KeeneticOS 3.4

KeeneticOS 3.4.12

16/7/2020

New

The single-band Wi‑Fi Keenetic models can now acquire dual-band Wi‑Fi extenders to Wi‑Fi system and deploy 2.4 GHz back-haul connections between Wi‑Fi System nodes. [NDMS-819]
Further modem support: The high-speed LTE Cat6 Sierra EM7455 modem is now supported. [NDMS-805]
In case of Wireless ACL using Blacklist access control mode, newly registered devices will no longer be automatically added to the blacklist. [NDW-1108]
For the purpose of Keenetic firmware image size optimization, the maximum number of installed languages in the system is limited to three. [NDW-1127]
The new firmware signing certificate is deployed to the cloud infrastructure. Previously saved firmware files can be uploaded using the TFTP recovery mode only. [NDMS-828]

Improved

The single-band Wi‑Fi Keenetic models can now acquire dual-band Wi‑Fi extenders to Wi‑Fi system and deploy 2.4 GHz back-haul connections between Wi‑Fi System nodes. [NDMS-819]
Further modem support: The high-speed LTE Cat6 Sierra EM7455 modem is now supported. [NDMS-805]
In case of Wireless ACL using Blacklist access control mode, newly registered devices will no longer be automatically added to the blacklist. [NDW-1108]
For the purpose of Keenetic firmware image size optimization, the maximum number of installed languages in the system is limited to three. [NDW-1127]
The new firmware signing certificate is deployed to the cloud infrastructure. Previously saved firmware files can be uploaded using the TFTP recovery mode only. [NDMS-828]

Fixed

The single-band Wi‑Fi Keenetic models can now acquire dual-band Wi‑Fi extenders to Wi‑Fi system and deploy 2.4 GHz back-haul connections between Wi‑Fi System nodes. [NDMS-819]
Further modem support: The high-speed LTE Cat6 Sierra EM7455 modem is now supported. [NDMS-805]
In case of Wireless ACL using Blacklist access control mode, newly registered devices will no longer be automatically added to the blacklist. [NDW-1108]
For the purpose of Keenetic firmware image size optimization, the maximum number of installed languages in the system is limited to three. [NDW-1127]
The new firmware signing certificate is deployed to the cloud infrastructure. Previously saved firmware files can be uploaded using the TFTP recovery mode only. [NDMS-828]

KeeneticOS 3.4.6

10/6/2020

New

Further modem support: The 3G modem Huawei E3131 is now supported. [NDMS-775]
The colon symbol : in HTTP Cookie headers is now supported. It allows the support of non-RFC based Web interfaces of network devices which are available via the Port forwarding setting. [NDMS-779]
The description of WebDAV server password status has been rewritten if the setting Ignore access control is active. [NDW-1004]
The incorrect empty list of Extenders in Wi‑Fi System is fixed. It occurred if one of Extenders was in offline mode. [NDW-1044] [Reported by AndreBA]

The evaluation of nesting of bridged interfaces is corrected. Currently, the configuration order of interface bridge[x] interfaces is processed rightly. [NDMS-765] [Reported by Кинетиковод]
The QMI interface for 4G/3G USB modems system component now works properly with certain operator branded Huawei E392 modems. [NDMS-758]
An error in the Wi‑Fi Protected Setup (WPS) pairing process with WPA2-PSK + WPA3-PSK security enabled is fixed. [NDMS-747]
Dragging and dropping connections in the Internet connection policies now works as expected. [NDW-758] [Reported by AndyFM]
Selecting and deselecting hosts in Host traffic monitor is improved. [NDW-991] [Reported by r777ay]
Ports and VLANs settings are now properly locked on extenders acquired to Wi‑Fi system. [NDW-989] [Reported by enterfaza]
Highlighting of selected time zone is fixed. [#3644] [Reported by enterfaza]
The undefined status of Extender connection in the Wi‑Fi system view is fixed. [NDW-1015] [Reported by AlexUnder2010]
The internet access Schedule for the host can now be edited even when it is blocked manually in the Web Interface. [NDMS-753]
The Speed limit setting and Asymmetric checkbox for unregistered devices are now saved correctly. [NDW-1020]
Wrong DHCP pool calculation and assignment of the DHCP server for newly created segments is fixed. [NDW-1017]
The use NAT setting for Segment page is now saved properly. [NDW-1018]
The Inbound management access control setting in the Web Interface of the Wi‑Fi system controller will apply to all Wi‑Fi system extenders. [NDW-1006]

Improved

Further modem support: The 3G modem Huawei E3131 is now supported. [NDMS-775]
The colon symbol : in HTTP Cookie headers is now supported. It allows the support of non-RFC based Web interfaces of network devices which are available via the Port forwarding setting. [NDMS-779]
The description of WebDAV server password status has been rewritten if the setting Ignore access control is active. [NDW-1004]
The incorrect empty list of Extenders in Wi‑Fi System is fixed. It occurred if one of Extenders was in offline mode. [NDW-1044] [Reported by AndreBA]

The evaluation of nesting of bridged interfaces is corrected. Currently, the configuration order of interface bridge[x] interfaces is processed rightly. [NDMS-765] [Reported by Кинетиковод]
The QMI interface for 4G/3G USB modems system component now works properly with certain operator branded Huawei E392 modems. [NDMS-758]
An error in the Wi‑Fi Protected Setup (WPS) pairing process with WPA2-PSK + WPA3-PSK security enabled is fixed. [NDMS-747]
Dragging and dropping connections in the Internet connection policies now works as expected. [NDW-758] [Reported by AndyFM]
Selecting and deselecting hosts in Host traffic monitor is improved. [NDW-991] [Reported by r777ay]
Ports and VLANs settings are now properly locked on extenders acquired to Wi‑Fi system. [NDW-989] [Reported by enterfaza]
Highlighting of selected time zone is fixed. [#3644] [Reported by enterfaza]
The undefined status of Extender connection in the Wi‑Fi system view is fixed. [NDW-1015] [Reported by AlexUnder2010]
The internet access Schedule for the host can now be edited even when it is blocked manually in the Web Interface. [NDMS-753]
The Speed limit setting and Asymmetric checkbox for unregistered devices are now saved correctly. [NDW-1020]
Wrong DHCP pool calculation and assignment of the DHCP server for newly created segments is fixed. [NDW-1017]
The use NAT setting for Segment page is now saved properly. [NDW-1018]
The Inbound management access control setting in the Web Interface of the Wi‑Fi system controller will apply to all Wi‑Fi system extenders. [NDW-1006]

Fixed

Further modem support: The 3G modem Huawei E3131 is now supported. [NDMS-775]
The colon symbol : in HTTP Cookie headers is now supported. It allows the support of non-RFC based Web interfaces of network devices which are available via the Port forwarding setting. [NDMS-779]
The description of WebDAV server password status has been rewritten if the setting Ignore access control is active. [NDW-1004]
The incorrect empty list of Extenders in Wi‑Fi System is fixed. It occurred if one of Extenders was in offline mode. [NDW-1044] [Reported by AndreBA]

The evaluation of nesting of bridged interfaces is corrected. Currently, the configuration order of interface bridge[x] interfaces is processed rightly. [NDMS-765] [Reported by Кинетиковод]
The QMI interface for 4G/3G USB modems system component now works properly with certain operator branded Huawei E392 modems. [NDMS-758]
An error in the Wi‑Fi Protected Setup (WPS) pairing process with WPA2-PSK + WPA3-PSK security enabled is fixed. [NDMS-747]
Dragging and dropping connections in the Internet connection policies now works as expected. [NDW-758] [Reported by AndyFM]
Selecting and deselecting hosts in Host traffic monitor is improved. [NDW-991] [Reported by r777ay]
Ports and VLANs settings are now properly locked on extenders acquired to Wi‑Fi system. [NDW-989] [Reported by enterfaza]
Highlighting of selected time zone is fixed. [#3644] [Reported by enterfaza]
The undefined status of Extender connection in the Wi‑Fi system view is fixed. [NDW-1015] [Reported by AlexUnder2010]
The internet access Schedule for the host can now be edited even when it is blocked manually in the Web Interface. [NDMS-753]
The Speed limit setting and Asymmetric checkbox for unregistered devices are now saved correctly. [NDW-1020]
Wrong DHCP pool calculation and assignment of the DHCP server for newly created segments is fixed. [NDW-1017]
The use NAT setting for Segment page is now saved properly. [NDW-1018]
The Inbound management access control setting in the Web Interface of the Wi‑Fi system controller will apply to all Wi‑Fi system extenders. [NDW-1006]

KeeneticOS 3.4.3

27/5/2020

New

The new WPA3-PSK Fast Transition (FT-SAE) mode is implemented. [NDMS-670, NDW-929]
The independent Pairwise Master Key (PMK) cache storage for Fast Transition and WPA3 is implemented.
Group Temporal Key (GTK) re-key process for FT-transitioned Wi‑Fi clients is fixed. [NDMS-709]
Pairwise Master Key PMK-R1 key storage overflow is fixed.
SSTP VPN server compatibility with AnyVPN SSTP Connector application is improved. [NDMS-697]
Quectel EP06 series LTE Cat6 QMI-type modem module is now supported. [NDMS-718]
Initialization of attached USB storage is improved to prevent errors on certain volumes. [NDMS-750]

Improved

The new WPA3-PSK Fast Transition (FT-SAE) mode is implemented. [NDMS-670, NDW-929]
The independent Pairwise Master Key (PMK) cache storage for Fast Transition and WPA3 is implemented.
Group Temporal Key (GTK) re-key process for FT-transitioned Wi‑Fi clients is fixed. [NDMS-709]
Pairwise Master Key PMK-R1 key storage overflow is fixed.
SSTP VPN server compatibility with AnyVPN SSTP Connector application is improved. [NDMS-697]
Quectel EP06 series LTE Cat6 QMI-type modem module is now supported. [NDMS-718]
Initialization of attached USB storage is improved to prevent errors on certain volumes. [NDMS-750]

Fixed

The new WPA3-PSK Fast Transition (FT-SAE) mode is implemented. [NDMS-670, NDW-929]
The independent Pairwise Master Key (PMK) cache storage for Fast Transition and WPA3 is implemented.
Group Temporal Key (GTK) re-key process for FT-transitioned Wi‑Fi clients is fixed. [NDMS-709]
Pairwise Master Key PMK-R1 key storage overflow is fixed.
SSTP VPN server compatibility with AnyVPN SSTP Connector application is improved. [NDMS-697]
Quectel EP06 series LTE Cat6 QMI-type modem module is now supported. [NDMS-718]
Initialization of attached USB storage is improved to prevent errors on certain volumes. [NDMS-750]

KeeneticOS 3.4.1

13/5/2020

New

Disabled dns-proxy rebind protection for the loopback IP address 127.0.0.1 since it caused some mobile applications to fail. [NDMS-688] [Reported by Andrew Voronkov]
Disabled dns-proxy rebind protection for the plex.direct domain, providing for proper operation of the Plex application. [NDMS-696]
Added the 4G/3G network signal level icon for USB modems. [NDW-800]
The Device list page now shows the Ethernet port number for wired devices. [NDW-829]
Gateway and DNS server information is added to the System dashboard page in extender mode. [NDW-872]
Fixed Schedule editor operation in mobile browsers. [NDW-738]
Fixed the toggle switch operation for the Private Cloud components on the Applications tile in the dashboard. [NDW-885]

Added IEEE 802.11h DFS (Dynamic Frequency Selection) support for Mesh Wi‑Fi System, to prevent interference with satellite and weather radar systems using the same 5 GHz frequency band. In the case of detection of a radar signal, the Keenetic acting as Controller of the Wi‑Fi System will switch to another Wi‑Fi channel for all extenders included in the Wi‑Fi System. [NDMS-632]
Implemented an option to turn off printer polling status. It's helpful for the printer models which do not return correct status. By default, polling status is turned on. [NDMS-209]
- printer {name} no status-polling
Implemented upstream speed limit for registered hosts. [NDW-815]
Redesigned the Private Cloud tile within the Applications section to provide easy management of WebDAV server, SFTP server and FTP server in one place. [NDW-825]

Fixed the long reconnection time for backhaul links between Wi‑Fi System nodes. [NDMS-612]
Implemented automatic updating of shared disk resources via the Change Notification mechanism of the File and printer sharing (TSMB CIFS) system component. [NDMS-192] [Requested by WMac]
Configuration saving with activated Mode — ICMP echo (ping) for Check the availability of the Internet (Ping Check) section on Web Interface is now working correctly. [NDW-780]
Updated to the latest OpenSSL library version 1.1.1f, which fixes the CVE-2020-1967 vulnerability.

Added KrØØk/CVE-2019-15126 vulnerability protection against decryption of Wi‑Fi WPA2 traffic. [NDMS-589]
Removed IPsec forced rekey for every 20 GBytes of transferred traffic, to improve stability of high load VPN tunnels. [NDMS-483]
Added randomization for source port of L2TP/IPsec VPN connection, to reduce reconnect time. [NDMS-483]
Restored client-to-client communication between VPN clients of different VPN servers of KeeneticOS, for example, PPTP and L2TP/IPsec. [NDMS-588]
Traffic counter for incoming and outgoing VPN IPsec tunnels on the Host traffic monitor page of Web Interface. [NDMS-228]
Handling of IP alias for IPIP (IP over IP) with IPsec protection. [NDMS-590] [Reported by KorDen]
IPsec VPN tunnel connection now follows a user-defined schedule. [NDMS-594] [Reported by keshun]
Folders with restricted permissions are now appropriately displayed in the File browser. [NDW-285] [Reported by Joe D]
Link to KeeneticOS Release notes is now visible on the Updates and component options section of the System setting page. [NDW-739] [Reported by r13]
Unregistered devices and Multicast traffic tabs of the Host traffic monitor used to disappear on page refresh. [NDW-632] [Reported by bigpu]
Updated to the latest OpenSSL library version 1.1.1e, which fixes the CVE-2019-1551 vulnerability.

Implemented advanced host traffic filtering based on MAC address ,to reduce discovery time on the Device lists page of the Web Interface and prevent devices with blocked access to the Internet from any outbound transactions. [NDMS-585, NDMS-586]
Listing files and directories of File and printer sharing (TSMB CIFS) application yields an empty response when uninstalled the Folder permissions control component. [NDMS-536] [Reported by psm68]
The printing via File and printer sharing (TSMB CIFS) system component is not possible on the Epson L120 printer due to an invalid printer name in the OpenPrinterEx response. [NDMS-381]

Implemented a new feature for ping-check service, which allows restarting a manually-specified interface. [NDMS-569]
- interface {name} ping-check restart [interface] — enable {interface} restart. Optional {name} argument is omitted (resulting in restarting the same interface) by default;
- ping-check {name} restart-interface — prior syntax is made obsolete.
The default MTU (Maximum transmission unit) size for WireGuard® VPN connections is set to 1324 bytes to optimize transfer of data through external networks. [NDMS-486]
The Device lists are now cleared of hosts mistakenly retrieved from OpenVPN connections. [NDMS-567] [Reported by unuixsoid]

Router icon display on particular DLNA clients or Smart TV for Media Server component of KeeneticOS. [NDMS-181]
IGMP proxy service deactivation on the bridge interface of the network Segment for the case when both the multicast source and clients are in the same Segment. [NDMS-231]
Reset to the default values of Phase 1 — IKE lifetime and Phase 2 — SA (Security Association) lifetime for L2TP/IPsec and Virtual IP VPN connections when some other VPN settings are changed. [NDMS-546]
Folder creation errors while copying folder to WebDAV server on attached USB storage. [NDMS-531] [Reported by tld14]
KeeneticOS service internet-checker adds captive portal examination for reliable Internet availability detection. [NDMS-553] [Reported by Space Alex]
Excessive logging of WireGuard® handshake has been reduced to save space for helpful messages in the System log. [NDMS-555] [Reported by r13]
The reason for lock precedence violation: IPV6_SUBNETS error messages in the System log. [Reported by r13]
Network mask parsing in ip nat command. It's now possible to use a short notation of IP network mask — ip nat 192.168.1.0/24. [NDMS-552] [Reported by KorDen]
Private key validation in the Connection settings section of the WireGuard® VPN. [NDW-653]

The new configuration option upstream-rate allows asymmetric Internet access speed restriction in the upload direction for any given interface/host/unknown-host. [NDMS-512]
- interface traffic-shape rate {rate} [asymmetric {upstream-rate}]
- ip traffic-shape host {mac} rate {rate} [asymmetric {upstream-rate}]
- ip traffic-shape unknown-host rate {rate} [asymmetric {upstream-rate}]
Added the Safe eject button for USB storage devices to the USB drives and printers section of the System dashboard. It's best practice to do a proper eject before removing your USB drive from your Keenetic device. [NDW-648]
Added WebDAV settings in the Private Cloud application page, providing easy management to your WebDAV (Web Distributed Authoring and Versioning) resources on the attached USB drive. [NDW-291]
DNS response with IP address 0.0.0.0 is removed from the anti-rebind list of the dns-proxy service of KeeneticOS because some supported Internet security and content filtering services use such IP address to filter blocked media content and links. [NDMS-528] [Reported by r3L4x]
Updated pppd daemon responsible for Point-to-Point Protocol (PPP protocol) of KeeneticOS, which fixes the CVE-2020-8597 vulnerability.
gspca_sonixj kernel module added to the OPKG (Open Package) system for KeeneticOS, supporting GSPCA based webcam devices.

Implemented PMF (Protected Management Frames) and WPA3-PSK/OWE (Opportunistic Wireless Encryption) for Wireless ISP (WISP) client providing wireless connection to the Internet. [NDMS-498, NDMS-226]
Added the new CLI commands — for safe disconnect and for detailed information display about connected USB drives. [NDMS-510]
- system eject {name} — unmount partitions and eject a USB media device cleanly;
- show media [name] — show information about attached USB media devices.
The SSH server system component of KeeneticOS now supports new modern and robust security algorithms: ChaCha20 symmetric cipher encryption and Poly1305 message authentication code across ed25519 public-key cryptography. [NDMS-516, NDMS-517]
Fixed one-way RTP (Real-time Transport Protocol) voice communication for VoIP calls via WireGuard VPN tunnel. Now both subscribers can hear each other well. [NDMS-503]
Addressed the shared network discovery issue with the Popcorn PCH-C300 and Dune media players. [NDMS-456]
Fixed the uptime calculation in the show ip hotspot CLI command. The uptime value is now refreshing properly for all Registered devices. [NDMS-520] [Reported by bigpu]
There are no changes for Keenetic Carrier(KN-1711).

Repaired the task queue corruption related to the Linux kernel CONFIG_COMPACTION option. The change avoids system restart under the heavy system load of applications that use external storage, e.g. Media Server and Download Station. [NDMS-423] [Reported by Nikolaiyka]
WireGuard® VPN tunnel sometimes could not reconnect, after system restart and in some other circumstances. [NDMS-497] [Reported by bigpu]
Fixed the System name field's validation to prevent the use of the space symbol. [NDW-620] [Reported by Vvlysov]
Fixed the KeenDNS domain name proxy option to preserve the HTTP Host header. [NDMS-490]

Added the WebDAV (Web Distributed Authoring and Versioning) file server. To access, use https://{hostname}/webdav link. The CLI commands for setting up the WebDAV server are listed below: [NDMS-275] [Requested by MDP]
Note
WebDAV stands for Web Distributed Authoring and Versioning, which is an extension to HTTP that lets clients edit remote content on the web. In essence, WebDAV enables a web server to act as a file server, allowing authors to collaborate on web content. WebDAV enriches the standard set of HTTP headers and methods to let you create, move and edit files, as well as delete or copy files and folders.
- ip http webdav enable — enable the service;
- ip http webdav security-level (public | private) — enable or disable access from the Internet;
- ip http webdav permissive — ignore filesystem ACL;
- ip http webdav root {directory} — set the root directory;
- user {name} tag webdav — enable WebDAV access for the user;
- show ip http webdav — show the current status of the WebDAV server.
Added the SFTP (SSH File Transfer Protocol) file server. The following CLI commands are available for setting up the SFTP server: [NDMS-244] [Requested by krass]
Note
The SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management functionalities over a secure connection.
- ip ssh sftp enable — enable the service;
- ip ssh sftp permissive — ignore filesystem ACL;
- ip ssh sftp root {directory} — set root directory;
- user {name} tag sftp — enable SFTP access for the user;
- show ssh sftp — show the current status.
Added support for the following modems with QMI (Qualcomm MSM Interface) type control interface:
Tip
To connect an LTE module to your Keenetic device, you can purchase a third-party USB adapter with a SIM card slot for the Mini PCI-E LTE module or M.2 LTE module.
- Qualcomm-based modems with Cat 1 LTE module — MDM9207 (pid 9025);
- SIMCom modem modules: Cat 3 LTE — 7100E, Cat 4 LTE — 7230E, Cat 1 LTE — 7600E;
- Sierra Cat 3 LTE modem module — MC7710; [NDMS-462]
- Quectel Cat 4 LTE modem module — EC25-E;
- ZTE USB modem: Cat 3 LTE — MF821D.
Wireless Backhaul connection shutdown for the Wi‑Fi system controller is now available. It helps to maximize the performance of the Wi‑Fi system if all nodes are connected via wired Ethernet connection. The CLI command is below. [NDMS-314] [Requested by Loredan]
- mws backhaul shutdown
Added DNS Rebinding protection feature for the dns-proxy service of KeeneticOS. [NDMS-437] [Requested by SecretSanta]
- [no] dns-proxy rebind-protect (strict | auto)
  - auto — block IP addresses of the security-level private segments (default);
  - strict — block IP addresses from the list: IANA IPv4 Special-Purpose Address Registry.
Implemented NOTIMPL response to IQUERY for the dns-proxy service of KeeneticOS, which means Not Implemented error for DNS requests from network devices. The IQUERY method of performing inverse DNS lookups is made obsolete. [NDMS-465]
Added DLNA accessibility for PPP-based VPN servers like PPTP or L2TP/IPsec. It enables the access to DLNA server content via external VPN connection. [NDMS-284]
- user {name} tag vpn-dlna — enable DLNA over PPP tag for a certain user account.
PEAP/MS-CHAPv2 authentication now works properly for 802.1x connections. [NDMS-402] [Reported by Алексей Подвойский]
Accelerated WEB Interface response time when thousands of dynamic routes are uploaded to KeeneticOS routing table via OPKG (Open Package) system packages. [Reported by Alexander Kudrevatykh]
Updated the mini_snmpd system service with fixes for the CVE-2020-6058, CVE-2020-6059, CVE-2020-6060 vulnerabilities.

Improved

Disabled dns-proxy rebind protection for the loopback IP address 127.0.0.1 since it caused some mobile applications to fail. [NDMS-688] [Reported by Andrew Voronkov]
Disabled dns-proxy rebind protection for the plex.direct domain, providing for proper operation of the Plex application. [NDMS-696]
Added the 4G/3G network signal level icon for USB modems. [NDW-800]
The Device list page now shows the Ethernet port number for wired devices. [NDW-829]
Gateway and DNS server information is added to the System dashboard page in extender mode. [NDW-872]
Fixed Schedule editor operation in mobile browsers. [NDW-738]
Fixed the toggle switch operation for the Private Cloud components on the Applications tile in the dashboard. [NDW-885]

Added IEEE 802.11h DFS (Dynamic Frequency Selection) support for Mesh Wi‑Fi System, to prevent interference with satellite and weather radar systems using the same 5 GHz frequency band. In the case of detection of a radar signal, the Keenetic acting as Controller of the Wi‑Fi System will switch to another Wi‑Fi channel for all extenders included in the Wi‑Fi System. [NDMS-632]
Implemented an option to turn off printer polling status. It's helpful for the printer models which do not return correct status. By default, polling status is turned on. [NDMS-209]
- printer {name} no status-polling
Implemented upstream speed limit for registered hosts. [NDW-815]
Redesigned the Private Cloud tile within the Applications section to provide easy management of WebDAV server, SFTP server and FTP server in one place. [NDW-825]

Fixed the long reconnection time for backhaul links between Wi‑Fi System nodes. [NDMS-612]
Implemented automatic updating of shared disk resources via the Change Notification mechanism of the File and printer sharing (TSMB CIFS) system component. [NDMS-192] [Requested by WMac]
Configuration saving with activated Mode — ICMP echo (ping) for Check the availability of the Internet (Ping Check) section on Web Interface is now working correctly. [NDW-780]
Updated to the latest OpenSSL library version 1.1.1f, which fixes the CVE-2020-1967 vulnerability.

Added KrØØk/CVE-2019-15126 vulnerability protection against decryption of Wi‑Fi WPA2 traffic. [NDMS-589]
Removed IPsec forced rekey for every 20 GBytes of transferred traffic, to improve stability of high load VPN tunnels. [NDMS-483]
Added randomization for source port of L2TP/IPsec VPN connection, to reduce reconnect time. [NDMS-483]
Restored client-to-client communication between VPN clients of different VPN servers of KeeneticOS, for example, PPTP and L2TP/IPsec. [NDMS-588]
Traffic counter for incoming and outgoing VPN IPsec tunnels on the Host traffic monitor page of Web Interface. [NDMS-228]
Handling of IP alias for IPIP (IP over IP) with IPsec protection. [NDMS-590] [Reported by KorDen]
IPsec VPN tunnel connection now follows a user-defined schedule. [NDMS-594] [Reported by keshun]
Folders with restricted permissions are now appropriately displayed in the File browser. [NDW-285] [Reported by Joe D]
Link to KeeneticOS Release notes is now visible on the Updates and component options section of the System setting page. [NDW-739] [Reported by r13]
Unregistered devices and Multicast traffic tabs of the Host traffic monitor used to disappear on page refresh. [NDW-632] [Reported by bigpu]
Updated to the latest OpenSSL library version 1.1.1e, which fixes the CVE-2019-1551 vulnerability.

Implemented advanced host traffic filtering based on MAC address ,to reduce discovery time on the Device lists page of the Web Interface and prevent devices with blocked access to the Internet from any outbound transactions. [NDMS-585, NDMS-586]
Listing files and directories of File and printer sharing (TSMB CIFS) application yields an empty response when uninstalled the Folder permissions control component. [NDMS-536] [Reported by psm68]
The printing via File and printer sharing (TSMB CIFS) system component is not possible on the Epson L120 printer due to an invalid printer name in the OpenPrinterEx response. [NDMS-381]

Implemented a new feature for ping-check service, which allows restarting a manually-specified interface. [NDMS-569]
- interface {name} ping-check restart [interface] — enable {interface} restart. Optional {name} argument is omitted (resulting in restarting the same interface) by default;
- ping-check {name} restart-interface — prior syntax is made obsolete.
The default MTU (Maximum transmission unit) size for WireGuard® VPN connections is set to 1324 bytes to optimize transfer of data through external networks. [NDMS-486]
The Device lists are now cleared of hosts mistakenly retrieved from OpenVPN connections. [NDMS-567] [Reported by unuixsoid]

Router icon display on particular DLNA clients or Smart TV for Media Server component of KeeneticOS. [NDMS-181]
IGMP proxy service deactivation on the bridge interface of the network Segment for the case when both the multicast source and clients are in the same Segment. [NDMS-231]
Reset to the default values of Phase 1 — IKE lifetime and Phase 2 — SA (Security Association) lifetime for L2TP/IPsec and Virtual IP VPN connections when some other VPN settings are changed. [NDMS-546]
Folder creation errors while copying folder to WebDAV server on attached USB storage. [NDMS-531] [Reported by tld14]
KeeneticOS service internet-checker adds captive portal examination for reliable Internet availability detection. [NDMS-553] [Reported by Space Alex]
Excessive logging of WireGuard® handshake has been reduced to save space for helpful messages in the System log. [NDMS-555] [Reported by r13]
The reason for lock precedence violation: IPV6_SUBNETS error messages in the System log. [Reported by r13]
Network mask parsing in ip nat command. It's now possible to use a short notation of IP network mask — ip nat 192.168.1.0/24. [NDMS-552] [Reported by KorDen]
Private key validation in the Connection settings section of the WireGuard® VPN. [NDW-653]

The new configuration option upstream-rate allows asymmetric Internet access speed restriction in the upload direction for any given interface/host/unknown-host. [NDMS-512]
- interface traffic-shape rate {rate} [asymmetric {upstream-rate}]
- ip traffic-shape host {mac} rate {rate} [asymmetric {upstream-rate}]
- ip traffic-shape unknown-host rate {rate} [asymmetric {upstream-rate}]
Added the Safe eject button for USB storage devices to the USB drives and printers section of the System dashboard. It's best practice to do a proper eject before removing your USB drive from your Keenetic device. [NDW-648]
Added WebDAV settings in the Private Cloud application page, providing easy management to your WebDAV (Web Distributed Authoring and Versioning) resources on the attached USB drive. [NDW-291]
DNS response with IP address 0.0.0.0 is removed from the anti-rebind list of the dns-proxy service of KeeneticOS because some supported Internet security and content filtering services use such IP address to filter blocked media content and links. [NDMS-528] [Reported by r3L4x]
Updated pppd daemon responsible for Point-to-Point Protocol (PPP protocol) of KeeneticOS, which fixes the CVE-2020-8597 vulnerability.
gspca_sonixj kernel module added to the OPKG (Open Package) system for KeeneticOS, supporting GSPCA based webcam devices.

Implemented PMF (Protected Management Frames) and WPA3-PSK/OWE (Opportunistic Wireless Encryption) for Wireless ISP (WISP) client providing wireless connection to the Internet. [NDMS-498, NDMS-226]
Added the new CLI commands — for safe disconnect and for detailed information display about connected USB drives. [NDMS-510]
- system eject {name} — unmount partitions and eject a USB media device cleanly;
- show media [name] — show information about attached USB media devices.
The SSH server system component of KeeneticOS now supports new modern and robust security algorithms: ChaCha20 symmetric cipher encryption and Poly1305 message authentication code across ed25519 public-key cryptography. [NDMS-516, NDMS-517]
Fixed one-way RTP (Real-time Transport Protocol) voice communication for VoIP calls via WireGuard VPN tunnel. Now both subscribers can hear each other well. [NDMS-503]
Addressed the shared network discovery issue with the Popcorn PCH-C300 and Dune media players. [NDMS-456]
Fixed the uptime calculation in the show ip hotspot CLI command. The uptime value is now refreshing properly for all Registered devices. [NDMS-520] [Reported by bigpu]
There are no changes for Keenetic Carrier(KN-1711).

Repaired the task queue corruption related to the Linux kernel CONFIG_COMPACTION option. The change avoids system restart under the heavy system load of applications that use external storage, e.g. Media Server and Download Station. [NDMS-423] [Reported by Nikolaiyka]
WireGuard® VPN tunnel sometimes could not reconnect, after system restart and in some other circumstances. [NDMS-497] [Reported by bigpu]
Fixed the System name field's validation to prevent the use of the space symbol. [NDW-620] [Reported by Vvlysov]
Fixed the KeenDNS domain name proxy option to preserve the HTTP Host header. [NDMS-490]

Added the WebDAV (Web Distributed Authoring and Versioning) file server. To access, use https://{hostname}/webdav link. The CLI commands for setting up the WebDAV server are listed below: [NDMS-275] [Requested by MDP]
Note
WebDAV stands for Web Distributed Authoring and Versioning, which is an extension to HTTP that lets clients edit remote content on the web. In essence, WebDAV enables a web server to act as a file server, allowing authors to collaborate on web content. WebDAV enriches the standard set of HTTP headers and methods to let you create, move and edit files, as well as delete or copy files and folders.
- ip http webdav enable — enable the service;
- ip http webdav security-level (public | private) — enable or disable access from the Internet;
- ip http webdav permissive — ignore filesystem ACL;
- ip http webdav root {directory} — set the root directory;
- user {name} tag webdav — enable WebDAV access for the user;
- show ip http webdav — show the current status of the WebDAV server.
Added the SFTP (SSH File Transfer Protocol) file server. The following CLI commands are available for setting up the SFTP server: [NDMS-244] [Requested by krass]
Note
The SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management functionalities over a secure connection.
- ip ssh sftp enable — enable the service;
- ip ssh sftp permissive — ignore filesystem ACL;
- ip ssh sftp root {directory} — set root directory;
- user {name} tag sftp — enable SFTP access for the user;
- show ssh sftp — show the current status.
Added support for the following modems with QMI (Qualcomm MSM Interface) type control interface:
Tip
To connect an LTE module to your Keenetic device, you can purchase a third-party USB adapter with a SIM card slot for the Mini PCI-E LTE module or M.2 LTE module.
- Qualcomm-based modems with Cat 1 LTE module — MDM9207 (pid 9025);
- SIMCom modem modules: Cat 3 LTE — 7100E, Cat 4 LTE — 7230E, Cat 1 LTE — 7600E;
- Sierra Cat 3 LTE modem module — MC7710; [NDMS-462]
- Quectel Cat 4 LTE modem module — EC25-E;
- ZTE USB modem: Cat 3 LTE — MF821D.
Wireless Backhaul connection shutdown for the Wi‑Fi system controller is now available. It helps to maximize the performance of the Wi‑Fi system if all nodes are connected via wired Ethernet connection. The CLI command is below. [NDMS-314] [Requested by Loredan]
- mws backhaul shutdown
Added DNS Rebinding protection feature for the dns-proxy service of KeeneticOS. [NDMS-437] [Requested by SecretSanta]
- [no] dns-proxy rebind-protect (strict | auto)
  - auto — block IP addresses of the security-level private segments (default);
  - strict — block IP addresses from the list: IANA IPv4 Special-Purpose Address Registry.
Implemented NOTIMPL response to IQUERY for the dns-proxy service of KeeneticOS, which means Not Implemented error for DNS requests from network devices. The IQUERY method of performing inverse DNS lookups is made obsolete. [NDMS-465]
Added DLNA accessibility for PPP-based VPN servers like PPTP or L2TP/IPsec. It enables the access to DLNA server content via external VPN connection. [NDMS-284]
- user {name} tag vpn-dlna — enable DLNA over PPP tag for a certain user account.
PEAP/MS-CHAPv2 authentication now works properly for 802.1x connections. [NDMS-402] [Reported by Алексей Подвойский]
Accelerated WEB Interface response time when thousands of dynamic routes are uploaded to KeeneticOS routing table via OPKG (Open Package) system packages. [Reported by Alexander Kudrevatykh]
Updated the mini_snmpd system service with fixes for the CVE-2020-6058, CVE-2020-6059, CVE-2020-6060 vulnerabilities.

Fixed

Disabled dns-proxy rebind protection for the loopback IP address 127.0.0.1 since it caused some mobile applications to fail. [NDMS-688] [Reported by Andrew Voronkov]
Disabled dns-proxy rebind protection for the plex.direct domain, providing for proper operation of the Plex application. [NDMS-696]
Added the 4G/3G network signal level icon for USB modems. [NDW-800]
The Device list page now shows the Ethernet port number for wired devices. [NDW-829]
Gateway and DNS server information is added to the System dashboard page in extender mode. [NDW-872]
Fixed Schedule editor operation in mobile browsers. [NDW-738]
Fixed the toggle switch operation for the Private Cloud components on the Applications tile in the dashboard. [NDW-885]

Added IEEE 802.11h DFS (Dynamic Frequency Selection) support for Mesh Wi‑Fi System, to prevent interference with satellite and weather radar systems using the same 5 GHz frequency band. In the case of detection of a radar signal, the Keenetic acting as Controller of the Wi‑Fi System will switch to another Wi‑Fi channel for all extenders included in the Wi‑Fi System. [NDMS-632]
Implemented an option to turn off printer polling status. It's helpful for the printer models which do not return correct status. By default, polling status is turned on. [NDMS-209]
- printer {name} no status-polling
Implemented upstream speed limit for registered hosts. [NDW-815]
Redesigned the Private Cloud tile within the Applications section to provide easy management of WebDAV server, SFTP server and FTP server in one place. [NDW-825]

Fixed the long reconnection time for backhaul links between Wi‑Fi System nodes. [NDMS-612]
Implemented automatic updating of shared disk resources via the Change Notification mechanism of the File and printer sharing (TSMB CIFS) system component. [NDMS-192] [Requested by WMac]
Configuration saving with activated Mode — ICMP echo (ping) for Check the availability of the Internet (Ping Check) section on Web Interface is now working correctly. [NDW-780]
Updated to the latest OpenSSL library version 1.1.1f, which fixes the CVE-2020-1967 vulnerability.

Added KrØØk/CVE-2019-15126 vulnerability protection against decryption of Wi‑Fi WPA2 traffic. [NDMS-589]
Removed IPsec forced rekey for every 20 GBytes of transferred traffic, to improve stability of high load VPN tunnels. [NDMS-483]
Added randomization for source port of L2TP/IPsec VPN connection, to reduce reconnect time. [NDMS-483]
Restored client-to-client communication between VPN clients of different VPN servers of KeeneticOS, for example, PPTP and L2TP/IPsec. [NDMS-588]
Traffic counter for incoming and outgoing VPN IPsec tunnels on the Host traffic monitor page of Web Interface. [NDMS-228]
Handling of IP alias for IPIP (IP over IP) with IPsec protection. [NDMS-590] [Reported by KorDen]
IPsec VPN tunnel connection now follows a user-defined schedule. [NDMS-594] [Reported by keshun]
Folders with restricted permissions are now appropriately displayed in the File browser. [NDW-285] [Reported by Joe D]
Link to KeeneticOS Release notes is now visible on the Updates and component options section of the System setting page. [NDW-739] [Reported by r13]
Unregistered devices and Multicast traffic tabs of the Host traffic monitor used to disappear on page refresh. [NDW-632] [Reported by bigpu]
Updated to the latest OpenSSL library version 1.1.1e, which fixes the CVE-2019-1551 vulnerability.

Implemented advanced host traffic filtering based on MAC address ,to reduce discovery time on the Device lists page of the Web Interface and prevent devices with blocked access to the Internet from any outbound transactions. [NDMS-585, NDMS-586]
Listing files and directories of File and printer sharing (TSMB CIFS) application yields an empty response when uninstalled the Folder permissions control component. [NDMS-536] [Reported by psm68]
The printing via File and printer sharing (TSMB CIFS) system component is not possible on the Epson L120 printer due to an invalid printer name in the OpenPrinterEx response. [NDMS-381]

Implemented a new feature for ping-check service, which allows restarting a manually-specified interface. [NDMS-569]
- interface {name} ping-check restart [interface] — enable {interface} restart. Optional {name} argument is omitted (resulting in restarting the same interface) by default;
- ping-check {name} restart-interface — prior syntax is made obsolete.
The default MTU (Maximum transmission unit) size for WireGuard® VPN connections is set to 1324 bytes to optimize transfer of data through external networks. [NDMS-486]
The Device lists are now cleared of hosts mistakenly retrieved from OpenVPN connections. [NDMS-567] [Reported by unuixsoid]

Router icon display on particular DLNA clients or Smart TV for Media Server component of KeeneticOS. [NDMS-181]
IGMP proxy service deactivation on the bridge interface of the network Segment for the case when both the multicast source and clients are in the same Segment. [NDMS-231]
Reset to the default values of Phase 1 — IKE lifetime and Phase 2 — SA (Security Association) lifetime for L2TP/IPsec and Virtual IP VPN connections when some other VPN settings are changed. [NDMS-546]
Folder creation errors while copying folder to WebDAV server on attached USB storage. [NDMS-531] [Reported by tld14]
KeeneticOS service internet-checker adds captive portal examination for reliable Internet availability detection. [NDMS-553] [Reported by Space Alex]
Excessive logging of WireGuard® handshake has been reduced to save space for helpful messages in the System log. [NDMS-555] [Reported by r13]
The reason for lock precedence violation: IPV6_SUBNETS error messages in the System log. [Reported by r13]
Network mask parsing in ip nat command. It's now possible to use a short notation of IP network mask — ip nat 192.168.1.0/24. [NDMS-552] [Reported by KorDen]
Private key validation in the Connection settings section of the WireGuard® VPN. [NDW-653]

The new configuration option upstream-rate allows asymmetric Internet access speed restriction in the upload direction for any given interface/host/unknown-host. [NDMS-512]
- interface traffic-shape rate {rate} [asymmetric {upstream-rate}]
- ip traffic-shape host {mac} rate {rate} [asymmetric {upstream-rate}]
- ip traffic-shape unknown-host rate {rate} [asymmetric {upstream-rate}]
Added the Safe eject button for USB storage devices to the USB drives and printers section of the System dashboard. It's best practice to do a proper eject before removing your USB drive from your Keenetic device. [NDW-648]
Added WebDAV settings in the Private Cloud application page, providing easy management to your WebDAV (Web Distributed Authoring and Versioning) resources on the attached USB drive. [NDW-291]
DNS response with IP address 0.0.0.0 is removed from the anti-rebind list of the dns-proxy service of KeeneticOS because some supported Internet security and content filtering services use such IP address to filter blocked media content and links. [NDMS-528] [Reported by r3L4x]
Updated pppd daemon responsible for Point-to-Point Protocol (PPP protocol) of KeeneticOS, which fixes the CVE-2020-8597 vulnerability.
gspca_sonixj kernel module added to the OPKG (Open Package) system for KeeneticOS, supporting GSPCA based webcam devices.

Implemented PMF (Protected Management Frames) and WPA3-PSK/OWE (Opportunistic Wireless Encryption) for Wireless ISP (WISP) client providing wireless connection to the Internet. [NDMS-498, NDMS-226]
Added the new CLI commands — for safe disconnect and for detailed information display about connected USB drives. [NDMS-510]
- system eject {name} — unmount partitions and eject a USB media device cleanly;
- show media [name] — show information about attached USB media devices.
The SSH server system component of KeeneticOS now supports new modern and robust security algorithms: ChaCha20 symmetric cipher encryption and Poly1305 message authentication code across ed25519 public-key cryptography. [NDMS-516, NDMS-517]
Fixed one-way RTP (Real-time Transport Protocol) voice communication for VoIP calls via WireGuard VPN tunnel. Now both subscribers can hear each other well. [NDMS-503]
Addressed the shared network discovery issue with the Popcorn PCH-C300 and Dune media players. [NDMS-456]
Fixed the uptime calculation in the show ip hotspot CLI command. The uptime value is now refreshing properly for all Registered devices. [NDMS-520] [Reported by bigpu]
There are no changes for Keenetic Carrier(KN-1711).

Repaired the task queue corruption related to the Linux kernel CONFIG_COMPACTION option. The change avoids system restart under the heavy system load of applications that use external storage, e.g. Media Server and Download Station. [NDMS-423] [Reported by Nikolaiyka]
WireGuard® VPN tunnel sometimes could not reconnect, after system restart and in some other circumstances. [NDMS-497] [Reported by bigpu]
Fixed the System name field's validation to prevent the use of the space symbol. [NDW-620] [Reported by Vvlysov]
Fixed the KeenDNS domain name proxy option to preserve the HTTP Host header. [NDMS-490]

Added the WebDAV (Web Distributed Authoring and Versioning) file server. To access, use https://{hostname}/webdav link. The CLI commands for setting up the WebDAV server are listed below: [NDMS-275] [Requested by MDP]
Note
WebDAV stands for Web Distributed Authoring and Versioning, which is an extension to HTTP that lets clients edit remote content on the web. In essence, WebDAV enables a web server to act as a file server, allowing authors to collaborate on web content. WebDAV enriches the standard set of HTTP headers and methods to let you create, move and edit files, as well as delete or copy files and folders.
- ip http webdav enable — enable the service;
- ip http webdav security-level (public | private) — enable or disable access from the Internet;
- ip http webdav permissive — ignore filesystem ACL;
- ip http webdav root {directory} — set the root directory;
- user {name} tag webdav — enable WebDAV access for the user;
- show ip http webdav — show the current status of the WebDAV server.
Added the SFTP (SSH File Transfer Protocol) file server. The following CLI commands are available for setting up the SFTP server: [NDMS-244] [Requested by krass]
Note
The SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management functionalities over a secure connection.
- ip ssh sftp enable — enable the service;
- ip ssh sftp permissive — ignore filesystem ACL;
- ip ssh sftp root {directory} — set root directory;
- user {name} tag sftp — enable SFTP access for the user;
- show ssh sftp — show the current status.
Added support for the following modems with QMI (Qualcomm MSM Interface) type control interface:
Tip
To connect an LTE module to your Keenetic device, you can purchase a third-party USB adapter with a SIM card slot for the Mini PCI-E LTE module or M.2 LTE module.
- Qualcomm-based modems with Cat 1 LTE module — MDM9207 (pid 9025);
- SIMCom modem modules: Cat 3 LTE — 7100E, Cat 4 LTE — 7230E, Cat 1 LTE — 7600E;
- Sierra Cat 3 LTE modem module — MC7710; [NDMS-462]
- Quectel Cat 4 LTE modem module — EC25-E;
- ZTE USB modem: Cat 3 LTE — MF821D.
Wireless Backhaul connection shutdown for the Wi‑Fi system controller is now available. It helps to maximize the performance of the Wi‑Fi system if all nodes are connected via wired Ethernet connection. The CLI command is below. [NDMS-314] [Requested by Loredan]
- mws backhaul shutdown
Added DNS Rebinding protection feature for the dns-proxy service of KeeneticOS. [NDMS-437] [Requested by SecretSanta]
- [no] dns-proxy rebind-protect (strict | auto)
  - auto — block IP addresses of the security-level private segments (default);
  - strict — block IP addresses from the list: IANA IPv4 Special-Purpose Address Registry.
Implemented NOTIMPL response to IQUERY for the dns-proxy service of KeeneticOS, which means Not Implemented error for DNS requests from network devices. The IQUERY method of performing inverse DNS lookups is made obsolete. [NDMS-465]
Added DLNA accessibility for PPP-based VPN servers like PPTP or L2TP/IPsec. It enables the access to DLNA server content via external VPN connection. [NDMS-284]
- user {name} tag vpn-dlna — enable DLNA over PPP tag for a certain user account.
PEAP/MS-CHAPv2 authentication now works properly for 802.1x connections. [NDMS-402] [Reported by Алексей Подвойский]
Accelerated WEB Interface response time when thousands of dynamic routes are uploaded to KeeneticOS routing table via OPKG (Open Package) system packages. [Reported by Alexander Kudrevatykh]
Updated the mini_snmpd system service with fixes for the CVE-2020-6058, CVE-2020-6059, CVE-2020-6060 vulnerabilities.

Keenetic Carrier (KN-1711-01EN/DE) Help Center

KeeneticOS 3.4

KeeneticOS 3.4.12

New

Improved

Fixed

KeeneticOS 3.4.6

New

Improved

Fixed

KeeneticOS 3.4.3

New

Improved

Fixed

KeeneticOS 3.4.1

New

Note

Note

Tip

Improved

Note

Note

Tip

Fixed

Note

Note

Tip

Search results