User Guide

Getting a Valibox Device

To start with, you will need a device to turn into a Valibox. If you are reading this because you have already created or received a Valibox device, please proceed to the next section.

You can make one yourself by downloading an image from our Downloads page, and following the installation instructions there. Currently we have images for three GL-Inet devices: the 4641 and the AR-150. If the images there are not suitable for your specific device, please let us know and we can make a test version for that device. After testing we can add it to the downloads page.

Installing the Valibox

To install the Valibox in your network, follow the following steps:

  1. Connect the Valibox to your network by plugging a UTP cable to the 'WAN' port on the back of the device.
  2. Connect a micro-usb cable to the power port of the device.

The USB cable does not need to be connected to a computer, it is just there for power.

Initial boot

The first time you start the Valibox, it may take a few minutes while the device is getting settled.

  1. At some point you should see a new WiFi network called 'SIDN-Valibox-(code)'. The code should match the last 3 letters of the MAC address printed on the bottom of the Valibox. Connect to this network. The default wifi PSK is 'goodlife', but you will be prompted to change it as soon as you connect.

  2. Open a browser and go to http://valibox. or if that does not work

You should get the following page:

Screenshot First run

If you get an error '502 Bad Gateway' you may need to wait a little bit longer until the device has finished starting up.

On this screen you can set up 3 things:

  • A new name for the wireless network
  • A password for the wireless network
  • A password to administer the machine

Once this is done, the Valibox will reboot and you are ready to go.

Valibox usage

Connecting computers

Just use the wifi or plug in a cable to the LAN port on the back of the device.

Browsing the web

The Valibox works similarly to other routers or access points.


If you want to have any special configuration, browse to http://valibox.. and click 'configuration'. You will be presented with the OpenWRT configuration screen. The login name there is 'root' and the password is the password you have set on first use.

There is a tab there with Valibox-specific settings. All other pages there are the standard OpenWRT configuration pages.

Handling DNSSEC failures

If you try to visit a website that fails DNSSEC validation, instead of the normal 'host not found' message in the browser, you will be redirected to the NTA managment page:

Screenshot NTA managment

This page shows the error and gives you the option to ignore it, and visit the website anyway.

Screenshot NTA OK

If you want to remove NTAs; either reboot the Valibox or go to http://valibox. and select NTA management.

Screenshot NTA OK


  • If you ignore DNSSEC errors, you do so at your own risk! While it could be an administrative error, it could also indicate an attack!
  • If the DNSSEC error occurs on an https website, you will get an https error as well (since it is the Valibox that is answering, not the original website)

Managing and Updating the Valibox

You can check whether there is an update for the Valibox by visiting the website http://valibox. and selecting 'firmware upgrade'.

  • If there is an update available, you will be prompted to install it.
  • With the update, you get the option to delete all local configuration.

Screenshot Update

Note: older versions (1.2 or below) may have problems updating through this method on some devices; it will say it is updating but the new version is not installed. If that happens, you can download a clean image from and install it from the LuCi-interface, which can be reached from the main menu on http://valibox./.

SPIN Network monitor prototype

The Valibox also contains the prototype of our SPIN software. In its current version, it allows you to see and block the network traffic of the connected devices.

If you connect a computer to the Valibox wireless or wired connection, you can go to https://valibox./spin/graph.html to use SPIN.

SPIN Screenshot

The grey nodes are 'internal' nodes; if the name of this device has been configured (in DHCP settings of LuCi) it will show that name, but otherwise it will show a MAC address. You can click on the node and give it a new name if you wish; it will use that name from then on.

Other options when clicking on the node are:

  • Ignore: no longer show any traffic of this device. This option is useful when there are real computers or laptops (or phones) that simply cause so much traffic that you are not interested in, and you wish to focus on your IoT devices.
  • Block: drop all traffic from and to this device. This will essentially remove the device from the Internet. It can still talk to the Valibox, and it can still do DNS queries, but it will not be allow to cause or receive any actual traffic. Any attempts to do so will show up as red bubbles in the interface.
  • Allow: The inverse of block. This will allow traffic to and from a node that was blocked by the previous option. The use-case here is that you may wish to block a specific device, but allow traffic to the server of the manufacturer of that device. In that case you click the device, click block, then click the bubble(s) representing the manufacturer (identifiable for instance by domain name), and click allow.
  • Download PCAP Traffic: When clicked, this opens a popup screen, from where you can start a remote tcpdump session. PCAP data can be downloaded directly to your desktop machine without having to log in over SSH and copy pcap files. This option is only present on device nodes, and the resulting pcap file will only contain traffic from and to that specific device.

On the top right are four global options:

  • (un)lock view: Disable or enable automatic zoom and scroll as new information appears
  • Show filter list: show the list of ignored addresses; you can remove elements from the list here. If you select 'reset', it will return to the default (only ignore the valibox itself).
  • Show blocked list: show the list of blocked addresses; you can remove elements from the list here.
  • Show allowed list: show the list of allowed addresses; you can remove elements from the list here.

SPIN Screenshot

The bubbles and arrows can have several colours:

  • Grey: This is a local device / node
  • Green: This shows a node that was involved in recent traffic (less than 30 seconds)
  • Blue: This shows a node that was involved in slightly older traffic (30 seconds to 10 minutes)
  • Orange: This shows a DNS query for a node, which has not resulted in any traffic (yet).