used, for example, to connect to a remote network.
    3. Each Internet interface has a priority, according to which the backup algorithm of the Internet channel will sort them out.

    I will add also that in the NDMS v2.00 firmware there was an interesting and, by and large, working for the future, a feature that I had not previously seen in any other router or network device. This is the support declared at the very beginning of the component firmware assembly. That is, with the device or on the ZyXEL website, by design, the basic version of the firmware is supplied, sufficient for the initial setup and Internet access. Having connected to the Internet, we go to the component menu and create the firmware for ourselves by installing or removing specific modules. For example, we can remove support for 3G modems, but leave Yota support, you can remove the Transmission and WiFi client, while adding FTP and CIFS. It would be logical to leave only the type of authorization that is necessary to access a specific provider, and all the rest without regret, delete to free up device memory. I’ll make a reservation that at the moment you can safely leave all the components in the firmware, there is still enough space, but the developers promise support for “thick” components, such as DLNA, SIP client and other goodies. Then it will make sense to fine-tune the firmware.

    After choosing the necessary components, click the “Apply” button and wait a couple of minutes until Keenetic receives the firmware we ordered from ZyXEL server and installs it automatically. Settings do not need to be reset.

    I want to note that the choice of components is "a useful thing, but dangerous, like dynamite." There is no "protection from the fool." You can, for example, remove the component necessary for authorization in the network of your provider (which I, incidentally, accidentally did) and then not be able to put it back, since you no longer have Internet access. In this case, you will have to upload the firmware in the standard way by selecting the firmware file previously downloaded from the manufacturer’s website. Well, and according to a beautiful plan - the user’s firmware file should never be needed again, because here the components are not only selected again, but also updated as already installed if updates are available (as indicated in the table).

    In addition to the web configurator, both the command line interface (CLI) and the configuration file have been upgraded. Through the CLI, you can configure absolutely any scheme (of course, not beyond the functional limitations of the device) that is not subject to the web interface. I note that users familiar with Cisco routers, once in the new ZyXEL CLI, will feel like fish in water. Here is an example of what the CLI console looks like:

    The Keenetic configuration file is now a text file that can be downloaded to the local machine, edited in any text editor, and uploaded back to the device. After rebooting, the device will start working with the new settings.

    In general, the NDMS v2.00 firmware leaves a good impression and is quite functional. The advantages include the flexibility and logic of settings, which are completely not typical for home devices, as well as the well-functioning backup of the Internet channel, which allows you to create and simultaneously use several network interfaces. Among them can be wired interfaces (using VLAN or without), wireless (access point or WiFi client), connections via USB modems (3G / 4G, CDMA). The firmware supports many authorization methods for accessing the Internet (PPPoE, L2TP, PPTP and 802.1x), as well as the creation of secure VPN tunnels based on the common L2TP and PPTP protocols. For people who work remotely, now there is no need to create a secure tunnel to the office on their computer,

    The well-proven functionality of ZyXEL Keenetic Internet centers also seems to be in place (although so far, in beta status, judging by the forums, v2.00 does not work so smoothly). In particular, it remained possible to use the device’s USB port to connect external USB disks and printers with the ability to work with them simultaneously. There is a built-in torrent client Transmission, and work with USB-drives via FTP.

    The main drawback for me was the lack of support for IPTV over Wi-Fi. I will not write about minor flaws and shortcomings here, but they certainly are. We will wait until the firmware leaves the beta state. For now, I express my wishes and comments directly to developers in the ISK (my.zyxel.ru) and in the corresponding topic on iXBT.

    PS Screenshots were taken about a month ago, since then the versions of the components have changed significantly. IPTV over Wi-Fi has worked, but not yet perfectly.

    Also popular now: