Keenetic as simple Wi-Fi Access Point (Bridge)

[rAcKShen]

This is a small how-to silence a Keenetic in the mode Extender which can be used as a ‘Wi-Fi Bridge’, sometimes called ‘Wi-Fi Access Point’. This is useful, when you have no Keenetic in the mode Router around and you want a silent Access Point without NAT or Firewall, just doing Wi-Fi. Most of the steps are based on this help article. However, I had to do more:

1. reset your Keenetic (button, Web, or CLI)
2. when the Wizard in the Web interface offers the button ‘Exit Wizard’ go for that
3. go for the command-line interface (for example, via the Web interface) and enter:
4. interface Home lldp disable
5. no ntp server
6. ntp server 192.168.178.1
7. ntp sync-period 40320
8. no service internet-checker
9. components remove cloudcontrol
10. components remove sstp-server (on default, was not installed)
11. components remove webdav
12. components remove ndns
13. components remove ip6 (on default, was not installed)
14. system configuration save
15. components commit

Keenetic does not learn the NTP server from DHCP. Therefore, I changed it manually to the IP address of my local main router. Double-check your IP address and that yours offers an NTP service. Furthermore, KeeneticOS 3.8 does not support IPv6 in mode Extender, yet. If you want to keep the system component IPv6 for future, then today, you have to go for:

1. no ipv6 subnet Default
2. system configuration save

The bad news: Although I do not use any service of Keenetic anymore, I found no way to disable the ‘authentication and licensing service’ yet. So it is not totally silent and still phones home after start and once daily (connecting to all fail-over IPs learned from DNS, perhaps another software bug). The good news, the system components Package Manager (opkg) and Phone Station (nvox) can be used even in mode Extender. Consequently, I am able still to use my Keenetic for telephony like the Keenetic Linear and many more.

[Le ecureuil]

Цитата

The bad news: Although I do not use any service of Keenetic anymore, I found no way to disable the ‘authentication and licensing service’ yet

The EULA states that it is required and cannot be disabled.

[rAcKShen]

Yes, I know. By the way, is there an easy way to look into what is exchanged exactly? Looking at Wireshark and the timings, it looks like failing over because it tries several different IPs in a row (and I blocked none of them, the TLS handshake succeeds and it looks like exchanging data successfully). Might be a bug but cannot say for sure.

[Le ecureuil]

It is a sort of redundancy and load balancing based on connection reply speed. Further communication performs with the server with the fastest reply.

[rAcKShen]

OK. Then, I do not understand it.

Exactly, every 24 hours, another, a different IP is connected. I am not so much about that daily phoning home, I am more confused by that several ones after the first start. I see five TLS connections, some to the same, some to different IPs (of ‘ndss.keenetic.ndmsystems.com’). Any chance to look into those connections? I redirected the DNS, but you use HTTPs with Certificate Pinning. The used trust anchor ‘4096-KNT-root-ca.crt’ can be found in the file system, in ‘/usr/share/sign-ca-certificates‘. However, I am not able to simply replace the file content because it is on a read-only partition.