KeeneticOS 4.2
KeeneticOS release notes for Keenetic Speedster (KN-3010) in the Preview Channel
KeeneticOS releases in this channel provide the chance to be among the first to try the latest updates, performance improvements and new features, all with minimal risk. It is updated roughly every two weeks, with major updates about every two months. Releases here are typically more than a month in advance of release to the general audience in the Main Channel.
Keenetic Speedster (KN-3010) is currently in the Standard Updates support period and receives regular software updates, including security enhancements, new features, operating system updates, and bug fixes.
What’s new?
Welcome to KeeneticOS version 4.2! As usual, we have several performance improvements and bug fixes, but our main focus for this update is to introduce the new Web Interface and further improve support for the IPv6 protocol in various KeeneticOS services.
The new Web Interface has a refreshed look, with light and dark themes to choose from, and carefully selected usability enhancements. We've moved to an updated framework that supports modern security enhancements.
It is now possible to update KeeneticOS on all devices in the Wi-Fi system with a single click. In addition, the Autoupdate function automatically manages the updates of the connected extenders according to the schedule of the main router.
Clients connecting to the Home segment of the network are now automatically registered by default, improving security and ease of management.
The new Segment Default Policy option improves Internet access management for network clients. By default, a registered client will follow the connection policy associated with the network segment it is connecting to. For example, you can set up a separate Wi-Fi network at home with the same name as your office network and route its traffic to a VPN connection to your office. Then, when working from home, simply switch to the office Wi-Fi network to teleport immediately.
The new OpenConnect VPN server and client are now available. Connect networks or access your network remotely using free applications available for Android or iOS.
We value your support and participation in our community. Your valuable feedback helps us to continually improve Keenetic. If you have any questions, want to discuss the beta, report issues, or contact our development team, please visit our forum. Thank you for choosing Keenetic!
KeeneticOS 4.2.1
04/10/2024
New
The Wi-Fi System Controller is now able to manage the KeeneticOS update channel on the Wi-Fi System Extenders. [NDM-3419]
mws member {member} update channel {channel}
— set KeeneticOS{channel}
on an extender{member}
Fixed
Fixed issue with saving of Wireguard®
connect via
setting. [NDM-3467]Fixed an issue where open Wi-Fi network settings were corrupted after restarting the device. [NDM-3485]
The following fixes have been applied to the next-generation Web interface.
Fixed the status of the Use Syslog checkbox on the Diagnostics page. [NWI-3689]
Removed overscrolling in the Transition log tab on the Mesh Wi-Fi System page. [NWI-3694]
Fixed Allow WPS option to be stored in the Wi-Fi System Extender settings. [NWI-3697]
Fixed autocomplete in the command line interface of the Web CLI page. [NWI-3715]
Fixed flashing of the segment description. [NWI-3716]
Fixed the display of the disabled Wi-Fi interface warning on the Wi-Fi Monitor page. [NWI-3717]
Fixed the display of the Wi-Fi Channel width in Wi-Fi settings. [NWI-3730]
Fixed layout issues on wide screens. [NWI-3731]
Fixed an issue where the Mesh Wi-Fi System would not work correctly with extenders using KeeneticOS version
3.7
. [NDM-3491]Fixed an issue with the
community
filtering for SNMPv1 protocol. [SYS-1203]
KeeneticOS 4.2 Beta 4
18/09/2024
New
The new public DNS resolver presets from ControlD are now accessible on the Internet Safety page. [NDM-3452]
A standalone
Policy Table
mode has been implemented, which disables the automatic addition of static routes to the selected connection policy. [NDM-3445]ip policy {name} standalone
— enablestandalone
mode for connection policy{name}
.
WireGuard client connections now select a random listen port each time the tunnel reconnects. [NDM-3469]
Fixed
Fixed a memory leak in the VirtualIP IPSec VPN server application. [NDM-3460]
Fixed DNS leakage for custom Connection policies. [NDM-3468]
Fixed the employment of the SA AEAD mode cypher suite in Phase 2 for Site-to-Site IPsec VPN settings after device reboot. [NDM-3470]
The following fixes have been applied to the next-generation Web interface.
Fixed visual issues in the Transition Log tab on the Wi-Fi system page. [NWI-3658]
Locked toggles for Access Points on Extenders in the Mesh Wi-Fi system. [NWI-3634]
Fixed the colour contrast of system notifications. [NWI-3667]
Fixed horizontal scrolling of tables on mobile screens. [NWI-3683]
Fixed the link in the Current user has no password notification to open in the same tab. [NWI-3719]
Fixed the column titles of the UPnP Port Forwarding Table. [NWI-3688]
Fixed the drop-down lists overlapping with buttons. [NWI-3721]
Added custom port selection to the Proxy server address for Proxy connections. [NWI-3713]
KeeneticOS 4.2 Beta 3
04/09/2024
New
Added a CLI command to unbind the DDNS service requests from the specified interface. [NDM-3420]
interface {name} dyndns nobind
— disable DynDNS bind on interface{name}
.
Implemented a CLI command to enable the sending of the
client ID
for the WireGuard connection peer. [NDM-3427]interface {name} wireguard peer {peer} client-id send {value}
— setclient-id
as a decimal{value}
of the required hexadecimal ID for Wireguard{peer}
.
Added a CLI command to configure the
authgroup
value for the OpenConnect connection to ensure third-party compatibility. [NDM-3430]interface {name} openconnect authgroup {authgroup}
— set the{authgroup}
value to use with OpenConnect interface{name}
connection.
When accessing the Internet over the tunnel, clients of IKEv1/IPsec and IKEv2/IPsec VPN Server applications now follow the connection policy selected for the bound network segment. [NDM-3431]
Fixed
Restored the correct work of access to my.keenetic.net restriction from local network segments configured to prohibit services hosted on the Keenetic device. [NDM-3346]
Fixed the display of the Mesh Wi-Fi System clients shifting between bands in the Transition Log. [NDM-3412]
Fixed the application of the routes automatically received by the OpenVPN connection. [NDM-3415]
Fixed the socket leak in
nf_queue
. [NDM-3428]Fixed the underlying connection selection for the OpenConnect connections. [NDM-3434]
The following fixes have been applied to the next-generation Web interface.
Fixed the items displayed in the Destination IP column of the Active Connections tab in Diagnostics menu. [NWI-3633]
Fixed the IP address data display on the My networks and Wi-Fi card on the System Dashboard page for Extender devices. [NWI-3636]
Fixed the display of the Wireless ACL page for Extender devices. [NWI-3640]
Removed the unnecessary saving of the System Dashboard cards layout when the user logs in. [NWI-3635]
Fixed the Proxy server address validation for the Proxy Connections on the Other Connections page to permit the
127.0.0.1
host to serve as a proxy server. [NWI-3642]Fixed tabs display to fit the screen at lower resolutions better. [NWI-3393]
Fixed the menu scroll bar positioning on mobile screens. [NWI-3654]
Disabled the automatic capitalization property for user input fields. [NWI-3655]
An IP address display was added for OpenConnect VPN connections in a connected state. [NWI-3656]
Fixed the DNS servers link on the System Dashboard's Internet card. [NWI-3660]
Fixed the WireGuard connection configuration import to ignore the invalid
PersistentKeepalive
property. [NWI-3659]Fixed the Packet size setting for the Network Connection Test tools on the Diagnostics page. [NWI-3661]
Fixed the width of notification banners. [NWI-3662]
Fixed the System Component Options links from the Applications card on the System Dashboard. [NWI-3664]
Fixed the copy-to-clipboard control for the Public key in WireGuard connection settings. [NWI-3666]
Fixed the false positive No new routes found error when importing network routes from the file. [NWI-3670]
KeeneticOS 4.2 Beta 2
08/08/2024
Improved
Mesh Wi-Fi system controller now propagates segments without Wi-Fi access points to extenders. [NDM-3210]
Disabled DTLS (Datagram Transport Layer Security) support for the OpenConnect VPN server in KeenDNS cloud mode to improve compatibility with the VPN Client Pro application. [NDM-3394]
Enabled caching of the saved configuration to improve the Web interface response time and reduce CPU load. [NWI-3643]
Fixed
Fixed an issue where IPv6 static DNS configuration entries were cleared after the device started. [NDM-3390]
Resolved the issue causing unstable connectivity between local and remote networks in a multi-subnet configuration of a site-to-site IPsec VPN tunnel, secured in Phase 1 by IKEv1. [NDM-3381]
Fixed the display of the Transition Log for Mesh Wi-Fi system clients on mobile devices. [NWI-3579]
KeeneticOS 4.2 Beta 1
24/07/2024
New
We are introducing the next-generation Web interface as the standard UI for configuring and managing your Keenetic device. [NDM-3378]
You can now assign Network ports on Extender devices to any configured network segment using the Command Line Interface (CLI). Alternatively, you may wish to disable the Network ports for security reasons. [NDM-3162]
mws member {member} port {port} [no] access {interface}
— assign{port}
on a{member}
node to access an{interface}
segment;mws member {member} port {port} [no] disable
— disable{port}
on a{member}
node.
Enhanced software packet processing engine to enable acceleration for traffic with a manually set TTL value. [SYS-1157]
The new IntelliQoS option allows 802.1p priority code point (PCP) mapping for egress packets in the command line interface (CLI). [NDM-3318]
interface {name} vlan qos egress map {priority} {pcp}
{priority}
— NTCE priority queue number. Use0
to assign the same PCP value to any outgoing packet on the interface;{pcp}
— set the new value of the 802.1p priority code point.
The implementation of a ZeroTier connection now includes accepting managed routes and DNS servers published on the ZeroTier network controller. [NDM-3319]
The
camouflage
mode option has been added to both SSTP VPN and OpenConnect VPN servers and clients, providing greater security against remote service scanning. [NDM-3257]oc-server camouflage
— enablecamouflage
option for the OpenConnect VPN serversstp-server camouflage
— enablecamouflage
option for the SSTP VPN server
The new OpenConnect VPN client system component is now available, allowing you to establish a secure connection to a remote server via the command line interface (CLI). [NDM-3207]
A new CLI
grep
extension is now available to filter the output of theshow
command. [NDM-3075]grep [-A <n>] [-B <n>] [-C <n>] regex
— trim theshow
command output using theregex
regular expression.-A
— number of XML nodes to show after match.-B
— number of XML nodes to show before match.-C
— displayed XML cluster depth.
For example:
(config)>
show interface | grep address
Interface, name = "Home" address: 192.168.2.1 ipv6: Interface, name = "Guest" address: 10.1.30.1 ipv6: (config)>show system | grep cpuload
cpuload: 5
A new segment default policy for hosts has been implemented and is now enabled by default. Registered devices with this connection policy assigned will follow the default connection policy of the network segment they are connecting to. [NDM-2237]
ip hotspot host {MAC} conform
— set host with specified{MAC}
to follow the current segment's connection policy.
The new application filtering option is now available in the Application traffic analyser service via command line interface (CLI). This option allows to create a filtering profile, add required applications, assign a host or segment to the filtering profile and enable the operation schedule. [NDM-3069]
ntce filter profile {name} application {application}
— add an application to the profile.ntce filter profile {name} group {group}
— add an application group to the profile.ntce filter profile {name} type {type}
— set the profile type, which can bepermit
ordeny
.ntce filter profile {name} description {description}
— set the profile description.ntce filter profile {name} schedule {schedule}
— set the profile schedule.ntce filter assign host {host} {profile}
— assign a profile to a registered host (MAC address).ntce filter assign interface {interface} {profile}
— assign a profile to an interface.
The new option to automatically register hosts in the Home segment is now available (enabled by default). You can disable this behaviour using the command line interface (CLI). [NDM-3101]
ip hotspot auto-register disable
— disable automatic host registration for the Home segment.
The new OpenConnect VPN server system component is now available, providing a remote SSL VPN connection to your Keenetic. [NDM-3141]
oc-server interface {interface}
— bind OpenConnect server to an interface.oc-server pool-range {begin} {size}
— set OpenConnect address pool.oc-server static-ip {name} {address}
— set static IP address for a user.oc-server mtu {mtu}
— set OpenConnect server MTU.oc-server multi-login
— enable multiple connections with the same user account.ip nat oc
— enable NAT for OpenConnect clients.service oc-server
— enable OpenConnect service.
Improved
Implemented dynamic table size adjustment with
nf_conntrack_max
value forsoftware ppe
(Packet Processing Engine) when the user changes maximum NAT sessions via command line interface (CLI). [NDM-3344]
The SNTP service compatibility enhancement adds support for
Reference Identifier
andReference Timestamp
values in SNTP responses based on RFC4330. [NDM-3368]
The OpenSSL library has been moved to a different branch with the latest version
3.0.13
. [SYS-1152]Improved robustness of the DNS over TLS and DNS over HTTPS server cache. [NDM-3320]
The clients of the VPN Server (PPTP, SSTP and OpenConnect) now access the Internet following the Connection Policy of the local network to which the server is bound. [NDM-3295]
The implementation of IKEv1/IKEv2 IPsec VPN servers now allows to avoid IP address conflicts with other interfaces. [NDM-3250]
Improved host detection using
EchoReq
in theICMPv6
protocol to ensure correct operation of port forwarding rules for the IPv6 protocol. [NDM-3265]The Phase 2 of the site-to-site IPsec tunnel now supports the SHA512 HMAC algorithm. [NDM-3269]
crypto ipsec transform-set {name} hmac esp-sha512-hmac
— enableesp-sha512-hmac
algorithm for transform-set{name}
Added MAC address and registration time information to the name of devices registered automatically. This will help you easily identify and keep track of the devices on your network. [NDM-3253]
Implemented an
aggressive
mode option for the IKEv1 client in the command line interface (CLI) for compatibility with VPN (IPsec) servers running on Fritz!Box routers. [NDM-3227]interface {name} ipsec aggressive
— set theaggressive
Phase 1 mode for VPN connection{name}
A new read/send timeout option allows the session lifetime for Web applications of the KeenDNS proxy service to be set via the command line interface (CLI). [NDM-3157]
ip http proxy {name} timeout {timeout}
— set{timeout}
for KeenDNS{name}
proxy.
The WireGuard advanced security configuration (ASC) parameters are now available in the command line interface (CLI). [NDM-3202]
interface {name} wireguard asc {jc} {jmin} {jmax} {s1} {s2} {h1} {h2} {h3} {h4}
— set additional ASC parameters for WireGuard{name}
tunnel.
Disabling Port Forwarding (
ip static
) rules now forces matching active sessions to be dropped. [NDM-3067]Implemented new options to preserve Referer and Origin headers for Web applications of the KeenDNS proxy service in the command line interface (CLI). [NDM-3089]
ip http proxy {name} preserve-referer
— preserve Referer header for{name}
of the web proxy rule.ip http proxy {name} preserve-origin
— preserve Origin header for{name}
of the web proxy rule.
A NetFlow monitor system component can now collect IPv6 traffic information and monitor network flows. [NDM-3109]
The
MOBIKE
extension (RFC 4555) has been enabled for both the IKEv2/IPsec VPN Server and the IKEv2 client. [NDM-3164]
Fixed
Fixed incorrect application of a DNS query filtering rule for IPv6 link-local addresses that occurred under certain conditions. [NDM-3379]
Fixed an issue where the channel number would incorrectly display as zero when connected via Wireless ISP (WISP). [SYS-1171]
Fixed the PPTP VPN connection stalling on the backup connection after the primary connection is restored. [NDM-3376]
A problem that caused the
OpenVPN: Connection reset, restarting
error message to appear in the System log has been fixed. [NDM-3355]
Fixed IPv6 ULA (Unique local address) prefix announcements with incorrect
A
bit. [NDM-3350]The L2TP/IPsec VPN client now uses a random source port to avoid connection problems when multiple VPN L2TP/IPsec connections are established behind NAT on an upstream router. [NDM-3349]
Fixed selection of the best node for wireless backhaul connection in the Mesh Wi-Fi System. [SYS-1161]
Fixed IPv6 traffic accounting with the hardware packet processing engine disabled. [NDM-3234]
Fixed remote access over an IKEv2/IPsec VPN connection to a local network host for which a SNAT mapping rule is configured. [NDM-3310]
Fixed the DynDNS domain name validation; now it's possible to use only one domain. [NDM-3309]
Enabled the SNMP reports by OID
ifAdminStatus
to monitor the operational state of device ports via third-party software. [NDM-3296]
Fixed the forwarding of the source IP address in the
X-Real-IP
header when accessing web applications via KeenDNS. [NDM-2214]Fixed access to the KeenDNS Web Applications configured with prohibited remote access (
security-level private
) from the home network. [NDM-3264]
Incomplete application of static IPv6 routes when re-establishing an associated VPN connection after a reboot fixed. [NDM-3248]
UPnP service rules are now correctly applied to clients accessing the Internet using the Connection policy with active multipath mode. [NDM-3251]
Fixed DNS query interception in the additional network segments. [NDM-3228]
Fixed priority of user-defined
ip static
rules over automatic UPnP port forwarding rules to a host. [NDM-3078]Fixed home network access for L2TP/IPsec VPN server clients when
ip static
rules are configured on WAN IP aliases. [NDM-3110]Fixed binding to the WAN address and inbound access to the service port for the ZeroTier client connection. [NDM-3216]
Fixed iOS L2TP/IPsec client disconnecting under heavy load. [NDM-3180]
The CloudFlare content filter has been corrected to work properly on networks that do not support IPv6. [NDM-3163]
Fixed port forwarding issues after Hotspot (
ip hostspot
) code refactoring. [NDM-3127, NDM-3171]