Why Keenetic Peak is an ideal router for peripheral (Edge) projects
If your company needs to connect dozens of small sites to the Internet, such as off-site retail outlets, village shops, eco-hotels in remote corners of the planet, or simply small offices in business centers, you will probably be unpleasantly surprised by how much specialized equipment for peripheral (Edge) installations costs. I suggest considering top-end Keenetic home Internet routers for such cases, and I will explain why following this advice will not only save money but also solve most of the problems that come up. But first, let's talk a little about Edge.
The Edge concept, to put it simply, means "harsh conditions": no cooled data center racks and no wall cabinets, but rather the opposite. Everything that is worst in IT you will meet at facilities that have never been connected to the Internet before, and your equipment should be ready for it: wall mounting, dust clogging the fans, ever-present cleaners, torn wires, and that is only the beginning. You may have different Internet connections at different sites: Ethernet from a home provider, backbone fiber, 3G, Wi-Fi, or all at once, while you really want to keep the same range of equipment at each point for quick replacement and uniform maintenance. So why Keenetic, and in particular the Peak model?
Since we mentioned connection types, let's start with them. Keenetic Peak can connect both via RJ45 to regular cable Internet and via fiber, for which the model has an SFP slot. In addition, the router is compatible with 3G/4G modems connected to a USB port. But the most interesting thing is that this model has a 4x4 Wi-Fi controller that can work in bridge mode: it connects to the Internet via Wi-Fi and serves the local Wi-Fi network in the same band.
Of course, there are some limitations: since the same radio module is used for receiving and distributing Wi-Fi, the local wireless network will work on the same channel as the Internet uplink, which is not always convenient, but not critical.
To test the performance of the router, a test bench was set up using several virtual machines and network devices:
- Windows Server 2019 - in the range of external IP addresses, generating load from the WAN side
- 2 x Windows Server 2019 - in the range of internal IP addresses connected to the LAN ports of the router, generating load from the local network
- Huawei AirEngine 8760-X1-Pro in the range of external IP addresses for testing WISP
- Zyxel XS1930-12HP 10G switch on the LAN side
- 2 x Intel X550-T2 NICs
To generate the load, iPerf3 was used over TCP with 8 parallel streams.
It is much more important that the router can provide a backup Internet connection: for example, use a cable as the main way to connect to the network, and Wi-Fi and/or 4G as a backup. As for wired connections, any of the ports can be assigned either to the local network or to the WAN, and this is not the only feature of the built-in switch.
Keenetic Peak has 10 ports, so even if you use wired connections for the NAS, MFP and workstations, you will almost always manage without buying an additional switch. At the router level, VLANs are supported on the principle of "1 port - 1 virtual network", which lets you segment the LAN to increase security, especially when you have devices with a closed operating system (various sensors, projectors, IP phones and other devices that cannot guarantee they contain no backdoors).
The switch also implements technologies for improving network reliability that are not usually found in home routers. First of all, there is the well-known loop protection (STP, with support for MSTP/RSTP/STP).
Surely you have encountered a situation where someone plugs a network cable into the wrong place, and the switch "hangs" because of the resulting loop, stopping the network. If such a loop forms on a Keenetic Peak port, the router simply disables the problematic ports while the rest of the network continues to work, and the interface reports that a loop has formed.
Starting with Keenetic version 3.7.0, the device includes a cable tester that can detect an open circuit or incorrect crimping on the line.
What is especially nice is that Keenetic Peak shows the distance to the break with an error of about 1 meter. When the cable is laid behind furniture, in baseboards or above a false ceiling, this is enough to cut out the problematic piece and splice in a replacement.
Another property of expensive managed switches is link aggregation (XOR logic is used here, not LACP). In Keenetic Peak, ports can be combined in two pairs: 5+6 and 9+10. On the device at the other end, you need to set the bond type to "ip addr+port" in the settings. That is, you can connect your computer to the NAS and get double the file transfer rate. But in most cases, Keenetic itself can act as a NAS.
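How an XOR bond with an "ip addr+port" hash assigns traffic to the two member ports, as an added example that is not from the original article. The hash follows the layer3+4 formula from older Linux bonding documentation, which is an assumption about how the pair behaves (the article does not give Keenetic's hash), and the addresses and ports are constructed.

```python
"""Added illustration: per-flow link selection in an XOR ("ip addr+port") bond.

Assumption: the hash below is the layer3+4 formula from older Linux bonding
documentation; the exact hash used by Keenetic is not given in the article.
"""
from collections import Counter
from ipaddress import IPv4Address

LINKS = ("port 5", "port 6")  # one of the aggregated pairs named in the article


def pick_link(src_ip, dst_ip, src_port, dst_port, n_links=len(LINKS)):
    """Return the index of the bond member that carries this flow."""
    ip_bits = (int(IPv4Address(src_ip)) ^ int(IPv4Address(dst_ip))) & 0xFFFF
    return ((src_port ^ dst_port) ^ ip_bits) % n_links


def spread(flows):
    """Count how many flows land on each bond member."""
    return Counter(pick_link(*flow) for flow in flows)


# Constructed sample traffic (addresses and ports are made up for the example).
PC, NAS = "192.168.1.10", "192.168.1.20"

# One SMB file copy is a single TCP connection: every packet has the same
# 4-tuple, so the hash always selects the same member link.
single_copy = [(PC, NAS, 50000, 445)] * 1000

# An iPerf3 run with 8 parallel streams opens 8 connections whose source
# ports differ (sequential here for simplicity), so the flows can be
# spread over both links.
iperf_streams = [(PC, NAS, 50000 + i, 5201) for i in range(8)]

if __name__ == "__main__":
    for name, flows in (("single SMB copy", single_copy),
                        ("iPerf3, 8 streams", iperf_streams)):
        usage = spread(flows)
        print(name, {LINKS[i]: usage.get(i, 0) for i in range(len(LINKS))})
```

With a hash of this kind each connection stays on one link, so the combined rate of the pair is reached when several connections run in parallel.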
Keenetic Peak has a USB 3.0 port to which you can connect either a USB flash drive or an external SSD and set up shared file access via the SMB/CIFS protocol. That said, today it makes sense to use solid-state drives instead of external HDDs: the speed of USB 3.0, of the processor and of even the simplest docking station is enough to fully load the network port. For testing, I used a server-grade Intel DC S3500 SATA drive. Initially, I bought a simple USB 3.0-to-SATA adapter without external power for the test, but it could not handle this SSD, and I had to exchange it for a $20 dock with a power supply. This combination worked perfectly!
For testing, a server with two virtual machines running Windows Server 2019 was used, each with a hardware 10-gigabit Intel X550-T2 network controller. The virtual machines were connected directly to the LAN ports of the Keenetic router, to which the SSD was connected via the docking station. The IOmeter test package was used for speed measurements.
That is, on a connected SSD you can not only store documentation, equipment logs or files from a video surveillance system, but also use the network drive to install programs on it and run them over the network.
At the moment, the SMB protocol is supported, and the connected disk can act as a Time Machine target for backups of Apple equipment. The drive itself can use the NTFS file system (that is, it is enough to format it under Windows), exFAT (the file system with which many external SSD drives are sold), FAT/FAT32, HFS+ (used in Apple equipment) or EXT2 / EXT3 / EXT4.
Outstanding results! In terms of bandwidth, this NAS shows performance comparable to the combined speed of two network ports, while CPU utilization exceeds 75%. Obviously, the device can easily be used for sequential read/write tasks such as archiving, restoring backups, writing to a network folder from removable media via a PC, and video surveillance. There is one caveat, however: some IP cameras, for example Hikvision, can save video only to password-protected folders, and if you offer them a public folder with open guest access, they will refuse to write. To solve this problem, Keenetic has an access rights management module. The number of read/write operations and the latency of disk commands are quite sufficient for office programs, for hosting microservices, for backup and for saving the metrics of IoT sensors. What is perhaps missing here is volume quotas, but you can manually partition the drive into volumes of the desired size.
Today, many engineers prefer to build networks on the principle of "everything via VPN": a gateway is installed at the facility, which directs all outgoing traffic through a tunnel to a centralized gateway in the cloud or at the central office. There, traffic passes through IDP protection and antivirus, and is then considered safe. Here Keenetic can act both as a client and as a server that supports all modern protocols: PPTP, IPsec, universal OpenVPN, exotic SSTP and very fast WireGuard.
For testing, the same virtual machine configuration was used as for the switch speed tests. Here I was interested in both the speed between two VPN server clients connected from the WAN side (labeled, for example, WireGuard-to-WireGuard in the diagram) and the speed between a VPN server client and a machine connected to the LAN (labeled, for example, WireGuard-to-LAN in the diagram). To generate the load, iPerf3 was used in 8-stream mode.
Previous Keenetic models had AES hardware offloading, but this is no longer present in the Peak model, and all traffic processing is done in software. However, the powerful 2-core processor handles VPN so well that you need not limit yourself to a 100-megabit channel: you can connect faster Internet and set up a direct connection, for example, between the storage in the company's main data center and a surveillance camera at the facility connected via VPN. The router can unlock the potential of 1-Gigabit Internet channels.
Regardless of whether your provider uses dynamic IP addresses or even keeps all clients behind NAT, the KeenDNS domain service lets you always have access to the router's web interface. For "gray" IP addresses, you can also configure remote access to the web interface of any network device, for example a NAS or a power management system. When the router periodically switches between backup and main channels, this is especially important: whenever there is Internet, you can open the web panel and view logs, reboot the device or check usage statistics.
The whole procedure for accessing the device via the cloud is reduced to a minimum: just type in the desired domain name, and if it is free, your Keenetic will be accessible over the Internet via an encrypted connection at the specified address. You don't need to register anywhere, enter an email address or confirm anything - everything is just like in a fairy tale. However, if you do register in the system, you will be able to receive email notifications, have access to advanced statistics, etc.
What is the hottest feature among network equipment manufacturers today? Of course, a centralized monitoring and management service for the entire fleet of devices in different parts of the world. Recently, Keenetic launched its own RMM cloud (still in beta and only in English) to facilitate mass management of "Keenetics" in a large organization.
To configure it, go to https://rmm.keenetic.com and register in the system. After registration, you can and should set up two-factor authentication. Now make sure that cloud access via KeenDNS is enabled for all routers that you want to add to the centralized management interface, as we discussed two paragraphs above, and then just enter their addresses and log in as an administrator. There is a very pleasant detail here: adding a router to the cloud does not affect its configuration in any way, and in the process the router does not even reboot or disconnect clients.
It takes a few minutes to download information from the router, but in the end you get:
- a beautiful dashboard with traffic distribution charts
- statistics on connected wired/wireless clients
- the ability to remotely restart the router
- notifications in Telegram about the status of the device
- access to the router's web interface without entering a login/password
What can you do with routers at the moment? First of all, reboot them and update the firmware, and for several devices at once. You can assign tags to connected clients, but you cannot control them from the dashboard: everything you want to do at a more detailed level has to be done directly through the router's web interface. Of course, this is a very welcome step for Keenetic users building projects on this equipment, especially Mesh networks, because in Keenetic RMM you can view existing networks and the devices included in them. Still, in the future I would like to see placement of devices on a map, easy VPN setup between nodes, uniform authentication rules for Wi-Fi, log export and other features of its "grown-up" corporate counterparts.
Application-based traffic prioritization
Recently, with the growth of traffic on the network, the ability to configure the order in which packets are forwarded, depending on which application or at least which kind of application they belong to, has become especially relevant. In high-load networks, where WAN channels are fully loaded during peak hours, QoS helps to hold video conferences and use IP telephony without delay. Today, it is considered good form for Internet gateways to use signatures containing the connection parameters of the most common applications (IP addresses and server domains, as well as ports and packet sizes). Sufficiently powerful gateways can classify outgoing packets without delay, building a queue that gives priority to delay-sensitive applications such as VoIP, conference calls and games. This capability has also appeared in Keenetic: today the gateway can classify over 1600 applications, and all you need to do is install the IntelliQoS application.
There is no need to make any custom settings: just turn on this function and use the mouse to choose which categories of applications go higher in the list and which go lower. Naturally, this applies only to outgoing traffic, because once a packet from the Internet has already arrived at your router, it is useless to give it priority.
And if Keenetic knows which class each network packet of each client belongs to, then it is not difficult to show in the dashboard exactly who generates what traffic, and indeed who downloads torrents :). By the way, the traffic analyzer is very convenient for detecting anomalies, and in general for understanding channel bottlenecks and optimization opportunities, for example, to move the device backup window, switch to higher-speed cloud services, or detect malicious software operating on the network.
Keenetic is actively moving into the business segment, and this benefits both home users implementing complex network projects that link several apartments and cottages into a single system, and companies that create quite viable fault-tolerant solutions at the peripheral facilities of large organizations. We have already seen that Keenetic has enough processing power to run a VPN at a speed comparable to the provider's tariff. Today this will not surprise anyone, because the networking world has moved towards simpler deployment, security inside the perimeter and easier maintenance.
What is already there
Here, it turns out, Keenetic has also had everything for a long time: client isolation in subnets, a centralized wireless network controller with easy addition of links, access to devices with gray IP addresses, and now a centralized management system via the Web. The interface has a convenient traffic shaper and analytics of client network activity, which, when IntelliQoS is turned on, also shows the type of applications. If the coverage of the built-in Wi-Fi controller is not enough, you can buy another, simpler Keenetic and set up a seamless network. All this is enough for peripheral sites of low complexity.
What is not there, but I would like to have
A router such as Keenetic Peak lacks PoE on at least 2-3 ports for IP cameras or desktop phones, which would make it possible to fully equip a small site with a single range of network equipment without buying PoE injectors and switches. I would also like to be able to block connections between devices connected to a single segment.
What is not there and is not needed
I would not dream of any advanced security tools, because in peripheral scenarios the bulk of clients are automation devices, and the threat comes from them, not from outside. Keenetic has convenient and clear isolation of devices by subnet and by VLAN, and this is already enough.
In general, implementing projects on Keenetic is not something new or out of the ordinary. You will not be surprised to learn that Keenetics are often used in HoReCa segments, in business centers and in small shops.
Michael Degtjarev (aka LIKE OFF)