From NeoRouterWiki

Network Bridge


NeoRouter (v0.9.9 - v1.7.0) supports the Network Bridge feature, which can interconnect networks in two very different ways: routing and bridging. Once the feature is enabled, the ACL feature is disabled automatically, because NeoRouter can no longer control packets that originate on the external networks; if the bridge is not set up properly, this can expose the virtual network to hosts that were never NeoRouter members. It is therefore an advanced feature for users who understand the implications very well.

Note: Since v1.9.0, the NeoRouter Client no longer supports this feature. A new product, NeoRouter Connector, will link physical networks into the NeoRouter virtual network.

  • Routing - refers to the interconnection of separate and independent "sub-networks" (subnets) that have non-overlapping ranges of IP addresses. On receiving a packet, a network "router" examines the destination IP address to determine which of its connected networks should receive it, then forwards the packet to that network.
  • Bridging - by comparison, is much simpler. A network "bridge" is simply a link-layer interconnection between separate physical network segments that all carry the same range of IP addresses. Ordinary dumb network "hubs" and "switches" are examples of network bridges. With a hub, a frame arriving on any port is "bridged", i.e. sent out of every other port. A switch is a bit smarter, since it adaptively learns which network interface cards (NICs) are attached to which ports and forwards only where needed, but it is still interconnecting network segments that carry the same range of IP addresses.

Routing vs. Bridging

Although "routed" connections are the most common and the most straightforward to configure, they have significant operational limitations. By comparison, "bridged" connections are generally much trickier to configure and are not even natively available on every operating system, so they are not the default connection type. But when bridging is set up correctly it does everything we want.

Bridging and routing are functionally very similar; the major difference is that a routed VPN will not pass IP broadcasts, while a bridged VPN will.

  • Routing advantages
    • Efficiency and scalability.
    • Allows better tuning of the MTU for efficiency.
  • Routing disadvantages
    • Clients must use a WINS server (such as Samba) for cross-VPN network browsing to work.
    • Routes must be set up linking each subnet.
    • Software that depends on broadcasts will not "see" machines on the other side of the VPN.
    • Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection explicitly support it.
  • Bridging advantages
    • Broadcasts traverse the VPN. This allows software that depends on LAN broadcasts, such as Windows NetBIOS file sharing and Network Neighborhood browsing, to work.
    • No route statements to configure.
    • Works with any protocol that can run over Ethernet.
    • A relatively easy-to-configure solution for road warriors.
  • Bridging disadvantages
    • Less efficient than routing, and does not scale well: every broadcast on either side crosses the VPN.

Setup network bridge

With either bridging mode or routing mode, one can create a point-to-site VPN, a site-to-site VPN, or even multiple site-to-site networks. Once the network structure is designed, the Feature.ini file controls how the NeoRouter client service implements it.

  • The file Feature.ini is located in the main configuration folder, which varies by OS.
On Windows XP:
X:\Documents and Settings\All Users\Application Data\ZebraNetworkSystems\NeoRouter

On Vista and later:
X:\Users\All Users\ZebraNetworkSystems\NeoRouter

On Linux and Mac OS X:

On in-a-box:

If it does not exist, please create one.

  • The only thing to do is define the parameters in the Feature.ini file.
    • NetworkBridge=1 - enables the feature.
    • LANSegment parameters - a set of entries that map an external IP address or IP range to a virtual IP address (VIP), so that NeoRouter can route the packets to the proper tunnel. Each entry has the following format:
 LANSegment[index]=[IP|IP range|segment],VIP
[index] - a number, starting from 1, for example: 1,2,3...
[IP] - a valid external IP address, for example:
[IP range] - a set of external IP addresses, in the format IP_BEGIN-IP_END. For example:
[segment] - a set of external IP addresses, in the format SUBNETWORK/NETMASK. For example:

For example:


In the sample above, the setting tells NeoRouter how to route packets.

Here are several common scenarios.

Bridging Setup – point to site VPN

  • Requirement: A company wants to create a point-to-site VPN so that employees can remotely access the printers or computers in the office from home or from a customer site. Since the NeoRouter client cannot be installed on the printers or on some computers running Unix (HP-Unix, Solaris or SCO Unix), the NeoRouter Network Bridge feature is the best choice.
  • Design:

Since we want to use the printers, it is better to use bridging mode. Depending on the requirements, we split the network into 3 groups.

1. - used for computers or printers

2. - used for NeoRouter DHCP

3. Other IP addresses - we do not want packets from this range to enter our VPN

  • Setup:

1. Set up the NeoRouter server and configure its DHCP address range to

2. Set up the gateway computer by creating a bridge that combines the NeoRouter virtual adapter and a local adapter.

 On Windows XP and later (except Windows XP x64), the built-in Network Connections tool can create the bridge (check MSDN for details). Some adapters do not fully support promiscuous mode, so it may have to be forced manually with netsh: list the adapters that belong to the bridge, then enable compatibility mode for each adapter index (the abbreviated "set a 1 e" is netsh shorthand for "set adapter 1 forcecompatmode=enable"):
 > netsh bridge show adapter
 > netsh bridge set a 1 e
 > netsh bridge set a 2 e
 On Linux, one can use the brctl command to create a bridge that joins the physical adapter (eth0) and the NeoRouter tap device (nrtap), put both members into promiscuous mode, and assign the LAN address to the bridge. Run these from the console or from a single script: adding eth0 to the bridge can interrupt an SSH session that is using eth0.
 > brctl addbr $br
 > brctl addif $br eth0
 > brctl addif $br nrtap
 > ifconfig nrtap promisc up
 > ifconfig eth0 promisc up
 > ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
 To remove the bridge again:
 > ifconfig $br down
 > brctl delbr $br
 (brctl and ifconfig are deprecated on current distributions; the iproute2 "ip link" and "bridge" commands provide the same operations.)

3. Set up the Feature.ini file on each member of the NeoRouter network. The content of the file is:


After saving the file, restart the nrservice or reboot the computer.

Routing Setup – site to site VPN

  • Requirement: A company wants to create a site-to-site VPN linking two offices in different cities. They cannot install the NeoRouter client software on their computers running Unix (HP-Unix, Solaris or SCO Unix). The NeoRouter Network Bridge feature is the best choice.
  • Design:

To keep the VPN fast, it is better to use routing mode. From the requirements, we can see 3 networks.

1. Office 1

2. Office 2

3. NeoRouter virtual network

  • Setup:

1. Set up the NeoRouter client on each gateway computer

2. On each gateway computer, enable the OS feature that allows it to forward packets

On Windows 2000 and later, create  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter 
 as a DWORD value equal to 1 in the registry. This requires a system reboot to take effect. To confirm that it 
 is enabled, run ipconfig /all from the command line: "IP Routing Enabled" should say Yes. If not, check the 
 registry value and reboot again. This setting is flaky on non-server versions of Windows. 
Also refer to
On Linux, the following takes effect immediately but does not survive a reboot; to make it persistent, set net.ipv4.ip_forward=1 in /etc/sysctl.conf:
 > echo 1 > /proc/sys/net/ipv4/ip_forward
On Mac OS X, 
  1) The persistent way is to create or edit /etc/sysctl.conf and add net.inet.ip.forwarding=1
  2) For an immediate change: > sysctl -w net.inet.ip.forwarding=1

3. Set up a route on each gateway

On the gateway of the 192.168.3.x network:

> route -p add mask

On the gateway of the 192.168.129.x network:

> route -p add mask

4. Set up the route tables. With the routing method, you also need to tell the other machines how to cross the VPN to reach computers on the opposite network. There are two options.

Option 1: add a persistent route on every computer. This requires more work, but limits configuration changes to the computer level.

On each computer of the 192.168.3.x network:

> route -p add mask

On each computer of the 192.168.129.x network:

> route -p add mask

Option 2: (not all routers support this, but it is the minimal configuration method)

On the router acting as the default gateway for the 192.168.3.x network, add a static route that sends any traffic destined for the network via 192.168.3.x (the IP address of the NeoRouter PC on the 192.168.3.x network). On the router acting as the default gateway for the 192.168.129.x network, add a static route that sends any traffic destined for the network via 192.168.129.x (the IP address of the NeoRouter PC on the 192.168.129.x network).
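As an added example, not part of the NeoRouter documentation or product, the script below ties this routing setup back to the LANSegment format described under "Setup network bridge" above. It parses the LANSegment entries of a Feature.ini file, rejects overlapping entries (routing only works for non-overlapping ranges, and an overlap would make the destination-to-tunnel choice ambiguous), looks up which VIP should carry a given destination, and derives the per-host route commands of step 4 (Option 1) from the same mapping, emitting one route per CIDR block when an entry is an IP_BEGIN-IP_END range. The sample Feature.ini, the VIPs 10.0.0.1 and 10.0.0.2, the CIDR prefix-length form and the Linux `ip route` variant are assumptions for illustration; the page itself only documents the SUBNETWORK/NETMASK form and Windows `route -p add`.

```python
"""Added example (not NeoRouter's own code): parse the LANSegment entries of a
Feature.ini file, validate them, answer "which VIP carries this destination",
and derive the static routes for the routing-mode site-to-site setup.
The sample file and all addresses are constructed for this example."""
import ipaddress
import re
from typing import List, Optional, Tuple

Entry = Tuple[int, ipaddress.IPv4Network, ipaddress.IPv4Address]

# LANSegment[index]=[IP|IP_BEGIN-IP_END|SUBNETWORK/NETMASK],VIP  (format from the page)
_LANSEG = re.compile(r"^LANSegment(\d+)\s*=\s*(.+?)\s*,\s*(\S+)$")

# Constructed sample: office 192.168.3.0/24 sits behind the gateway whose VIP is
# 10.0.0.1; a slice of 192.168.129.x sits behind the gateway with VIP 10.0.0.2.
SAMPLE_FEATURE_INI = """\
; constructed sample, not from the NeoRouter documentation
NetworkBridge=1
LANSegment1=192.168.3.0/255.255.255.0,10.0.0.1
LANSegment2=192.168.129.10-192.168.129.20,10.0.0.2
LANSegment3=192.168.129.200,10.0.0.2
"""


def _expand(spec: str) -> List[ipaddress.IPv4Network]:
    """Turn one external-address spec into the minimal list of IPv4 networks."""
    spec = spec.strip()
    if "-" in spec:                      # IP_BEGIN-IP_END
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range {spec} is reversed")
        return list(ipaddress.summarize_address_range(lo, hi))
    if "/" in spec:                      # SUBNETWORK/NETMASK (a prefix length also works)
        # strict=True rejects a host address such as 192.168.3.5/255.255.255.0
        return [ipaddress.IPv4Network(spec, strict=True)]
    return [ipaddress.IPv4Network(spec + "/32")]   # single IP


def parse_feature_ini(text: str) -> Tuple[bool, List[Entry]]:
    """Return (NetworkBridge enabled?, entries). Raises ValueError on malformed,
    duplicate-index or overlapping entries: routing needs non-overlapping ranges,
    and an overlap would make the destination -> tunnel choice ambiguous."""
    enabled, entries, seen = False, [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.replace(" ", "") == "NetworkBridge=1":
            enabled = True
            continue
        m = _LANSEG.match(line)
        if not m:
            continue                     # other Feature.ini keys are not handled here
        idx = int(m.group(1))
        if idx < 1 or idx in seen:
            raise ValueError(f"bad or duplicate LANSegment index {idx}")
        seen.add(idx)
        vip = ipaddress.IPv4Address(m.group(3))
        for net in _expand(m.group(2)):
            for _, other, _ in entries:
                if net.overlaps(other):
                    raise ValueError(f"LANSegment{idx} {net} overlaps {other}")
            entries.append((idx, net, vip))
    return enabled, entries


def check_feature_ini(text: str) -> str:
    """'ok' when the file is usable for Network Bridge, otherwise 'error: ...'."""
    try:
        enabled, entries = parse_feature_ini(text)
    except ValueError as exc:
        return f"error: {exc}"
    if not enabled:
        return "error: NetworkBridge=1 is not set"
    if not entries:
        return "error: no LANSegment entries"
    return "ok"


def lookup_vip(entries: List[Entry], dst: str) -> Optional[str]:
    """VIP (tunnel endpoint) for a destination, or None if it is not bridged."""
    addr = ipaddress.IPv4Address(dst)
    for _, net, vip in entries:
        if addr in net:
            return str(vip)
    return None


def static_routes(entries: List[Entry], local_vip: str, os_name: str = "windows") -> List[str]:
    """Route commands a host needs so remote segments are reached via their gateway VIP
    (the site-to-site 'route -p add' step). Segments behind this host's own VIP are
    its local LAN and need no route. An IP range becomes one route per CIDR block."""
    cmds = []
    for _, net, vip in entries:
        if str(vip) == local_vip:
            continue
        if os_name == "windows":
            cmds.append(f"route -p add {net.network_address} mask {net.netmask} {vip}")
        else:
            cmds.append(f"ip route add {net.with_prefixlen} via {vip}")
    return cmds


if __name__ == "__main__":
    print(check_feature_ini(SAMPLE_FEATURE_INI))
    _, segs = parse_feature_ini(SAMPLE_FEATURE_INI)
    print("192.168.129.15 ->", lookup_vip(segs, "192.168.129.15"))
    for cmd in static_routes(segs, "10.0.0.2"):
        print(cmd)
```

Run it against the Feature.ini you are about to deploy before restarting nrservice: a rejected overlap or a host address with the netmask's host bits set is exactly the kind of entry that silently sends traffic into the wrong tunnel. If NeoRouter itself accepts looser input than this parser, treat a rejection as a prompt to double-check the entry rather than as a hard fault.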

Bridging Setup – site to site VPN

With bridging mode, one can also create a site-to-site VPN.

Run scripts

When the Network Bridge feature is enabled, one can define commands that the NR Client calls on the following events.

These commands are defined in the Feature.ini file.

  • 1. When the tap device is initialized but not yet activated


  • 2. When the tap device is activated


  • 3. When the tap device is destroyed


These options are available on all platforms.

For example, one can define a script that sets up the static route table after the tap device is activated and has its virtual IP address assigned.



Tips and troubleshooting


  • 1. When troubleshooting, temporarily turning off the OS firewall on each computer saves time, but turn it back on as soon as the problem is found: with the ACL disabled by Network Bridge, the host firewall on the gateway is one of the few filters left for traffic arriving from the external network.
  • 2. After changing the IPEnableRouter parameter in the registry on a Windows XP machine, you may need to reboot twice before it takes effect.
  • 3. Wireshark and tcpdump are the best tools for troubleshooting. When troubleshooting a site-to-site VPN, you may need to add some extra routes to meet your specific requirements.
  • 4. If your application requires broadcast packets, choose the "bridging" approach; "routed" mode does not pass broadcast packets.
  • 5. If you use NeoRouter Professional (v1.1.3+), it is always a good idea to use the "Packet Filter" feature, which can drop unnecessary packets.
  • 6. If you use NeoRouter Free, run the gateway on a dedicated server, since the gateway will carry a heavy load of broadcast packets.