Upgrade to v24

Breaking changes

HTTP Proxy

The transparent HTTP proxy (squid) has been removed. It intercepted ports 80, 8080 and 58080 and was useful as a caching proxy in the past. As there are hardly any unencrypted HTTP websites left, the only remaining purpose of the proxy was the redirect to the login page. This is now done natively by the firewall, which redirects offline traffic on port 80 to the local web server that serves the login page.

DNS behaviour

Due to the new DNS service (see own section below) there are two breaking changes regarding DNS behaviour:

  • If two DNS servers are specified
    • Up to (incl.) v21: the fastest DNS server was chosen
    • Since v24: queries are distributed randomly over both servers. If one server is down, the remaining server is used and the failed one is probed until it comes back. Distributing the queries also helps to avoid the rate limits some public DNS servers impose.
  • If a domain does not exist (upstream DNS returned NXDOMAIN)
    • Up to (incl.) v21: the Surf-LAN IP was returned
    • Since v24: NXDOMAIN is returned. If apps depend on the old behaviour, it can be switched on again in the Surf-LAN DNS settings.

DNS Filter behaviour

  • Up to (incl.) v21 a filtered domain resolved to the Surf-LAN IP address
  • Since v24 we send the “null IP” 0.0.0.0, because, unlike an NXDOMAIN answer, this stops some clients from trying other DNS servers
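The following Python model, added here as an illustration and not code from the IACBOX product, puts the three DNS behaviour changes above (random upstream distribution with down-detection and probing, NXDOMAIN passthrough with the optional legacy Surf-LAN IP answer, and 0.0.0.0 for filtered domains) into one policy object. It sends no real queries; the upstream answers are passed in, and the Surf-LAN address, upstream resolver addresses and filter entries are constructed sample values.

```python
import random
from dataclasses import dataclass

# Constructed sample values for the demonstration; the real IACBOX addresses,
# upstream resolvers and filter entries are not taken from the release notes.
SURF_LAN_IP = "192.0.2.1"       # placeholder for the Surf-LAN interface address
NULL_IP = "0.0.0.0"             # "null IP" answer for filtered domains since v24
NXDOMAIN = None                 # an NXDOMAIN answer (upstream or to the client) is modelled as None
FILTER_LIST = {"ads.example.net", "tracker.example.org"}  # constructed filter entries


@dataclass
class Upstream:
    address: str
    healthy: bool = True


class ResolverPolicy:
    """Models the v24 upstream selection and answer rewriting rules; it does not send real queries."""

    def __init__(self, upstreams, legacy_nxdomain=False, seed=None):
        self.upstreams = [Upstream(a) for a in upstreams]
        # Surf-LAN DNS setting that restores the pre-v24 behaviour (NXDOMAIN -> Surf-LAN IP)
        self.legacy_nxdomain = legacy_nxdomain
        self.rng = random.Random(seed)

    def pick_upstream(self):
        """Random distribution over the healthy servers instead of 'fastest server wins'."""
        healthy = [u for u in self.upstreams if u.healthy]
        if not healthy:
            raise RuntimeError("no healthy upstream DNS server")
        return self.rng.choice(healthy).address

    def mark_down(self, address):
        """Take a failed server out of rotation; the remaining server carries all queries."""
        for u in self.upstreams:
            if u.address == address:
                u.healthy = False

    def probe(self, address, answered):
        """Periodic probe of a downed server; it rejoins the rotation once it answers again."""
        for u in self.upstreams:
            if u.address == address and answered:
                u.healthy = True

    def distribution(self, queries):
        """Count how many of `queries` picks each upstream receives."""
        counts = {u.address: 0 for u in self.upstreams}
        for _ in range(queries):
            counts[self.pick_upstream()] += 1
        return counts

    def answer(self, name, upstream_answer):
        """Rewrite the upstream answer for the client.

        Filtered domains get 0.0.0.0 (not NXDOMAIN, which makes some clients try other
        resolvers); a genuine NXDOMAIN is passed through unless the legacy setting is on.
        """
        if name.lower().rstrip(".") in FILTER_LIST:
            return NULL_IP
        if upstream_answer is NXDOMAIN:
            return SURF_LAN_IP if self.legacy_nxdomain else NXDOMAIN
        return upstream_answer


if __name__ == "__main__":
    # RFC 5737 documentation addresses stand in for the two configured upstreams
    policy = ResolverPolicy(["198.51.100.53", "203.0.113.53"], seed=1)
    print(policy.distribution(1000))          # roughly half of the queries per server
    policy.mark_down("203.0.113.53")
    print(policy.distribution(10))            # all queries go to the remaining server
    policy.probe("203.0.113.53", answered=True)
    print(policy.distribution(10))            # both servers back in rotation
    print(policy.answer("ads.example.net", "203.0.113.5"), policy.answer("missing.example", NXDOMAIN))
```

The `legacy_nxdomain` flag corresponds to the Surf-LAN DNS setting mentioned above; leaving it off gives the v24 default of a real NXDOMAIN, which is what well-behaved clients and resolvers expect.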

DHCP behaviour

Due to the new kea DHCP server there are some breaking changes regarding DHCP behaviour:

  • The new kea DHCP server no longer supports the always-broadcast setting. It forced the server to send every DHCP response as a broadcast and served as a workaround for buggy DHCP clients.
  • The current kea DHCP implementation supports most DHCP options. For a list of available options please refer to our List of available DHCP Options.
  • Additional DHCP ranges have been removed, as this feature was rarely used and added a lot of complexity. Since v24 supports one IP range per VLAN, this can replace additional ranges in some of the use cases they were used for. Removing ranges is still supported, as this feature was widely used.
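To make the "one IP range per VLAN" model concrete, here is an added Python example (not IACBOX code) that turns a per-VLAN plan into the Kea `Dhcp4`/`subnet4` structure and validates it before it would be written to a Kea configuration file. The Kea keys used (`subnet4`, `id`, `subnet`, `interface`, `pools`, `pool`, `user-context`) are Kea's own; the VLAN ids, interface names, subnets and ranges are constructed sample values, and `BAD_PLAN` is a deliberately faulty plan that shows what the validator catches.

```python
import ipaddress
import json

# Constructed per-VLAN plan: VLAN ids, interfaces, subnets and ranges are sample values.
# One DHCP range per VLAN, as v24 allows.
VLAN_PLAN = [
    {"vlan": 10, "interface": "eth1.10", "subnet": "10.10.10.0/24",
     "range": ("10.10.10.100", "10.10.10.200")},
    {"vlan": 20, "interface": "eth1.20", "subnet": "10.10.20.0/24",
     "range": ("10.10.20.50", "10.10.20.250")},
]

# Constructed faulty plan: VLAN 30's range leaves its subnet, VLAN 40's subnet overlaps VLAN 30's.
BAD_PLAN = [
    {"vlan": 30, "interface": "eth1.30", "subnet": "10.10.30.0/24",
     "range": ("10.10.30.10", "10.10.31.20")},
    {"vlan": 40, "interface": "eth1.40", "subnet": "10.10.30.0/23",
     "range": ("10.10.30.100", "10.10.30.200")},
]


def build_kea_subnets(plan):
    """Translate the plan into Kea's Dhcp4/subnet4 structure."""
    subnets = []
    for idx, entry in enumerate(plan, start=1):
        lo, hi = entry["range"]
        subnets.append({
            "id": idx,
            "subnet": entry["subnet"],
            "interface": entry["interface"],          # Kea serves this subnet on the VLAN interface
            "pools": [{"pool": f"{lo} - {hi}"}],        # exactly one pool per VLAN
            "user-context": {"vlan": entry["vlan"]},    # free-form annotation Kea stores but ignores
        })
    return {"Dhcp4": {"subnet4": subnets}}


def validate_kea_subnets(config):
    """Return a list of problems: more than one pool, reversed pool, pool leaving the subnet,
    pool covering the network or broadcast address, overlapping subnets."""
    problems = []
    seen = []
    for s in config["Dhcp4"]["subnet4"]:
        net = ipaddress.ip_network(s["subnet"], strict=True)
        if len(s["pools"]) != 1:
            problems.append(f"{net}: expected exactly one pool, got {len(s['pools'])}")
        for p in s["pools"]:
            lo_text, hi_text = (part.strip() for part in p["pool"].split("-"))
            lo, hi = ipaddress.ip_address(lo_text), ipaddress.ip_address(hi_text)
            if lo > hi:
                problems.append(f"{net}: pool start {lo} is after pool end {hi}")
            elif lo not in net or hi not in net:
                problems.append(f"{net}: pool {lo}-{hi} is not inside the subnet")
            elif lo == net.network_address or hi == net.broadcast_address:
                problems.append(f"{net}: pool must not include the network or broadcast address")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
        seen.append(net)
    return problems


if __name__ == "__main__":
    config = build_kea_subnets(VLAN_PLAN)
    print(json.dumps(config, indent=2))           # what would go into the kea-dhcp4 configuration
    print("problems:", validate_kea_subnets(config))
    print("problems in BAD_PLAN:", validate_kea_subnets(build_kea_subnets(BAD_PLAN)))
```

Validating before reload matters because Kea rejects an inconsistent subnet definition at startup, and a DHCP server that fails to come up takes every VLAN offline at once.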

Batch Access API

Because the transparent HTTP proxy (squid) has been removed, some Batch Access API calls had to change.
For Connection Tracking calls, the download parameter no longer accepts the “proxy” value. The “conntrack” value is unchanged and is now the only way to download connection tracking data.

SMTP Proxy

The SMTP proxy has been removed, as the need for it disappeared long ago. Intercepting encrypted SMTP connections does not work, and nowadays only encrypted connections should be in use anyway. Dropping SMTP connections only on TCP port 25 has not been a reliable way to block mail traffic for quite some time. Application control should be used for such tasks.

Version schema

The IACBOX version now follows the semantic versioning principles (major.minor.patch), followed by an optional build number. So the initial v24 release will have the number 24.0.0, the first patch level update 24.0.1 and the first minor release with new or updated features 24.1.0.

New Features

Partial backup restore

Because backups are also used to carry settings from one system to another or to a new system, a partial restore has been added. It restores a backup without the user data (GDPR-relevant PII) and just restores the system configuration. Optionally, the network settings can be skipped as well if they differ on the target system.

The uplink can now be routed without NAT, which makes the client's source IP address visible upstream. Because of high demand this was already backported to v21. In combination with the new IP-range-per-VLAN feature, it finally makes it possible to distinguish different user groups upstream.

WebAdmin

Dashboard

The main dashboard now allows a free layout: all available widgets can be placed anywhere on the dashboard. All monitoring widgets have been reworked with a new charting library for smoother and faster rendering.

Two factor login (2FA)

WebAdmin accounts can now optionally be secured with a two-factor (2FA) login. Right now only TOTP (a 6-digit code valid for 30 seconds) is supported, but additional methods will follow.

Renewed features

DHCP Server

The default Linux DHCP server, dhcpd by ISC, is end-of-life and we had to migrate to its successor kea. While working on this huge task, we managed to introduce a long-awaited feature: separate IP ranges per VLAN.

DNS Service

The old DNS service, consisting of three components (DNS resolving, DNS filter, custom DNS responses), was replaced by one customized DNS service that does all of this in one place. DNS caching was extended and will improve performance for the second and subsequent requests for the same domain. The new service also prepares upcoming support for encrypted DNS protocols like DoH (DNS over HTTP2) and DoT (DNS over TLS).

DNS Filter

The DNS filter and its categories were completely reworked. Many outdated and underused categories have been removed to simplify the filter settings. The DNS filter lists are now updated on a weekly schedule.

Updated features

Linux base system

Our own Frozentux Linux OS was updated to run the current LTS (long-term support) Linux kernel 6.6. Besides this, many tools have been upgraded to the latest supported versions; important examples are OpenSSL 3.1, PHP 8.2 and Postgres 15.

Core daemons

Some core components have been fully rewritten for better code quality, testability and performance (better concurrency behaviour).

Licensing

  • The dependency on the MAC address was removed in exchange for a stricter, online license check.
  • If the same license is running multiple times, this leads to warnings in WebAdmin and on my.iacbox and, after some time, to a shutdown.

Terminal

  • The terminal login prompt shows the licensing information, which makes it easier to find the registration number for support cases.

iacbox.cloud integration

v24 will bring a basic iacbox.cloud integration:

  • Remote access to the WebAdmin of every connected system (like Central Services, which will be replaced by iacbox.cloud)
  • Cloud backup (fully automated, GDPR-compliant backup without any additional configuration)
  • Dashboard showing all connected systems with basic status information and users online

Over the coming months, more features will follow in these categories:

  • Centralized management (Batch Jobs)
  • Monitoring and alerting

Changed Defaults

TLS security level

For new v24 setups the minimum defaults are:

  • WebAdmin web server: TLS 1.2, secure ciphers only
  • Login page web server: TLS 1.2, all ciphers
    • If you experience issues with very old clients (like e-book readers), set this to TLS 1.0

Deprecations

These features will be removed with the next major version (they are still present in v24.0):

Login-API

The Login-API was introduced 10 years ago in version 5.0 and is slowly reaching its end-of-life. It originally targeted the use case of external login pages but, as the “local Login-API”, became a flexible solution for customizations on the IACBOX itself.

Since the new login page introduced with v21, these customizations can be done without the Login-API. Many customers have already migrated successfully to the default login page and benefit from the updated login methods and all the new features that are constantly added to it.

Still a Login-API user?

Don’t worry, just get in touch with us (support@iacbox.com): we can help you migrate your old Login-API code to login page themes (for custom styling) and login page extensions (for custom logic).

Central Services

Central Services is now deprecated and will be replaced by iacbox.cloud by the end of 2025, as it offers the remote management feature and much more.