KeeneticOS 4.0
What’s new?
Welcome to the release of KeeneticOS version 4.0! We are excited to share with you the many new features, fixes and improvements that this release brings. Our main focus for this update is to significantly improve support for the IPv6 protocol in various KeeneticOS services.
Firstly, we have implemented the new IPv6 prefix delegation option, which allows for efficient subnetting. We have also incorporated key IPv6 standards such as 464clat (RFC6877) and RFC6204 (WAA-8) into our system.
One of the notable enhancements in this release is the Application Traffic Analyser's support for IPv6 protocol traffic classification. We have also introduced host traffic accounting specifically for the IPv6 protocol, ensuring accurate calculations of incoming and outgoing data for your home devices.
The connection policy has been updated to include the IPv6 protocol, further extending the capabilities of KeeneticOS. The web interface now provides core support for IPv6 connections, enabling seamless management.
For users of the Wireguard VPN component, we are pleased to announce that it now internally supports the IPv6 protocol for VPN connections. In addition, the SNMP server and WebDAV server have also been updated to support IPv6.
We understand the importance of DNS configuration and with this release, we have introduced the ability to bind DNSv6 addresses through the command line interface (CLI), giving you more control over your network settings.
To enhance your Dynamic DNS (DDNS) capabilities, we have included the new deSEC (desec.io) service as part of the system component.
Finally, we are excited to introduce the Multiple Subnets option for site-to-site IPsec VPN connections in Phase 2. This feature will allow network connectivity between multiple subnets via a VPN tunnel, increasing the versatility of your Keenetic device.
KeeneticOS 4.0.7
27/11/2023
Fixed
Fixed a high CPU load issue caused by the DNS proxy process going into an infinite loop due to frequent TCP requests on the network. [SYS-1034]
Fixed an issue where the OpenVPN server showed the Not connected state after a router reboot. [NDM-2874]
Fixed the application of Internet safety profiles for clients with assigned routing policies. [NDM-2928]
Multiple connections to the IKEv2/IPsec VPN server using the same login credentials now work correctly. [NDM-2986]
Disabled the global scope in the IPv6 ULA prefix announcement to prevent clients from using local addresses as the default connection and the KeenDNS name from becoming unavailable. [NDM-2993]
Fixed an issue that caused a system reboot in CmdSetTxPowerCtrl. [SYS-1026]
Fixed the rejection of a wireless client with the message STA had re-associated from 00:00:00:00:00:00 in the System log. [SYS-1029]
The strongSwan service configuration can now be applied correctly under special conditions. [SYS-1033]
Fixed an issue that prevented an IPsec VPN connection from being established after a router restart. [NDM-3019]
Fixed an issue that caused the system language to be installed incorrectly when updating using the Initial Setup Wizard. [NDW3-1041]
KeeneticOS 4.0.5
17/10/2023
New
Added new TCP+UDP/3389 - Remote Desktop Protocol (RDP) Port Forwarding rule preset in the Web Interface. [NWI-2890]
Fixed
Fixed the reinstallation of the default route when changing the WireGuard tunnel priority on the Connection priorities page. [NDM-2933]
The error message Could not bind on given addresses: Address in use no longer appears in the System log when using DNS-over-TLS (DoT) server settings. [SYS-1007]
Adjusted the maximum number of sessions for the swnat service according to the conntrack setting in the configuration. [SYS-980]
Fixed the wireless connection of HP LaserJet printers using WPS technology. [SYS-988]
Fixed the no rekey-interval command line interface (CLI) command for wireless interfaces. [SYS-990]
Sorting the Traffic priority column on the Clients list page now works as intended. [NWI-2889]
Fixed the display of the Band Steering setting in the Web Interface. [NWI-2993]
The Force UDP and IKEv2 checkboxes in the EoIP/IPsec settings in the Web Interface now work correctly. [NWI-2981]
Fixed enabling time zone synchronization of Extenders on the Wi-Fi system page. [NDM-2918]
Fixed the wireless backhaul operation on extenders with scheduled Wi-Fi shutdowns. [NDM-2912]
Fixed the client bandwidth limit configured via RADIUS server parameters for the Captive portal system component. [NDM-2947]
Fixed an issue that caused a system reboot with the FT_KDP_EventInform error message. [SYS-994]
Fixed missing traffic statistics for a network with the number of registered devices approaching 200. [SYS-1014]
KeeneticOS 4.0.4
24/08/2023
Improved
The OpenSSL library is updated to the latest version 3.0.10, which fixes the following list of vulnerabilities: CVE-2023-3817, CVE-2023-3446, CVE-2023-2975. [SYS-949]
Fixed
Fixed the use of the static DNS record 78.47.125.180 used for KeenDNS direct mode. [NDM-2905]
Fixed the PPPoE session interruption when the DHCP address is renewed on the parent interface. [NDM-2904]
Restored saving of the Multiple sign-in checkbox for IKEv1/IPsec and IKEv2/IPsec VPN servers. [NDM-2853]
The cause of the wind: failed to make ioctl call: network is down message in the System log has been fixed. [NDM-2887]
Fixed errors in the operation of the OpenVPN connection when using the user's Connection policy. [NDM-2888]
Fixed IPv4 address selection when configuring ip alias addresses. [SYS-945]
Fixed the duplicate entries issue where an Extender appears in the list of unregistered devices if its IP address has changed. [NDM-2892]
Enabling the traffic shaper for registered clients no longer causes problems with web browsing. [SYS-953]
Fixed timeouts when accessing websites using a custom Connection policy with multipath access enabled. [NDM-2792]
Fixed an unnecessary restart of the dhcp6d daemon after saving segment parameters. [NDM-2916]
KeeneticOS 4.0.2
03/08/2023
New
Implemented a new option to de-announce IPv6 prefixes for backup connections. [NDM-2805]
Implemented a new ip format option for the DHCP server in the command line interface (CLI): [NDM-2755]
ip dhcp pool {name} option {2..254} ip {address[,address]*} — set IP address ip for certain DHCP option number
The new option to bind DNSv6 addresses is now available via the command line interface (CLI), as follows:
ipv6 name-server {address} [{domain} [on {interface}]] — bind DNSv6 {address} on specified {interface}; for example:
ipv6 name-server 123::456 "" on UsbLte0
The Web Interface's new custom HTTPS server port allows you to free up a standard TCP/443 port and forward it to any device on your local network. [NDM-2670]
ip http ssl port {port} — assign a different {port} for HTTPS server of the Web Interface
The setting for the new On-demand type of Internet connection is available from the Command Line Interface (CLI). The On-demand type of connection is automatically disconnected if a higher priority Internet connection is running. [NDM-2643]
interface {name} standby enable — switch connection type to On-demand for specified interface {name}
The Country and Time Zone Confirmation popup will appear when you enter the Web Interface. This confirmation is needed to improve communication with the Keenetic Cloud, time synchronization servers, proper Wi-Fi network announcement, and legal consent. [NWI-1437]
The legal address of Keenetic GmbH has changed with effect from 12 January 2023. This makes it necessary for us to update the Device Privacy Notice. The change of legal address is the only change in the updated document, but you will still see the pop-up asking you to confirm the whole revised document when you log in to the device's Web Interface.
The new 464clat (RFC6877) option has been implemented for the IPv6 transition mechanism. [NDM-2121]
The SNMP server system component now supports IPv6 protocol operation. [NDM-2653]
The Application traffic analyser now supports traffic classification for the ICMP protocol. [SYS-760]
The new deSEC (desec.io) service is available for the Dynamic DNS (DDNS) client system component. [NDM-2540]
A new CLI command allows the deactivation of an internal storm-control feature for a specific interface:
interface {name} storm-control disable — disable storm-control on {name} interface
The new IPv6 Prefix Delegation option has been implemented for subnetting. [NDM-1976]
Use the following CLI commands to set:
ipv6 subnet {name} prefix length {length} — set subnet prefix length
ipv6 subnet {name} prefix delegate {delegate} — set delegated prefix length (must be shorter than prefix length)
A typical Prefix Delegation configuration for a Home segment looks as follows:
ipv6 subnet Default bind Home mode dhcp prefix length 63 prefix delegate 64 number 0
The new multiple subnets option is available for Site-to-site IPsec VPN connections in Phase 2, providing network connectivity between several subnets over a VPN tunnel. [NDM-313]
Use the following CLI commands to set:
object-group ip {name} — create a new object group
include (ip | tcp | udp | tcpudp | icmp) {address} [{port} [{end-port}]]
exclude (ip | tcp | udp | tcpudp | icmp) {address} [{port} [{end-port}]]
crypto map {name} traffic-selectors {local} {remote} — assign local/remote object groups as Phase 2 selectors
The new Add local subnet and Add remote subnet options are available for Site-to-site IPsec VPN connections on the Internet > Other connections page.
Implemented host traffic accounting for IPv6 protocol, providing correct calculation for the incoming/outgoing data of your home devices. [SYS-648]
The Application traffic analyser now supports traffic classification for the IPv6 protocol. [SYS-652]
The Traffic shaper system component now supports operation with the IPv6 protocol, providing correct traffic limitation for data flows of IPv4/IPv6 together. [SYS-658]
The Web Interface receives core support for IPv6 connections. [NDM-2448]
The OpenVPN client and server system component now supports the IPv6 protocol for VPN connection. [NDM-2451]
The Wireguard VPN component now internally supports the IPv6 protocol for VPN connection. [NDM-2452]
Implemented support for 802.1Q tagged VLAN traffic over AccessPoint and WifiStation (Wireless ISP) interfaces. [SYS-682]
The new HTTP/HTTPS URI mode of the Ping Check allows you to specify the host address to check using a URI (Uniform Resource Identifier). [NDM-2490]
Use the following CLI commands to set:
ping-check profile {name} mode (icmp | connect | tls | uri) — enable URI checking for Ping Check profile {name}
ping-check profile {name} uri {uri} — set URI
Connection policy now operates with the IPv6 protocol. [NDM-2515]
Improved
Faster and more reliable operating system updates for Mesh Wi-Fi nodes. The structure of the Mesh Wi-Fi System and the connections between nodes now determine the order in which nodes are updated. [NDM-2816]
The Web interface now supports the Danish language. [SYS-907]
Added ICMPv6 support to ipv6 static rules, allowing pingv6 to local devices with IPv6 addresses. [NDM-2760]
ipv6 static (... | icmpv6) [interface] {mac} — enable icmpv6 protocol for specified {mac}
Implemented propagation of Network Time Protocol settings to extenders in the Wi-Fi System. [NDM-2508]
The initial Ping Check state has been changed to a negative state to avoid using a non-working connection to access the Internet. Reduced initial Ping Check time. [NDM-1837]
The Firewall service now flushes corresponding sessions when firewall rules are enabled or disabled. [NDM-2690]
The maximum MTU size has been increased to 1514 bytes, providing PPPoE MTU = 1500 bytes over VLAN. [SYS-812]
The ip alias configuration no longer affects the NAT translation for the primary PPPoE connection. [SYS-806]
Added a robots.txt file to the Web Interface server to prevent indexing by search engines. [NDM-2673]
The ipv6 firewall CLI command has been deprecated and removed. [NDM-1731]
The network interface status tracking mechanism in KeeneticOS has been redesigned to provide better IPv6 protocol support and faster Web Interface response. [NDM-2415]
The new WAN IPv6 address assignment option has been implemented in accordance with the RFC6204 (WAA-8) standard. [NDM-2549]
Increased KeenDNS service web application records from 160 to 256. [NDM-2519]
Fixed
Wireless connection with WPA3-PSK (SAE-H2E method) security no longer triggers a system reboot. [SYS-932]
Network segmentation has been fixed to prevent Guest segment devices from accessing the settings of Extender nodes. [NDM-2744]
Fixed support for Microsoft Point-to-Point Encryption (MPPE) on L2TP/IPsec connections. [NDM-2859]
Automatic Wi-Fi channel selection no longer causes Wi-Fi to stop transmitting. [SYS-536]
The name of the segment and other description fields are now protected against the XSS vulnerability in the Web interface. [NWI-2715]
Enabling the DNS transit requests feature correctly disables DNS packet interception. [NDM-2769]
Fixed HTTP server configuration errors after changing the interface security level under certain conditions. [NDM-2832]
Fixed GigabitEthernet1 is off-board error when deleting Wired connection via port 0 in the Web interface. [NDM-2651]
Corrected traffic counting when multiple WAN connections are active. [SYS-880]
Fixed Wi-Fi connection issue when switching channel width from 80 to 20 MHz. [SYS-893]
It is now possible to add new extenders to the Wi-Fi system without an Internet connection. [NDM-2594]
Fixed some minor visual issues with the Web interface layouts. [NWI-2675, NWI-2676]
Fixed positioning of Web UI elements on the System Dashboard page when zooming in Safari iOS 16. [NWI-2626]
Fixed the GRE/IPsec connection issue when using IKEv2 and Cisco IOS/NX-OS endpoints. [NDM-2789]
Fixed the cause of wireless clients rejoining a Wi-Fi network with Fast transition (802.11r) disabled under certain conditions. [SYS-845]
Sorting in the Channels column on the Wi-Fi Monitor page now works correctly. [NWI-2603]
Corrected the layout of the dialogue box of the Fail-safe function. [NWI-2635]
Fixed incorrect local and remote IKEv2 proposal IDs when using GRE/IPsec tunnels. [NDM-2750]
The misclassification of traffic from registered devices as traffic from unregistered devices in the traffic accounting has been corrected. [SYS-846]
Disabled the use of name servers (DNS servers) on offline backup connections. [NDM-795]
The static route for the WireGuard® VPN remote peer is no longer removed after changes are made to the underlying connection of the WireGuard VPN tunnel. [NDM-2522]
Asymmetric speed limiting now works correctly for registered devices when IntelliQoS is enabled. [SYS-836]
The multipath policies now work correctly and do not use connections with negative Ping Check testing results. [NDM-2706]
Prevented IPsec configuration failure using a cryptographic key crypto ike key with an unsupported length greater than 72 characters. [NDM-2562]
The default route is now correctly assigned for HTTP/HTTPS/SOCKS5 proxy interfaces. [NDM-2366]
The default route via the IPoE interface is now automatically restored after the PPP (PPPoE, L2TP, PPTP) interface is deleted. [NDM-2575]
Fixed connected state for interfaces with a statically configured IP address. [NDM-2551]
The use of WireGuard® tunnels as the default route with the IPv6 protocol is now fixed. [NDM-2535]
The interface ipv6 force-default CLI command has been brought back into support for backward compatibility. [NDM-2545]