NetTEL 2520/2500, PoPToP
Manufacturer: Moreton Bay
Price: under $400 US
Reviewer: Jon Valesh
There are three words that go to the heart of Linux's appeal for many of us, words that define the spirit of Linux developers and users alike: “Do It Yourself”. It could be the Linux motto, but even with that great do-it-yourself spirit, there are times when having someone do it for you sure would be nice.
The new NetTEL VPN routers from Moreton Bay are great examples of how nice it can be. A NetTEL does nothing a network whiz couldn't do with their favorite Linux distribution, an old PC and a network card or two, but with a NetTEL, you don't need to be a network whiz. You can forget about understanding configuration files, and just tell the NetTEL what you need it to do. If you are feeling like a whiz, you can still learn those configuration files and do it yourself if the need or fancy takes you, because the NetTEL runs Linux and uses the same GNU tools you would have used to do the job.
Let's forget that attractive fact for a moment and concentrate on what the NetTEL does. The NetTEL is first and foremost a Virtual Private Network (VPN)/Network Address Translation (NAT) router. The 2500 model includes one Ethernet interface and two serial ports for modem or ISDN Internet access or incoming PPP connections to your LAN. The 2520 model adds a second Ethernet interface for ADSL or cable Internet services.
For its VPN role, the NetTEL uses the widely available point-to-point tunneling protocol developed by Microsoft to allow secure access to your local area network (LAN) by computers anywhere on the Internet.
As a NAT firewall router, the NetTEL allows every computer on your LAN to share a single Internet IP address, protecting your computers from Internet attacks, saving you money and allowing you to share resources more easily.
The NetTEL doesn't stop there, of course. Moreton Bay obviously made a real effort to cram as much network functionality into the NetTEL as they could. A DHCP server, dial-in support, transparent IP tunneling, configurable packet filtering, a good suite of diagnostic tools and more merge to form a very useful network tool for small to medium-sized businesses as well as home users who want the latest gadgetry.
Using a NetTEL, you can access the Internet from all computers on your LAN without paying for extra IP addresses or using expensive dedicated Internet services. That's because the NetTEL supports NAT, a feature derived from the Linux kernel networking support. NAT has one unchangeable rule: you can reach the outside world, but the outside world can't reach you. Great for security, but lousy if you want to transfer a file from your office computer to one at home. Moreton Bay has addressed this by implementing VPN, which allows you to create network links between any computer running the proper software and your LAN. Thus, you can access computers sequestered by the NAT firewall without exposing them to the hazards of being on a public network.
If you don't always have Internet access or you want to link remote offices without sending your data over the Net, the NetTEL's dial-in PPP feature allows modem-based wide area networking between NetTEL's or any PC or router supporting dial-out PPP. Incoming PPP and VPN connections are user ID- and password-authenticated, using information stored in the NetTEL. All that can be configured by anyone, even if they have never set up a network before and don't know VPN from PNG—that's the promise, anyway.
As with everything, the ultimate test is getting everything running the first time. A smooth start is doubly critical for a product like the NetTEL. After all, if it isn't easier to install than building your own, what's the point?
The NetTEL I received was a pre-release version shipped before the final packaging was ready, so a few details like a printed quick-start guide were omitted. The retail package should be a little easier to get working.
If you have some real work to do and no time to learn a new trade just to set up a network, the NetTEL's manual will come in very handy. You can download it in PDF format from the Moreton Bay web site to check out the installation and configuration process before spending any money. The manual doesn't limit itself to details on setting up the NetTEL, either, so if you are new to LANs and especially VPNs, you'll get a good introductory tutorial on the technologies and configuration of both to get you started. Die-hard Linux nuts will find the manual a bit too Windows-oriented. Fortunately, the instructions assume you will be using the web interface for configuring all the major features, and that keeps it platform-independent.
You configure and maintain the NetTEL through a slick web-based user interface, although the router ships without an assigned IP address which makes accessing those pages somewhat difficult to start. Before you can configure anything, you must assign the NetTEL an IP address on your network. Since you cannot connect a keyboard, monitor or serial console to the NetTEL, you need a working LAN with at least one computer on it to convince the NetTEL to do more than flash its lights dolefully.
The good news is you don't need to find a Windows machine or run any NetTEL-specific software to assign the NetTEL its address. You can use a standard DHCP server on Linux or Windows. Needless to say, this is going to be a problem for some users. If you already have enough of a network to be running a DHCP server, your network is probably enough that you don't need the NetTEL. On the bright side, setting up a DHCP server is less work than duplicating the features of the NetTEL, so it is still a fair trade. If you have a Windows machine around, an install wizard will transfer the spark of life to the NetTEL in minutes.
Once an IP address has been assigned, configuring the NetTEL is easy. Bring up your web browser, enter the IP address, and a nicely designed web page will guide you through setting up the Internet connection type, creating dial-in and VPN connections, dial-out Internet connections, configuring the internal DHCP server, security filtering, etc. If you are using the NetTEL for dial-up Internet access, you can configure it to remain connected all the time or automatically establish a dial-up connection whenever you go to access the Net. The configuration options are explained well on the web page, and the manual includes item-by-item instructions for each configuration page.
If you already have a DHCP server or use the Windows software, the complete installation and configuration can take less than 20 minutes.
In operation, the NetTEL usually does exactly what a router should—disappears into the background. It does its job, and you don't have to worry about it. If you do run into trouble, there are diagnostic tools available on the NetTEL's built-in web page. You can even set up the NetTEL to log error and status messages to your Linux machine using syslog, eliminating the need to check the web page for error messages.
When talking about network equipment, reliability is king. One of the strongest advantages of the NetTEL is the inherent reliability of its compact, solid-state design. No hard drive to trash, no fan to stop spinning, no keyboard to spill Coke on and no monitor to drop on your foot. It just silently does its job, and that's something very hard for a PC-based solution to compete with. I had no problems with the NetTEL hardware.
Moreton Bay put some thought into field-upgrading the NetTEL, too. The firmware can be upgraded using either tftp to a Linux machine or by using a Windows utility that is probably just a smart tftp server. Upgrading the firmware from a Linux box can be as simple as clicking a button on the web page. After an upgrade, the NetTEL will remember your old configuration options if possible.
It is all very fine to talk about sharing a single Internet connection, but sharing means slow, right? Not always, as I found out. I was amazed to see about a 20% throughput improvement with the NetTEL over dialing directly from my Linux desktop computer to access the Web. Fast serial ports and a dedicated CPU can truly help network performance. I didn't notice any improvement when using the 2520's second Ethernet connection to access the Internet like an ADSL or cable connection, but I didn't see a noticeable slowdown, either.
Not everything is rosy. The NetTEL does its job very nicely, but the job it does comes with some limitations. When using the NAT feature to share a single IP address, the NetTEL acts as a rigid firewall, blocking all incoming connections to your computers. This is normally a good thing, but not all network applications will work when you cannot make an incoming connection to the client computer. Unfortunately, there is no guaranteed workaround for those programs, and there is no way around the NAT feature when using the NetTEL to connect to the Internet.
The VPN feature provides the workaround for NAT's obstinate blocking of incoming packets, in some cases. If you know you will need to interact with a particular machine outside your physical network, you can set up a VPN link to bring that machine into your virtual network. Unfortunately, that works only for people you know and machines you or they control.
If you use the dial-on-demand feature, the NetTEL automatically connects to your ISP whenever you go to bring up a web page or run an Internet application like TELNET, but it isn't very selective about what programs cause it to dial. If you have software that periodically tries to make a connection to a remote host, such as a network time server, your dial-up connection will either stay up 24 hours a day or connect at seemingly random times. I had been testing the NetTEL for about three weeks when I got an e-mail from my ISP saying that perhaps I should lay off the caffeine because I was constantly dialing, staying on-line for fifteen minutes, and disconnecting for another five, only to dial back up again. I traced that back to xntpd running on one of my Linux boxes, but I've seen the same interaction from several other programs, most of them Windows applications. If you are unfamiliar with tcpdump or some other network monitoring tool, tracking down unsolicited dialing can be a bit of a trick.
I also had a minor problem with the modem I used to test the NetTEL's dial-up networking support. The NetTEL's modem initialization script is very generic, but wasn't able to reset the modem and place a call. That's where the NetTEL's Linux core appeals to anyone familiar with Linux networking. A minor change to the same chat script you'd find on a full Linux PC, and everything was working great.
In the end, these problems are just proof that there are no magic bullets—they are almost all unavoidable side effects of the good features of the NetTEL.
As VPN/NAT routers, the NetTEL 2500 line is excellent. At less than $400, it makes a lot of sense for any but the most die-hard do-it-yourselfers in the market for a NAT router or VPN solution.
But there's more. The NetTEL isn't a total loss for the do-it-yourselfer. In fact, the NetTEL (actually, the circuit board which forms the heart of the it) is one of the neatest toys I can imagine a hard-core do-it-yourselfer getting their hands on. Under everything, the NetTEL runs Linux (uClinux, specifically) and that means source code. The uClinux source is fairly monolithic, with code for the kernel and every application in one tree, sharing a common Makefile. The Makefile builds a compressed ROM image, including file systems, kernel and your application software, ready to load. The standard source tree gives you the network-heavy feature set of the NetTEL itself: pppd/diald, Ethernet support, the Boa web server, etc., missing only the NetTEL-specific web interface. From there, parts can easily be added or taken away. Don't expect the latest kernel features, though, as uClinux is based on the version 2.0 kernel, and the libraries have been trimmed with an eye to saving space over preserving functionality.
I must admit I looked over only the development tools. I didn't roll up my sleeves and start coding, but I did enough to learn that if you decide to use a NetTEL to build your own embedded Linux system, you will end up investing in some hardware debugging tools specific to the ColdFire CPU. The NetTEL hardware has a single FLASH ROM containing both the user-loaded code and the boot loader, so if you load a bad system image or in some way manage to disable the networking support, you will end up with a very attractive paperweight until you get those tools.
The Motorola ColdFire CPU is fast, and for those who decide to step below C for added performance, the commands and philosophy should be familiar to anyone who has worked with the Motorola 68K family. Some neat additions and odd changes are tossed in to keep it interesting. The serial ports support data rates of up to 230Kbps, and networking is harder to turn off than to leave on.
The memory and storage will seem vast to anyone used to microcontroller projects, but don't expect Emacs to fit. You've got 1MB of FLASH and 2MB of RAM, enough to do serious work. If you need more, upgraded versions are available from Moreton Bay. Size-induced limitations in the library may cause some ported software not to work without major changes, or to behave in strange and less than wonderful ways. For the most part, standard applications will port nicely to the uClinux platform.
Physically, the circuit board is a little larger than it needs to be because Moreton Bay left room for a PCI slot and support chips, yet the board is still smaller than almost any PC-based Linux solution. You cannot fault anyone for having too much expandability, and the ability to add a PCI card could actually change the development curve for some projects. The board has a very flexible power supply, able to accept AC or DC ranging from 6 to 12 volts, which should be perfect for running from a car battery or other alternative power source. The entire board draws less than five watts while running.
In talking with the folks at Moreton Bay, they are just as excited about the embedded applications for their design and uClinux as they are about the networking applications for the NetTEL. They have a lot of plans to add features specifically for embedded developers, and some special hardware packages are available too, so it is definitely worth thinking about if you are starting to develop a Linux-based embedded system.
Just to prove once and for all that the folks at Moreton Bay really do understand the spirit of Linux and open software, there is one other tool for the do-it-yourselfer. PoPToP, the Linux PPTP server, was originally developed by Matthew Ramsey at Moreton Bay but released under the GNU GPL. It is currently supported by a team of people around the world and has been ported to several platforms besides Linux. With PoPToP, you can implement your own VPN server, so if you really like the idea of a VPN router but finances or philosophy won't let you buy a NetTEL, you can just download the PoPToP software and install it on your own Linux machine for free. You will find a link to the PoPToP web page on Moreton Bay's web site.
I installed the PoPToP software on an Intel Pentium II machine running a 2.2.x kernel, and while installation was fairly painless, it was a compiler job, so don't be surprised if you run into problems getting the software to work on your computer. You will end up with the source for pppd and PoPToP, and you may need to recompile your kernel to get the software to work.
Once configured, the PoPToP software allows you to connect remote computers to your network through tunneled PPP links. PoPToP's configuration files are almost identical to those for pppd, so if you have ever configured your computer to accept incoming PPP connections, you'll have no trouble with PoPToP. If you haven't, the PoPToP FAQ provides sample configuration files that will work with a minimum of change, and the PoPToP web page is full of great links to VPN resources. Once everything is working, connections behave exactly like any serial PPP link. You can route subnets or individual IP addresses through the tunnels just as you can with standard PPP connections. It does what you always hoped networking tools would do—it disappears, never to need fiddling with again.
Born at the beginning of the Microcomputer age, Jon Valesh (firstname.lastname@example.org) has pushed and been pushed by computers his entire life. Having run the gamut from game programmer to ISP system/network administrator; he now occupies himself by providing technical assistance to ISPs and small businesses whenever his day job doesn't get in the way.