Network Management

This section describes the tools available in the “Network Management” panel.
They allow you to build a flexible, scalable, and secure network for internal services and employees.
All components are designed to work together: firewall rules filter traffic, N2N eliminates unnecessary hops between critical nodes, WireGuard provides secure connections for manual use, and the proxy is a powerful tool for applications.

Firewall

The firewall is the central tool for controlling incoming network traffic.

Node Groups

  • Combine machines into logical groups (e.g., db-cluster, app-frontend, ci-runners).
  • All nodes within a group are allowed to communicate with each other.
  • Rules apply only to incoming traffic.

Note

Traffic on the loopback interface [lo] (127.0.0.0/8) and the Docker bridge [docker0] is allowed by default.
For other interfaces, such as those whose names start with [br-..., veth...] (subnets: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 ...), you may need to add their subnets to the allowlist manually.

Blackhole

  • Blackhole — temporary, instant blocking of incoming traffic for selected nodes.
  • Implemented via API: bulk setting of IPv4/IPv6 addresses to a "drop" state without creating persistent rules.
  • Useful during incidents (DDoS, mass compromise) — quickly disable incoming traffic.

Warning: Blackhole immediately stops receiving packets but does not remove connection states on the peer side.

N2N

Netip N2N (Node to Node) — a high-speed secure tunnel established directly between two nodes with flexible
configuration of allowed ports.

When to Use

  • For private data exchange between critical services without intermediate relays.
  • When minimal latency and predictable bandwidth are required.

WireGuard

WireGuard is a lightweight and fast VPN protocol focused on simplicity and security.

Deployment and Management

  • From the panel, you can deploy a WireGuard server and create client profiles.
  • Connection monitoring and tx/rx traffic control are supported.

Proxies

The goal is to enable browsers and other programs that use the TCP protocol to work through a proxy.

HTTP/S and CONNECT

  • HTTP/S proxy — the main way to set up proxying for browsers and TCP applications.
  • The CONNECT method is used for tunneling.
  • A single instance can be deployed on all nodes.

SSRF Protection

Built-in checks prevent the proxy from being used as a vector for SSRF (Server-Side Request Forgery).
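
The page does not say which checks the proxy performs. As an added illustration (not Netip's code), the sketch below shows a destination check of the kind a CONNECT proxy can apply: it validates the addresses a target resolves to and returns the vetted IP to dial. The policy, all function names, and the sample DNS answers are assumptions made for this example.

```python
import ipaddress
import socket

def is_forbidden(ip_text):
    """Assumed policy: only globally routable unicast destinations are allowed."""
    ip = ipaddress.ip_address(ip_text)
    # Judge IPv4-mapped IPv6 (::ffff:127.0.0.1) by the IPv4 address inside it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_multicast or not ip.is_global

def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.1'."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        raise ValueError("not a CONNECT request")
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("bad CONNECT target")
    return host.strip("[]"), int(port)

def system_resolver(host, port):
    """Resolve with the OS resolver; returns a list of address strings."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def check_connect(request_line, resolver=system_resolver):
    """Return (True, ip_to_dial) or (False, reason)."""
    try:
        host, port = parse_connect(request_line)
        try:
            addrs = [str(ipaddress.ip_address(host))]  # IP literal: no lookup
        except ValueError:
            addrs = resolver(host, port)
        # Check what the name resolves to, not how it is spelled, and refuse
        # the request if any returned address is internal.
        bad = [a for a in addrs if is_forbidden(a)]
    except (ValueError, OSError) as exc:
        return False, str(exc)
    if not addrs or bad:
        return False, "forbidden destination"
    # Dial the vetted IP, not the hostname, so a second lookup cannot differ.
    return True, addrs[0]

# Constructed sample names and answers (not real DNS data).
FAKE_DNS = {"public.example": ["8.8.8.8"], "meta.example": ["169.254.169.254"],
            "mixed.example": ["8.8.8.8", "10.0.0.5"], "2130706433": ["127.0.0.1"]}

def fake_resolver(host, port):
    return FAKE_DNS.get(host, [])
```

Passing `fake_resolver` keeps the check offline; omit it to use the system resolver.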

HTTPS Certificate

An HTTPS proxy requires a valid certificate for the domain upon connection.
If not installed, a self-signed certificate is generated automatically — proper functionality is not guaranteed.