KeeneticOS 3.8
Highlights at a glance
Welcome to KeeneticOS release 3.8! This release introduces completely reworked Internet safety provisions, improved traffic classification and prioritization, and multiple other performance improvements and fixes:
Block annoying ads and trackers, protect your privacy, defend against security threats and enforce clean Internet access for children with the new Cloud-based content filtering and ad blocking component — the new filter combines seven popular public DNS resolvers into one configuration, allowing you to mix filtering profiles from different service providers to your devices in one setup. Supported public DNS resolvers include AdGuard DNS, CleanBrowsing, Cloudflare DNS, Neustar UltraDNS Public, OpenDNS, Quad9, and Yandex.DNS.
Add custom DNS profiles for even greater flexibility when public DNS presets are not enough.
Assign default filtering profiles to network segments.
Get complete peace of mind with the new NextDNS integration. NextDNS protects you from all kinds of security threats, blocks ads and trackers on websites and inside apps and provides a safe and supervised Internet for kids.
The traffic classification engine now detects and prioritizes various types of traffic inside a single app independently — for example, a video call and a file transfer via the same messenger app will have different traffic priorities according to your IntelliQoS rules.
New inbound and outbound bandwidth control options are now available for Internet connection policies to further improve traffic prioritization and minimize "buffer bloat."
The Mesh Wi-Fi system initialization on startup now happens considerably faster.
The Mesh Wi-Fi system’s new Conditional Wi-Fi broadcast option prevents wireless clients from connecting to a non-operational extender that has lost its connection to the controller.
Behind the scenes, not visible in the generic version, we have also developed a feature set for regional ISPs, covering initial device provisioning and centralized monitoring and management. Drop us a mail at help@keenetic.ru if you are interested.
As always, if you have any feedback (or want to say hi), drop us a line in the forum. To learn more about Keenetic, visit the Help Center.
KeeneticOS 3.8.5.4
27/10/2022
Fixed
Fixed an error in the Keenetic Mobile Application component that was causing the Web Interface to respond slowly or become unresponsive. [SYS-662]
KeeneticOS 3.8.5
07/09/2022
Improved
Backward compatibility with the Europe/Kiev time zone was added after it was renamed to Europe/Kyiv. See Release 2022b - 2022-08-10 notes. [NDM-2362]
Fixed
The device schedule assignment is now applied as expected. [NWI-1306]
The subnet mask validator now acts appropriately with the 255.255.255.255 (/32) network mask. [NWI-1310]
The embedded File browser in KeeneticOS now includes a scrollbar, which provides a better user experience with multiple file upload tasks. [NWI-1356]
Fixed Fast transition (FT) compatibility with the Samsung Galaxy A52 smartphone. [SYS-608]
The positioning of tooltips and tables in the Web Interface has been changed to provide a better view on screens with 1366x768 resolution. [NWI-1365]
KeeneticOS 3.8.4
15/08/2022
Improved
The source IP address is appended to the HTTP/HTTPS server authentication failure message, providing advanced network maintenance information. The logging of failed authentication to the Web Interface is disabled by default. Use the following CLI command to enable: [NDM-2317]
ip http log auth
[E] Jul 25 16:16:30 ndm: Core::Scgi::Auth: authentication failed for user "admin" from "92.162.143.77".
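Detection logic for the failed-authentication message format shown above, added here as an example and not part of KeeneticOS or its documentation: it parses exported log lines and flags source addresses that produce a burst of failures. The function names, the threshold and window values, and every sample line except the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern follows the one sample message in the release notes (assumed stable).
AUTH_FAIL = re.compile(
    r'^\[E\] (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ndm: '
    r'Core::Scgi::Auth: authentication failed for user "(?P<user>[^"]*)" '
    r'from "(?P<src>[^"]+)"\.?\s*$'
)

FMT = '[E] Jul 25 {t} ndm: Core::Scgi::Auth: authentication failed for user "{u}" from "{ip}".'
SAMPLE = [FMT.format(t="16:16:30", u="admin", ip="92.162.143.77")]  # message quoted on the page
SAMPLE += [FMT.format(t=t, u=u, ip="203.0.113.9") for t, u in  # constructed burst
           [("16:20:01", "admin"), ("16:20:05", "root"), ("16:20:09", "admin"),
            ("16:20:14", "user"), ("16:20:20", "admin")]]
SAMPLE += ["[I] Jul 25 16:21:00 example: constructed unrelated line",
           FMT.format(t="18:40:00", u="admin", ip="198.51.100.4")]  # constructed

def parse_failures(lines, year):
    """Return (timestamp, user, source) tuples; the log has no year, so it is supplied."""
    events = []
    for line in lines:
        m = AUTH_FAIL.match(line)
        if not m:
            continue  # unrelated message
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # not a literal IP address: skip rather than guess
        ts = datetime.strptime(f'{year} {m["ts"]}', "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], str(src)))
    return events

def flag_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Map source IP -> usernames tried, for sources with >= threshold failures in any window."""
    by_src = defaultdict(list)
    for ts, user, src in sorted(events):
        by_src[src].append((ts, user))
    flagged = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = sorted({u for _, u in hits})
                break
    return flagged

if __name__ == "__main__":
    print(flag_sources(parse_failures(SAMPLE, 2022)))
```

Because the router timestamp carries no year, logs that span a year boundary need the year supplied per file or per segment.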
Fixed
Renaming an Extender no longer causes unnecessary reconfiguration of the Wi-Fi System. [NWI-1188]
The empty Traffic Monitor page has been fixed. [NWI-1290]
The Enter button acts as the Next string action instead of the Save action during editing of the OpenVPN connection. [NWI-1286]
The legend captions for the Spectrum analyser and Wi-Fi monitor have been corrected. [NWI-1285]
Fixed the font size of the IPsec VPN input fields in the Safari browser. [NWI-1287]
USB modems of UsbQmi and UsbLte types now operate correctly on IPv6 connections. [NWI-1257]
Restored DNS over TLS (DoT) operation with custom Domain setting. [NDM-2286]
Fixed the inability to upload files larger than 4 GBytes via the Web Interface File browser. [NDM-2300]
Reissuing the KeenDNS certificate no longer causes the "ndm:Acme::Client: unable to use account key" error message under certain conditions. [NDM-2351]
KeeneticOS 3.8.3
18/07/2022
Fixed
Restored frequency band selector for 3G band choice of the QMI-type modems. [NDM-2288]
Corrected the Address pool size calculation for the DHCP server of the Segment settings. [NWI-1119]
Fixed the TLS domain name and Domain fields mixing up in DNS configuration settings under certain conditions. [NWI-1222]
Adding a custom DNS server no longer requires a double saving action in the Web Interface. [NWI-1223]
Restored the Speed limit saving for unregistered devices in the Device lists menu. [NWI-1239]
The message telling that the ISP is managing the Keenetic device appeared in the wrong context under certain conditions. [NWI-1246]
Keenetic mobile application no longer sends the alert about an empty administrator password after the initial setup. [SYS-583]
The Download station Web UI is now more responsive when accessed via the KeenDNS domain. [NDM-2293]
KeeneticOS 3.8.2
27/06/2022
New
The new Channel number option for Wireless ISP connections allows setting of a specific channel number instead of automatic channel selection based on an SSID. This setting significantly reduces the air scanning time, leaving more slots for Wi-Fi distribution and Mesh Wi-Fi backhaul operation. Use this setting for scenarios when the uplink ISP or Hotspot has a fixed Wi-Fi channel number. [NWI-938]
Added support for the 4G Cat4 8330FT USB modem branded by mobile operator MTS. [NDM-2210]
The new default setting Auto for time synchronization selects NTP servers automatically from Keenetic's cloud infrastructure, with the option to manually set up custom servers. [NWI-1107]
Added support for the 4G LTE Cat4 Quectel EC200T modem module. [NDM-2164]
Added support for the 3G Huawei K4201 modem. [NDM-2186]
The new MAP-T option is available for tunnelling IPv4 protocol packets over an ISP's internal IPv6-only network according to the RFC7599. Please check whether your ISP supports this feature. [NDM-1824, NWI-906]
The new Conditional Wi-Fi broadcast option is available for the Mesh Wi-Fi System. When enabled, Wi-Fi System Extenders stop wireless network broadcasting when the Wi-Fi System Controller is inaccessible. [NWI-895]
The Internet connection policy now has the Adaptive Outbound Speed Limit option, currently available through the CLI only, as follows: [NDM-2109]
ip policy rate-limit output ({rate} | auto)
Added a drop-down setting - 3G/4G frequency band selection - for UsbLte-type modems supporting this feature. [NWI-919]
Added per-host sessions counters on the Management > Diagnostics > Active connections screen. [NWI-844]
The new Session expiry timeout parameter is available in the Captive portal settings. The session terminates when the Captive portal client does not renew the DHCP lease for a specified period. The maximum lease time is 72 hours (4320 minutes). [NWI-867]
Extended flexibility with a secure DNS setup: Resolve specified domain names via a preset secure DNS server with the following CLI commands for DoT (DNS over TLS) and DoH (DNS over HTTPS) options. [NDM-2040]
dns-proxy tls upstream {address} [port] [sni {sni}] [spki {spki}] [on {interface}] [domain {domain}]
dns-proxy https upstream {url} {json | dnsm} [spki {spki}] [on {interface}] [domain {domain}]
Support for USB modems with password-protected configuration API is now available. Use the following CLI commands for settings: [NDM-289]
interface {name} web-api login {login} — set modem login;
interface {name} web-api password {password} — set modem password.
Added an option to assign a static IP address for the USB modem with configuration API: [NDM-1749]
interface {name} web-api address {address} — set the IP address of the modem Web Interface used for management.
Added DDNS update status on the Domain name > DDNS configuration page. [NWI-818]
New content filtering option: NextDNS service is available now as the KeeneticOS system component. Install the NextDNS component and register an account with the service before use. [NDM-1870]
The following CLI commands are available to configure the NextDNS component:
nextdns check-availability;
nextdns authenticate {login} {password} [{pin}] — please register with NextDNS before authentication;
show nextdns profiles — look for the token associated with the filtering profile and apply it with the following command;
nextdns assign ( ({host} {token}) | (interface {iface} {token}) | {token} );
dns-proxy filter engine nextdns — to enable NextDNS.
New configuration option for Traffic classification engine: Use the "no ntce memory-watcher" CLI command to disable the memory "pressure watcher" mechanism enabled by default. [NDM-1995]
More content filtering and ad blocking choices with outstanding flexibility: AdGuard DNS, CleanBrowsing, Cloudflare DNS, Neustar UltraDNS Public, OpenDNS, Quad9, Yandex.DNS are now available at once with the redesigned Public DNS resolvers & custom DNS profiles option. Mix and match content filtering services with registered devices for complete control. Install the all-new Cloud-based Content Filtering and Ad Blocking system component of KeeneticOS and give it a try. [NDM-1820, SYS-361, NWI-784]
Warning
We suggest making a configuration backup before trying the new version of KeeneticOS 3.8. The new Cloud-based Content Filtering and Ad Blocking component settings are incompatible with previous versions of KeeneticOS.
When installing version 3.8, the existing settings of Yandex.DNS, AdGuard DNS, and Cloudflare DNS components automatically migrate to the new Cloud-based Content Filtering and Ad Blocking component.
Native support for more 4G modems:
MM200-1 4G LTE Cat4 USB-modem as branded by the mobile operator Tele2. [NDM-1990]
New control option for Mesh Wi‑Fi system: Reboot Wi-Fi system extenders from the controller using the new CLI command "mws member {member} reboot". [NDM-1946]
Improved
Renaming of the Extender now executes faster, and no longer causes re-calculation for the whole Mesh Wi-Fi system. [NDM-1838]
Using the Web Interface to assign an Ethernet port to the Guest segment enables its operation if wireless networks are disabled. [NWI-1029]
The new Bandwidth control mode selector (Auto / Manual / Disabled) for inbound and outbound traffic is now available for configuring connections in the Internet Connections policies. [NWI-1070]
The OpenSSL library is updated to the latest version, 1.1.1o, fixing the CVE-2022-1292 and CVE-2022-1473 vulnerabilities. [SYS-551]
Added MTU control to IKEv2 VPN client configuration in the advanced settings section, providing better interoperability with certain VPN providers, for example, Surfshark VPN. [NWI-974]
Added a warning message while setting up a Port forwarding rule for the HTTPS or 443/TCP protocol. [NWI-977]
Increased the maximum PSK key size up to 196 characters for IPsec VPN and IPsec/L2TP connections, providing proper connection to corporate networks with firm security policies. [NDM-2128]
Added the display of the regional code next to the Model name field on the About the system tile. [NWI-1027]
Improved IPv4 availability criteria for MAP-T-enabled connections for the proper display on the Dashboard page. [NWI-1025]
Added links to the NextDNS account configurations on the Internet safety page, providing easy access to the NextDNS management portal. [NWI-1020]
Added support for two-factor authentication (2FA) for the NextDNS service on the Internet safety page. [NWI-1021]
The Mesh Wi-Fi System controller now configures multiple extenders simultaneously. This improvement dramatically reduces start-up times for the systems with many extenders. [NDM-2003]
The Captive portal option is now available for multiple network segments simultaneously. [NWI-916]
The Application traffic analyser now identifies different types of traffic within one application, for example, Video/Voice call or File transfer within the WhatsApp application. Based on this data, IntelliQoS can further enhance traffic priority. [NWI-951]
Added MAP-T connection information to the System dashboard. [NWI-960]
The user properties menu is now directly accessible from the Applications settings with user credentials. [NWI-893]
Updated the metadata file of the Web Interface to comply with the Progressive Web App (PWA) specification. [NWI-904]
Improved traffic classification through additional attribute parsing. [NDM-2021]
Changed the RTP (Real-time Transport Protocol) classification category to Voice over IP for the Cloud-based content filtering and ad blocking system component. [NDM-2110]
We replaced Service Class with a Traffic Priority setting for registered devices and IntelliQoS. [NWI-939]
New configuration option for devices in the Extender mode: a network Segment can have No IP address. [NWI-847]
The L2TP/IPsec VPN connection operates more stably under heavy load. [SYS-39]
Added a cautionary note for the Negotiation mode selector in IKEv1 IPsec connection setup. [NWI-877]
Note
Use the Aggressive mode for compatibility purposes only as it introduces security risks. If this Keenetic device has the IPsec server (Virtual IP) or L2TP/IPsec VPN servers enabled, the IPsec VPN connections enforce the Main negotiation mode regardless of this setting.
Added an option to save KeeneticOS and configuration files before a manual system update. [NWI-871]
The controls of the User-defined routes section are moved to the top, providing easy management, with a long list of the routes. [NWI-862]
Improved Network ports tile of the System dashboard now links to System settings > Network ports for all operating modes of the Keenetic. [NWI-822]
System dashboard improvement: Use the Change link to modify the schedule of Wi‑Fi network availability when Wi-Fi is disabled. [NWI-840]
More details for mobile connection: 3G DC-HSPA+ connection mode indication is now available for QMI-type modems. [NDM-1983]
Fixed
The Unregister action for the network host is now executed more carefully, with forced deletion of the Static IP setting. [NWI-1113]
The validator for the requested KeenDNS domain name now acts according to RFC 5890. The '-' symbol is prohibited at the KeenDNS domain's beginning and end. [NWI-1159]
Switching wireless networks on/off at the Home segment configuration page of a Keenetic device in Access point/Extender mode no longer leads to loss of device control for a while. [NDM-2178]
Fixed DoT (DNS over TLS) operation after reconnection of a PPPoE session. [NDM-2215]
The Wi-Fi SMPS (Spatial Multiplexing Power Save) feature now correctly handles requests from Qualcomm 835/845/855 wireless clients providing a dynamic switching MIMO scheme from 2x2 to 1x1 and vice versa. [SYS-560]
The WPS enrollee mode is disabled on the Access Point, providing a correct wireless connection flow for specific devices. [SYS-540]
Fixed the reason for a sporadic "VLAN ID is busy" error message on the device in the Extender mode. [NDM-2252]
Fixed the misbehaviour of tabs across the Web Interface while changing orientation from portrait (vertical) to landscape (horizontal) and vice versa in mobile browsers. [NWI-1026]
Updated and unified toggle behaviour for the Application section. [NWI-1037]
The L2TP reception window is increased to 1024 packets to fine-tune performance. [NDM-2138]
The Keenetic will not serve DNS requests when not in the Router mode. [NDM-2205]
Fixed erroneous Connection priority selector behaviour occurring under certain conditions. [NWI-1068]
Corrected hint descriptions and wrongly allowed zero Off-hook and Dial digit timers in Phone station settings. [NWI-1090]
Added hint with allowed values for Registration timeout in Phone Lines setting. [NWI-1091]
The Default content filtering profiles for multiple network segments now act correctly. [NDM-2230]
Fixed the reason for the fastvpn service operation causing the following messages "fastvpn: len = 56, head = ..." in the System log. [SYS-557]
Wi-Fi radio turned off by the Wi-Fi button now keeps this state after a system reboot or power-off event. [SYS-78]
UPnP port forwarding now works accurately with multiple Internet connections policies in place. [NDM-1382]
Fixed the WireGuard® outgoing packet loop when the underlying WAN link goes down. [NDM-852]
Moving registered devices between Internet Connection policies profiles won't break their work schedule(s) anymore. [NDM-1716]
DNS servers configured for WireGuard® connections now work accurately. [NDM-2122]
Fixed the configuration logic of the automatic default route for MAP-T. [NDM-2125]
Internet connection via IPv6 MAP-T now supports the 1:1 IPv4 sharing ratio option. [NDM-2127]
Fixed the selection of an optimal backhaul connection to the Mesh Wi-Fi System node based on Wi‑Fi RSSI and STP distance metrics. [SYS-486]
Fixed the "invalid domain name" error messages for the DHCP server with an enabled update-dns option upon receiving DHCP requests with special symbols in the hostname field. [NDM-2085]
Fixed invalid remote RADIUS server requests with WPA2 Enterprise network protection. [NDM-2081]
The menu list of the Web Interface now displays with full height on the mobile Safari® browser. [NWI-914]
The Port Forwarding page now displays correctly on mobile screens. [NWI-883]
The sorting of the User-defined routes table now functions appropriately. [NWI-873]
The Wi-Fi beacon frames broadcasted during the auto-channel selection (ACS) routine had invalid channel numbers. [SYS-473]
Keenetic RMM service polls no longer produce "ndm: Hotspot::Account: data is absent for host "aa:bb:cc:dd:ee:ff"" error messages for devices that have been offline since system restart. [NDM-2057]
The CLI command for disabling ARP discovery "ip hotspot auto-scan no interface Home" now operates correctly when the corresponding Segment uses a wide IP subnet mask 255.255.240.0. [NDM-1940]
Fixed "ntce: unknown protocol." error message in the System log of the Traffic classification engine component triggered by IPv6/Teredo packets. [NDM-2044]
Fixed an "Invalid username or password" error displaying on the Web Interface Login page under certain conditions. [NWI-805]
Fixed hint layout and uptime label on dashboard tiles for mobile screens. [NWI-832]
Corrected Network access naming for VPN server settings. [NWI-838]
The inbound and outbound Speed limits of the custom Internet connection policy now operate accurately. [NDM-1889]
Fixed concurrent operation of the Speed limit for a Registered device and a custom Internet connection policy with speed limits. [NDM-1751]