Release Notes icom OS 8.3 (20.12.2024) New Feature: - IPsec: up to 20 additional IPsec SAs can be used for each IPsec tunnel to tunnel different subnets Functional Updates: - DynDNS: providers Duck DNS and dynv6 available - New UI: configuration page for MCIP (events) available Bug fixes: - HTTPS: certificate based client authentication is not disabled, if expired device individual certificate is used as HTTPS certificate - LTE450: if two data channels are active, routes are set correctly - LTE: if network registration is not successful within 12 hours, the modem is restartet - LTE: reduced extensive log messages if PIN is needed but not provided - Profile Activation: suppressed false error log message about unavailable Parameters on profile activation _______________________________________________________________________________________________ Announcement: Within the next months, INSYS icom will use a new CA certificate to issue the device individual certificates which are provisioned during production. All devices, which have a serial number 24136331 or higher and MAC address 00:05:B6:12:E1:23 and higher will already have and use a "new" certificate. For all devices which have a new certificate and are running with a firmware 8.0 or lower this will have two effects - as the old firmware doesn't know the new CA, it will display a warning message in the classic UI that "the configured HTTPS certificate is not issued by the configured CA certificate". This is just a warning and can normally be ignored, as the HTTPS connection still works. - if client authentication via certificates is active and the device individual certificate is used as server certificate, the client authentication via certificates is deactivated. If no fallback username/password is configured these devices won't be accessible via HTTPS any longer For all devices already shipped, this will not affect the applications, the behavior or the connection. Also an update to 8.1 will not affect already shipped devices. Both effects can be mitigated on icom OS 7.6 or higher by uploading the new certificate chain (root and intermediate CA) onto the device and select the intermediate CA as "CA certificate for HTTPS". In general INSYS icom always recommends using an own PKI for the HTTPS server certificates and client authentication via certificates. In this case, none of the above effects will arise. Release Notes icom OS 8.2 (21.11.2024) Functional Updates: - OpenVPN: terminate UDP tunnels with explicit-exit-notify - Firewall: Added protocol OSPF to be selected for Firewall, SNAT and DNAT rules - curl OSS package update: updated to version 8.11.0 (fixes CVE-2024-2398) - dnsmasq OSS package update: updated to version 2.90 (fixes CVE-2023-28450) - mosquitto OSS package update: updated to version 2.0.20 (fixes CVE-2023-28366 and CVE-2024-8376) - curl CA bundle OSS package update: updated to version 2024-09-24 - metalog OSS package update: updated to version 20230719 - axios OSS package update: updated to version 1.7.7 Bug fixes: - File Upload: Fixed detection of file type for uploads via REST API or new UI - SMS sending and reception: improved reliability of SMS sending and reception - Classic UI: prevent webserver crash if special characters are used for IP net descriptions - Status values: show correct uptime of IP net with multiple static IP addresses _______________________________________________________________________________________________ Release Notes icom OS 8.1 (25.10.2024) Functional Updates: - IP networks: colours of the ip networks (for device graphics) are now configurable - Container: Static information about the device (i.e. serial number, firmware version) is available in the container at /devices/device_info.json Bug fixes: - RSTP: works on trunk ports - MRX LTE: Connection is stable if MTU of LTE interface is lower than 1500 and packets through a VPN tunnel exceed the MTU - Container: network interfaces bridged to a container can be IPv6 only - Container: container still starts if bridged network is deleted from the config - Fiber/Ethernet: SFP slots and ethernet ports on MRcards ES are reliably initialised on start - PPPoE: ip networks in PPPoE mode work again, if ip network list is altered _______________________________________________________________________________________________ Release Notes icom OS 8.0 (08.10.2024) New feature: - Now up to 100 IP networks configurable: With icom OS 8.0 the previous limitation to 5 ip networks was resolved. Up to 100 IP networks can now be created. Also additional DHCP servers (IPv4 and IPv6) can be added. To ensure downward and upward compatibility, the firmware behaves as follows - on update to 8.0 (or higher) all active networks of the previous 5 ip networks will be transferred into the new list of ip network - on downdate to a firmware lower than 8.0, the ip networks with name "net1" to "net5" are transformed into the old networks - even though the syntax of the cli changes for the new ip networks, old ascii configurations will still be interpreted correctly - binary profiles will be converted into the new ip network list on import Caution: - Binary profiles created with firmware 8.0 or higher will lead to unspecified behavior, when imported into firmware lower than 8.0 - ascii configurations created with firmware 8.0 or higher will not result in the expected configuration, when imported into firmware lower than 8.0 Functional Updates: - OpenSSL OSS package update: updated to version 3.1.7 - OpenVPN OSS package update: updated to version 2.6.12 (fixes CVE-2023-46849 and CVE-2023-46850) - pam_radius OSS package update: updated to version 3.0.0 (fixes CVE-2024-3596) Bug fixes: - REST-API-Documentation: OpenAPI documentation was not valid according to the OpenAPI specification - classic UI: increased some timeouts (for firmware activation and reset) to prevent false error messages _______________________________________________________________________________________________ Release Notes icom OS 7.9 (25.07.2024) Functional Updates: - dropbear OSS package update: updated to version 2024.85 (fixes CVE-2023-48795) Bug fixes: - ECR-LW300 1.1: sending SMS through GSM supports special characters - MRcards: fixed sporadic communication issues between MRcards - Signed and encrypted update packages: empty private keys (like the placeholder key) do not cause decrypting of additionally encrypted update packages to fail - UI: after import of icom Router Management start configuration the profile activate can be clicked again - UI: Upload of more complex configurations (i.e. including Containers, Container-Data, multiple stored ASCIIs) on the welcome page are correctly applied - Classic UI: fixed some Javascript errors which resulted in not correctly hidden config options _______________________________________________________________________________________________ Release Notes icom OS 7.8 (26.6.2024) New Feature: - User Interface Languages: language support added for French, Italian, Spanish and Chinese. - Device metrics: multiple device metrics are now continuously calculated and available for analytics: - Counter of boot processes since production - Counter of boot processes since reset - Operating hours counter - Online counter since production - Online counter since reset - Online counter since last boot process - Timestamp of last successfull online connection The new metrics are displayed in the webinterface or can be read through CLI or REST API. - New Ping Event: a Ping check (icmp) is now available as event and action in the Event/Action toolbox. Multiple configuration parameters available: number of retries, timeouts and state change. - New DNS Event: a DNS check is now available as event and action in the Event/Action toolbox. Functional Updates: - New UI: configuration page for I/Os (input/output) available. - New UI: non functional optical changes: max width set to 1920px, navigation changed to 'single column navigation'. - LTE450: update of cellular engine firmware is possible for MRcard LTE450. - icom Router Management: server certficate can be verfied using OCSP-stapling. - Auto-Update: server certficate can be verfied using OCSP-stapling. - IPsec: certificate revocation policy is now configurable for OCSP or CRL (cert. revocation list). - EST protocol: If the server certificate check fails, the CA certificates are retrieved without a server check and a new trustchain is created. Bug fixes: - Modem State Machine: internal changes to the modem state machine fixes multiple support cases in relation with cellular connectivity. - Package loss: Packages with special sizes are sent reliably with certain SIM cards (e.g. mdex). Products affected: MRX3 LTE 1.1, MRX5 LTE 1.1, MRX2 LTES 1.0, MRcard PL 1.0. - Connection stability: cellular connection remains stable also for packets with certain fragmentation. Products affected: MRX3 LTE 1.2, MRX5 LTE 1.2, MRX2 LTES 1.1, MRcard PL 1.1. - Known Issue: on ECR-LW300 1.1 with icom OS 7.8 when sending SMS through GSM, special characters are not working. _______________________________________________________________________________________________ Announcement: In this release we replaced the SCEP protocol (Simple Certficate Enrollment Protocol) with a more modern version called EST (Enrollment over Secure Transport). Please get in contact with icom Support team, in case you are a user of SCEP. Release Notes icom OS 7.7 (30.04.2024) New Feature: - EST: The EST Protocol (Enrollment over Secure Transport) is now available use for secure Certificate Enrollment. Functional Updates: - SCEP removed: the Simple Certificate Enrollment Protocol was removed in this version and is no longer available in icom OS. We suggest all users to use the now available EST protocol instead, which only has advantages. - New UI: the configuration page for Serial-Ethernet-Gateway was added. - System status: a new system status value was introduced, containing the minimum required icom OS firmware version for each individual device. The version depends on the respective hardware variant and is available through CLI or REST and will soon be displayed in the status page. A firmware downdate below this version is not possible. Bug fixes: - Port mirroring: the debugging functionality port mirroring is now supported for all interfaces, not only for LAN interfaces on the same switch. (*this debugging option is not yet available in the new user interface, but will follow soon). - IPsec: usage of keys using elliptic curves EC(DSA) was fixed. - Real Time Clock: restoring the system time from the RTC (real time clock) is working again for all MRX and SCR/ECR routers. _______________________________________________________________________________________________ Release Notes icom OS 7.6 (28.03.2024) Functional Updates: - SCR/ECR: it is now possible to configure the preferred network technology (2G, 3G, 4G). - User Interface: Configuration page added for Router Advertiser. - User Interface: Configuration page added for DHCP-Relay. - Web-/REST-Interface: Now supporting server certificates that were issued by an Intermediate CA. - Web-/REST-Interface: Now accepting certificates for certificate based client authentication, that were issued by an Intermediate CA. - glibc OSS package update: updated to version 2.38. - nghttp2 OSS package update: updated to version 1.60. Bug fixes: - SNMP: fixed error in the MIB. - Webserver: webserver did not respond when the router was waking up from a suspend to RAM. - DHCPv6-Relay: service is only started once. Fixes the known issue from the last icom OS 7.5 release. - Router Advertiser: service is started at system startup. - Container: the time zones are correctly created for a created container. - Classic UI: certficates of the format DER and PKCS12 can be uploaded again. - User Interface: files of type stored ASCII are correctly saved after being uploaded on the Welcome Page. _______________________________________________________________________________________________ Release Notes icom OS 7.5 (01.03.2024) Functional Updates: - VPN: OpenVPN and IPsec configuration now supports the import of certificate chains containing intermediate certificates. - Router Advertiser: Recursive DNS servers (RDNSS) can be configured. - User Interface: added configuration pages for MAC-filter, RADIUS and dynamic routing. - Automatic Update: certificate chains containing intermediate certificates are now supported. - MIRO-L230 (US): passed AT&T "network ready" certification. Bug fixes: - LTE450: The static routes on a second SIM with second APN are applied. - User Interface: Firmware versions with 3 digits (e.g 7.2.1) are no longer displayed falsely as being a Beta version in the user interface. Publicly released firmware is never of status Beta, independet of the number of digits. - SFP: VLAN interfaces are now created before the DSA interface goes to status UP. - CLI: RSA keys with key length up to 16k are now accepted. Known issues: - DHCPv6-Relay: Usage of DHCPv6-Relay causes high memory consumption which can cause other services to be unusable. If the DHCPv6-Relay is used, an update to 7.5 is not recommended. We will provide a fix soon. _______________________________________________________________________________________________ Release Notes icom OS 7.4 (02.02.2024) Functional Updates: - OpenSSL OSS package: updated to version 3.1.4. - Valibot OSS package: updated to version 0.24.1. - Step-by-Step Wizard: Wording and graphical improvements to the wizard UI. Search as you type option for SIM APN configuration. Timezone can be adapted from browser. - Automatic Update: Router serial number and firmware version are sent along with the HTTP-header. - OpenVPN: device information (device type, firmware, serial number, hardware information) is transmitted to the OpenVPN server via push-peer-info - icom Connectivity Suite: a new bootstrap-server was activated. - MIRO, LTE450: it is now possible to configure the preferred network technology (2G, 3G, 4G). Bug fixes: - UI: Fixed display of router images on the login page. - UI: After firmware activation, the user is correctly redirected to the login page. - Classic UI: the quick start wizard works again with icom Connectivity Suite. - IPv6: Router executes IPv6 neighbor solicitation only on logical bridge interfaces (no two MAC addresses are visible on the network). _______________________________________________________________________________________________ Important Announcement: With this icom OS 7.3 release all algorithms in the OpenSSL legacy provider will be removed. This includes symmetric ciphers: - RC2, RC4, RC5 - BF (Blowfish) - DES, DESX; (but not DES-EDE and DES3/DES-EDE3) - IDEA - CAST5 Increased Security Level: The OpenSSL security level was increased, requiring a minimum of 80 bits of security for cryptographic material. This also means that SHA1 signed certificates are no longer allowed. (Note: bits of security is not equal to the key-length: a 2048-bit RSA key provides 112 bit of security.) The following are no longer permitted: - RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits# - Certificates with SHA1 or MD5 signatures - Using MD5 for MAC - SSL/TLS versions lower than TLS 1.2 Please check your infrastructure (especially VPN-Networks) and cryptographic material (keys, certificates) for the usage of above ciphers/algorithms and regarding the security level and upgrade to modern and secure ones! OpenSSL 3.1.1 supports modern ciphers and algorithms like SHA256, AES, ChaCha20, and Poly1305 use these instead. PKCS12: Also think of the signature or encryption of your PKCS12-container itself. There might be a legacy cipher in use as well. _______________________________________________________________________________________________ Release Notes icom OS 7.3 (19.12.2023) Functional Updates: - IT Security: legacy/outdated encryption algorithms have been removed and are no longer supported! This affects the following symmetric ciphers: RC2, RC4, RC5, BF (Blowfish), DES, DESX, IDEA, CAST5. - IT Security: The OpenSSL security level was increased, requiring a minimum of 80 bits of security for cryptographic material. This also means that SHA1 and MD5 signed certificates are no longer allowed. - Router Advertiser: Advertisements can be assigned depending on the status of an interface. - Router Advertiser: the 'other condiguration' option (O-flag) is now supported - DHCPv6-Relay: Ports are now adjustable to avoid port collisions on running DHCPv6 clients. - DHCPv6 Server: DHCPv6 options 'Vendor specific information' and 'NTP server address' added. - Status display: the ARP table is generated with the command 'ip neighbor show' (IPv6-enabled). - Step-by-Step Wizard: The connections can be checked with a ping test after the wizard. - rambda OSS package update: updated to version 8.6.0. - pinia new OSS package: added at version 2.1.7. - New OSS package: ndp-proxy package was added. Bug fixes: - Step-By-Step-Wizard: fixed sporadically missing configuration settings. - Debugging tool: Traceroute debugging tool is working again. - LTE450: Fixed routing of IPv6 traffic over LTE450 mobile radio. - LTE450: the loss of only one data channel in LTE450 connections is correctly detected by the router. - DHCPv6 relay: issues with DHCPv6 relay were fixed and is now forwarding requests to the specified DHCPv6 server. - UI: improved the MQTT connection stability for the displaying of status values. - UI: missing router renderings were added for the display in the welcome page. Release Notes icom OS 7.2 (20.11.2023) Important Announcement - OpenSSL Upgrade: INSYS will do a major upgrade of the OpenSSL library in the near future (not THIS current release). The upgrade from OpenSSL 1.1.1 to OpenSSL 3.1 can lead to connection loss in VPN networks. OpenSSL 3.1 introduces several changes and deprecations compared to OpenSSL 1.1.1, including the removal of several cipher algorithms that are considered weak or outdated. These cipher/hash algorithms are deprecated in OpenSSL 3.1 and will no longer be supported: SHA1, RC4, DES, 3DES, IDEA, Blowfish, Camellia cipher (except for Camellia-128-CBC and Camellia-256-CBC). Instead, OpenSSL 3.1 supports modern cipher algorithms like AES, ChaCha20, and Poly1305. Please check your infrastructure (especially VPN-Networks) for the usage of these ciphers and upgrade to modern and secure cipher algorithms! New Feature: - Device Notes: A new field for free text was introduced to add comments, device info or maintenance progress to a device. It can be found under Administration>Device information. Functional Updates: - UI: The configuration page Administration>Reset was redesigned for better understanding. - Startup Wizard: After finishing the Startup Wizard, a new designed statuspage is shown, that informs about the configuration progress and connection status to all services or VPN. This greatly improves the transparency of the wizard. - IPsec: IPsec tunnels can be configured without VTI-Interfaces optionally. - Debug access: the debug access through icom Router Management was disabled. - isomorphic-dompurify update: update to version 1.9.0 - axios update: update to version 1.5.1. - rambda update: update to version 8.5.0. - unplugin-vue-components: update to version 0.25.2. - vue update: update to version 2.7.15. - vue3-dnd update: update to version 2.0.4. - vuetify update: update to version 2.7.1. - dnd-core update: update to version 16.0.1. - valibot update: update to version 0.19.0. - @fxts/core update: update to version 0.23.0 - @vueuse/core update: update to version 10.5.0. Bug fixes: - Rapid Spanning Tree Protocol (RSTP): Stability issues with RSTP have been fixed in this version. RSTP should work reliably in Ethernet as well as SFP topologies. - Secure Decommissioning: The secure decommissioning function was fixed for the latest linux kernel version. - MIRO: Reliability of the internal watchdog was increased to restart the device in case of an error. - OpenVPN: Configuration of OpenVPN with cipher None is again possible. - UI: Added missing configuration options for some events. - Container: The container console can not write to /tmp until it is full. Maximum size was set to 4KB. Release Notes icom OS 7.1 (09.10.2023) Functional Updates: - IPv6 mobile radio: during connection establishment in cellular IPv6 connections, a new DHCP-address is requested. - IPv6 in local networks: in local networks an IPv6 token can be configured. - Autoupdate Server: the address of the current_major Autoupdate-server was added to the default settings. Bug fixes: - SCR/ECR bootloop: fixed bootloop for SCR/ECR routers with icom OS 4.6 or older when updating directly to icom OS 7.0. - SCR/ECR flash mode: the flash mode is displayed again for SCR/ECR rotuers. - MIRO: the current version of the rescue system is correctly identified by the MIRO routers and not displayed as "unknown". - User Interface: the time configured for the automatic logout is used instead of the default settings. - MRX LTE450 (MRcard PL450): APN configuration is working reliable. - DHCPv6-Client: Prefix Exclude oin eption in a Prefix-Delegation is working. Known Issues: - The stability of the RSTP especially a few seconds/minutes after changes to the network topology are made, is still not satisfying. We are working a solution and will soon publish a release. Release Notes icom OS 7.0 (31.08.2023) Important Announcement - OpenSSL Upgrade: This release introduces the upgrade from OpenSSL 1.1.1. to OpenSSL 3.1.1. The icom OS 7.0 release still provides downward compatibility with OpenSSL 1.1.1. With one of the following icom OS releases, the downward compatibility will be removed. Please check your infrastructure (especially VPN-Networks) for the usage of the following ciphers and upgrade to modern and secure cipher algorithms! These cipher/hash algorithms are deprecated in OpenSSL 3.1 and will no longer be supported: SHA1, RC4, DES, 3DES, IDEA, Blowfish, Camellia cipher (except for Camellia-128-CBC and Camellia-256-CBC). Instead, OpenSSL 3.1 supports modern cipher algorithms like AES, ChaCha20, and Poly1305. Functional Updates: - Linux Kernel: updated the Linux Kernel to version 5.10.77. - UI: DynDNS configuration page is now available in the new user interface. - Welcome Page: the upload form on the welcome page accepts multiple file types such as certificates, firmware or containers. For fast commissioning of a device, all needed files can be uploaded and activated here. - hostname: the default hostname/domainname in factory settings was changed from "icom.local" to now "insys.icom". Instead of using the devices IP address to access the webserver, one can use "https://insys.icom" instead. - Time Zones: now supporting all time zones from the linux tz database. - Init system: from now on the "busybox-init" is used instead of "finit". - UI: made some improvements to make WAN-chains easier to use and configure. - btrfs-progs: update to version 6.3. - busybox: updated to version 1.36.0. - c-ares: updated to version 1.19.1. - curl: updated to version 8.1.2. - curl CA bundle: updated to version 2023-01-10. - dhcpcd: updated to version 8.1.9. - dnsmasq: updated to version 2.89. - dropbear: updated to version 2022.83. - ebtables: updated to version 2.0.11. - eudev: updated to version 3.2.11 - f2fs-tools: updated to version 1.16.0. - frr: updated to version 8.5.1. - hostapd: updated to version 2.10. - lz4: updated to version 1.9.4. - iproute2: updated to version 6.2.0. - iptables: updated to version 1.8.9. - iputils: updated to version 20221126. - iw: updated to version 5.19. - jansson: updated to version 2.14. - klibc: updated to version 2.0.11. - glibc: updated to version version 2.36. - libcap: updated to version 2.68. - libcap-ng: updated to version 0.8.3. - libhttpserver: updated to version 0.19.0. - libjwt: updated to version 1.15.2. - libmodbus: updated to version 3.1.10. - libmnl: updated to version 1.0.5. - libnl: updated to version 3.7.0. - libpcap: updated to version 1.10.4. - libwebsockets: updated to version 4.3.2. - libyang: updated to version 2.1.55. - lighttpd: updated to version 1.4.69. - Linux-PAM: updated to version 1.5.3. - lua: updated to version 5.3.6. - metalog: updated to version 20220214. - mosquitto: updated to version 2.0.15. - mstpd: updated to version 0.1.0. - mtd-utils: updated to version 2.1.5. - net-snmp: updated to version 5.9.4.pre2. - nghttp2: updated to version 1.52.0 - openssl: updated to version 3.1.1. - openvpn: updated to version 2.6.3. - pam_radius: updated to version 2.0.0. - pcre: updated to version 8.45. - pcre2: updated to version 10.42. - protobuf-c: updated to version 1.4.1. - ppp: updated to version 2.5.0. - radvd: updated to version 2.19. - shadow: updated to version 4.13. - sqlite: updated to version 3.41.2. - squashfs: updated to version 4.6.1. - strongswan: updated to version 5.9.10. - tcpdump: updated to version 4.99.4. - timezone: updated to version 2023c. - util-linux: updated to version 2.38.1. - wpa_supplicant: updated to version 2.10. - xz: updated to version 5.4.3. - zlib: updated to version 1.2.13. Bug fixes: - MRcard PL 1.1 (LTE world): the router does no longer use 2G and 3G networks when it is configured to use 4G networks only. - RSTP: the stability of the RSTP daemon was improved. Issues with broadcast loops occurring in Ethernet and Fiber networks with RSTP active were fixed. Known Issues: the stability of the RSTP especially a few seconds/minutes after changes to the network topology are made, is still not satisfying. We are working on the feedback from our pilot testers and will release improvements with icom OS 7.1 in a few weeks. - Router advertiser: wrong limits for lifetime and interval were fixed. - UI: multiple small fixes to the step-by-step wizard. - UI: error messages after automatic logout were removed. - UI: certificate chains can now be uploaded within the step-by-step wizard. - UI: PSK (pre-shared-key) validation for WiFi was fixed. - MRcard LTE450: modem is logged out after changing the APN. - UI: fixed creation of invalid MAC addresses for installed containers. - REST API: simultaneous DELETE calls delete the correct instances. - Log view: fixed duplicate entries. Release Notes icom OS 6.12 (20.06.2023) Important Announcement - OpenSSL Upgrade: INSYS will do a major upgrade of the OpenSSL library in the near future (not THIS current release). The upgrade from OpenSSL 1.1.1 to OpenSSL 3.1 can lead to connection loss in VPN networks. OpenSSL 3.1 introduces several changes and deprecations compared to OpenSSL 1.1.1, including the removal of several cipher algorithms that are considered weak or outdated. These cipher/hash algorithms are deprecated in OpenSSL 3.1 and will no longer be supported: SHA1, RC4, DES, 3DES, IDEA, Blowfish, Camellia cipher (except for Camellia-128-CBC and Camellia-256-CBC). Instead, OpenSSL 3.1 supports modern cipher algorithms like AES, ChaCha20, and Poly1305. Please check your infrastructure (especially VPN-Networks) for the usage of these ciphers and upgrade to modern and secure cipher algorithms! Important Announcement - PPTP Removal: INSYS is planning to remove the PPTP protocol in the future. PPTP is insecure and outdated. We highly recommend to move away from PPTP and stop using it. If you have any questions regarding PPTP, our customer service is there to assist. Functional Updates: - MRX: Support for an additional Ethernet IC was added (MRcard CPU, MRcard ES). Details will be provided when effective. - ECR WiFi: Automatic SSID Scan was disabled and can be triggered manually from the CLI. Bug fixes: - MRcard LTE450: Dual-APN with IPv6 is now working with Vodafone SIM cards. - New UI: the pages Status, Log and Debugging can now be reached through IPv6 addresses and other ports than 443. - MIRO-L210: The support packet generator is working again. Known Issues: - RSTP: The Rapid Spanning Tree Protocol has a malfunction under various conditions. The results can be non reachable devices, packet loss and circulating broadcasts. Release Notes icom OS 6.11 (02.05.2023) Important Announcement - OpenSSL Upgrade: INSYS will do a major upgrade of the OpenSSL library in the near future (not THIS current release). The upgrade from OpenSSL 1.1.1 to OpenSSL 3.1 can lead to connection loss in VPN networks. OpenSSL 3.1 introduces several changes and deprecations compared to OpenSSL 1.1.1, including the removal of several cipher algorithms that are considered weak or outdated. These cipher/hash algorithms are deprecated in OpenSSL 3.1 and will no longer be supported: SHA1, RC4, DES, 3DES, IDEA, Blowfish, Camellia cipher (except for Camellia-128-CBC and Camellia-256-CBC). Instead, OpenSSL 3.1 supports modern cipher algorithms like AES, ChaCha20, and Poly1305. Please check your infrastructure (especially VPN-Networks) for the usage of these ciphers and upgrade to modern and secure cipher algorithms! Important Announcement - PPTP Removal: INSYS is planning to remove the PPTP protocol in the future. PPTP is insecure and outdated. We highly recommend to move away from PPTP and stop using it. If you have any questions regarding PPTP, our customer service is there to assist. Functional Updates: - Firewall rules: entries in the firewall list can be reordered by Drag&Drop. Bug fixes: - Provider selection: Mobile network provider selection was fixed. With icom OS 6.10 the provider selection broke and was statically set to automatic provider selection. The device did not react to the preferred or exclusive provider selection. - Cellular timing: adjusted some timeouts to prevent MIRO-L200 rebooting frequently under certain conditions. - HTTP Messages: fixed error when sending http messages highly frequent with CLI value parsing. - MRO/MRX cellular timing: adjusted some timeouts to fix dial in issues under certain conditions. - OpenVPN options: OpenVPN configuration options link-mtu und tun-mtu are shown in the standard settings view. Known Issues: - RSTP: The Rapid Spanning Tree Protocol has a malfunction under various conditions. The results can be non reachable devices, packet loss and circulating broadcasts. INSYS is working to present a solution by latest May 2023. - MRcard PL450: Dual-APN not working for Vodafone SIM-cards Release Notes icom OS 6.10 (03.04.2023) Important Notice - Please read before update: - Due to constrained supply chains for electronic components, a new microcontroller was designed in on some MRX MRcards. The firmware had to be adapted in order to support the new component. MRcards with the new component will only work with icom OS 6.1 or higher. If an MRcard is affected by this change, is listed on the offer, delivery note and bill. - The OpenVPN option "ns-cert-type" is deprecated: If you have enabled the configuration option "Check remote certificate type", please assure the new setting "remote-cert-tls" is compatible with your certificate PKI. Functional Updates: - LTE450 Dual-SIM: The second SIM card (Dual-SIM) is now supported for the MRX extension card "MRcard PL450". - OpenVPN: New configuration options available: "mssfix", "link-mtu" and "tun-mtu". - UI: ASCII files can be uploaded, renamed, deleted and activated. - libmicrohttpd update: Update to version 0.9.76 Bug fixes: - IT-Security: Closed tcp port 8888 that was open by default. See corresponding security advisory. - LTE450 Status: The state of inputs is correctly shown on the CLI. - Container: When the same number of containers is added as were deleted, all containers start without errors. - UI: Fixed some display errors. - UI: Certificates can be downloaded again. - UI: Fixed input validation for VPN-routes and DHCP-server settings in the wizard. - UI: When entering wrong username/password credentials the error message is displayed again. Known Issues: - RSTP: The Rapid Spanning Tree Protocol has a malfunction under various conditions. The results can be non reachable devices, packet loss and circulating broadcasts. INSYS is working to present a solution by latest May 2023. - MRcard PL450: Dual-APN not working for Vodafone SIM-cards Release Notes icom OS 6.9 (06.03.2023) Important Notice - Please read before update: - Due to constrained supply chains for electronic components, a new microcontroller was designed in on some MRX MRcards. The firmware had to be adapted in order to support the new component. MRcards with the new component will only work with icom OS 6.1 or higher. If an MRcard is affected by this change, is listed on the offer, delivery note and bill. - The OpenVPN option "ns-cert-type" is deprecated: If you have enabled the configuration option "Check remote certificate type", please assure the new setting "remote-cert-tls" is compatible with your certificate PKI. New Feature: - MRcard PL450: from this release on the new extension card MRcard PL450 for the MRX-Series is supported. The card is used to communication in LTE 450MHz networks that are being built especially for critical infrastructure. [More information on our website: https://www.insys-icom.com/en/lte450/] Functional Updates: - Events: a new event option HTTP request was added. It allows sending messages to HTTPs servers. (the HTTP request is unidirectional, requesting data from a server is not supported). - Log-Files: archive containing all available log-files and CLI-status can be downloaded. - MIRO: after a firmware update, all remaining unneeded firmware files are cleaned up to free up flash memory. - UI Dashboard: Default Gateway and used DNS-server are displayed in the status. - MIRO: when no cellular connection could be established, the MIRO is restarted less frequent (default: 10, 60, 120, 720, 1440 minutes). - OpenSSL update: update to version 1.1.1t. - isomorphic-dompurify update: update to version 0.26.0 - rambda: update to version 7.4.0 - unplugin-vue-components: update to version 0.22.12 - vue update: update to version 2.7.14 - vuetify update: update to version 2.6.14 - @fxts/core update: update to version 0.12.0 Bug fixes: - Container: fixed starting of containers under certain configuration changes - Dashboard: the IP Address of the LTE interface is correctly displayed in the dashboard widget. - Dashboard: fixed display errors in the WAN widget. - New UI: events can be configured again. - MIRO: SMS messages are limited to 140 characters and truncated if exceeding. - MIRO: accelerated device reboot when CLI over ssh is open. Known Issues: - RSTP: The Rapid Spanning Tree Protocol has a malfunction under various conditions. The results can be non reachable devices, packet loss and circulating broadcasts. INSYS is working to present a solution by latest May 2023. - MRcard PL450: Second SIM card not supported - MRcard PL450: Dual-APN not working for Vodafone SIM-cards - MRcard PL450: LTE takes up to 30 minutes to go online Release Notes icom OS 6.8 (07.02.2023) Important Notice - Please read before update: - Due to constrained supply chains for electronic components, a new microcontroller was designed in on some MRX MRcards. The firmware had to be adapted in order to support the new component. MRcards with the new component will only work with icom OS 6.1 or higher. If an MRcard is affected by this change, is listed on the offer, delivery note and bill. - The OpenVPN option "ns-cert-type" is deprecated: If you have enabled the configuration option "Check remote certificate type", please assure the new setting "remote-cert-tls" is compatible with your certificate PKI. Functional Updates: - UI: GRE interfaces are configurable - UI: Syslog client is configurable - UI: NTP server configuration added - UI: Analog inputs and outputs can be configured in the event and action handler - UI: New Dashboard widget added showing the status of digital and analog I/O - UI: The description of an event was added as new field to the event list - UI: The default language of the webinterface is chosen based on the current browser language - Auto-Update: Each individual update server can be restricted to only accept digitally signed update packets Bug fixes: - UI: Improved wording for some info messages - UI: Improved input sanitization for some text input fields - UI: Fixed wrong coloring of ethernet ports in the device image - UI: Status view of I/Os is not delayed anymore - WAN-Chain: Fixed error with WAN failover under some conditions - WAN-Groups: Fixed wrong assignment of interfaces to WAN-groups, when more than 10 WAN-groups are in use Known Issues: - RSTP: The Rapid Spanning Tree Protocol has a malfunction under various conditions. The results can be non reachable devices, packet loss and circulating broadcasts. INSYS is working to present a solution by latest May 2023. Release Notes icom OS 6.7 (23.12.2022) Important Notice - Please read before update: - When activating the update packet, icom OS could respond with a timeout and it looks like if the firmware was not applied. However the firmware is correctly activated and will be shown after a reboot. - Due to constrained supply chains for electronic components, a new microcontroller was designed in on some MRX MRcards. The firmware had to be adapted in order to support the new component. MRcards with the new component will only work with icom OS 6.1 or higher. If an MRcard is affected by this change, is listed on the offer, delivery note and bill. Functional Updates: - UI: SFP ports are configurable - UI: User - configuration option "Show passwords as hash in ASCII configurations and CLI". - UI: Log files, SNMP MIB and REST API documentation are downloadable - OEM branding: customer specific default configuration via whole profile or ASCII files possible (upon personal request - INSYS has to create a customized profile). Bug fixes: - Software watchdog: uncontrolled termination of running processes has been fixed - UI: Error message in case of missing authentication procedure is displayed again - UI: timeouts for saving and installing files (firmware, ASCII files, ...) have been increased - UI: LTE prefix delegations are shown and hidden correctly - UI: Wrong error messages for read or status users were removed - UI: Fixed incorrect display for user rights for read or status users Release Notes icom OS 6.6 (28.11.2022) Functional Updates: - UI Wizard: the wizard now supports all WAN technologiese. DSL, Fiber and WiFi added. - UI Welcome Page: Binary profiles and one or multiple ASCII configurations can be uploaded. - UI Welcome Page: added user authentication after a configuration profile is uploaded on the welcome page - Autoupdate Server: server URL can contain dynamic values through CLI-commands using $cli. Increased maximum number of characters to 1000 from 100. - SMS: maximum number of characters in the SMS body was increased to 5000 from 500. - REST API: OpenVPN client configuration files (.ovpn) can be directly imported - UI Wizard: in the startup wizard OpenVPN clients can be configured by importing client configuration files (.ovpn). Note: the file needs to include all needed certificates inline. Referencing imported certificates will follow soon. Bug fixes: - ICS Startup: missing firewall rules after reconfigure are added reliable - REST API: command "apply_without_activate" now also works for ASCII update packets Release Notes icom OS 6.5 (24.10.2022) Functional Updates: RESP API: added new endpoint '/status/device_features' UI: hostnames are allowed to contain underscores ('_') Bug fixes: PLS8 engine: the second LTE-interface is stopped correctly Release Notes icom OS 6.4 (23.09.2022) Important Notice - Please read before update: - When activating the update packet, icom OS could respond with a timeout and it looks like if the firmware was not applied. However the firmware is correctly activated and will be shown after a reboot. - Due to constrained supply chains for electronic components, a new microcontroller was designed in on some MRX MRcards. The firmware had to be adapted in order to support the new component. MRcards with the new component will only work with icom OS 6.1 or higher. If an MRcard is affected by this change, is listed on the offer, delivery note and bill. Functional Updates: - UI: WiFi configuration menu and dashboard status added - UI: DSL configuration menu and dashboard status added - UI: Added offset for prefix delegation on IP-networks - UI: Added prefix delegation for LTE interfaces - RADIUS: NAS-Identifier for RADIUS server is configurable - RADIUS: Alternative RADIUS server can be configured - UI Dashboard: Flash status of the device is displayed in the status dashboard. - Webserver: Replaced DH-group ffdhe2048 by ffdhe3072 - UI: Updated list of OpenSource packages used Bug fixes: - MIRO: Fixed first ethernet port not starting after a reboot - CLI: List of open source libraries is fully displayed - WiFi: Status of WiFi is correctly displayed in the dashboard Known Issues: - MIRO-L200: Autonegotiation disabled, Ethernet 100 full duplex is only working, when both participants are configured accordingly. - WAN chain: if a lifetime limitation for a WAN chain is configured, but no fallback WAN chain selected, the initial WAN chain is started instead Release Notes icom OS 6.3 (30.08.2022) Important Notice - Please read before update: - When activating the update packet, icom OS could respond with a timeout and it looks like if the firmware was not applied. However the firmware is correctly activated and will be shown after a reboot. - Due to constrained supply chains for electronic components, a new microcontroller was designed in on some MRX MRcards. The firmware had to be adapted in order to support the new component. MRcards with the new component will only work with icom OS 6.1 or higher. If an MRcard is affected by this change, is listed on the offer, delivery note and bill. - OpenVPN option "ns-cert-type" is deprecated: if you have the configuration option "check certificate type of remote terminal" active, please check if the new setting "remote-cert-tls" is compatible with your certificates PKI. Functional Updates: - UI: Wizard added for icom Data Suite quick installation. - UI: Configuration for DSL interfaces added. - UI: Not yet available configuration menus are marked as "in progress". - UI: Feedback button was added to the main menu. - Configuration: Moved the Next Hop Resolution Protocol (NHRP) to the routing submenu. - Events: Email subjects can contain dynamic values, in the form of CLI commands, as possible with e.g. MQTT - MIRO: Digital outputs can be pulsed with configurable duration and frequency. Bug fixes: - UI: Files can be uploaded that have a common filename as a previously deleted file. - Switching: Multiple ethernet interfaces on a single device can be connected to an icom OS router on multiple ports. Known Issues: - MIRO-L200: Autonegotiation disabled, Ethernet 100 full duplex is only working, when both participants are configured accordingly. - WAN chain: if a lifetime limitation for a WAN chain is configured, but no fallback WAN chain selected, the initial WAN chain is started instead. Release Notes icom OS 6.2 (01.08.2022) Important Notice - Please read before update: - When activating the update packet, icom OS could respond with a timeout and it looks like if the firmware was not applied. However the firmware is correctly activated and will be shown after a reboot. - Due to constrained supply chains for electronic components, a new microcontroller was designed in on some MRX MRcards. The firmware had to be adapted in order to support the new component. MRcards with the new component will only work with icom OS 6.1 or higher. - OpenVPN option "ns-cert-type" is deprecated: if you have the configuration option "check certificate type of remote terminal" active, please check if the new setting "remote-cert-tls" is compatible with your certificates PKI. Functional Updates: - UI: Wizard added for icom Data Suite quick installation. - UI: Log view now with autoscrolling. - UI: Increased contrast of text. Bugfixes: - ASCII-files: While parsing ASCII-files, commands failing are retried automatically to resolve dependencies. - Container: Containers restart correctly when the designator name changed. - UI: Ouput events are now configurable. Known Issues: - MIRO 2-ETH: Autonegotiation disabled, 100 full duplex only working when both participants are configured accordingly. - WAN chain: if a lifetime limitation for a WAN chain is configured, but no fallback WAN chain selected, the initial WAN chain is started instead. Release Notes icom OS 6.1 (01.07.2022) Important Notice - Please read before update: - When activating the update packet, icom OS could respond with a timeout and it looks like if the firmware was not applied. However the firmware is correctly activated and will be shown after a reboot. - Due to constrained supply chains for electronic components, a new microcontroller was designed in on some MRX MRcards. The firmware had to be adapted in order to support the new component. MRcards with the new component will only work with icom OS 6.1 or higher. - OpenVPN option "ns-cert-type" is deprecated: if you have the configuration option "check certificate type of remote terminal" active, please check if the new setting "remote-cert-tls" is compatible with your certificates PKI. New Features: - IT-Security: Introduced a routine that allows to securely decommission a router. The routine erases all data including secrets or sensitive data from the flash. Functional Updates: - IT-Security: Restricted available DHE Groups in OpenVPN to BSI TR-02102 recommended groups. - UI: Usage of signed update packets can be activated. - UI: Classical user interface can be deactivated. - UI: Hostname and device location are shown in browser address bar. - UI: Order of log entries can be reversed. - UI: Default containers can be created. - OpenVPN: Configuration option remote-cert-tls used instead of deprecated ns-cert-type - OpenVPN: Configuration option "Check certificate of remote terminal" also available for OpenVPN Servers. Bugfixes: - REST API: Fixed POST call for profile creation. Profiles are always created in the right folder. - Profil-Names: Profil names are not allowed to start with '.' anymore. - UI: Fixed size of device image in the step-by-step wizard and in the network configuration menu. Known Issues: - MIRO 2-ETH: Autonegotiation disabled, 100 full duplex only working when both participants are configured accordingly. - WAN chain: if a lifetime limitation for a WAN chain is configured, but no fallback WAN chain selected, the initial WAN chain is started instead. Release Notes icom OS 6.0 (01.06.2022) Important Notice - Please read before update: - When activating the update packet, icom OS could respond with a timeout and it looks like if the firmware was not applied. However the firmware is correctly activated and will be shown after a reboot. Functional Updates: - UI: added container management including licence mgmt. and status page widget - UI: added display of latest log files - UI: added DHCP relay configuration - UI: added local DNS server configuration - UI: added support for browsers older than 2018 release date, notice page is displayed - UI: ciphers of https-server restricted to TR-02102 compliant ciphers - GRE: IPv6 support added for local addresses and netmask - GRE: local IP-address can be dynamically adopted by existing interface - NHRP: NHRP can be used with GRE tunnels - OpenVPN: ciphers of OpenVPN control channel restricted to TR-02102 compliant ciphers - lighttpd update: updated to version1.4.64 - openssl update: update to version 1.1.1o - libmicrohttpd update: update to version 0.9.75 - libhttpserver update: update to latest version on branch master (commit acc3e6a3) - cURL update: update to version 7.83.1 - curl CA bundle update: update to version 2022-04-26 - timezone update: update to version 2022a - SQLite update: update to version 3.38.5 - frr added: added open source library frr at version 8.2.2 - pcre2 added: added open source library pcre2 at version 10.40 - libyang added: added open source library libyang at version 2.0.194 - json-c added: added open source library json-c version 0.16-20220414 Bugfixes: - Container download: downloading containers works again. - UI auth. error: error message "authentication error" on login page is only displayed on false login attempt. - Classic UI server error: internal server error fixed, when provider ID can't be matched a provider name. - Profile handling: profile activation is possible after 24 days without restart. - ASCII delete: deleting ASCII files in the permanend mode also works when a restart is performed in the volatile configuration mode. Known Issues: - MIRO 2-ETH: Autonegotiation disabled, 100 full duplex only working when both participants are configured accordingly. - WAN chain: if a lifetime limitation for a WAN chain is configured, but no fallback WAN chain selected, the initial WAN chain is started instead. Release Notes icom OS 5.8 (27.04.2022) Important Notice - Please read before update: - When activating the update packet, icom OS could respond with a timeout and it looks like if the firmware was not applied. However the firmware is correctly activated and will be shown after a reboot. Functional Updates: - UI: icom Router Management configuration was added as part of the step-by-step wizard. - UI: icom Router Management configuration is possible through profile import - UI: openVPN server routes are part of the step-by-step wizard - UI: import of password protected certificates added - UI: DHCPv6-server configuration added - Configuration profiles: transfer of profiles and ASCII files from volatile to permanent mode possible via classic web interface and REST API. Bugfixes: - Load: fixed CPU load fluctuation through status_apid - GRE: IPv4 routes are added correctly after GRE tunnle started - GRE: tunnles with optional GRE keys are working - UI: fixed display overlay of MIRO-L200 ports - UI: fixed spelling errors e.g. for WAN-widget and IKE-keys Known Issues: - MIRO 2-ETH: Autonegotiation disabled, 100 full duplex only working when both participants are configured accordingly. - WAN chain: if a lifetime limitation for a WAN chain is configured, but no fallback WAN chain selected, the initial WAN chain is started instead. - Profile activation: on devices running for more than 24 days without restart, profiles can not be activated until a restart is performed. Release Notes icom OS 5.7 (26.03.2022) Important Notice - Please read before update: - When activating the update packet, icom OS could respond with a timeout and it looks like if the firmware was not applied. However the firmware is correctly activated and will be shown after a reboot. New Features: - Volatile Profiles: a startup/running configuration pattern can be configured. Volatile profiles can be used if changes to profiles and ASCII configurations shall only be kept until the next restart. E.g. cryptographic keys are distributed to the device after startup, but shall not be stored permanently within a profile. - Prefix Delegation: up to five (5) prefixes can be delegated on IPv6 networks - UI: WAN-Redundancy/Fallback configurable through the startup wizard - UI: Time/Date configuration page added - UI: Support packets creation and download page added - UI: Hostnames configurable - UI: Update server for automatic updates configurable - UI: In the dropdown menu for cipher selection for OpenVPN and IPsec connections, a hint is shown if the respective cipher or hash is still commonly accepted as secure or if it shall not be used anymore. Functional Updates: - UI: Reoganization of the configuration menu - REST API: ASCII files can be applied through (upload/perform), without the need for "activate profile". - CLI: new function administration.profiles.copy= - OpenSSL update: updates openssl library to version 1.1.1.n Bugfixes: - MRO-L200 is no longer displayed as MRO-L210 - MIRO: incoming SMS are recognized and processed immediately w/o delay - Container: when containers are stopped all system resources are being released Known Issues: - MIRO 2-ETH: Autonegotiation disabled, 100 full duplex only working when both participants are configured accordingly. - WAN chain: if a lifetime limitation for a WAN chain is configured, but no fallback WAN chain selected, the initial WAN chain is started instead. - Profile activation: on devices running for more than 24 days without restart, profiles can not be activated until a restart is performed. Release Notes icom OS 5.6 (28.02.2022) Important Notice - Please read before update: - When activating the update packet, icom OS could respond with a timeout and it looks like if the firmware was not applied. However the firmware is correctly activated and will be shown after a reboot. New Features: - UI: SNMP configuration page added. - UI: Email coniguration page added. - UI: Debugging tools page added. - UI: Firmware settings page + firmware upload added. - UI: Reset page added. - UI: Webinterface and CLI configuration page added. Functional Updates: - SQlite update: Updated to version 3.37.2 Bugfixes: - Fixed issues with a large number of profile activiations that cloud lead to a profile corruption und some circumstance. Known Issues: - MIRO 2-ETH: Autonegotiation disabled, 100 full duplex only working when both participants are configured accordingly. Release Notes icom OS 5.5 (31.01.2022) Important Notice - Please CHECK before update: - The OpenVPN Client/Server will not support TLS 1.0 and TLS 1.1 anymore because it is outdated and should no longer be used. If any router fails to connect to your OpenVPN network/server, please check if the server is configured to use TLS1.0 or 1.1 and change it to either TLS1.2 or TLS1.3. - If you automated device configuration by using the REST API or by making some http/https CRUD requests from a script, it is possible that it will no longer work or no CSRF token is returned. There were changes to the REST API for the new UI. Adapt your script or routines accordingly. The REST API Swagger documentation is available in the router help or under https://docs.insys-icom.de/. New Features: - UI: user interface was introduced in it's first version and is now displayed as default. - UI: a landing page that is displayed on the first startup of a device was added. It offers different ways for device configuration. - UI: drag&drop upload of configuration profiles for fast track device commissioning was added. - UI Status-Dashboard: the status dashboard now displays live values from the device. - API: an MQTT API to stream live values was added. Functional Updates: - User Interface: the previous user interface is accessible through a link. - OpenVPN: removed support for TLSv1.0 and v1.1 from OpenVPN control channel. - OpenVPN: added new ciphers AES-128-GCM, AES-192-GCM, AES-256-GCM to the dropdown menu for selection. - OpenVPN: renamed all AES block ciphers - "AES 128 Bit" was renamed to "AES 128 Bit CBC" to be more precise. - MIRO: support for a second Ethernet port was added. - IPsec: VTIv6-interfaces are now supported. - IPv6: the offset for ipv6 prefix delegation is now configurable. - API: new api functionality - upload files including validation - API: new api functionality - dowload of certificates and ASCII configuration profiles - API: new api functionality - device reset and reset to default settings - API: new api functionality - delete and activate firmware - lighttpd update: Updated to version 1.4.63 - libmicrohttpd update: Updated to version 0.9.74 - iproute2 added: added iproute2 version 5.9.0 replaces busybox - PLS8 modem: usage of pdp-context 1/2 instead of 3/4 Bugfixes: - Fixed blinking LED: a power loss following a profile activation resulted in blinking LED after bootup. - Blinking Power LED: on reset to default settings the power LED is blinking. - MIRO - fixed link detection: the event "link of an Ethernet port has changed" is now available. - Router Mgtm certificate: when changing CA configuration for remote management, reconfigure failed. - MIRO: activated reverse path filter. Known Issues: - MIRO 2-ETH: Autonegotiation disabled, 100 full duplex only working when both participants are configured accordingly. Release Notes icom OS 5.4 (03.12.2021) Important Note: Due to the below mentioned changes to how CA certificates are trusted, please make sure that all CA certificates have the desire trust level after update. New Features: - MRcard PL World support: support of world variant of "MRcard PL" enabling the use of international cellular bands of the modem. Functional Updates: - CA Certificates: CA certificates are no longer trusted globally but can be select individually per application. This option is available for Remote Mgmt., update servers and Email. Configuration option to trust public CA's by default was removed. - Debugging access: A configurable debugging access through CLI was added. The access can be activated by the device admin and then used by authorized INSYS service technician for debugging purpose. - Firewall: Reverse path filters for IPv4 and IPv6 got activated adding additional security. - CA bundle Update: cURL-CA bundle updated to 2021-10-26. - Security hardening: Some internal changes were made that lift overall system security. Bugfixes: - PIC Status: Resolved issues with the PIC firmware being in undefined state after updates from icom OS versions smaller 5.0. MIRO missing features (under development): - Eth link change event - Missing log and SNMP information for OUTPUT firewall rule violation - Internal RTC (realtime clock) not synchronous after restart - PPPoE support - Support of IO pulses Release Notes icom OS 5.3 (22.10.2021) Important Information - icom Connectivity Suite (ICS) certificate expiration As of November 30st, the certificate used for the ICS initialization server will expire. Routers using the startup wizard will only be able to connect to the ICS when they are running the latest firmware - icom OS V5.3 or INSYS OS V2.12.21. Both releases already come with the new certificate preinstalled. New Features: - New UI - Startup Wizard: an easy to use step-by-step wizard for initial configuration was added. - Local DNS Server: a list of local DNS servers can be configured together with a corresponding domain. DNS requests that target an entry on the list, are forwarded and resolved by the corresponding DNS server. Functional Updates: - ICS certificate: New CA certificate for Connectivity Service Init-Server - New UI - timer configuration: configuring timers is now available on the new UI. - New UI - IPsec configuration: IPsec VPN connections can be configured on the new UI. - Container Storage: deleting container storages was added. - OpenVPN update: updated to version 2.5.3 - OpenSSL update: Updated to version 1.1.1.l - dnsmasq update: updated to version 2.86 Bugfixes: - SMS reception: stable reception of SMS was fixed for very long SMS. - Modem authentication: fixed username/password mismatch of SIM cards at LTE configuration. SIM cards that require username/password can be correctly configured again. - REST API: in the body of POST messages, "listuids" and "sublistuids" were removed and are not shown anymore. - REST API: access to lists in manually created profiles is working properly. Release Notes icom OS 5.2 (12.08.2021) New Features: - User Interface: initial release of the new user interface for all icom OS devices - Updating containers: new feature "container storage" allows updating individual resources within a container without having to upload the full container package Functional Updates: - REST API: the REST interface is now available via the same port as the webinterface - REST API: authorization uses bearer token after authentication via username/password or client certificates - REST API: changed the body of request and response messages - REST API: response to GET-reqests contains available parameters and respective types - https cipher suites: available tls ciphers of the webserver were restricted to the suggested set defined by the TR-02102 guideline of the BSI (German federal authority for cyber security) - MIRO kernel: the kernel for the MIRO router was updated to 3.18.140 - OpenSSL Update: Updated to version 1.1.1i - libmicrohttpd update: updated to version 0.9.73 - libhttpserver update: updated to version 0.18.2 - dropbear update: update to version 2020.81 - uthash update: update to version 2.3.0 Bugfixes: - Cli: fixed autocompletion for empty line and "." - Device node handling: Containers with /dev/* can be deleted again - Pulse detection: fixed pulse detection on inputs for larger number of pulses Release Notes icom OS 5.1 (17.06.2021) !!! Important Note !!! Once a major release to icom OS 5.0 is activated, it will not be possible to downgrade to older firmware versions. Please keep this in mind before doing the update! You can update to icom OS 4.6 before upgrading to the new major release. For more detailed explanation please visit: https://icom-os.releasenotes.io/ New Features: - MIRO support: the new MIRO router will be supported from this release on. The MIRO comes with 1xETH and LTE Cat. 1. Functional Updates: - Container: Configuration changes of a container, will only trigger a restart of the affected container. All other installed containers are not restarted. - IPsec: new option "UDP-encapsulation" encloses userdata always over UDP port 4500. - NTP: A secondary NTP server can be configured which is used when the synchronization with the primary server fails. - Log enhancement: The log adds an entry whenever a Binary or ASCII profile is downloaded from the webinterface or REST API. - WIFI: SSID-Scans can be triggered through manual actions returning a list of available networks. Bugfixes: - OpenVPN: OpenVPN proxy server fixed for tcp connections. - SMS dispatch: Failure of a single SMS dispatch through CLI does not lead to error messages for other independent SMS dispatches. Release Notes icom OS 5.0 (21.04.2021) Functional Updates: - Signed update packets: the firmware will only accept signed update packets from now on. - OpenSSL Update: Updated to version 1.1.1k Bugfixes: - SNMP-MIB: fixed flipped numbers and deleted duplicate OID - Web Interface: prevents that a user with the same user name can be created twice - Command Injection: closed command injection and privilege escalation possibility for users that are already logged in to the system (minor security relevance). MIRO currently missing features: - Eth link change event - Missing log and SNMP information for OUTPUT firewall rule violation - Internal RTC (realtime clock) not synchronous after restart - PPPoE support - IO pulse support Release Notes icom OS 4.6 (01.03.2021) Bugfixes: - OpenVPN compatibility: compatibility with OpenVPN versions of 2.3 or lower with Blowfish ciphers was restored. Release Notes icom OS 4.5 (24.02.2021) Important note: In order to prepare the advent of the MIRO router and improve the resilience of the operating system, a different file system technology was introduced. Henceforth the pSLC technology will be used in conjunction with NAND flash memory cells (SSD). This change reduces the freely available flash memory e.g. for container applications. Please have a look at the corresponding product change notification for further details: https://public.centerdevice.de/6655d532-d2ae-4ad3-a953-2452e05c78d1 Functional Updates: - OpenVPN IPv6: OpenVPN tunnel also possible over UDPv6 and TCPv6 - IPsec: New operation mode AES-GCM (Galois Counter Mode) for AES encryption - IPsec: New encryption method ChaCha20-Poly1305 - dnsmasq Update: Updated to version 2.83 due to several CVEs and "dnspooq" vulnerabilities - OpenVPN Update: Updated to version 2.5.0 due to multiple CVEs (see Security Advisories on INSYS icom website) - OpenSSL Update: Updated to version 1.1.1i - cURL Update: Updated to version 7.74.0 due to multiple CVEs (see Security Advisories on INSYS icom website) - Linux PAM Update: Updated to version 1.5.1 Bugfixes: - SMS dispatch: Message dispatch retrial after failure is active again - Web interface: Login delay after faulty login was fixed - SCR/ECR Modem: GPRS/AutoAttach is set if automatic provider selection is configured - Container hostname: The containers hostname equals the containers name again Release Notes icom OS 4.4 (17.12.2020) Functional Updates: - Web interface HTTPS default: Access to the web interface has been changed from HTTP to HTTPs as default protocol. HTTP has been disabled. HTTP is unencrypted and browsers are increasingly forcing HTTPS-only usage. - Web interface authentication: The former default login credentials (insys/icom) have been removed. The web interface is accessible without authentication in factory settings. During commissioning, an authentication method must be set up (username/password, certificates or RADIUS server). - Web interface cookies: the option "SameSite=Strict" will henceforth be set in session cookies for HTTP and HTTPS. - REST API: New operations are available for configuration profiles (create, delete, rename, enable, list). - Netfilter/Firewall: Netfilter rules can be configured with a port range to reduce manual creation of identical rules. - Web interface Container menu: A new main menu item "containers" allows quick access to installed containers and administration. - Container "/data/etc": The /data/etc path assigned to a container is no longer encrypted. This change is to be considered for the development of own containers. Bugfixes: - Email sending: sending to multiple recipients with gmx.de or web.de accounts has been fixed. - Status of SFP modules: Status display of link and speed for SFP modules (MRcard Fiber) shows the correct value. - DSL connection PPPoA: Failed connection setup with very long login credentials (username + password) fixed. - DynDNS: The provider "DuckDNS" is no longer functional and has been removed from the suggested list. Release Notes icom OS 4.3 (30.09.2020) New Features: - MRcard Fiber support: added WAN connectivity via fiber optics. New MRcard Fiber with 2x SFP-Port, 2x digital inputs. - Rapid Spanning Tree Protocol (RSTP): RSTP allows the configuration of ring topologies and prevents bridge loops that result in broadcast radiation. - REST API: the router can be configured and queried via REST API. Functional Updates: - Dedicated LUA log file: the command lua_log() can be used within a LUA script to write log entries into a dedicated LUA log file which is not used by other processes. - SIM configuration: Automatically assigned APNs are deleted when exchanging the SIM. - Status view mobile modem: The current LTE band ins use by the modem is displayed in the status. - Update CA bundle: cURL-CA bundle (07/22/20/20). Bugfixes: - WiFi status: the status view shows the correct MAC address of the WiFi access point. Release Notes icom OS 4.2 (July 08, 2020) Functional Updates: - VPN for China: the DNS name "ics-vpn.cn" is resolved through DNS over https - icom Data Suite Wizard: with icom Data Suite version 1.12 a testing period can be started without a production licence. The wizard does not ask for a production licence - Customized Webinterface: permanent branding with custom colors and icons was implemented. Branding is possible in projects only and requires a branding file Bug Fixes: - SMS: fixed error when sending an empty SMS - SMS: SMS text with double line breaks can be sent through the CLI - Container Export: user feedback added when container exports are aborted due to a timeout - Maximum Transmission Unit: input validation if MTU is within the range of 128-1500 Release Notes icom OS 4.1 (May 28, 2020) New Features: - SCEP protocol support: the SCEP (Simple Certificat Enrollement Protocol) enables central certificate management for field devices. SCEP requires a SCEP counterpart e.g. FORTINET Authenticator - MRcard IO support: Configuration of the newly available MRcard_IO with 4x digital input, 4x digital output, 3x analog input and 1x analog output enabled For analog on current or voltage, for digital on input or output Functional Updates: - New URL for standard update server: the address of the stored standard update server has been changed to "autoupdate.insys-tec.net - IPsec MTU configurable: the MTU (Maximum Transmit Unit) of a VTI (Virtual Tunnel Interface) for IPsec configurations is configurable - MTU visible in the status view: the set MTU of the interface is shown in the status view - Standard CA certificates are trusted: a set of public standard CA certificates (CA bundle from cURL) has been stored in the device and is therefore trusted. Services such as e-mail servers or update servers that use a public CA certificate are trusted. - Log entries can be sorted chronologically: the timestamp for log-entries is now written to milliseconds. Log entries thus have a unique chronological sequence - Display of maximum RAM for containers: in the container status, the maximum available RAM is displayed in addition to the used RAM - Updating the signal LED: the signal LED flashing frequency is only updated if the signal indicator of the modem has changed - http requests with user-agent field: for http(s) requests to a configured update server, the field "user-agent" is sent along with the request. Some web servers do not accept requests without the optional field user-agent Bug Fixes: - Connection termination in case of misconfiguration: no interruption of mobile connectivity due to a faulty SMS-reception-configuration - Modem restart at high data rate: the response timeout for AT commands has been increased so that the modem is not restarted unnecessarily at high data throughput - Deletion of all containers: the incorrect deletion of all installed containers when using the CLI command "destroy=" or deleting the configuration in httpd, on a container that does not (no longer) exist, has been fixed - Premature timeout for container export: the export of a container is not aborted before reaching the 30-minute timeout Maintenance: - Updated OpenSource package: btrfs-profs v5.2 - Updated OpenSource package: ppp v2.4.9 pre (2.4.8 including security patches) - Updated OpenSource package: util-linux 2.34 Release Notes icom OS 4.0 (23.10.2019) Functional Changes: Signed update packets: Validation of signed update packets. Firmware and update packets can be signed with a custom certificate and are validated by the firmware after upload. DynDNS: SPDYN added as additional DynDNS provider Message attachment: changed view of available files for attachments SNMP traps: name of the network interface available as additional information in case of netfilter violations OpenVPN: TLS crypt is configurable now CLI / ASCII: The number of entries to be added is now specified for downloaded ASCIIs. Is supported since version 2.6. IPsec: The netmask of the VTI interface can now be configured. Default setting is CIDR: /32 DHCP client: DHCP client requests use the host name of the router instead of the interface name from now on Startup wizard: The configuration for SCR/ECR routers resulting from the startup wizard was changed to improve the local availability upon execution Startup wizard: an information page about the changes made by the startup wizard was added System time: the production date of the router will be used for restoring a more accurate time Internal Functional Changes: OAM: the result of an update job will be stored persistent Bug Fixes: E-mail dispatch: reliability of the e-mail dispatch of attachments has been increased E-mail dispatch: failed DNS name resolution does not cause a loss of e-mail messages in the buffer WLAN (Wi-Fi) Access Point: WLAN (Wi-Fi) is also available as local interface if no WLAN (Wi-Fi) chain is active SCR/ECR: connection establishment has been made possible for selected providers by changing the preferred PDP context Cellular modem: the use of Israeli HOTM SIM cards is possible again Release Notes icom OS 3.7 (06.06.2019) !!! Important Note !!! Starting with version 3.7, the MD5 hash algorithm for OpenVPN certificates will not be used any more due to commonly known security vulnerabilities. If you use the MD5 hash procedure in your OpenVPN certificate infrastructure, an update may cause a PERMANENT CONNECTION LOSS of your devices. Please check therefore your PKI for the use of MD5 and change this to a modern algorithm such as SHA2. New Functions: WLAN Access Point: automatic channel selection IPsec: Encryption options extended by SHA-384 and SHA-512, as well as Diffie-Hellman groups 19-21 and 25-31 LTE/DSL: maximum wait time to establish connection in WAN chain configurable (previously fixed to 60 s) Events: Input state can also trigger an action upon system start DHCP client: reset of the IP address upon link loss of all assigned Ethernet ports System status: in case NTP synchronisation fails, time status falls back to "RTC" Sleep mode (SCR/ECR): following termination of sleep mode, time status will start with "RTC" Internal Changes: Update of security-critical system libraries Bug Fixes: WAN connection: an IP net will not be considered as online, if only empty IP address entries are existing Remote management: correct server response also for updates that take longer than 60 seconds Default reset: correct deletion also of larger container images Lua: sporadic messages "table 0x..." eliminated ECR-LW320 (Australian variant): correct start of the integrated cellular modem Release Notes icom OS 3.6 (27.03.2019) New Functions System details: new status value "time status" indicates the source for the last update of the system time Bug Fixes: Cellular connection: the cellular radio module will be restarted reliably in case of a faulty connection Serial Ethernet gateway: sporadic error fixed, which has prevented the use of the serial interface Use of private cellular APN: user name and password are used correctly for MRX LTE and MRO-L OAM: handling of faulty connection to OAM improved Lua: return values of debugging command are present again (e.g. PING) Release Notes icom OS 3.5 (01.03.2019) New Functions Remote management: Support of icom OAM Startup wizard: Internet connection via WLAN (Wi-Fi) option added Wizard “Additional Internet connection” extended by Internet connection via WLAN (Wi-Fi) WLAN (Wi-Fi) status: display of the available WLAN (Wi-Fi) access points (mode) New event: connection of WLAN (Wi-Fi) station to access point connected/disconcected Debugging: TCPdump via CLI can generate output in PCAP format VLAN: dispatch of VLAN tags can be configured individually for each network port Bug Fixes: SMS dispatch: quickly consecutive or simultaneously SMS will be dispatched SMS dispatch: SMS dispatch will be repeated up to 5 times in case of failure Web Interface: upload of large files (e.c: containers exceeding 100 MB) possible again Network: stability improvements when using Profinet communication Known Issue: ECR sleep mode: WLAN (Wi-Fi) AP does not accept client connections upon wake-up The use of sleep mode is not recommended in the latest version with active WLAN (Wi-Fi) access point. Release Notes icom OS 3.4 (20.12.2018) New Functions: IPsec: VPN tunnels to remote terminals possible IPsec: connections with IKEv1 and PSK in Aggressive Mode are available on server mode ECR: establishment of cellular connections using redundant SIM card ECR: WLAN (WiFi) in the modes Access Point and Station (client) Wizards: new wizard for easy installation of containers (or icom Data Suite) Default settings: active netfilter rule for connection to HTTPS auto update servers (up to now, the rule was pre-configured, but inactive) Bug Fixes: Automatic update: passwords using # are supported CLI and SNMP: correct display of status values as dynamic tables/lists (e.g. IP addresses) - lists will be reduced correctly, old values are deleted Known Issues: ECR sleep mode: no wake-up after set time from time to time with activated WLAN (Wi-Fi). The use of sleep mode is not recommended in the latest version with active WLAN (Wi-Fi). Release Notes icom OS 3.3 (09.11.2018) New Functions: IPsec: optional traffic limitation through the VPN tunnel to a protocol or a port DSL: support of DSL connections with PPPoA (requires DSL firmware from version "1.1.1_rel_vc", available via INSYS support) Status DSL: device manufacturer of the central office (Vendor ID) displayed in clear text Status DSL: indication of DSL Annex of the current connection (in addition to hardware Annex; requires DSL firmware from version "1.1.1_rel_vc", available via INSYS support) Update: detailed feedback when uploading or installing files (web interface and log entries) Remote Management: central administration of devices with icom OS prepared Bug Fixes: MRCard SI: LEDs indicate the status of the outputs correctly also following pulse sequences MRCard ES: error fixed that blocked ports 1-5 following link loss at port 4 Release Notes icom OS 3.2 (09.07.2018) New Functions: Web interface/CLI: new function for copying endless list entries (including sub-lists) SCR devices: sleep mode added, new event (sleep mode has been ended) and new action (start sleep mode) Reset indication: Power LED blinks with reset (reset: one-time off, reset to default settings: three-times off) DSL: new events added "sync reached" / "sync lost" DSL: new actions for turning DSL modems on/off added Passwords: user password configuration now also as hash value SHA512 (CLI + web interface + ASCII configurations) Passwords: optional output of user passwords via CLI + ASCII configurations as hash value SHA512 CLI/SNMP: used open source software packages incl. their licences can be displayed via CLI and SNMP agent Bug Fixes: WAN chains: PING connection check with interfaces in WAN chains with multiple interfaces work again Netfilter: connection tracking modules will be loaded automatically again (i.a. for port forwarding of PPTP and active FTP) MRX/MRO: Link status of Port 1.1 corrected Serial Ethernet gateway, connection status corrected SCR: Events upon restart corrected Known Issues: SCR: if sleep mode is enabled via IO, wake-up via IO does not work. Release Notes icom OS 3.1 (20.04.2018) New Functions: Web Interface: HTTPS-client-authentication with certificates including certificate revocation list Logging: dispatch of log messages to a remote log server (remote syslog) Serial Ethernet gateway: support of joint AT commands with user-defined answers Events/actions: a modem can be switched on and logged in (in addition to switch off and log out) WAN chains: optional simultaneous deactivation of all WAN chains Internal clock: separate manual time setting and NTP synchronisation including indication of running NTP synchronisation Bug Fixes: Spectre security vulnerability: remedies for known threats (Spectre v1 and v2) Quick start LAN to LAN: correct generation of the DHCP firewall rule (was missing before for LTE devices) CLI: frequency band configuration enabled DHCP client: correct function also for IP networks with configuration as local network Serial Ethernet gateway: improved behaviour on connection start (in particular with several serial connections) Modem status: outdated status information of the modems will not be shown any more Release Notes icom OS 3.0 (20.02.2018) New Functions: Messages: event-dependent information about firewall violation available (e.g. source/target IPs, ports, protocols, MAC) SNMP traps: event-dependent additional information will also be sent Web Interface: protection against cross site scripting (XSS) by replacing characters (e.g. <, >, #, ") with respective HTML escape codes Web Interface: protection against cross site request forgery (CSRF) Status: display of the first MAC address in system details Internal clock: new time zones for Australia and India (deviating from hourly steps: UTC + 5:30/8:45/9:30/10:30) CLI: command ascii_list added CLI: require() command added to LUA (allows to load other LUA files) SmartBox container: tmpfs with 100 MByte available, mount command cannot be executed any more, further changes in icom OS 3.0 change notification if required SmartBox container: new action container restart available as manual action and in event system SmartBox container: second network interface available SmartBox containers: default gateway configurable Internal functional change: update of all OSS packets and the tool chain used Bug Fixes: LTE devices: correct display of the online status even if provider does not send a DNS server CLI: timeout for AT command in CLI increased to 2 minutes CLI: command net3.ip_address[] is functional again CLI: correct status of a digital input also directly upon change (before, "1" or "0" has been output for a short time instead of "high" or "low") CLI: SMS dispatch via CLI with 2G without false error messages (before, error messages may have occurred upon successful dispatch) Release Notes icom OS 2.8 (10.10.2017) New Functions: Dynamic routing: Support of OSPF, BGP, RIP, RIPv2, RIPng VPN: Support of DMVPN GRE: Multi-point connections possible by specifying a GRE key IPv6: DHCPv6 server, DHCPv6 client with prefix delegation option (interfaces net, DSL, LTE, PPPoE) IPv6: Router advertiser added and SLAAC (interfaces net and DSL) DHCP relay: for IPv4 and IPv6 Netfilters: IP version selection for IP rules (IPv4, IPv6, both) LTE devices: simultaneous establishment of two PDP contexts (use of 2 APNs) CLI: availability of the following event-dependent information: for login at web interface and CLI: login name and remote host for incoming SMS: sender, text and cellular interface for Ethernet link change: Ethernet port and new status for all events: triggering event (number and name) Messages: Inserting of CLI request values in e-mail and SMS messages (incl. event-dependent information), syntax: $cli() DSL wizard: guided setup of an Internet access for MRX DSL / MRcard DSL Web interface: optimised representation of parameters with much selection options (much faster) DSL log: temperature value description added MRO-L210: AT&T mode support Bug Fixes: SSH login: event triggering also possible with unknown user name Timer: repeated triggering of daily and hourly timer possible E-mail: e-mail dispatch error fixed SMS dispatch: sporadic error fixed; dispatch directly upon SMS receipt was concerned MRX DSL / MRcard DSL: optimised startup upon firmware update, input and supply status available for CLI and SNMP CLI Lua mode: print for UDS socket (for container) fixed Release Notes icom OS 2.7 (03.08.2017) New Functions: Status indication: red "INFO" LED is blinking during reset or reset to default settings Designation in the web interface: product name change from "INSYS Connectivity Service" to "icom Connectivity Suite - VPN" Bug Fixes: Configuration SMS: correction of faulty SMS parameter of icom OS 2.6, concerns CLI, ASCII configuration files, access from container (the "BEGIN" and "END" sequences are missing in icom OS 2.6 and thus possible line breaks) E-mail dispatch: SMTP authentication with MD5 HMAC fixed Release Notes icom OS 2.6 (27.07.2017) New Functions: IP networks: PPPoE as new mode (in addition to LAN and WAN) IP networks: timeout for online state of networks without static IP address with DHCP client (automatically offline after 60 seconds without address assignment) Events/actions: new counter function (can be incremented or decremented by events) SMS: configurable SMS encoding either max. 140 characters standard or max. 70 non-GSM characters (dispatch and receipt) PPTP: PPTP server added Startup wizard: new wizard for Internet connection via DSL (if a DSL card is inserted in slot 2) FW update: firmware update for DSL modem added FW update: FW downgrade limited to avoid incompatibilities (depending on device type and hardware combinations) Auto update: client authentication for auto update Auto update: configurable function of auto update cache Device access: security improvement for access via web interface CLI: at_command added to debug tools CLI: multiple adding of endless list entries possible with specification of number (".add=100") CLI: deleting of all endless list entries speeded up Web Interface: menu page display speeded up (particularly relevant for endless lists) Container: display of IPv4 and IPv6 addresses of the containers in the System details menu Bug Fixes: DHCP server: limitation for fix MAC-IP assignments removed (only 5 per server have been possible so far) CLI: auto-complete of help.debug.tool works again CLI: firmware version in device status with two digits (identical to web interface) LTE devices: improved startup behaviour MRO-L2x0: status display of the serial Ethernet gateway fixed Release Notes icom OS 2.5 (03.05.2017) New Functions: VLAN: VLAN tags available VLAN: optional assignment of ports to different VLANs Network debugging: port mirroring available as new function Digital outputs: pulse sequence as new action, configurable pulse number and duration, optional different pulse sequences Timer: new option of the countdown timer suppresses restart with repeated trigger event (allows for example defined timer upon first event, restart only possible upon expiry) Server configuration (e.g. OpenVPN peer, RADIUS): extended to IPv6 addresses (up to now only domain names or IPv4 addresses) Cellular radio indication: detailed indication of the reception quality, incl. graphics DSL: DSL function support (when using the DSL plug-in card MRcard PD) SmartBox container: new applet cli-cmd (allows CLI access to router configuration from container) SmartBox container: new option for describing the container content using a link to a file SmartBox container: the mcip-tool is now Open Source (can be used as reference implementation if adaptation is necessary) Web interface general: more clarity using multiple selection checkboxes Bug Fixes: Connection monitoring: LTE modem restart improved (concerns MRO and MRX without additional MRcards) Ethernet ports: Autonegotiation corrected SMS dispatch: reliable SMS dispatch upon restart SMS dispatch: also allows phone numbers exceeding 15 characters ASCII configuration files: ASCII files that do not start with an assignment (list add) will now also be accepted under profiles WAN chain status display using INFO LED: correct extinction of the LED with expiry of the WAN chain CLI: auto-complete also works for SMS recipients (when configuring a message) CLI: auto-complete also after deleting "." behind "]" CLI: all values within a section will also be output if a command is transmitted along with the SSH call Netfilters: rules within a network are not necessary any more (e.g. FORWARD net2 to net2) Domain name configuration: improper entry of IPv4 addresses will now be detected and excluded when entering domain names Limitations: SMS dispatch: SMS with more than 70 characters will not be sent with icom OS 2.5. If more than 70 characters are necessary, please continue to use icom OS 2.4. Auto update: when using several auto update servers, an automated activation of the new firmware is not ensured, Workaround by temporary limitation to one server or manual activation of the firmware. Release Notes icom OS 2.4 (08.02.2017) New Functions: Serial Ethernet gateway: Setting of maximum connect time, configurable CONNECT message, DTR signal configurable (setting automatically with TCP connection) Configuration update: ASCII files in update packets can be executed when uploading via the web interface (necessary line: administration.profiles.activate) Configuration update: Upload of the ASCII configuration is also taking over list entries with changed order (e.g. "wan2" before "wan1") MCIP tool: new command "set-output" Administration: Text of "OK" buttons replaced by description of the actual activity (e.g. "Save settings") SmartBox: Container console log will be cycled/archived automatically Bug Fixes: MAC filter: Editing the broadcast MAC enabled Ethernet port status: optimised link indication Release Notes icom OS 2.3 (01.12.2016) New Functions: External ADSL modems: PPPoE support SmartBox containers: optional forwarding of incoming events from an SMS or from digital inputs as MCIP broadcast to all containers SmartBox containers: uploading licences and assigning them to a container MCIP tool: extended by receipt and dispatch of SMS and input events CLI: output of all values below a section in tree structure (only individual values or complete was possible so far) CLI: auto-complete now also added for some special functions Event incoming SMS: successful filtering of phone number or text regardless of subsequent characters (certain mobile phones add blanks automatically for example) Host name: default setting changed from "MRX" to "icom" Bug Fixes: Sporadic memory leaks fixed (occurred when using SNMP agent and certain events) Status display VPN: configured refresh interval is also used for OpenVPN and IPsec status Release Notes icom OS 2.2 (29.09.2016) New Functions: SNMP: SNMP agent for querying status information Netfilters: addition of MAC filters CLI: querying status information now possible CLI: optional access to router configuration from individual SmartBox containers without authentication Actions: manual triggering of actions possible without event in menu "Help/Debugging" and via CLI Plausibility check: Netfilter rule check extended by compliance with router functions and services SmartBox: new tool for sending and receiving MCIP telegrams in containers (automatic provision with new containers) Web Interface: Change of the path information in the browser (section names) Profile management: acknowledgement request when deleting a profile Bugfixes icom: Container: view and download of the log files of the container console enabled Release Notes icom OS 2.1 (01.07.2016) New Functions: WAN wizard: guided set-up of another Internet access, e.g. for redundancy operation Digital inputs: detection of input pulses via new event “detected pulses” (allows configurable signalling by external devices) Command Line Interface: displaying and reading out log files General user settings: configuration of the default values for language, number of log entries and update intervals of the website in menu item Administration -> Web interface Auto update: default settings for server address and protocol (HTTPS) changed Plausibility check: another access via web interface in menu item Help -> Wizards (in addition to the symbol in the header) Bug Fixes: - Release Notes icom OS 2.0 (03.05.2016) New Functions: Smartbox: new container function for apps and customer-specific implementations (Linux environment for own scripts and programs) DynDNS: provider selfhost.de added https access: limitation to defined ciphers for reasons of security, RC4 excluded Certificates/keys (a.o. for VPN, https): an irreversible download block can be configured if required Events/actions: dispatch and receipt of MCIP messages Reset to default settings: now possible to select which content is to be deleted - profiles, ASCII files, logs, smartbox content, auto update cache Auto update: cache will not be deleted automatically upon auto update via web interface Bugfixes icom: Clock setting: time zone direction corrected (had wrong sign compared to GMT)