Keenetic Voyager Pro and Orbiter Pro: access points with advanced functionality for the corporate network

Although Keenetic routers were originally created for the home segment, they have firmly entered the business segment, or rather the niche where Internet access has to be brought to a site quickly and easily and then serviced remotely. This was facilitated first of all by the KeenDNS cloud service, which gives the administrator secure access to the device's web interface (and even to the command line) when the device is behind NAT or, more simply, has a "gray" IP address. Yes, more "senior" manufacturers of network equipment have similar solutions, but in a different price category, often with reduced functionality, and they are not as easy to configure as Keenetic. Later, the company supplemented KeenDNS with a purely corporate service, Keenetic RMM, for remote monitoring of a whole fleet of devices from a single window. Savvy integrators have long been building Mesh networks and wireless bridges from Keenetic devices on site, so only a small step remained: to offer devices in the traditional access point form factor, with PoE and ceiling mounting, so that the customer could see that he was being supplied with real access points, not home routers.

Four Keenetic Orbiter Pro units

And that step was taken when Keenetic introduced two new models, Voyager Pro and Orbiter Pro, aimed specifically at mass installation at commercial facilities and at building wireless networks with seamless roaming, possibly with Mesh, with centralized management and a Wi-Fi controller. Since these models run the same unified Keenetic OS operating system as the home routers, they are simple and convenient to configure, and if something is unclear, the entire legacy of the huge online documentation, written in understandable words, is at your service. Unfortunately, in the world of Enterprise devices, simplicity and open documentation are not often found, so specialists in configuring Wi-Fi equipment from Huawei or Ubiquiti are worth their weight in gold and can put any price in the estimate for their work. At Keenetic, everything is different: any junior IT technician can configure the network, and we will show this in this article. But first of all, let's talk about the devices themselves.

Keenetic Voyager Pro vs Orbiter Pro

Voyager Pro and Orbiter Pro, identical from the outside, are built on the same processor, but differ in radio modules and amount of RAM. The older Voyager Pro model supports Wi-Fi 6, BLE 5.1 and, remarkably, has constant background scanning of the 5 GHz frequency range. In expensive access points this function is usually implemented by installing one more radio module. In Voyager Pro, the solution is based on an additional radio interface that is already built into the Mediatek 7915 + Mediatek 7975 chip pair and is designed to scan DFS channels, but the developer has programmed a wider use for it: continuous monitoring of the occupancy of all channels.

In the device interface this is the “Wi-Fi Spectrum Analyzer” item: a visual diagram for the last 24 hours (with details for 3 hours or an hour) that shows the channel load using a color scale. An important difference from the usual periodic scanning by the main radio module is that it takes into account not only other Wi-Fi devices but any broadband interference, be it radar or faulty electrical appliances. On the Keenetic hardware forums, I have already come across very interesting pictures proving that the analyzer does not always show relative quiet and smoothness, as in my case. In the future, the company plans to use this data to automatically select a freer channel, but for now the spectrum analyzer will be useful for administrators to manually switch the point to free channels or to search for interference.

Spectrum analyzer

In total, the differences between the models are summarized in the table below:

Technical specifications              Keenetic Orbiter Pro (KN-2810)        Keenetic Voyager Pro (KN-3510)
CPU                                   Mediatek MT6721A, 2 cores, 880 MHz    Mediatek MT6721A, 2 cores, 880 MHz
RAM                                   128 MB DDR3                           256 MB DDR3
Flash ROM                             128 MB, Dual Image                    128 MB, Dual Image
Wi-Fi                                 2.4 GHz, 5 GHz, AC1300                2.4 GHz, 5 GHz, AX1800
MU-MIMO                               2x2                                   2x2
Antenna gain                          4 dBi                                 4 dBi
Independent Wi-Fi spectrum analyzer   No                                    Yes
Bluetooth                             No                                    5.1
Ethernet ports                        2 x 1 Gbps: 1x RJ45, 1x RJ45 PoE      2 x 1 Gbps: 1x RJ45, 1x RJ45 PoE

Performance                           Keenetic Orbiter Pro (KN-2810)        Keenetic Voyager Pro (KN-3510)
Wi-Fi 2.4 GHz performance, Mbps       400                                   574
Wi-Fi 5 GHz performance, Mbps         867                                   1201
IPoE/PPPoE routing, duplex, Mbps      1800                                  1800
L2TP/PPTP routing, Mbps               800                                   800

Having disassembled the case, we see that both Voyager Pro and Orbiter Pro have the same antenna part. Two emitters are used at once for both the 2.4 and 5 GHz bands, and interestingly, MCX-like sockets are left on the boards; they are used to calibrate the radio modules of each Keenetic device coming off the production line. The Voyager model has a huge heat exchanger plate installed on the board, cooling the high-frequency radio module and partly acting as a shield against RF interference.

Judging by the design of the antennas, the access points are designed for installation on the ceiling. If you have to hang them on the wall, it is better to place the device at a height of no more than 2 meters. The Orbiter Pro model does not have the same large heat exchanger on the front of the motherboard, but since the placement of the antennas is similar, it should be installed in the same way. The Orbiter Pro has the same shield installed on the back of the board, which reduces unwanted radiation passing through the floors and protects the access point from radiation from devices on the upper floor. I want to draw your attention to the fact that solid-state capacitors are used in the design, presumably manufactured by Sanyo. Unlike the electrolytic capacitors used in home routers, these do not dry out over time and are more tolerant of high temperatures.

Both Voyager Pro and Orbiter Pro have two 1-Gigabit ports, one of which supports PoE. The second port can be used for both LAN and WAN connections if the device is operating in router mode. VLAN tags can be assigned to each of the ports, and for ease of configuration you can simply create a separate segment in the router interface, for example a “guest network”, put it on a separate VLAN and apply it to one of the ports, separating traffic at the physical level.

Next to the ports there is an inconspicuous but important operating mode switch: router or access point (Router/Extender). We will talk about the importance of both modes below, in the context of the advantages of the Keenetic ecosystem: it is really convenient and eliminates many unnecessary steps. Accidental switching does not threaten anything, because the configurations of the two modes are stored independently and are not reset by switching.

Since access points of this class are rarely installed singly, Keenetic has released sets of four identical devices in one box, delivered without power supplies in the expectation of mass installation in an existing PoE network. Since standard PoE compatible with 802.3af/at is used here, there is nothing special about the connection: on average, the access point consumes 4 watts in idle mode, so literally any PoE switch or PoE injector is suitable for it. So far, a set of four devices exists only for Orbiter Pro models, but it will not be possible to save much. The recommended retail price of a single Keenetic Orbiter Pro is 147 USD, and a 4-pack will cost 572 USD, that is, the savings are less than 20 USD. By the way, they promise that sets of Voyager Pro will appear in the near future, and there the discount may be more significant.

The wall or ceiling mount is based on a traditional plastic plate, into which the access point is inserted and locked on latches. However, it is not every day that you meet an access point that has a mount specifically for suspended ceilings of the "Armstrong" type. Usually, integrators do not bother and fasten the device (or its mounting plate) to the mineral fiber tile itself, without thinking about the fact that if the tile gets very wet, it may not withstand a fairly heavy device. The kit of Keenetic access points includes metal clips for installation on an aluminum T-profile. If for some reason installation on tiles is contraindicated, use this method. A good example of generosity is also that in addition to the standard concrete dowels that everyone has, Keenetic has added drywall dowels. That is, Voyager and Orbiter are ready right out of the box for any installation:

  • on concrete
  • on wood
  • on drywall
  • on the profile of suspended ceilings

But still, Keenetic access points are interesting primarily because you can use them to build a ready-made network infrastructure using technologies that competitors either simply do not have, or “have, but expensive”. Let's look at some examples of installing one Voyager Pro and 4 Orbiter Pro.

Connect directly to the Internet and Wi-Fi over VPN

Let's imagine a simple situation where there is no network infrastructure at the facility, except for an Internet cable sticking out of the wall and an AC outlet. In this case, the essence of Keenetic Voyager Pro or Orbiter Pro as an Internet gateway is fully revealed. You simply plug the access point into the mains (with the mode switch in the router position), connect via Wi-Fi from a laptop and perform the basic configuration of the connection to the provider. The device itself will register a randomly generated domain name with a global SSL certificate, which you can immediately replace with a more convenient one, and then, by opening access exclusively via HTTPS from the outside, you can safely continue setting up via the Internet, including from the central office.

In this mode, your Wi-Fi network and all client devices are located behind NAT with its own DNS (including DNS over TLS), with its own firewall, and with access control at layer 2 via VLANs and at layer 3 by IP addresses. Yes, the access point works like a router, and that's the beauty of it. You have SSH management, authentication via RADIUS, a Captive portal, your own SNMP server for collecting metrics from other devices, fault-tolerant Internet access (through the second port if you don't otherwise need it, or via WISP), QoS functions and more.

The highlight here is that you can implement the concept of "Wi-Fi-over-VPN" by sending all wireless traffic through a VPN tunnel to a corporate security gateway, whether it is a free pfSense somewhere in the cloud or an expensive Fortigate in a data center. In any case, it is something with intelligent security features, built-in antivirus, protection from visiting malicious sites… as you wish. Your Wi-Fi clients will never access the open Internet bypassing your security gateway, whether they are guests or IoT devices. All traffic from the office to the gateway will be encrypted, and you will not need to configure VPN access on client devices, so you will not expose the tunnel access keys and will not have to wonder about the routing configured on the end device.

We recently considered such a solution from Zyxel, implemented in a top-end WAX650S access point, and even there this technology worked only over IPsec, only with Zyxel branded gateways and only in point-to-point mode.

And with Keenetic, you can connect an access point to several gateways at once using all modern protocols:

  • IPsec for maximum compatibility with third-party equipment (IKEv2 approximately 150 Mbit/s)
  • SSTP as the most unusual protection solution (approximately 20 Mbit/s)
  • PPTP when security is not as important as speed
  • Wireguard as the perfect balance between speed, flexibility and security (approximately 150 Mbps)
  • OpenVPN when you need to use TCP transport, non-standard ports, obfuscation or unusual encryption methods (approximately 25 Mbit/s)

with a P2P or "star" topology, without licenses, without binding to the manufacturer of the VPN gateway, with the configuration of routing through tunnels…

The savings in this case can be huge. Just imagine: you have 10 sites, and all of them share one software security gateway hosted somewhere in the cloud and consolidating all Internet traffic coming in via VPN. It is not difficult to make such a scheme fault-tolerant by installing a second virtual gateway in another cloud, and this does not require the purchase of any additional equipment on the client side. In principle, you can configure SD-WAN with only one Keenetic Voyager Pro/Orbiter Pro access point on site. For sites where all local traffic goes over Wi-Fi, this is already a reality.

You can also set up a reverse scheme in which Voyager Pro / Orbiter Pro will act as VPN gateways to access services on the site. I don't recall any such access point that by itself would have such advanced functionality — definitely, for connecting small objects to the Internet, Keenetic Voyager Pro / Orbiter Pro is out of competition.

Connecting to the corporate gateway and configuring Mesh

If the company already has an Internet gateway, but you want to use Keenetic access points for the Wi-Fi network, you have several options.

The first is to put the Wi-Fi on the Keenetic devices into a separate network, hiding it behind NAT in relation to the company's local network. This will be especially reasonable if, for example, you decide to deploy a wireless Mesh network with a wireless or partially wired connection of repeaters (Keenetic devices work in any combination), without resorting to PoE and without interfering with the existing infrastructure.

One of the Keenetic devices will act as a controller directing the Mesh network and traffic routing, while the others will work as regular access points (Wi-Fi repeaters). To do this, configure the main Keenetic as a router (with all the advantages from the section above), and on the rest move the switch on the case to the “Extender” position and, if necessary, reset any previously applied settings with the button. Next, we capture the repeaters (in the terminology of the Keenetic Wi-Fi system), having first connected them to the controller “on the table” by wire or even over the air using the WPS buttons (all other WPS options are disabled by default at Keenetic, and after configuration you can disable the buttons too). Then we place the access points at their installation locations and check or configure their mutual connections through the controller interface.

An advantage of managing a Mesh Wi-Fi network through a Keenetic controller that advanced users and administrators rarely realize is that, unlike household Mesh kits, up to four isolated network segments can be automatically extended to the repeaters: the home network (the default name in KeeneticOS, which can easily be renamed), the guest network (a ready-made template) plus two more created freely via the web interface in the “My networks and Wi-Fi” section. In addition, the “Wi-Fi system” section of the web interface has an extremely useful tab for debugging the network, the “Transition Log”, which helps to track the quality of seamless roaming of clients between points.

Here and for the following scenario, an important remark: if Keenetic repeaters are connected to their controller by wire through a switch, the switch must pass all L2 traffic. If the switch supports MSTP/RSTP/STP, these settings must be disabled on the ports used to connect the Wi-Fi system nodes.

We turn to the second option, when Keenetic access points and their clients are required to be fully subordinate to the existing corporate Internet gateway (for example, from Mikrotik).

It should be noted right away that Keenetic OS currently does not support running the Wi-Fi system controller on a device switched to repeater mode. You will need to disable the DHCP server on the “main” Keenetic operating in router mode and plug it into the corporate network with a LAN port. After that it effectively turns into a regular access point, but retains the valuable ability to logically manage the Mesh Wi-Fi system of other Keenetic devices: capturing repeaters, automatically configuring seamless roaming between them (including isolated segments via VLANs), and controlling the physical connections between points and their clients. The unique access to such a controller via KeenDNS is also preserved. The obvious disadvantage of this scheme, however, is that not only such quite traditional functions as IP binding, speed limits and schedules, but also centralized viewing of statistics, proprietary traffic monitoring, content filtering, VPN and much more will not work, since the router and DHCP server functions are performed by another router. The Keenetic RMM control system described below can likewise still monitor such a network, with restrictions of the same kind.

Setting up seamless Wi-Fi roaming without a controller

The third option for a corporate network with an existing Internet gateway is that instead of Mesh and automatic backup from the controller, you can use Keenetic Voyager Pro and Orbiter Pro simply as independent, manually configured access points that provide a single wireless network with seamless roaming according to the 802.11r/k standards and Band Steering according to 802.11v (moving clients from the 2.4 GHz to the 5 GHz band). Unlike Mesh, the STP protocol is not used here for interaction between repeaters and the router, so this technology will work independently of the switch.

We switch all the points to the “Extender” mode, connect them to the network one way or another, go to the web interface of each of them and manually enter in the Wi-Fi settings not only the single SSID and key of our network, but also the single mobility domain ID and its key for the selected segment. The points need this data to synchronize client handover between each other.

So that you do not get confused, each Voyager/Orbiter Pro has its own 4-digit number indicated on the case and corresponding to its host name. So by looking at the address table of the DHCP server, you can see which Keenetic device has which address. Agree, such identification is much more convenient than using a MAC address.

If necessary, the created wireless networks (up to four SSIDs) can be included in the 802.1Q-tagged segments of the existing corporate network. For security reasons, the free Ethernet port on the Orbiter/Voyager can also be tagged to a secondary segment (for example, a guest network) or turned off altogether.
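A consistency check for the manual roaming setup and the port tagging described above, as an added example that is not part of the original article or of Keenetic's software. The inventory format, field names, hostnames and all values are assumptions constructed for illustration, as if copied by hand from each point's web interface.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    hostname: str             # constructed; stands in for the number on the case
    ssid: str
    wifi_key: str
    mobility_domain_id: str
    mobility_domain_key: str
    ssid_vlan: int            # 802.1Q tag the SSID is placed in
    spare_port: str           # "disabled" or "vlan:<id>" (hypothetical notation)


def fingerprint(secret: str) -> str:
    """Hash a secret so it can be compared and reported without exposing it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def roaming_view(ap: AccessPoint) -> dict:
    """Settings that must be identical on every point of one roaming network."""
    return {
        "ssid": ap.ssid,
        "wifi_key": fingerprint(ap.wifi_key),
        "mobility_domain_id": ap.mobility_domain_id,
        "mobility_domain_key": fingerprint(ap.mobility_domain_key),
        "ssid_vlan": ap.ssid_vlan,
    }


def audit(aps, corporate_vlan: int):
    """Return sorted (hostname, finding) pairs; an empty list means consistent."""
    if not aps:
        return []
    findings = []
    views = {ap.hostname: roaming_view(ap) for ap in aps}
    for field in ("ssid", "wifi_key", "mobility_domain_id",
                  "mobility_domain_key", "ssid_vlan"):
        # The most common value is treated as intended; outliers are reported.
        expected = Counter(v[field] for v in views.values()).most_common(1)[0][0]
        for host, view in views.items():
            if view[field] != expected:
                findings.append((host, f"{field} differs from the majority"))
    for ap in aps:
        # The free Ethernet port should be off or tagged to a secondary segment.
        if ap.spare_port == "disabled":
            continue
        kind, _, vid = ap.spare_port.partition(":")
        if kind != "vlan" or not vid.isdigit():
            findings.append((ap.hostname, "spare port setting not understood"))
        elif int(vid) == corporate_vlan:
            findings.append((ap.hostname, f"spare port carries corporate VLAN {vid}"))
    return sorted(findings)


# Constructed sample inventory: four points, two of them misconfigured.
SAMPLE = [
    AccessPoint("ap-1041", "Office", "wifi-pass-A", "4b31", "md-key-A", 10, "disabled"),
    AccessPoint("ap-1042", "Office", "wifi-pass-A", "4b31", "md-key-A", 10, "vlan:30"),
    AccessPoint("ap-1043", "Office", "wifi-pass-A", "4b31", "md-key-a", 10, "vlan:10"),
    AccessPoint("ap-1044", "Office", "wifi-pass-A", "4b31", "md-key-A", 30, "disabled"),
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE, corporate_vlan=10):
        print(f"{host}: {finding}")
```

Only hashes of the keys are compared, so the findings can be pasted into a ticket without leaking the Wi-Fi or mobility domain key.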

Subsequently, you still have the opportunity to individually create some other wireless networks on access points that are not part of one common network with seamless roaming. For example, make a separate network in the lobby or in the garage.

Monitoring and management via the Keenetic RMM cloud service

Today, all major manufacturers of network equipment offer a centralized device management system that allows you to quickly reboot network nodes remotely via the Internet, update firmware or perform some configuration. Since Keenetic now has both gateways and access points, it is quite logical to expect some success from the company in this area, but such tasks are not solved overnight. Yes, Keenetic has an RMM cloud service, which is designed to monitor a large fleet of devices. It does not store any personal data or Wi-Fi passwords on its servers, but its functionality is limited to monitoring devices, updating firmware and sending notifications. If you think that this is not enough, here is an incomplete list of tasks that can be performed via Keenetic RMM:

    • Reboot a large number of devices with one click
    • Share networks for monitoring and set access to them for teamwork
    • Seamless transition to the web interface of any device without entering a login/password
    • Network health monitoring with notifications (integration with Telegram now, e-mail support by the end of the year)
    • A single table with log output, with export to xls and csv (will appear before the end of the year)

Even with Keenetic RMM, networks are configured granularly, for each device separately. In general, if you need to consolidate monitoring and management of the wireless fleet at one point, then for small networks and sporadic tasks a mobile application for a smartphone may suit you no less well.

Of course, since this is an actively developing beta version, it is very interesting what will appear in it in the near future. I think the ability to import/export configuration planned in Keenetic is very useful, thanks to which you will be able to change devices on site while maintaining the configuration. For example, you built a network on Keenetic Giga (as the main router), and then replaced it with Keenetic Peak for the sake of additional ports, or with some model of the future. Thus, your once-created network will be able to safely survive the replacement of nodes with its settings preserved.

Management via the mobile app

The Keenetic mobile app is a great alternative to cloud and centralized network controllers. With it, you can manage both a local gateway on the network and one located elsewhere by adding it via KeenDNS. Several networks can be added to one application at once, for example at different facilities, so if an organization serves several sites on Keenetic at once, its administrator can simply monitor all controlled networks on his mobile phone around the clock. In case of a network failure, a Push notification will come to the phone, and some problems can be fixed with minimal downtime.

Through the mobile application, you can configure programs and services running on Keenetic, add devices to a wireless network, and view statistics on transitions between access points in wireless systems.

Let's talk about the bad

Alas, to build fully single-brand solutions on Keenetic, the company lacks its own PoE switches. Since "disabling xSTP" on the ports allocated to the backhaul channel of the Mesh network was mentioned above, it would be logical for Keenetic to release its own PoE switch and also to provide some kind of compatibility list for third-party switches.

It is not clear to me why the top Keenetic routers have an SFP slot for optics, but the top access point does not. Connecting Wi-Fi via optics is a trend of the Wi-Fi 6 generation, which allows you to install a network in large halls, and even with a reserve for increasing speed: today you lay a cable for 1 Gbit/s, and tomorrow you use it for 2.5-10 Gbit/s. Of the professional functions, suppression of fake access points (Rogue AP) has not yet been implemented, and there is no way to upload your own room map or floor plan in order to see the location of devices in the Keenetic interface.

In general, the Wi-Fi industry itself is advancing by leaps and bounds, and Keenetic is also developing its ideas within this progress, offering its own solutions, which competitors either do not have, or have, but with a license fee. It all looks very interesting and promising, especially considering the completely democratic price of the access points. I think that Keenetic may well repeat its success in the home segment in the b2b world as well.

Conclusions

Today, Keenetic has not only access points designed for commercial use, but also management and monitoring technologies that are not inferior to other brands. The basis of the ecosystem of remote network management is the KeenDNS cloud service, secure and free for all customers, and it spares you from thinking about how many levels of NAT and how many security settings sit above your Keenetic devices. By deploying the network at any facility, you can be sure that it will be accessible via the Web, as well as through a mobile application on a smartphone. Notifications will come, and the built-in software will be updated.

The introduction of the new Voyager Pro model into the lineup has opened Wi-Fi 6 projects to Keenetic products, and the built-in 5 GHz spectrum analyzer looks especially interesting here: it will definitely prove itself in business centers, apartment buildings and production facilities with high utilization of the 5 GHz band.

Keenetic has many features that appeared and developed for home use and are rare in the business segment. For example, the ability to switch Internet access channels, a VPN client and server, and a built-in firewall with network segmentation. All this is also retained in the new access points (in router mode), which means that it allows the integrator to implement features that are either too expensive to do on other brands, or impossible at all. As an example, I gave wrapping traffic in a VPN and directing it to a virtual gateway. Add to this switching between VPN channels, and your possibilities will be limited only by your imagination.

Michael Degtjarev (aka LIKE OFF)
31.05.2022

