====== NRSW Factsheet ======

This factsheet outlines the feature set as of version 3.8 of NetModule Router Software (NRSW). See also the [[configuration:gui-simulator|GUI simulator]] for illustration.

The Linux-based software is composed of more than 130 applications and [[packages|packages]] containing both NetModule proprietary and [[documentation:oss-notice|open source software]]. For a detailed description of specific features, please refer to the [[http://www.netmodule.com/products/software.html#_tabs_0|overview]], the [[documentation:feature-list-details|detailed]] feature list or the [[https://share.netmodule.com/public/system-software/latest/|user manual]].

===== User Interfaces (Web Manager/CLI) =====

==== Web Manager ====

A big asset of the NetModule Routers is the self-explanatory, and hence easy-to-use, Web Manager.

==== Command Line Interface ====

The [[configuration:cli-commands|Command Line Interface (CLI)]] offers a generic control interface to the router and can be used to get/set configuration parameters, apply updates, restart services or perform other system tasks. For power users, root login with a full Linux shell is available.

==== Web Service Interface ====

CLI-PHP, the HTTP frontend to the CLI application, can be used to configure and control the router remotely. It is enabled in the factory configuration and can therefore be used for deployment purposes, but it is disabled as soon as the administrator account has been set up.

===== Status Overview =====

Web Manager and CLI offer comprehensive status information to the user, including system information.

===== Interface Management =====

We basically distinguish between Wide Area Network (WAN) and Local Area Network (LAN) interfaces. WAN interfaces, e.g. Mobile network, WLAN and Ethernet, are directed towards the WAN. Typically the router acquires an IP address on a WAN interface from the service provider. In case of multiple WAN interfaces, the router needs to decide on which interface a packet shall be sent out.
This is called routing. In contrast, on a LAN interface, e.g. Ethernet or WLAN, the router typically runs a DHCP server and assigns IP addresses to the hosts in its LAN.

==== WAN Link Manager ====

Multiple WAN interfaces (Mobile network, Ethernet, WLAN) can be prioritized in a list, or the traffic can be distributed to multiple interfaces based on the session or the source address. Every interface can be [[app-notes:Supervision|supervised]] with ICMP messages. Custom configuration (reference host, interval, emergency actions, etc.) is possible. In case of restrictions on the maximum packet size, the router can adjust the maximum size of TCP packets.

==== Ethernet, WAN, LAN, VLAN, and Switch Manager ====

Ethernet ports are in LAN mode by default, but can be set into WAN mode. The capabilities of the Ethernet interfaces depend on the actual hardware. NB1600 has two separate interfaces that can be operated as two different IP networks with routing in between, or combined using bridging. NB2700 and NB3700 have an integrated switch that can be configured as separate ports (port-based LAN) or as a switch. In addition, VLANs according to IEEE 802.1Q can be configured. Traffic shaping is supported on each VLAN.

==== Mobile Network Manager ====

Each cellular modem requires a SIM card for making connections. The software assigns SIM cards dynamically according to the configuration. In most cases, at least the Access Point Name (APN) has to be configured in order to make an Internet connection. If the SIM is protected by a PIN, the software automatically enters the PIN which has been configured by the user in advance.

==== WLAN Access Point and Client ====

The software supports client mode (wpa_supplicant) and access point mode (hostapd). Simultaneous operation is only supported when your router model includes two WLAN modules (e.g. NB3700-2L2W-G). In client mode, the router can be configured to connect to one or multiple networks.
In access point mode, the router will receive connection requests from clients and assign IP addresses to them at connection setup. See also the captive portal extension [[app-notes:coova-chilli-standalone|Coova Chilli Standalone]] for Public WLAN solutions.

==== USB Host Manager ====

The system provides drivers for several USB devices. Supported devices include memory sticks and USB to RS-232 adapters /*, USB to Ethernet adapters and Microsoft RNDIS devices */. Unsupported USB devices can be forwarded via IP to another host where a device driver is available. Software update and configuration via USB memory stick is possible. For advanced scenarios, an autorun script can be executed when the stick is plugged in; see [[configuration:usb autorun|USB Autorun]] for more details.

==== Serial Port Manager ====

Serial interfaces can be forwarded via IP with a serial to network proxy (ser2net) or accessed from the SDK. Most routers have one physical interface. A second interface can be added via a USB serial adapter.

==== Digital I/O Manager ====

The logic for the digital inputs and outputs is normally implemented in the [[sdk:sdk|SDK]]. For example, the IOs can be controlled via SMS or a UDP server.

==== Global Navigation Satellite System (GNSS) Manager ====

The GNSS receivers in our products currently support GPS, and some of them also support Russia's Global Orbiting Navigation Satellite System (GLONASS). The received GNSS data is collected and served on a local TCP server, more specifically the [[http://www.catb.org/gpsd/|GPS Daemon (GPSD)]]. Output formats include [[http://www.catb.org/gpsd/NMEA.html|NMEA 0183]] and [[http://www.catb.org/gpsd/gpsd_json.html|GPSD JSON]]. The GPSD project provides client-side libraries in C, C++, and Python for easy interaction with GPSD. If you just want to do a quick test, you can use Telnet or one of the Linux GPSD clients such as gps, xgps, xgpsspeed, cgps or lcdgps.
To significantly improve the time-to-first-fix (TTFF), the software supports assisted GPS (A-GPS), which relies on a Secure User Plane Location (SUPL) server for getting additional data.

===== Routing and Traffic Shaping =====

==== Static Routes ====

Destination-based static routes have to be configured by the user. However, routes can also be configured via the SDK, which allows more dynamic scenarios.

==== Extended Routing and Load Balancing ====

Policy-based routing (PBR) allows configuring routing rules that make a routing decision based on the source address. Multipath routing can be applied to distribute the traffic load over multiple interfaces, also called load balancing. Weighted round robin queuing (WRR) will then be configured using the [[http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2|iproute2 utilities]] and applied by the kernel to distribute the load.

==== Mobile IP Home Agent and Mobile Node ====

[[configuration:mobile ip|Mobile IP (MIP)]] can be used to enable seamless switching between different kinds of WAN links (e.g. Mobile networks and WLAN). The router can play both roles, mobile node and home agent.

==== Quality Of Service ====

NetModule routers are able to prioritize and shape certain kinds of IP traffic making use of [[http://tldp.org/HOWTO/Traffic-Control-HOWTO/|Linux Advanced Routing & Traffic Control]]. This is currently limited to egress, which means that only outgoing traffic can be handled. The current QoS implementation uses Stochastic Fairness Queueing (SFQ) classes in combination with Hierarchy Token Bucket (HTB) queuing disciplines. If you need other classes or classless queuing disciplines (qdiscs), please contact our support team in order to evaluate the best approach for your application.

===== Firewall and NAPT =====

==== Stateful Inspection ====

NetModule routers use Linux's [[http://www.netfilter.org|netfilter/iptables]] firewall framework, which supports stateful inspection, that is, granting the same permissions for inherited connections within an IP session (e.g. FTP, which builds up a control and a data connection). The administration page can be used to enable and disable firewalling. When turning it on, a shortcut can be used to generate a predefined set of rules which allow administration (over HTTP, HTTPS, SSH or TELNET) by default but block any other packets coming from the WAN interface.

==== NAPT ====

Network Address & Port Translation (NAPT) basically translates IP addresses and ports. The feature is typically used for [[configuration:NAPT|port forwarding]] scenarios when operating multiple virtual servers behind a single IP address.

===== Tunneling, Security and VPN =====

==== OpenVPN Client and Server ====

OpenVPN is a software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations. It uses a custom security protocol (Blowfish) that utilizes SSL/TLS for key and data exchange. It is capable of traversing network address translators (NATs) and firewalls as it relies on a single UDP port only. OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and certificate authority.

NetModule Routers support 4 OpenVPN tunnels in client mode. In server mode, a router can terminate connections from 10 clients. 25 clients are possible with a [[faq:licenses|server license]].

==== IPsec Initiator and Responder ====

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.

NetModule Routers support 4 IPsec tunnels and can operate as initiator (client) or responder (concentrator). We use the Openswan implementation and have [[configuration:ipsec|tested the interoperability]] against many third party firewall and VPN concentrator manufacturers.

==== PPTP Client and Server ====

The Point-to-Point Tunnelling Protocol (PPTP) is a method for implementing virtual private networks between two hosts. PPTP is easy to configure and widely deployed amongst Microsoft dial-up networking servers. However, due to its weak encryption algorithms, it is nowadays considered insecure, but it still provides a straightforward way of establishing tunnels. NetModule Routers support 4 tunnels in client mode and can also operate as server.

==== GRE Client and Server ====

Generic Routing Encapsulation (GRE) is a tunnelling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network. NetModule Routers support up to 4 GRE tunnels.

==== CSD Dial-in Client and Server ====

Circuit Switched Data (CSD) Dial-in means terminating a circuit switched data call from another mobile or ISDN device. This feature is only supported for legacy reasons. Future modems might not support it, and the feature may be dropped from the software at some point.

===== Services =====

==== DHCP Server ====

A Dynamic Host Configuration Protocol (DHCP) service is available for each LAN/WLAN interface and provides dynamic IP addresses to hosts in the local network.
The lease time can be configured and various DHCP options are supported. For deterministic behaviour, hosts can be bound to their MAC address so that they will always receive a certain IP address.

==== DNS Server ====

The DNS proxy server can be used to resolve or forward DNS requests towards servers on the Internet which have, for instance, been negotiated during WAN link negotiation. By pointing DNS requests to the router, one can reduce outbound DNS traffic, as it caches already resolved names. It can also be used for serving fixed addresses for particular host names.

==== NTP Server ====

A Network Time Protocol (NTP) server is included. Supported time sources are other NTP servers, GPS and the mobile network (e.g. GSM).

==== Dynamic DNS Client and Server ====

The included dynamic DNS client can be used to tell one or more DynDNS providers the current WAN address of this router. This address can be either derived from the current hot-link address or obtained by querying an HTTP service on the Internet for the current public IP address. The latter might be applicable in NAT scenarios.

==== E-Mail Client ====

The E-Mail client can be used to send notifications to a particular E-Mail address upon certain events or from SDK scripts.

==== Event and Notification Manager ====

By using the event manager you can notify one or more recipients by SMS or E-Mail upon certain [[documentation:system-events|system events]]. The messages will contain a description provided by you and short system information.

==== SMS Client ====

On NetModule routers, it is possible to receive or send short messages (SMS) over each mounted cellular modem (depending on the assembly options). Messages are received by querying the SIM card via the modem. Received messages are pulled from the SIM cards and temporarily stored on the router, but are cleared after a system reboot. Consider using an SDK script if you want to process or copy them.
Using the [[sdk:scripts:sms-control|SMS control script]] from the SDK, the router and even other hosts can be operated via SMS.

==== SSH/Telnet Server ====

Apart from the Web Manager, the Secure Shell (SSH) and Telnet services can be used to log into the system. Valid users include //root// and //admin// as well as additional users created in the User Accounts section. Please note that a regular system shell will only be provided for the root user. For all other users the CLI will be launched. Whereas normal users will only be able to view status values, the admin user will obtain privileges to modify the system.

==== SNMP Agent ====

NetModule routers are equipped with a Simple Network Management Protocol (SNMP) agent, supporting basic Management Information Base (MIB) tables (such as ifTable), plus additional enterprise MIBs to manage multiple components. Our [[configuration:mib|MIB]] can be downloaded directly from the router.

==== VRRP Redundancy ====

A redundant pair of NetModule routers (or other systems) can be set up by running the Virtual Router Redundancy Protocol (VRRP) between them. A typical VRRP scenario defines one host as the master and another as the backup device. Both define a virtual gateway IP address, which is distributed by gratuitous ARP messages to update the ARP cache of all LAN hosts and thus redirect the packets accordingly. A takeover will happen within approximately 3 seconds after the partner is no longer reachable (checked via multicast packets). This may happen when one device is rebooting or the Ethernet link went down. The same applies when the WAN link goes down.

==== SIP Client, SIP Server and Voice Gateway ====

Depending on your hardware, you can set up a voice gateway on the router, to which any SIP-capable VoIP client in the local network can connect. It listens for incoming SIP calls and forwards them as a mobile call using the configured cellular modem.

===== Software Development Kit =====

NetModule routers ship with a [[sdk:sdk|Software Development Kit (SDK)]] which offers a simple and fast way to implement customer-specific functions and applications. The SDK API provides more than 50 functions, e.g. for SMS, E-mail, RS-232, file transfer and [[sdk:sdk#sdk-api-functions|much more]]. Over 40 [[http://wiki.netmodule.com/sdk/sdk#built-in-scripts|real-world sample applications]] making use of these functions are included in the software.

===== System Administration =====

==== User Management and Authentication ====

The system comes with two user accounts, //root// and //admin//. Further users can be created and roles assigned to them. A Remote Authentication Dial In User Service (RADIUS) server can be used for authenticating remote users. This applies to the Web Manager, the WLAN network and other services supporting and incorporating remote authentication.

==== Fail-safe Software Update ====

Fail-safe software update is also provided over the air (OTA). When issuing a software update, the current configuration will be backed up and reapplied after the update. Any other modifications to the file system will be erased. The configuration is generally backward-compatible. We also apply forward compatibility when downgrading to a previous software version within the same release line. For mass update and configuration, automatic provisioning is provided, as well as smooth integration with popular network monitoring and management systems such as [[monitoring:zabbix|Zabbix]].

==== File Configuration ====

Configuration via the Web Manager becomes tedious for larger volumes of devices. The router therefore offers automatic and manual file-based configuration to automate things. Once you have successfully set up the system, you can back up the configuration and restore the system with it afterwards.
You can either upload a single configuration file (.cfg) or a complete package (.zip) containing the configuration file and a packed version of other essential files (such as certificates) in the root directory. System integrators may define their own factory settings, so that the router will fall back to their default settings when the end user presses the reset button.

==== Keys and Certificates Management ====

The router includes certificate management capabilities for Root CA, HTTPS, SSH and OpenVPN certificates. The Simple Certificate Enrollment Protocol (SCEP) is supported in order to securely transfer certificates from the certificate authority to the router.

==== Troubleshooting Tools ====

From the Web Manager you can inspect the system log, debug log and boot log. You can generate and download a tech support file. We strongly recommend providing such a file when getting in touch with our support team, either by e-mail or via our on-line support form, as it significantly speeds up the process of analyzing and resolving your problem.

More detailed information is available [[documentation:feature-list-details|here]].