KeeneticOS 4.1
What’s new?
Welcome to the release of KeeneticOS version 4.1! Our main focus for this update is to further improve support for the IPv6 protocol in various KeeneticOS services.
Among the most significant IPv6 updates are the introduction of local prefixes of the ULA fc00::/7 address space for local segments, IPv6 interface identifier configuration via the CLI, blocking of IPv6 DNS traffic in transit with Internet filters, and support for the ping6 command.
The maximum number of independent wireless networks (SSIDs) is increased to 7 per band, enabling network administrators to meet the demands of modern connectivity environments.
A new option to force disconnection of Wi-Fi clients with weak signal levels is available via the CLI command to help network administrators optimise network performance, improve user experience and promote efficient spectrum utilisation.
The new ZeroTier client is available for CLI setup and supports secure connectivity to your private networks and devices anywhere online.
Improved SNMP implementation allows configuration of multiple community setups and profiles with restricted access to OID branches via the CLI.
The maximum number of IP alias entries has been increased to 250, providing greater flexibility when setting up Internet connections with multiple external IP addresses and multi-NAT rules.
It is now possible to specify the underlying connection for peers in WireGuard VPN, enabling precise tunnel traffic management.
The XFRM interface implementation allows IPsec VPN site-to-site traffic to follow firewall rules and routing tables, for example, for use as an Internet connection.
KeeneticOS 4.1.7
18/06/2024
Fixed
Fixed the operation of Connection Policies with the IPv6 protocol under certain conditions. [NDM-3289]
Fixed the continued reconnections of OpenVPN with more than one active client or server. [NDM-3301]
An issue that caused the error message failed to lookup service for segment "WifiMaster1" on Extender devices to appear in the System log has been fixed. [NDM-3325]
KeeneticOS 4.1.6
20/05/2024
Improved
Implemented support for direct access mode to KeenDNS domain from browsers with TLS 1.3 hybridized Kyber enabled. [NDM-3284]
Implemented a workaround to prevent certain Realtek Wi-Fi drivers from crashing on Windows OS when passing non-PMF authentication on a PMF-enabled access point. [SYS-1131]
Fixed
Fixed spurious EoIP/IPsec connection attempts after device restart. [NDM-2518]
Fixed random disconnection of IKEv2 tunnels to the Keenetic IKEv2/IPsec VPN server. [NDM-3059]
The Application traffic analyser engine now operates more efficiently with the IPv6 protocol under high network load. [NDM-3235]
Fixed an issue with an absent route to the remote WireGuard endpoint after device restart. [NDM-3223]
Fixed problem with converting Band Steering settings after updating to KeeneticOS 4.1.x version. [NDM-3241]
The problem that causes the error message PingCheck::Resolve: "default": system failed [0xcffd003c], upstream is very slow to respond in the System log has been fixed. [NDM-3244]
The L2TP/IPsec VPN Server now only allows network access to the specified segment. [NDM-3247]
Fixed hostname resolution for Ping Check in TCP/TLS port check mode when using secure DNS for domain name resolution. [NDM-3273]
Fixed the OpenVPN client startup failure with Options error: In [CMD-LINE]:1: Error opening configuration file message in the System log. [NDM-3217]
Fixed a problem where replies to recursive DNS queries were causing Internet access to fail. [NDM-3226]
KeeneticOS 4.1.3
02/04/2024
Improved
Improved operation of the Ping Check service when using secure DNS for domain name resolution. [NDM-3178]
Fixed
Fixed the DoT/DoH secure DNS service domain address resolution when a DNS-based content filter uses public resolvers. [NDM-3134]
Fixed an issue with the availability of the SSTP VPN Server when the Internet connection interface ignores the DNS servers provided by the ISP. [NDM-3179]
Fixed operation of ISP-provided DNS servers on a backup connection. [NDM-3186]
Fixed the DNS subsystem restart with Dns::Recursor: system failed [0xcffd0157] message related to DHCP client operation. [NDM-3188]
Restored the OpenVPN client/server to connect when ignoring the block-outside-dns option. [NDM-3190]
Remote Endpoint resolution for WireGuard peers now works correctly when the connection is restarted. [NDM-3189]
KeeneticOS 4.1.2
18/03/2024
New
The Web interface now supports the Finnish language. [SYS-1114]
The prefix delegation hint command for the DHCPv6 client has been implemented in the Command Line Interface (CLI). [NDM-3076]
interface {name} ipv6 dhcp client pd hint {prefix | ::/length} — set required prefix or its ::/length
The new "Handoff" option to force Wi-Fi clients with weak signals to disconnect is now available via the Command Line Interface (CLI). [NDM-3081]
interface {name} rssi-threshold {rssi-threshold} — set minimal {rssi-threshold} level for wireless clients connected to specified Access Point {name}
The new WireGuard VPN via option allows the underlying connection to be implicitly specified for peers. [NDM-272]
interface {name} wireguard peer {key} connect via {via} — set the peer {key} of the WireGuard {name} connection to establish connection over the {via} interface
The new Pairwise Master Key Security Association (PMK SA) cache lifetime control option is now available in the Command Line Interface (CLI). The default value has been changed from 720 seconds to 1440 seconds. [NDM-3052]
interface {name} pmksa-lifetime {pmksa-lifetime} — set {pmksa-lifetime} (in seconds) for specified interface {name}
The new IPv6 interface identifier options are now available, providing a custom setting in the Command Line Interface (CLI). [NDM-2672]
interface {name} ipv6 id ({suffix} | eui64 | random) — assign an IPv6 interface identifier
The new XFRM interface implementation allows IPsec VPN site-to-site tunnel traffic to follow firewall rules and operate based on the routing table, including use as an Internet connection. [NDM-3009]
interface XFRM0 — create an XFRM interface;
crypto map {name} tunnel-interface XFRM0 — assign the XFRM interface to a crypto map
The new ntp source option allows the source IP address to be specified for outgoing NTP client traffic. [NDM-3006]
ntp source {address} — set NTP client source IP {address}
Enhanced SNMP implementation allows multiple community setups and profiles with restricted access to OID branches. [NDM-3008]
snmp view <view> include <oid-tree> — include subtree to the view;
snmp view <view> exclude <oid-tree> — exclude subtree from the view;
The option to enforce Protected Management Frames (PMF) is now available for wireless interfaces with WPA2 protection. [NDM-2930]
interface {interface} pmf force — force PMF on specified {interface}
Introduced synchronisation of read-only permission for user accounts for Mesh Wi-Fi system extenders. [NDM-2985]
The additional user accounts are now transferred to extenders in the Wi-Fi System. [NDM-2871]
Added sequential shutdown of bridged interfaces during a broadcast storm to protect remote access to the Keenetic device. [SYS-1003]
The new Proxy connection options, which introduce connectivity over the UDP protocol, are now available from the Command Line Interface (CLI). [NDM-2971]
interface {name} proxy udpgw-upstream {ip} {port} — set UDPGW remote server
interface {name} proxy socks5-udp — enable UDP mode for SOCKS v5
The new ZeroTier client supports secure connection with your private networks and devices anywhere online. [NDM-2883]:
interface ZeroTier0 — create ZeroTier interface
interface {name} zerotier network-id {network-id} — set ZeroTier network ID
interface {name} zerotier accept-addresses — accept addresses from the server
interface {name} zerotier accept-routes — accept routes from the server
interface {name} zerotier connect [via {via}] — enable connection via specified interface
show interface {name} zerotier peers — show peers
Improved
Increased the number of wireless Network name SSIDs up to 7 on each band. [SYS-995]
Note: The BSSID MAC addresses on dual-band devices may have changed. It is recommended that you clear the BSSID binding settings on your Extenders, if you are using them.
Added MAC filtering for ApCli backhaul connection with bound BSSID for correct operation of Mesh Wi-Fi System. [SYS-1118]
The error message wind: failed to decrypt message has been moved to debug messages. [SYS-1084]
The number of the ip alias entries has been increased from 8 to 250. [NDM-3063]
The OpenSSL library has been updated to the latest version 3.1.5, which fixes the following list of vulnerabilities: CVE-2023-5678, CVE-2024-0727. [SYS-1097]
The implementation of automatic source NAT now includes address translation for networks declared as aliases, ensuring the correct operation of the tools ping and tools traceroute commands. [NDM-3061]
The OpenVPN service has been updated to version 2.6.7. This update includes fixes for the following security vulnerabilities: CVE-2023-46850 and CVE-2023-46849. [NDM-3049]
The Keenetic Wi-Fi system now allows manual selection of the STP bridge priority value to work seamlessly on an existing network with managed switches. [NDM-2406]
mws stp priority {priority} — set STP {priority}
IPv6 local prefixes of the ULA fc00::/7 address space are now available for configuration on network interfaces. [NDM-3039]
The new source-address option allows the source IP address to be specified for the ping and ping6 CLI commands. [NDM-3016]
tools ping {host} [count {count}] [size {packetsize}] [sequence-id {sequence-id}] [source ({source-interface} | {source-address})] [tos {tos}] [ttl {ttl}]
tools ping6 {host} [count {count}] [size {packetsize}] [sequence-id {sequence-id}] [source ({source-interface} | {source-address})] [tos {tos}] [ttl {ttl}]
Implemented blocking of transit IPv6 DNS traffic when Internet filters are enabled. [NDM-2960]
The OpenSSL library is updated to the latest version 3.1.2, which fixes the following list of vulnerabilities: CVE-2023-3817, CVE-2023-3446, CVE-2023-2975. [SYS-949]
Incoming and outgoing bandwidth control for IntelliQoS implemented in the Command Line Interface (CLI). [NDM-2757]
ntce upstream rate-limit {interface} input ({rate} | auto) — set bandwidth limit for specific {interface} for incoming direction
ntce upstream rate-limit {interface} output ({rate} | auto) — set bandwidth limit for specific {interface} for outgoing direction
The OpenSSL library is updated to the latest version, 3.1.1, which fixes the following list of vulnerabilities: CVE-2023-2650, CVE-2023-0465. [SYS-883]
Fixed
Fixed Ping Check operation on connections with recursive domain name resolution. [NDM-3086]
Fixed the Wi-Fi Fast Transition (802.11r) operation in the case of different SSIDs on the same network segment. [NDM-2917]
The use of the traceroute diagnostic tool with a specified port for TCP/UDP has been corrected. CLI command example: tools traceroute 1.1.1.1 port 1883. [NDM-3138]
Fixed duplicate 802.11k (Radio Resource Management) RRM: perform scan notified channel: events in the System log when changing Wi-Fi channel on Mesh Wi-Fi System nodes. [SYS-1098]
IntelliQoS rate limiting (ntce upstream rate-limit) is now working as intended. [NDM-3104]
Fixed the ntce-pace2: unable to proceed with data, exit error message with IntelliQoS service under certain conditions. [NDM-3115]
Fixed issue with running multiple Proxy Connections at the same time. [NDM-3122]
Fixed Dns::Proxy service crash when mirroring TCP requests to IntelliQoS. [SYS-1099]
Fixed the issue where Band Steering mode would reset to the None selection under certain conditions. [NDM-3126]
Fixed wireless client disconnect/connect event conditions that were causing incorrect notifications from the Keenetic mobile application. [NDM-3079]
SSTP VPN server address allocation now works correctly for IPv6 clients. [NDM-2821]
Fixed a reboot issue during ZeroTier connection setup. [SYS-1066]
Fixed the DNS proxy issue that caused the DNS_PROBE_FINISHED_NXDOMAIN error message in the web browser when Internet access was blocked by a schedule for another client. [SYS-1050]
Fixed incorrect application of the crypto map {name} virtual-ip dhcp route [{address}/{mask}] CLI command. [NDM-3053]
Schedule event handling has been improved to handle switching between Standard Time and Daylight Saving Time. [NDM-3036]
Fixed the system failed [0xcffd0c26] error message when creating/modifying a multipath Internet Connection Policy with a TunnelSixInFour connection. [NDM-3051]
Fixed the ndnproxy: [....] unable to send request: invalid argument error message in the System log. [NDM-3054]
The Proxy client compatibility issue that prevented it from working correctly with HTTPS servers has been fixed. [NDM-3020]
The system failed [0xcffd0287] error message when importing WireGuard VPN configurations has been fixed. [NDM-3045]
Fixed IPv6 in IPv4 Tunnels configuration in Web interface. [NWI-3076]
Fixed operation of static routes with the exclusive route option enabled. [NDM-3029]
The static DNS servers bound to the backup connection are no longer used for the active connection. [NDM-2990]
Fixed CLAT working in backup connection mode. [NDM-2885]
Traffic Monitor now correctly displays client traffic in VPN connections established over public networks. [SYS-1004]
Fixed Band Steering configuration errors on extenders. [NDM-2962]
Fixed Ping Check system failed [0xcffd0304], network unreachable error message that appears under certain conditions. [NDM-2906]
Fixed KeenDNS cloud connectivity over IPv6 protocol. [NDM-2894]
The problem that causes the error message Ndns::Tunnel: out of memory [0xcffe00ba] in the System log has been fixed. [NDM-2895]
Fixed display of disabled Internet connection status in the Web interface. [NDM-2890]
Fixed operation of OpenVPN connections using a custom Connection policy. [NDM-2888]