Skip to content

Set up a subnet behind an Endpoint

By default, an Endpoint enables connectivity to the device it is hosted on.

To gain access to services not hosted on that device, it is necessary to add a subnet to the configuration, and ensure that the networking on the device is correctly configured to carry out the necessary routing.

For example, you may wish to enable access to the entire local network, or just make a single device available via the TAN (Trusted Area Network).


A subnet can be set up to enable access to anything from a single IP address to the entire IPv4 address space, and uses Classless Inter-Domain Routing, or CIDR for short, to achieve this.

If you're not familar with CIDR notation, is a good reference.

Add the subnet to the configuration


Adding a subnet behind an Endpoint that clashes with a subnet behind another Endpoint in the same TAN will mean that devices behind those Endpoints will not be reachable. The Endpoints themselves, and other Endpoints in the TAN, will still be reachable.

In the Connect control service, navigate to the relevant Endpoint within your Organisation, and select the Subnets tab.

Click on the Create Subnet button.

The Create Subnet form will be displayed.

Create Subnet form

Populate the following required fields:

  • Name: the name of the subnet
  • IP Address: the IP address component of the subnet definition; for example, a typical home network might be
  • Subnet Mask: the mask in CIDR notation; a typical home network might be 24
  • Description: a description of the subnet

Click the Save button to add the subnet to the endpoint.

Configure routing on the device


How routing is configured depends on the operating system and network configuration used on your device.



In this how-to, we'll explain how to achieve the required configuration on a Linux system, using iptables with the default network interface eth0.

If your system is configured differently, you will need to substitute the name of your default network interface in place of eth0.

Consult your operating system documentation for more information.

Enable routing

sudo sysctl net.ipv4.ip_forward=1

Accept forwarding requests from the connect interface to LAN

sudo iptables -A FORWARD -i connect -j ACCEPT

Masquerade traffic to make it appear it is coming from the LAN rather than the TAN.

sudo iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

Accept forwarding requests from LAN interface to TAN

sudo iptables -A FORWARD -i eth0 -j ACCEPT


The commands shown above will not persist across reboots.

Once you have configured and tested the changes, you can make them permanent as follows.

For sysctl, add the following entry to /etc/sysctl.conf (there may be an existing entry you can uncomment):


For iptables, run the following commands to save the current rules:

sudo mkdir -p /etc/iptables/
sudo iptables-save | sudo tee /etc/iptables/rules.v4

If your iptables rules are not automatically restored when you reboot, one method is to use cron. Add an entry to the root crontab, with sudo crontab -e:

@reboot /usr/bin/sleep 30 && /usr/sbin/iptables-restore < /etc/iptables/rules.v4

See man sysctl.conf and man iptables-save for more information.



In this how-to, we'll explain how to achieve the required configuration on a Windows system.

Enable routing and persistent connections by setting IPEnableRouter = 1 and EnableRebootPersistConnection = 1 in registry

Type 'regedit' in search and start the Registry Editor program.
Traverse the hierarchy to find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\.
Double click on IPEnableRouter and set 'Value Data' to 1.
Click OK.
Traverse the hierarchy to find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedAccess
Double click on EnableRebootPersistConnection and set 'Value Data' to 1.
Click OK.
Close the Registry Editor.

!! note If a registry parameter entry does not exist, add it as follows: Right click in the right hand pane and select 'New' -> DWORD (32 bit) Value. Assign a name to the parameter. Continue to set the value as instructed.

Enable the 'Routing and Remote Access' service and set Startup type to Automatic

Type 'services.msc' in search and start the Services settings editor.
Double click on 'Routing and Remote Access'.
Select 'Startup type' 'Automatic'.
Click OK.
Close the Services Settings page.

Reboot for the above settings to take effect.

Enable Internet Connection Sharing (ICS)

Type 'View Network Connections' in search.
Double click on the 'View Network Connections' match.
Right click on the LAN interface providing Internet connectivity (eg. 'Ethernet 3') and select 'properties'.
From the 'Sharing' tab tick 'Allow other users to connect through this computer’s Internet connection' and click OK.
Close the Network Connections page.

Create script to restart ICS

To work around a problem where the Internet Connection Sharing service fails to activate properly after a reboot, it is necessary to
create an event driven script to reactivate the service following a network activation.

Create a file C:\Program Files\CyberHive Connect\reset-ics.bat with the following content:

    net stop "SharedAccess"
    net start "SharedAccess"

!! note typing 'notepad "C:\Program Files\CyberHive Connect\reset-ics.bat"' in an administrator Powershell or Command prompt will allow file editing in this restricted location.

Create an event driven task to ensure ICS is active after a reboot

Type 'Task Scheduler' in search and double click on the Task Scheduler program.

Right click 'Task Scheduler Library' and click 'New Folder'. Name the folder 'connect-ics-restart'.

Right click the 'connect-ics-restart' folder and click 'Create Task'. Assign the name 'ics-restart'.

Under 'General' select 'Run whether user is logged on or not'

Under 'Triggers' click 'New'. 
    Under 'Begin the task' select 'On an event'.
    Under 'Log' select 'Microsoft-Windows-NetworkProfile/Operational'.
    Under 'Source' select 'NetworkProfile'.
    Under 'Event ID' select '10000'.
    Under '@'Advanced Settings' select 'Delay Task for 30 seconds'.
    Click OK.

Under 'Actions' click 'New'.
    Under 'Action' select 'Start a program'
    Under Program/script type 'C:\Program Files\CyberHive Connect\reset-ics.bat'
    Click OK.

Click OK. Enter credentials when prompted.

Close the Task Scheduler.