rAcKShen

Posts posted by rAcKShen

  1. 13 hours ago, KYTECHNGAMING said:

    I did not understand why an experienced person is so stuck in this situation in the installation with the wizard.

    That is easy to explain: When you go through the wizard, you cannot deny it, it just happens. So it happened to me the first time. I am sure that happens to everyone who is not on the stable release but resets his device. Back then, I am not sure, I understood the downgrade is related to the wizard. First, I thought, the wizard is just re-installing some components as it always does. So I fell into this trap a second time later. And then, I fell into it a third time because it is so unusual and I forgot about it. So, my experience is actually the problem here: My expectation is still that this should not happen. So I placed a post-it on the device. Perhaps that helps next time.

    There is a second issue: When the device starts up, you cannot deny the wizard, the first step is always within the wizard. At least the wording is giving that impression. Only, only, only on page two of the wizard (not earlier, not later) I am able to exit the wizard. I had to find that button. I missed that several times, too.

    There is a third issue: 3.9 Alpha adds a new connection setup (DS-Lite with AFTR), which is needed here for one of my ISPs. So, I was curious to test the wizard how it is handled there. And then, at the end, I get downgraded to a version which does not give me access to that ISP. So, actually, I am wrong in my previous post; I could test the wizard. Just get a bit of additional work afterwards.

    If Keenetic wants to force an update, OK. But then please on the branch where I left. Even better: If I am on a non-stable (faster) branch, ask whether I want to continue on that branch, or whether I want to go for one of the slower branches.

    • Upvote 1
  2. On 6/1/2022 at 4:02 PM, Infy said:

    the wizard forces the installation of a latest version from the stable channel

    OK. That is bad because – with my workaround above – several things are not set as expected by Keenetic support. That again can be worked around with the trick of Ahmed. Thanks for that! However, I want to test the wizard actually, with the latest release (because of the new DS-Lite support). I cannot do that. If possible, that choice should be reconsidered. Never saw a downgrade with other vendors because of resetting and using a wizard. Was very unexpected. So unexpected, I forgot and got downgraded several times by now. 🤪

    • Thanks 1
  3. Using the latest 3.9 alpha 4, PPPoE, IPv6 component installed and enabled …

    IPv6 works great on my clients. However, in Apple macOS, I do not see a DNS server via IPv6, just IPv4. Therefore, I opened Wireshark and filtered for icmpv6.type == 134 || dhcpv6. The router advertisement (RA) has the flag Other set. Therefore, LAN clients ask the (stateless) DHCPv6 server for the DNSv6 server. And that server does not answer. Is the RA simply wrong and there should be no DHCPv6 server? Or is the DHCPv6 server simply not running?

    Yes, I know, from the user experience, this is no issue because I can do IPv6 (DNS-AAAA) even via the existing DNSv4. However, my clients search for that DHCPv6 server all day long. And this is not the way it was designed. Either the Other flag is set incorrectly. Or a DHCPv6 server should answer.

    • Thanks 1
  4. OK. Then, I do not understand it.

    Exactly, every 24 hours, another, a different IP is connected. I am not so much about that daily phoning home, I am more confused by that several ones after the first start. I see five TLS connections, some to the same, some to different IPs (of ‘ndss.keenetic.ndmsystems.com’). Any chance to look into those connections? I redirected the DNS, but you use HTTPS with Certificate Pinning. The used trust anchor ‘4096-KNT-root-ca.crt’ can be found in the file system, in ‘/usr/share/sign-ca-certificates’. However, I am not able to simply replace the file content because it is on a read-only partition.

  5. I am in the channel Dev and had 3.8 Alpha 8 installed. When I went for a Reset via the Web interface, the initial Wizard pops up again. When I go through the wizard, I was forced to install the latest update, on the channel Main: 3.7.4. Is this intended?

    I use the following path right now which feels like a workaround: When the wizard pops up, I hit the button ‘Run Wizard’. Then, I get a page with the modes. There is a button ‘Exit Wizard’. When I go for that, I am not forced to downgrade. However, many settings (like the mode and the recommended system components) are not set then.

  6. This is a small how-to silence a Keenetic in the mode Extender which can be used as a ‘Wi-Fi Bridge’, sometimes called ‘Wi-Fi Access Point’. This is useful, when you have no Keenetic in the mode Router around and you want a silent Access Point without NAT or Firewall, just doing Wi-Fi. Most of the steps are based on this help article. However, I had to do more:

    1. reset your Keenetic (button, Web, or CLI)
    2. when the Wizard in the Web interface offers the button ‘Exit Wizard’ go for that
    3. go for the command-line interface (for example, via the Web interface) and enter:

        interface Home lldp disable
        no ntp server
        ntp server 192.168.178.1
        ntp sync-period 40320
        no service internet-checker
        components remove cloudcontrol
        components remove sstp-server (on default, was not installed)
        components remove webdav
        components remove ndns
        components remove ip6 (on default, was not installed)
        system configuration save
        components commit

    Keenetic does not learn the NTP server from DHCP. Therefore, I changed it manually to the IP address of my local main router. Double-check your IP address and that yours offers an NTP service. Furthermore, KeeneticOS 3.8 does not support IPv6 in mode Extender, yet. If you want to keep the system component IPv6 for future, then today, you have to go for:

    1. no ipv6 subnet Default
    2. system configuration save

    The bad news: Although I do not use any service of Keenetic anymore, I found no way to disable the ‘authentication and licensing service’ yet. So it is not totally silent and still phones home after start and once daily (connecting to all fail-over IPs learned from DNS, perhaps another software bug). The good news, the system components Package Manager (opkg) and Phone Station (nvox) can be used even in mode Extender. Consequently, I am able still to use my Keenetic for telephony like the Keenetic Linear and many more.

    • Confused 1
  7. @vst were you able to reproduce the issue via my steps?

    I re-tried after applying your CLI command (which did the job, thanks, by the way): After that CLI command, when I go through my steps again, that subnet re-appears again. Consequently, I do not think, it is any kind of left-over. If you were able to reproduce the issue, do you create the bug report internally or shall I via E-mail support?

  8. OK, attached in hidden mode. Are you not able to reproduce this issue with the steps above? Interesting. By the way, when I go for the file ‘/tmp/run/radvd.conf’, I see

    interface br0 {
            AdvSendAdvert on;
            AdvOtherConfigFlag on;
            AdvManagedFlag off;
            AdvDefaultLifetime 0;
    };

    which matches my Router Advertisements, because the Flag Other is set indeed. However, I found no way to control that file, yet. After a restart, it is overwritten. And there seems to be no command on the CLI controlling this. The closest would be ‘no ipv6 subnet mode’. However, that did not work. Is there a trick to change/overwrite that?

    Something like a ‘ipv6 subnet mode client’ would be the correct approach in future, I think. Especially, because currently, I do not see IPv6 connectivity in Extender mode at all. However, that is another topic.

  9. What do the two votes ‘need more info’ mean exactly? First of all: More info from me or someone from Keenetic?

    Steps to Reproduce:

    1. Web interface → (Management) System → Change operating mode → Extender
    2. Web interface → (Management) System → Component options → IPv6 → Install

    Then, on a computer in my home network, I open Wireshark and filter for icmpv6.type == 134. After several minutes, I see IPv6 RA coming from the Keenetic. Nothing inside (no IPv6 Prefix and no DNS) but still medium default route. This is confusing because I would have expected no RA from a non-router.

  10. I am in the operating mode Extender. I have installed the component IPv6. While debugging something else in Wireshark, I noticed, that my Keenetic is still sending IPv6 Router Advertisements (RAs; ICMPv6 134). Nothing much included, except the default route at medium preference. Anyway, confusing because in that mode my Keenetic is (should be) no router anymore. Is that intended?

    Sorry, have not checked 3.7.4 whether that is a 3.8 only thing.

    • Need more info 2
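
Added example, not part of the original posts: a small Python parser for the Router Advertisement fields discussed in the posts above (Managed/Other flags, router lifetime, preference, prefix and RDNSS options), with checks for the situations they describe. The sample packets are constructed to mirror the radvd.conf shown above; the function names and findings text are this example's own.

```python
import ipaddress
import struct

OPT_PREFIX, OPT_RDNSS = 3, 25  # RFC 4861 prefix information, RFC 8106 RDNSS
PREFERENCE = {0: "medium", 1: "high", 2: "reserved", 3: "low"}  # RFC 4191

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement, starting at the ICMPv6 header."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement (ICMPv6 type 134)")
    _hop_limit, flags, lifetime = struct.unpack_from("!BBH", icmp, 4)
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "preference": PREFERENCE[(flags >> 3) & 0x3],
          "router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    pos = 16  # options follow the fixed 16-byte RA header
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed option")
        body = icmp[pos:pos + opt_len]
        if opt_type == OPT_PREFIX and opt_len == 32:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}")
        elif opt_type == OPT_RDNSS and opt_len >= 24 and (opt_len - 8) % 16 == 0:
            for i in range(8, opt_len, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        pos += opt_len
    return ra

def findings(ra: dict) -> list:
    """Flag the RA properties that the posts above ran into."""
    out = []
    if ra["other"] and not ra["managed"] and not ra["rdnss"]:
        out.append("O flag set without RDNSS: clients ask stateless DHCPv6 for DNS")
    if ra["router_lifetime"] == 0:
        out.append("router lifetime 0: sender is not offered as a default router")
    if not ra["prefixes"]:
        out.append("no prefix information: no SLAAC address from this RA")
    return out

# Constructed sample: O flag on, M off, lifetime 0, only a link-layer option
# (checksum left at zero, it is not validated here).
SAMPLE_EXTENDER = (bytes([134, 0, 0, 0, 64, 0x40, 0, 0]) + bytes(8)
                   + bytes([1, 1, 2, 0, 0, 0, 0, 1]))
# Constructed sample: no flags, lifetime 1800 s, one RDNSS server (documentation prefix).
SAMPLE_RDNSS = (bytes([134, 0, 0, 0, 64, 0x00]) + struct.pack("!H", 1800) + bytes(8)
                + bytes([25, 3, 0, 0]) + struct.pack("!I", 600)
                + ipaddress.IPv6Address("2001:db8::53").packed)

if __name__ == "__main__":
    for name, pkt in (("extender", SAMPLE_EXTENDER), ("rdnss", SAMPLE_RDNSS)):
        print(name, parse_ra(pkt), findings(parse_ra(pkt)))
```
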
  11. OK. Interesting. And I thought before, I had seen many Wi-Fi configuration interfaces. Then those devices ‘scan’ 36 to 48, only. However, 802.11ac does 80 MHz, so blocking that whole range anyway. Therefore, what is the benefit of ‘scanning’ in that range?

    1. Does it select the best control channel (36, 40, 44 or 48), the cleanest? Or
    2. Does it go down for 40 MHz if too congested?

    Sorry, do not get the benefit, yet. If I do no DFS, I can choose the channel statically anyway. Sounds like a legacy behavior for 802.11n interaction which did 40 MHz.

  12. Found two security issues. Not critical software bugs. But one scores high. Did not calculate the other. And they are not in the building blocks used by Keenetic but in the configuration. So, for me, nothing to report upstream to any open-source project. I have report to Keenetic directly. Fixing them, I do not think they are very complex, should be not more than one line of code. So, worth to be reported.

    Many companies go for FIRST and make it easy for security researchers by providing a secure communication channel/contact/E-mail (via the provided public OpenPGP key). Does anyone know how Keenetic likes it? OpenPGP or S/MIME? Do I go for my local country support? Or a global E-mail address (tried security@ and psirt@ but failed)? Or do we go for private messages via this board (would be OK for me)? Or do we go via GitHub (no policy posted)?

  13. Great, in my case, ‘recommended’ was my factory default. I knew those commands from the command-line documentation. However, I thought ‘minimal’ is the absolute minimum. A misunderstanding. Furthermore, I thought ‘recommended’ is some crazy big super-set. However, at least in my case, ‘recommended’ was the state when I started with my Keenetic. And ‘minimal’ is just a bit less, four components:

    1. Dynamic DNS (DDNS) Client,
    2. Media Server (DLNA),
    3. DNS-over-HTTPS proxy, and
    4. DNS-over-TLS proxy.

    Although the part about the languages is a bit confusing: I am allowed to install not more than three languages but when I click on that ‘minimal’ or ‘recommended’ button in the Web interface (or go for our commands), I get all languages (back). Anyway, my Keenetic is now as near to factory again as possible. 😀

  14. I am in Germany, and we use a zero to dial out of the city and two zeros to dial out of country. I am using not a DECT base but a recent analogue phone (MFW). Zero is not special on that phone, double-checked. I lift the handle, get the dial tone, dial my number … but my Keenetic is dialing just ‘0’. I hear that. And see that in the call history. Triple-checked via Wireshark. In the dial-rule syntax – Синтаксис правил набора – I saw that special ‘T’. However, either I do not understand its meaning or that did not help.

    Then, I went for the dial rule

    (00>+)x.|(0>+49)x.|(>+496181)x.

    Works. As a side-effect all my calls are international now, which is no problem with my telephony carrier. The ‘6181’ is for those living in Hanau and must be replaced for your city. However, I do not think that is the right approach. Is it?
