KeeneticOS 4.0
What’s new?
Welcome to the release of KeeneticOS version 4.0! We are excited to share with you the many new features, fixes and improvements that this release brings. Our main focus for this update is to significantly improve support for the IPv6 protocol in various KeeneticOS services.
Firstly, we have implemented the new IPv6 prefix delegation option, which allows for efficient subnetting. We have also incorporated key IPv6 standards such as 464clat (RFC6877) and RFC6204 (WAA-8) into our system.
One of the notable enhancements in this release is the Application Traffic Analyser's support for IPv6 protocol traffic classification. We have also introduced host traffic accounting specifically for the IPv6 protocol, ensuring accurate calculations of incoming and outgoing data for your home devices.
The connection policy has been updated to include the IPv6 protocol, further extending the capabilities of KeeneticOS. The web interface now provides core support for IPv6 connections, enabling seamless management.
For users of the Wireguard VPN component, we are pleased to announce that it now internally supports the IPv6 protocol for VPN connections. In addition, the SNMP server and WebDAV server have also been updated to support IPv6.
We understand the importance of DNS configuration and with this release, we have introduced the ability to bind DNSv6 addresses through the command line interface (CLI), giving you more control over your network settings.
In terms of USB port management, we have added the new USB port power management and on-demand mode. This feature allows you to power down your 3G/4G modem or any connected USB device when it's not needed, saving both mobile traffic and money.
We have also expanded the list of supported 4G/3G USB modems to include popular models such as Huawei ME906E, Fibocom L830-EB, Askey WWHC050, Telit LN960 and more.
To enhance your Dynamic DNS (DDNS) capabilities, we have included the new deSEC (desec.io) service as part of the system component.
Finally, we are excited to introduce the Multiple Subnets option for site-to-site IPsec VPN connections in Phase 2. This feature will allow network connectivity between multiple subnets via a VPN tunnel, increasing the versatility of your Keenetic device.
KeeneticOS 4.0.7
27/11/2023
New
New USB modems are now supported, including:
Huawei e3331s-2 3G USB modem. [NDM-2810]
Vodafone K5150 (
ProdID=1c26
) 4G Cat 4 USB modem. [NDM-2994]
Fixed
Fixed a high CPU load issue caused by the
DNS proxy
process going into an infinite loop due to frequent TCP requests on the network. [SYS-1034]
The issue with the OpenVPN server showing a Not Connected state after the router reboot has been fixed. [NDM-2874]
Fixed application of Internet safety profiles to clients with assigned routing policies. [NDM-2928]
Multiple connections to the IKEv2/IPsec VPN server now operate correctly using the same login credentials. [NDM-2986]
Disabled global scope in IPv6 ULA prefix announcement to prevent clients from using local addresses as the default connection and unavailability by KeenDNS name. [NDM-2993]
The Wireless ISP (WISP) connections to both bands now operate correctly. [SYS-989]
Fixed wireless client rejection with
STA had re-associated from 00:00:00:00:00:00
message in the System log. [SYS-1029]The
strongSwan
service configuration can now be applied correctly under special conditions. [SYS-1033]Fixed an issue that prevented the IPsec VPN tunnel connection after restarting the router. [NDM-3019]
Fixed an issue that caused the system language to be installed incorrectly when updating using the Initial Setup Wizard. [NDW3-1041]
KeeneticOS 4.0.5
17/10/2023
New
Added new TCP+UDP/3389 - Remote Desktop Protocol (RDP) Port Forwarding rule preset in the Web Interface. [NWI-2890]
Fixed
Fixed reinstallation of default route when changing WireGuard tunnel priority in Connection policy. [NDM-2933]
The error message
Could not bind on given addresses: Address in use
in the System log no longer appears when using DNS-over-TLS (DoT) server settings. [SYS-1007]Adjusted the maximum number of sessions for the
swnat
service to match theconntrack
settings in configuration. [SYS-980]Fixed wireless connection of HP LaserJet printers using WPS technology. [SYS-988]
Fixed the
hash-ends-dial
function to retain the disabled state after router reboot for the Keenetic Phone Station system component. [VOX-298]Fixed broken Command Line Interface (CLI) command
no rekey-interval
for wireless interfaces. [SYS-990]Sorting the Traffic priority column on the Clients list page now works as intended. [NWI-2889]
Fixed the display of the Band Steering setting in the Web Interface. [NWI-2993]
The Force UDP and IKEv2 checkboxes in the EoIP/IPsec settings in the Web Interface now work correctly. [NWI-2981]
Fixed time zone synchronisation on Extenders in a Mesh Wi-Fi System. [NDM-2918]
Fixed wireless backhaul operation on extenders with scheduled Wi-Fi radio shutdowns. [NDM-2912]
Fixed client bandwidth limitation configured via RADIUS server options for the Captive portal system component. [NDM-2947]
The issue that caused the system to reboot with the
FT_KDP_EventInform
error message has been fixed. [SYS-994]The Huawei E3276 modem polling no longer causes a
125001
error in the System log. [NDM-2967]Fixed missing traffic statistics for a network with the number of registered devices approaching 200. [SYS-1014]
KeeneticOS 4.0.4
24/08/2023
Improved
The OpenSSL library is updated to the latest version
3.0.10
, which fixes the following list of vulnerabilities: CVE-2023-3817, CVE-2023-3446, CVE-2023-2975. [SYS-949]
Fixed
Fixed use of static
78.47.125.180
DNS record use for the KeenDNS direct mode. [NDM-2905]Fixed PPPoE session disconnect when renewing DHCP address on a parent interface. [NDM-2904]
Restored saving of the Multiple sign-in checkbox for IKEv1/IPsec and IKEv2/IPsec VPN servers. [NDM-2853]
The cause of the
wind: failed to make ioctl call: network is down
message in the System log has been fixed. [NDM-2887]Fixed operation of OpenVPN connections using a custom Connection policy. [NDM-2888]
Fixed source IPv4 address selection when
ip alias
addresses are configured. [SYS-945]Fixed an issue with duplicate detection where the Extender would appear in the list of unregistered devices if its IP address was changed. [NDM-2892]
Fixed
ifstatechanged.d
arguments; added newiflayerchanged.d
hook for OPKG system component. [NDM-2897]Enabling traffic shaping for registered clients no longer causes problems with web browsing. [SYS-953]
Fixed timeouts when accessing websites using a custom Connection policy with multipath enabled. [NDM-2792]
Fixed unnecessary restart of the
dhcp6d
daemon after saving segment settings. [NDM-2916]
KeeneticOS 4.0.2
03/08/2023
New
Implemented a new option to de-announce IPv6 prefixes for backup connections. [NDM-2805]
Implemented a new option to send SIP keep-alive messages to all SIP servers listed in the DNS SRV record. [VOX-278]
nvox sip {id} keep-alive-extended
— enablekeep-alive-extended
option for specified{id}
SIP line
The WebDAV Server application now supports IPv6 protocol access. [NDM-737]
Implemented a new
ip
format option for the DCHP server in the command line interface (CLI): [NDM-2755]ip dhcp pool {name} option {2..254} ip {address[,address]*}
— set IP addressip
for certain DCHPoption
number
The Fibocom L830-EB 4G LTE Cat 6 UsbLte-type modem module is now supported. [NDM-2742]
The new option to bind DNSv6 addresses is now available via the command line interface (CLI), as follows:
ipv6 name-server {address} [{domain} [on {interface}]]
— bind DNSv6{address}
on specified{interface}
;for example:
ipv6 name-server 123::456 "" on UsbLte0
The Web Interface's new custom HTTPS server port allows you to free up a standard
TCP/443
port and forward it to any device on your local network. [NDM-2670]ip http ssl port {port}
— assign a different{port}
for HTTPS server of the Web Interface
The setting for the new On-demand type of Internet connection is available from the Command Line Interface (CLI). The On-demand type of connection is automatically disconnected if a higher priority Internet connection is running. [NDM-2643]
interface {name} standby enable
— switch connection type to On-demand for specified interface{name}
The new 464clat (RFC6877) option has been implemented for the IPv6 transition mechanism. [NDM-2121]
The SNMP server system component now supports IPv6 protocol operation. [NDM-2653]
The new Huawei ME906E 4G LTE Cat 3 modem module is now supported. [NDM-2582]
The Application traffic analyser now supports traffic classification for the ICMP protocol. [SYS-760]
New USB port power management is now available via CLI commands. You can power on/off USB ports or assign a schedule profile. [NDM-2550]
Use the following CLI commands:
system usb {port} power shutdown
— power off specified USB{port}
system usb {port} power schedule {schedule}
— assign schedule to specified USB{port}
The new deSEC (desec.io) service is available for the Dynamic DNS (DDNS) client system component. [NDM-2540]
A new CLI command allows the deactivation of an internal
storm-control
feature for a specific interface:interface {name} storm-control disable
— disable storm-control on{name}
interface
The new IPv6 Prefix Delegation option has been implemented for subnetting. [NDM-1976]
Use the following CLI commands to set:
ipv6 subnet {name} prefix length {length}
— set subnet prefix lengthipv6 subnet {name} prefix delegate {delegate}
— set delegated prefix length (must be shorter than prefix length)
A typical configuration Prefix Delegation for a Home segment looks like follows:
ipv6 subnet Default bind Home mode dhcp prefix length 63 prefix delegate 64 number 0
The new multiple subnets option is available for Site-to-site IPsec VPN connections in Phase 2, providing network connectivity between several subnets over a VPN tunnel. [NDM-313]
Use the following CLI commands to set:
object-group ip {name}
— create a new object groupinclude (ip | tcp | udp | tcpudp | icmp) {address} [{port} [{end-port}]]
exclude (ip | tcp | udp | tcpudp | icmp) {address} [{port} [{end-port}]]
crypto map {name} traffic-selectors {local} {remote}
— assign local/remote object groups as Phase 2 selectors
The new Add local subnet and Add remote subnet options are available for Site-to-site IPsec VPN connections on the Internet > Other connections page.
Implemented frequency band selection option for Huawei modems with
NDIS
-type. [NDM-2151]Implemented host traffic accounting for IPv6 protocol, providing correct calculation for the incoming/outgoing data of your home devices. [SYS-648]
The Application traffic analyser now supports traffic classification for the IPv6 protocol. [SYS-652]
The Traffic shaper system component now supports operation with the IPv6 protocol, providing correct traffic limitation for data flows of IPv4/IPv6 together. [SYS-658]
New USB modem modules are now supported, including:
Askey WWHC050 4G QMI-type modem module. [NDM-2434]
Telit LN960 4G Cat 9 QMI-type modem module. [NDM-2502]
The Web Interface receives core support for IPv6 connections. [NDM-2448]
The OpenVPN client and server system component now supports the IPv6 protocol for VPN connection. [NDM-2451]
The Wireguard VPN component now internally supports the IPv6 protocol for VPN connection. [NDM-2452]
Implemented support for 802.1Q tagged VLAN traffic over
AccessPoint
andWifiStation
(Wireless ISP) interfaces. [SYS-682]The new HTTP/HTTPS URI mode of the Ping Check allows you to specify the host address to check using a URI (Uniform Resource Identifier). [NDM-2490]
Use the following CLI commands to set:
ping-check profile {name} mode (icmp | connect | tls | uri)
— enable URI checking for Ping Check profile{name}
ping-check profile {name} uri {uri}
— set URI
Connection policy now operates with the IPv6 protocol. [NDM-2515]
Improved
Faster and more reliable operating system updates for Mesh Wi-Fi nodes. The structure of the Mesh Wi-Fi System and the connections between nodes now determine the order in which nodes are updated. [NDM-2816]
Updated the
netatalk
service used in the AFP file sharing system component to version3.1.15
. [SYS-929]The Web interface now supports the Danish language. [SYS-907]
Added ICMPv6 support to
ipv6 static
rules, allowing pingv6 to local devices with IPv6 addresses. [NDM-2760]ipv6 static (... | icmpv6) [interface] {mac}
— enableicmpv6
protocol for specified{mac}
Implemented propagation of Network Time Protocol settings to extenders in the Wi-Fi System. [NDM-2508]
The SIP Registration timeout has been increased to
86400
seconds. [VOX-268]Support for the Samsung GT-B3730 USB modem has been discontinued. [NDM-2746]
The initial Ping Check state has been changed to a negative state to avoid using a non-working connection to access the Internet. Reduced initial Ping Check time. [NDM-1837]
KeeneticOS can now display and operate on LTE bands above 43 with external USB modems of the
UsbQmi
andUsbLte
types. [NDM-1686]
The Firewall service now flushes corresponding sessions when firewall rules are enabled or disabled. [NDM-2690]
The maximum MTU size has been increased to
1514
bytes, providing PPPoE MTU =1500
bytes over VLAN. [SYS-812]
The
ip alias
configuration no longer affects the NAT translation for the primary PPPoE connection. [SYS-806]
Added a
robots.txt
file to the Web Interface server to prevent indexing by search engines. [NDM-2673]
Added an action to unmount USB drives when the USB port is powered off. [NDM-2589]
The CLI command for sending init AT commands has a new syntax for the
UsbModem
,UsbLte
, andUsbQmi
interfaces: [NDM-2564]interface {name} tty init {command}
— new syntax for all modem types, for example:interface UsbQmi0 tty init ati
interface UsbModem0 modem init {command}
— old syntax, now obsolete;interface UsbLte0 lte init {command}
— old syntax, now obsolete.
The AFP file sharing system component is updated to version
3.1.14
. [NDM-2600]The web UI of the Download station application is updated to version
1.6.1
. [SYS-757]
The
ipv6 firewall
CLI command has been deprecated and removed. [NDM-1731]The network interface status tracking mechanism in KeeneticOS has been redesigned to provide better IPv6 protocol support and faster Web Interface response. [NDM-2415]
Improved compatibility of SMB file and printer sharing system component with Total commander application. [NDM-2574]
The new WAN IPv6 address assignment option has been implemented in accordance with the RFC6204 (WAA-8) standard. [NDM-2549]
Increased KeenDNS service web application records from
160
to256
. [NDM-2519]
Fixed
Wireless connection with WPA3-PSK (
SAE-H2E
method) security no longer triggers a system reboot. [SYS-932]
Network segmentation has been fixed to prevent Guest segment devices from accessing the settings of Extender nodes. [NDM-2744]
Fixed support for Microsoft Point-to-Point Encryption (MPPE) on L2TP/IPsec connections. [NDM-2859]
The name of the segment and other description fields are now protected against the XSS vulnerability in the Web interface. [NWI-2715]
Enabling the DNS transit requests feature correctly disables DNS packet interception. [NDM-2769]
Fixed HTTP server configuration errors after changing the interface security level under certain conditions. [NDM-2832]
Fixed
GigabitEthernet1 is off-board
error when deleting Wired connection via port 0 in the Web interface. [NDM-2651]
Corrected traffic counting when multiple WAN connections are active. [SYS-880]
Fixed Wi-Fi connection issue when switching channel width from 80 to 20 MHz. [SYS-893]
It is now possible to add new extenders to the Wi-Fi system without an Internet connection. [NDM-2594]
Fixed some minor visual issues with the Web interface layouts. [NWI-2675, NWI-2676]
Fixed positioning of Web UI elements on the System Dashboard page when zooming in Safari iOS 16. [NWI-2626]
The Scan the air feature now accurately displays the list of available mobile operators, even if the operator name contains the special character '
)
'. [NDM-2788]Fixed the GRE/IPsec connection issue when using IKEv2 and Cisco iOS/Nx-Os endpoints. [NDM-2789]
Sorting in the Channels column on the Wi-Fi Monitor page now works correctly. [NWI-2603]
Corrected the layout of the dialogue box of the Fail-safe function. [NWI-2635]
Fixed incorrect local and remote IKEv2 proposal IDs when using GRE/IPsec tunnels. [NDM-2750]
Fixed an issue that caused the router to restart when writing a file using the SMB protocol. [NDM-1738]
The misclassification of traffic from registered devices as traffic from unregistered devices in the traffic accounting has been corrected. [SYS-846]
Disabled the use of name servers (DNS servers) on offline backup connections. [NDM-795]
The static route for the WireGuard® VPN remote peer is no longer removed after changes are made to the underlying connection of the WireGuard VPN tunnel. [NDM-2522]
Asymmetric speed limiting now works correctly for registered devices when IntelliQoS is enabled. [SYS-836]
The multipath policies now work correctly and do not use connections with negative Ping Check testing results. [NDM-2706]
Prevented IPsec configuration failure using a cryptographic key
crypto ike key
with an unsupported length greater than 72 characters. [NDM-2562]
The DNS servers toggle now operates as intended for
UsbLte
interfaces. [NWI-1542]
The default route is now correctly assigned for HTTP/HTTPS/SOCKS5 proxy interfaces. [NDM-2366]
The default route via the IPoE interface is now automatically restored after the PPP (PPPoE, L2TP, PPTP) interface is deleted. [NDM-2575]
Fixed
connected
state for interfaces with a statically configured IP address. [NDM-2551]
The 4G
NDIS
-type USB modems from Huawei are now correctly configured with the APN setting. [NDM-2524]The use of WireGuard® tunnels as the default route with the IPv6 protocol is now fixed. [NDM-2535]
The
interface ipv6 force-default
CLI command has been brought back into support for backward compatibility. [NDM-2545]