KeeneticOS 4.2
KeeneticOS release notes for Keenetic Carrier (KN-1711) in the Preview Channel
KeeneticOS releases in this channel provide the chance to be among the first to try the latest updates, performance improvements and new features, all with minimal risk. It is updated roughly every two weeks, with major updates about every two months. Releases here are typically more than a month in advance of release to the general audience in the Main Channel.
Keenetic Carrier (KN-1711) is currently in the Limited Updates support period and only receives security updates to address critical issues. Yet, to support our community, we will keep the latest Development channel updates available for Keenetic Carrier (KN-1711) for as long as we can.
KeeneticOS 4.2 Beta 1
24/07/2024
New
We are introducing the next-generation Web interface as the standard UI for configuring and managing your Keenetic device. [NDM-3378]
You can now assign Network ports on Extender devices to any configured network segment using the Command Line Interface (CLI). Alternatively, you may wish to disable the Network ports for security reasons. [NDM-3162]
mws member {member} port {port} [no] access {interface}— assign{port}on a{member}node to access an{interface}segment;mws member {member} port {port} [no] disable— disable{port}on a{member}node.
Enhanced software packet processing engine to enable acceleration for traffic with a manually set TTL value. [SYS-1157]
The new IntelliQoS option allows 802.1p priority code point (PCP) mapping for egress packets in the command line interface (CLI). [NDM-3318]
interface {name} vlan qos egress map {priority} {pcp}{priority}— NTCE priority queue number. Use0to assign the same PCP value to any outgoing packet on the interface;{pcp}— set the new value of the 802.1p priority code point.
The implementation of a ZeroTier connection now includes accepting managed routes and DNS servers published on the ZeroTier network controller. [NDM-3319]
The
camouflagemode option has been added to both SSTP VPN and OpenConnect VPN servers and clients, providing greater security against remote service scanning. [NDM-3257]oc-server camouflage— enablecamouflageoption for the OpenConnect VPN serversstp-server camouflage— enablecamouflageoption for the SSTP VPN server
The new OpenConnect VPN client system component is now available, allowing you to establish a secure connection to a remote server via the command line interface (CLI). [NDM-3207]
A new CLI
grepextension is now available to filter the output of theshowcommand. [NDM-3075]grep [-A <n>] [-B <n>] [-C <n>] regex— trim theshowcommand output using theregexregular expression.-A— number of XML nodes to show after match.-B— number of XML nodes to show before match.-C— displayed XML cluster depth.
For example:
(config)>
show interface | grep addressInterface, name = "Home" address: 192.168.2.1 ipv6: Interface, name = "Guest" address: 10.1.30.1 ipv6: (config)>show system | grep cpuloadcpuload: 5
A new segment default policy for hosts has been implemented and is now enabled by default. Registered devices with this connection policy assigned will follow the default connection policy of the network segment they are connecting to. [NDM-2237]
ip hotspot host {MAC} conform— set host with specified{MAC}to follow the current segment's connection policy.
The new application filtering option is now available in the Application traffic analyser service via command line interface (CLI). This option allows to create a filtering profile, add required applications, assign a host or segment to the filtering profile and enable the operation schedule. [NDM-3069]
ntce filter profile {name} application {application}— add an application to the profile.ntce filter profile {name} group {group}— add an application group to the profile.ntce filter profile {name} type {type}— set the profile type, which can bepermitordeny.ntce filter profile {name} description {description}— set the profile description.ntce filter profile {name} schedule {schedule}— set the profile schedule.ntce filter assign host {host} {profile}— assign a profile to a registered host (MAC address).ntce filter assign interface {interface} {profile}— assign a profile to an interface.
The new option to automatically register hosts in the Home segment is now available (enabled by default). You can disable this behaviour using the command line interface (CLI). [NDM-3101]
ip hotspot auto-register disable— disable automatic host registration for the Home segment.
The new OpenConnect VPN server system component is now available, providing a remote SSL VPN connection to your Keenetic. [NDM-3141]
oc-server interface {interface}— bind OpenConnect server to an interface.oc-server pool-range {begin} {size}— set OpenConnect address pool.oc-server static-ip {name} {address}— set static IP address for a user.oc-server mtu {mtu}— set OpenConnect server MTU.oc-server multi-login— enable multiple connections with the same user account.ip nat oc— enable NAT for OpenConnect clients.service oc-server— enable OpenConnect service.
The Keenetic Phone Station system component now supports the filtering of incoming calls. [VOX-271]
nvox sip {id} whitelist {digitmap}— create whitelist for SIP{id}with specified{digitmap};for example:
nvox sip 1 whitelist +1111x.|+2222x.|2389x.|32756— allows phone calls with numbers starting from+1111,+2222,2389and an32756number.nvox sip {id} blacklist {digitmap}— create blacklist for SIP{id}with specified{digitmap};for example:
nvox sip 1 blacklist +3333x.— block phone number starting from+3333.nvox sip {id} enable-whitelist— enable whitelist for SIP{id}.nvox sip {id} enable-blacklist— enable blacklist for SIP{id}.show nvox sip {id} whitelist— display allowlist settings.show nvox sip {id} blacklist— display blocklist settings.
The Keenetic Phone Station system now supports import of the phonebook from a file. [VOX-326]
nvox phonebook import {filename} {mode}— import contacts in the vCard format.filename— *.vcf filename;mode— import mode:replace,overwrite,extend, orduplicate.
nvox phonebook delete— delete all contacts from the phonebook.nvox sip {id} enable-whitelist-phonebook— enable phonebook as an allowlist filter for incoming calls.show nvox phonebook— display all phonebook records.
Improved
Implemented dynamic table size adjustment with
nf_conntrack_maxvalue forsoftware ppe(Packet Processing Engine) when the user changes maximum NAT sessions via command line interface (CLI). [NDM-3344]
The SNTP service compatibility enhancement adds support for
Reference IdentifierandReference Timestampvalues in SNTP responses based on RFC4330. [NDM-3368]
The OpenSSL library has been moved to a different branch with the latest version
3.0.13. [SYS-1152]Improved robustness of the DNS over TLS and DNS over HTTPS server cache. [NDM-3320]
The clients of the VPN Server (PPTP, SSTP and OpenConnect) now access the Internet following the Connection Policy of the local network to which the server is bound. [NDM-3295]
The implementation of IKEv1/IKEv2 IPsec VPN servers now allows to avoid IP address conflicts with other interfaces. [NDM-3250]
Improved host detection using
EchoReqin theICMPv6protocol to ensure correct operation of port forwarding rules for the IPv6 protocol. [NDM-3265]Optimized the memory consumption of the SMB file and printer sharing system component when using the Cx File Explorer mobile application. [NDM-2927]
Added SMS subsystem support for Fibocom FM350 and Quectel RM500U modem modules. [NDM-3267]
The Phase 2 of the site-to-site IPsec tunnel now supports the SHA512 HMAC algorithm. [NDM-3269]
crypto ipsec transform-set {name} hmac esp-sha512-hmac— enableesp-sha512-hmacalgorithm for transform-set{name}
Added MAC address and registration time information to the name of devices registered automatically. This will help you easily identify and keep track of the devices on your network. [NDM-3253]
Implemented an
aggressivemode option for the IKEv1 client in the command line interface (CLI) for compatibility with VPN (IPsec) servers running on Fritz!Box routers. [NDM-3227]interface {name} ipsec aggressive— set theaggressivePhase 1 mode for VPN connection{name}
A new read/send timeout option allows the session lifetime for Web applications of the KeenDNS proxy service to be set via the command line interface (CLI). [NDM-3157]
ip http proxy {name} timeout {timeout}— set{timeout}for KeenDNS{name}proxy.
The WireGuard advanced security configuration (ASC) parameters are now available in the command line interface (CLI). [NDM-3202]
interface {name} wireguard asc {jc} {jmin} {jmax} {s1} {s2} {h1} {h2} {h3} {h4}— set additional ASC parameters for WireGuard{name}tunnel.
Disabling Port Forwarding (
ip static) rules now forces matching active sessions to be dropped. [NDM-3067]Implemented new options to preserve Referer and Origin headers for Web applications of the KeenDNS proxy service in the command line interface (CLI). [NDM-3089]
ip http proxy {name} preserve-referer— preserve Referer header for{name}of the web proxy rule.ip http proxy {name} preserve-origin— preserve Origin header for{name}of the web proxy rule.
A NetFlow monitor system component can now collect IPv6 traffic information and monitor network flows. [NDM-3109]
The
MOBIKEextension (RFC 4555) has been enabled for both the IKEv2/IPsec VPN Server and the IKEv2 client. [NDM-3164]
Fixed
Fixed incorrect application of a DNS query filtering rule for IPv6 link-local addresses that occurred under certain conditions. [NDM-3379]
Fixed an issue where the channel number would incorrectly display as zero when connected via Wireless ISP (WISP). [SYS-1171]
Fixed the PPTP VPN connection stalling on the backup connection after the primary connection is restored. [NDM-3376]
A problem that caused the
OpenVPN: Connection reset, restartingerror message to appear in the System log has been fixed. [NDM-3355]
Fixed IPv6 ULA (Unique local address) prefix announcements with incorrect
Abit. [NDM-3350]The L2TP/IPsec VPN client now uses a random source port to avoid connection problems when multiple VPN L2TP/IPsec connections are established behind NAT on an upstream router. [NDM-3349]
Fixed selection of the best node for wireless backhaul connection in the Mesh Wi-Fi System. [SYS-1161]
Fixed remote access over an IKEv2/IPsec VPN connection to a local network host for which a SNAT mapping rule is configured. [NDM-3310]
Fixed the DynDNS domain name validation; now it's possible to use only one domain. [NDM-3309]
Enabled the SNMP reports by OID
ifAdminStatusto monitor the operational state of device ports via third-party software. [NDM-3296]
Fixed the forwarding of the source IP address in the
X-Real-IPheader when accessing web applications via KeenDNS. [NDM-2214]Fixed access to the KeenDNS Web Applications configured with prohibited remote access (
security-level private) from the home network. [NDM-3264]
Incomplete application of static IPv6 routes when re-establishing an associated VPN connection after a reboot fixed. [NDM-3248]
UPnP service rules are now correctly applied to clients accessing the Internet using the Connection policy with active multipath mode. [NDM-3251]
Fixed DNS query interception in the additional network segments. [NDM-3228]
Fixed priority of user-defined
ip staticrules over automatic UPnP port forwarding rules to a host. [NDM-3078]Fixed home network access for L2TP/IPsec VPN server clients when
ip staticrules are configured on WAN IP aliases. [NDM-3110]Fixed binding to the WAN address and inbound access to the service port for the ZeroTier client connection. [NDM-3216]
Fixed iOS L2TP/IPsec client disconnecting under heavy load. [NDM-3180]
The CloudFlare content filter has been corrected to work properly on networks that do not support IPv6. [NDM-3163]
Fixed port forwarding issues after Hotspot (
ip hostspot) code refactoring. [NDM-3127, NDM-3171]