KeeneticOS 4.0
What’s new?
Welcome to the release of KeeneticOS version 4.0! We are excited to share with you the many new features, fixes and improvements that this release brings. Our main focus for this update is to significantly improve support for the IPv6 protocol in various KeeneticOS services.
Firstly, we have implemented the new IPv6 prefix delegation option, which allows for efficient subnetting. We have also incorporated key IPv6 standards such as 464clat (RFC6877) and RFC6204 (WAA-8) into our system.
One of the notable enhancements in this release is the Application Traffic Analyser's support for IPv6 protocol traffic classification. We have also introduced host traffic accounting specifically for the IPv6 protocol, ensuring accurate calculations of incoming and outgoing data for your home devices.
The connection policy has been updated to include the IPv6 protocol, further extending the capabilities of KeeneticOS. The web interface now provides core support for IPv6 connections, enabling seamless management.
For users of the Wireguard VPN component, we are pleased to announce that it now internally supports the IPv6 protocol for VPN connections. In addition, the SNMP server and WebDAV server have also been updated to support IPv6.
We understand the importance of DNS configuration and with this release, we have introduced the ability to bind DNSv6 addresses through the command line interface (CLI), giving you more control over your network settings.
To enhance your Dynamic DNS (DDNS) capabilities, we have included the new deSEC (desec.io) service as part of the system component.
Finally, we are excited to introduce the Multiple Subnets option for site-to-site IPsec VPN connections in Phase 2. This feature will allow network connectivity between multiple subnets via a VPN tunnel, increasing the versatility of your Keenetic device.
KeeneticOS 4.0.7
27/11/2023
Fixed
Fixed a high CPU load issue caused by the
DNS proxy
process going into an infinite loop due to frequent TCP requests on the network. [SYS-1034]
The issue with the OpenVPN server showing a Not Connected state after the router reboot has been fixed. [NDM-2874]
Fixed application of Internet safety profiles to clients with assigned routing policies. [NDM-2928]
Multiple connections to the IKEv2/IPsec VPN server now operate correctly using the same login credentials. [NDM-2986]
Disabled global scope in IPv6 ULA prefix announcement to prevent clients from using local addresses as the default connection and unavailability by KeenDNS name. [NDM-2993]
The issue that caused the system to reboot in the
CmdSetTxPowerCtrl
has been fixed. [SYS-1026]Fixed wireless client rejection with
STA had re-associated from 00:00:00:00:00:00
message in the System log. [SYS-1029]The
strongSwan
service configuration can now be applied correctly under special conditions. [SYS-1033]Fixed an issue that prevented the IPsec VPN tunnel connection after restarting the router. [NDM-3019]
Fixed an issue that caused the system language to be installed incorrectly when updating using the Initial Setup Wizard. [NDW3-1041]
KeeneticOS 4.0.5
17/10/2023
New
Added new TCP+UDP/3389 - Remote Desktop Protocol (RDP) Port Forwarding rule preset in the Web Interface. [NWI-2890]
Fixed
Fixed reinstallation of default route when changing WireGuard tunnel priority in Connection policy. [NDM-2933]
The error message
Could not bind on given addresses: Address in use
in the System log no longer appears when using DNS-over-TLS (DoT) server settings. [SYS-1007]Adjusted the maximum number of sessions for the
swnat
service to match theconntrack
settings in configuration. [SYS-980]Fixed wireless connection of HP LaserJet printers using WPS technology. [SYS-988]
Fixed broken Command Line Interface (CLI) command
no rekey-interval
for wireless interfaces. [SYS-990]Sorting the Traffic priority column on the Clients list page now works as intended. [NWI-2889]
Fixed the display of the Band Steering setting in the Web Interface. [NWI-2993]
The Force UDP and IKEv2 checkboxes in the EoIP/IPsec settings in the Web Interface now work correctly. [NWI-2981]
Fixed time zone synchronisation on Extenders in a Mesh Wi-Fi System. [NDM-2918]
Fixed wireless backhaul operation on extenders with scheduled Wi-Fi radio shutdowns. [NDM-2912]
Fixed client bandwidth limitation configured via RADIUS server options for the Captive portal system component. [NDM-2947]
The issue that caused the system to reboot with the
FT_KDP_EventInform
error message has been fixed. [SYS-994]Fixed missing traffic statistics for a network with the number of registered devices approaching 200. [SYS-1014]
KeeneticOS 4.0.4
24/08/2023
Improved
The OpenSSL library is updated to the latest version
3.0.10
, which fixes the following list of vulnerabilities: CVE-2023-3817, CVE-2023-3446, CVE-2023-2975. [SYS-949]
Fixed
Fixed use of static
78.47.125.180
DNS record use for the KeenDNS direct mode. [NDM-2905]Fixed PPPoE session disconnect when renewing DHCP address on a parent interface. [NDM-2904]
Restored saving of the Multiple sign-in checkbox for IKEv1/IPsec and IKEv2/IPsec VPN servers. [NDM-2853]
Fixed IPv6 connection incompatibility with the A1 operator in Belarus. [SYS-930]
The cause of the
wind: failed to make ioctl call: network is down
message in the System log has been fixed. [NDM-2887]Fixed operation of OpenVPN connections using a custom Connection policy. [NDM-2888]
Fixed source IPv4 address selection when
ip alias
addresses are configured. [SYS-945]Fixed an issue with duplicate detection where the Extender would appear in the list of unregistered devices if its IP address was changed. [NDM-2892]
Enabling traffic shaping for registered clients no longer causes problems with web browsing. [SYS-953]
Fixed timeouts when accessing websites using a custom Connection policy with multipath enabled. [NDM-2792]
Fixed unnecessary restart of the
dhcp6d
daemon after saving segment settings. [NDM-2916]
KeeneticOS 4.0.2
03/08/2023
New
Implemented a new option to de-announce IPv6 prefixes for backup connections. [NDM-2805]
Implemented a new
ip
format option for the DCHP server in the command line interface (CLI): [NDM-2755]ip dhcp pool {name} option {2..254} ip {address[,address]*}
— set IP addressip
for certain DCHPoption
number
The new option to bind DNSv6 addresses is now available via the command line interface (CLI), as follows:
ipv6 name-server {address} [{domain} [on {interface}]]
— bind DNSv6{address}
on specified{interface}
;for example:
ipv6 name-server 123::456 "" on UsbLte0
The Web Interface's new custom HTTPS server port allows you to free up a standard
TCP/443
port and forward it to any device on your local network. [NDM-2670]ip http ssl port {port}
— assign a different{port}
for HTTPS server of the Web Interface
The setting for the new On-demand type of Internet connection is available from the Command Line Interface (CLI). The On-demand type of connection is automatically disconnected if a higher priority Internet connection is running. [NDM-2643]
interface {name} standby enable
— switch connection type to On-demand for specified interface{name}
The Country and Time Zone Confirmation popup will appear when you enter the Web Interface. This confirmation is needed to improve communication with the Keenetic Cloud, time synchronization servers, proper Wi-Fi network announcement, and legal consent. [NWI-1437]
In accordance with the requirements of the Federal Law of the Russian Federation No. 152, the Device Privacy Notice will be displayed for your review when you confirm that your country of operation is the Russian Federation.
The new 464clat (RFC6877) option has been implemented for the IPv6 transition mechanism. [NDM-2121]
The EAEU regional code replaces the former RU code. [NDM-2396]
The SNMP server system component now supports IPv6 protocol operation. [NDM-2653]
The Application traffic analyser now supports traffic classification for the ICMP protocol. [SYS-760]
The new deSEC (desec.io) service is available for the Dynamic DNS (DDNS) client system component. [NDM-2540]
A new CLI command allows the deactivation of an internal
storm-control
feature for a specific interface:interface {name} storm-control disable
— disable storm-control on{name}
interface
The new IPv6 Prefix Delegation option has been implemented for subnetting. [NDM-1976]
Use the following CLI commands to set:
ipv6 subnet {name} prefix length {length}
— set subnet prefix lengthipv6 subnet {name} prefix delegate {delegate}
— set delegated prefix length (must be shorter than prefix length)
A typical configuration Prefix Delegation for a Home segment looks like follows:
ipv6 subnet Default bind Home mode dhcp prefix length 63 prefix delegate 64 number 0
The new multiple subnets option is available for Site-to-site IPsec VPN connections in Phase 2, providing network connectivity between several subnets over a VPN tunnel. [NDM-313]
Use the following CLI commands to set:
object-group ip {name}
— create a new object groupinclude (ip | tcp | udp | tcpudp | icmp) {address} [{port} [{end-port}]]
exclude (ip | tcp | udp | tcpudp | icmp) {address} [{port} [{end-port}]]
crypto map {name} traffic-selectors {local} {remote}
— assign local/remote object groups as Phase 2 selectors
The new Add local subnet and Add remote subnet options are available for Site-to-site IPsec VPN connections on the Internet > Other connections page.
Implemented host traffic accounting for IPv6 protocol, providing correct calculation for the incoming/outgoing data of your home devices. [SYS-648]
The Application traffic analyser now supports traffic classification for the IPv6 protocol. [SYS-652]
The Traffic shaper system component now supports operation with the IPv6 protocol, providing correct traffic limitation for data flows of IPv4/IPv6 together. [SYS-658]
The Web Interface receives core support for IPv6 connections. [NDM-2448]
The OpenVPN client and server system component now supports the IPv6 protocol for VPN connection. [NDM-2451]
The Wireguard VPN component now internally supports the IPv6 protocol for VPN connection. [NDM-2452]
Implemented support for 802.1Q tagged VLAN traffic over
AccessPoint
andWifiStation
(Wireless ISP) interfaces. [SYS-682]The new HTTP/HTTPS URI mode of the Ping Check allows you to specify the host address to check using a URI (Uniform Resource Identifier). [NDM-2490]
Use the following CLI commands to set:
ping-check profile {name} mode (icmp | connect | tls | uri)
— enable URI checking for Ping Check profile{name}
ping-check profile {name} uri {uri}
— set URI
Connection policy now operates with the IPv6 protocol. [NDM-2515]
Improved
Faster and more reliable operating system updates for Mesh Wi-Fi nodes. The structure of the Mesh Wi-Fi System and the connections between nodes now determine the order in which nodes are updated. [NDM-2816]
The Web interface now supports the Danish language. [SYS-907]
The Yandex.DNS presets in the Internet Safety menu now support secure resolutions using DNS-over-HTTPS (DoH) protocol. [SYS-901]
Added ICMPv6 support to
ipv6 static
rules, allowing pingv6 to local devices with IPv6 addresses. [NDM-2760]ipv6 static (... | icmpv6) [interface] {mac}
— enableicmpv6
protocol for specified{mac}
Implemented propagation of Network Time Protocol settings to extenders in the Wi-Fi System. [NDM-2508]
The initial Ping Check state has been changed to a negative state to avoid using a non-working connection to access the Internet. Reduced initial Ping Check time. [NDM-1837]
The Firewall service now flushes corresponding sessions when firewall rules are enabled or disabled. [NDM-2690]
The maximum MTU size has been increased to
1514
bytes, providing PPPoE MTU =1500
bytes over VLAN. [SYS-812]
The
ip alias
configuration no longer affects the NAT translation for the primary PPPoE connection. [SYS-806]
Added a
robots.txt
file to the Web Interface server to prevent indexing by search engines. [NDM-2673]
Disabling the Hardware network accelerator no longer disables traffic acceleration between Wi-Fi and wired Ethernet connections on the local network. [NDM-2660]
The
ipv6 firewall
CLI command has been deprecated and removed. [NDM-1731]The network interface status tracking mechanism in KeeneticOS has been redesigned to provide better IPv6 protocol support and faster Web Interface response. [NDM-2415]
The new WAN IPv6 address assignment option has been implemented in accordance with the RFC6204 (WAA-8) standard. [NDM-2549]
Increased KeenDNS service web application records from
160
to256
. [NDM-2519]
Fixed
Wireless connection with WPA3-PSK (
SAE-H2E
method) security no longer triggers a system reboot. [SYS-932]
Network segmentation has been fixed to prevent Guest segment devices from accessing the settings of Extender nodes. [NDM-2744]
Fixed support for Microsoft Point-to-Point Encryption (MPPE) on L2TP/IPsec connections. [NDM-2859]
The name of the segment and other description fields are now protected against the XSS vulnerability in the Web interface. [NWI-2715]
Enabling the DNS transit requests feature correctly disables DNS packet interception. [NDM-2769]
Fixed HTTP server configuration errors after changing the interface security level under certain conditions. [NDM-2832]
Corrected traffic counting when multiple WAN connections are active. [SYS-880]
Fixed Wi-Fi connection issue when switching channel width from 80 to 20 MHz. [SYS-893]
It is now possible to add new extenders to the Wi-Fi system without an Internet connection. [NDM-2594]
Fixed some minor visual issues with the Web interface layouts. [NWI-2675, NWI-2676]
Fixed positioning of Web UI elements on the System Dashboard page when zooming in Safari iOS 16. [NWI-2626]
Fixed the GRE/IPsec connection issue when using IKEv2 and Cisco iOS/Nx-Os endpoints. [NDM-2789]
Sorting in the Channels column on the Wi-Fi Monitor page now works correctly. [NWI-2603]
Corrected the layout of the dialogue box of the Fail-safe function. [NWI-2635]
Fixed incorrect local and remote IKEv2 proposal IDs when using GRE/IPsec tunnels. [NDM-2750]
Wi-Fi client traffic accounting now works correctly when the hardware network accelerator is enabled. [SYS-854]
The misclassification of traffic from registered devices as traffic from unregistered devices in the traffic accounting has been corrected. [SYS-846]
Disabled the use of name servers (DNS servers) on offline backup connections. [NDM-795]
The static route for the WireGuard® VPN remote peer is no longer removed after changes are made to the underlying connection of the WireGuard VPN tunnel. [NDM-2522]
Asymmetric speed limiting now works correctly for registered devices when IntelliQoS is enabled. [SYS-836]
The multipath policies now work correctly and do not use connections with negative Ping Check testing results. [NDM-2706]
Prevented IPsec configuration failure using a cryptographic key
crypto ike key
with an unsupported length greater than 72 characters. [NDM-2562]
Internet traffic volumes for PPPoE connections are correctly counted when the Hardware network accelerator is enabled. [NDM-2580]
The default route is now correctly assigned for HTTP/HTTPS/SOCKS5 proxy interfaces. [NDM-2366]
The default route via the IPoE interface is now automatically restored after the PPP (PPPoE, L2TP, PPTP) interface is deleted. [NDM-2575]
Fixed
connected
state for interfaces with a statically configured IP address. [NDM-2551]
The use of WireGuard® tunnels as the default route with the IPv6 protocol is now fixed. [NDM-2535]
The
interface ipv6 force-default
CLI command has been brought back into support for backward compatibility. [NDM-2545]