Upgrade to v24

Breaking changes

HTTP Proxy

The transparent HTTP Proxy (squid) was removed. It intercepted ports 80, 8080, and 58080 and was useful as a caching proxy in the past. As hardly any websites are still served over unencrypted HTTP, the only remaining purpose of the proxy was the redirect to the login page. This task is now done natively by the firewall, which redirects traffic from not-yet-logged-in (offline) clients on port 80 to the local web server that serves the login page.

DNS behaviour

Due to the new DNS service (see own section below), there are two breaking changes regarding DNS behaviour:

  • If two DNS servers are specified:
    • Up to (incl.) v21: the fastest DNS server was chosen.
    • Since v24: queries are distributed randomly over both servers. If one server is down, the remaining server is used and the failed one is probed periodically to check whether it is back. Distributing the queries also helps to stay below the rate limits some public DNS servers enforce.
  • If a domain did not exist (upstream DNS returned NXDOMAIN):
    • Up to (incl.) v21: the Surf-LAN IP was returned.
    • Since v24: NXDOMAIN is returned. If the old behaviour is still desired because apps depend on it, the old behaviour can be switched on again in the Surf-LAN DNS settings.

DNS Filter behaviour

  • Up to (incl.) v21, a filtered domain resolved to the Surf-LAN IP address.
  • Since v24, we send a success return code (NOERROR) with the “null IP” 0.0.0.0, as this stops some clients from trying other DNS servers, which they do when they receive NXDOMAIN.

DHCP behaviour

Due to the new Kea DHCP server, there are some breaking changes regarding DHCP behaviour:

  • The new Kea DHCP no longer supports the setting always-broadcast. This setting forced the DHCP server to always send the DHCP response as broadcast which provided a way to work around buggy DHCP clients.
  • The current Kea DHCP implementation supports most DHCP options. For a list of available options please refer to our List of available DHCP Options.
  • Additional DHCP ranges have been removed, as this feature was rarely used and added a lot of complexity. However, since v24 supports one IP range per VLAN, this can replace additional ranges in some of the use cases they were used for in the past. Removing (excluding) ranges is still supported, as this feature was widely used.

Batch Access API

Due to the transparent HTTP Proxy (squid) having been removed, some changes to Batch Access API calls had to be made.
For Connection Tracking calls, the download parameter no longer has the “proxy” value. The “conntrack” remains the same and is the only way to download connection tracking data.

SMTP Proxy

The SMTP proxy was removed, as the need for such a proxy disappeared a long time ago. Intercepting encrypted SMTP connections does not work, and nowadays there should only be encrypted connections. Dropping SMTP connections on TCP port 25 alone has not been a reliable way to block mail traffic for quite some time now. Application control should be used for such tasks.

Version schema

The IACBOX version now follows the semantic versioning principles of major.minor.patch, followed by an optional build number. So the initial v24 release will have the number 24.0.0, the first patch level update 24.0.1, and the first minor release with new/updated features 24.1.0.

LinkedIn

LinkedIn deprecated the Sign In with LinkedIn authentication method in favor of Sign In with LinkedIn using OpenID Connect. If users of the LinkedIn Social Login haven’t done so already, they need to update their authentication method in the LinkedIn developer console. No changes are required in IACBOX itself.

New Features

Partial backup restore

Because backups are also used to bring settings from one system to another system, a partial restore has been added. This allows you to restore a backup without user data (GDPR-relevant PII data) and just restore the system configuration. Optionally, the network settings can be ignored as well.

The uplink can now be routed without NAT, which makes it possible to see the source IP address of the client in the upstream. Because of high demand, this was already backported to v21. In combination with the new IP-Range-per-VLAN feature, this finally makes it possible to distinguish different user groups in the upstream.

WebAdmin

Dashboard

The main Dashboard allows a free layout now. All available widgets can be placed anywhere on the dashboard. All the monitoring widgets have been reworked with a new charting library for smoother and faster rendering.

Two factor login (2FA)

WebAdmin accounts can now optionally be secured with a two-factor (2FA) login. Right now only TOTP (a 6-digit code valid for 30 seconds) is supported, but additional methods will follow.

Overhauled features

DHCP Server

The default Linux DHCP server, ISC dhcpd, is end-of-life and we had to migrate to its successor Kea. While working on this huge task, we managed to introduce a long-awaited feature: separate IP ranges per VLAN. In combination with deactivated NAT on the uplink, this finally makes different user groups visible in the upstream by selecting/filtering certain IP subnets.

DNS Service

The old DNS services consisting of 3 components (DNS resolving, DNS filter, custom DNS responses) were replaced by one customized DNS service that does all of that in one place. The DNS caching was extended and will lead to better performance. This new service is also preparing upcoming support for encrypted DNS protocols like DoH (DNS over HTTP2) and DoT (DNS over TLS).

DNS Filter

The DNS filter and its categories were completely reworked. Many outdated and underused categories have been removed to simplify the filter settings. The DNS filter lists are now updated on a weekly schedule. In addition, filtered answers now carry the Extended DNS Error code 17 (“Filtered”) defined in RFC 8914.
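To verify the DNS behaviour changes described in this document (NXDOMAIN instead of the Surf-LAN IP for non-existent names, the 0.0.0.0 “null IP” answer for filtered names, and the RFC 8914 Extended DNS Error code 17 on filtered answers), here is an added example, not IACBOX code, that parses a raw DNS response and classifies it. It uses only the Python standard library; the Surf-LAN address `192.0.2.1` is a constructed placeholder, and the sample responses are built by `build_response`, not captured traffic. `probe` sends a live query to a resolver of your choice and is the part you would run against the Surf-LAN resolver.

```python
import socket
import struct

SURF_LAN_IP = "192.0.2.1"  # constructed placeholder; the real value is per installation
EDNS_OPT_RR = 41           # OPT pseudo-RR type
EDE_OPTION_CODE = 15       # Extended DNS Error option code (RFC 8914)
EDE_FILTERED = 17          # EDE INFO-CODE "Filtered" (RFC 8914)


def encode_name(name):
    """Encode a dotted name into DNS label format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer into an earlier part of the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_response(name, rcode=0, ip=None, ede_code=None, ede_text="", txid=0x1234):
    """Build a constructed response to an A query (test fixture, not captured traffic)."""
    flags = 0x8180 | (rcode & 0xF)  # QR, RD, RA set; rcode in the low nibble
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if ip else 0, 0, 1 if ede_code is not None else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)  # question: type A, class IN
    if ip:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    if ede_code is not None:
        text = ede_text.encode("utf-8")
        option = struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(text), ede_code) + text
        # OPT RR: root name, type 41, UDP payload size in the class field, flags in the TTL field
        msg += b"\x00" + struct.pack("!HHIH", EDNS_OPT_RR, 1232, 0, len(option)) + option
    return msg


def classify(msg):
    """Parse a response and decide which of the documented behaviours it shows."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off, ips, ede = flags & 0xF, 12, [], None
    for _ in range(qd):  # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
        elif rtype == EDNS_OPT_RR:  # walk the EDNS options looking for an EDE
            o = 0
            while o + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[o:o + 4])
                if code == EDE_OPTION_CODE and olen >= 2:
                    info = struct.unpack("!H", rdata[o + 4:o + 6])[0]
                    ede = (info, rdata[o + 6:o + 4 + olen].decode("utf-8", "replace"))
                o += 4 + olen
    if rcode == 3:
        verdict = "nxdomain"            # v24 default for non-existent names
    elif rcode == 0 and ips == ["0.0.0.0"]:
        verdict = "filtered-null-ip"    # v24 DNS filter answer
    elif rcode == 0 and SURF_LAN_IP in ips:
        verdict = "legacy-surf-lan-ip"  # pre-v24 behaviour, or the optional compatibility setting
    elif rcode == 0 and ips:
        verdict = "resolved"
    else:
        verdict = "other"
    return {"rcode": rcode, "ips": ips, "ede": ede, "verdict": verdict}


def build_query(name, txid=0x1234):
    """Minimal A query with an empty EDNS0 OPT record so the resolver may attach an EDE."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    return msg + b"\x00" + struct.pack("!HHIH", EDNS_OPT_RR, 1232, 0, 0)


def probe(server, name, timeout=2.0):
    """Query a live resolver over UDP and classify its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(data)
```

Running `probe("<surf-lan-resolver>", "some-filtered.example")` on a v24 system should yield the verdict `filtered-null-ip` with `ede == (17, ...)`, while a non-existent name yields `nxdomain` unless the legacy Surf-LAN IP answer has been re-enabled in the Surf-LAN DNS settings; `classify(build_response(...))` reproduces all four cases offline.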

Updated features

Linux base system

Our own Frozentux Linux OS was updated to run the current LTS (long-term support) Linux kernel 6.6. Besides this, many tools have been upgraded to the latest supported versions; important examples are OpenSSL 3.1, PHP 8.2, Go 1.23 and Postgres 15.

Core daemons

Some core components have been fully rewritten for better code quality, testability, and performance (in particular better concurrency behaviour).

Licensing

  • The dependency on the MAC address was removed in exchange for a stricter online license check.
  • If the same license runs multiple times, this will lead to warnings in WebAdmin and on my.iacbox. After some time, all affected systems will shut down to avoid license abuse.

Terminal

  • The terminal login prompt shows the licensing information which makes it easier to find out the registration number for support cases.

iacbox.cloud integration

v24 will bring a basic iacbox.cloud integration:

  • Remote access to any WebAdmin of all connected systems (like Central Services which will be replaced by iacbox.cloud)
  • Cloud backup (fully automated GDPR-compliant backup without any additional configuration)
  • Dashboard showing all connected systems with basic status information and users online

Over the coming months, more features will follow in these categories:

  • Centralized management (Batch Jobs)
  • Monitoring and alerting

Changed Defaults

TLS security level

The new minimum defaults are:

  • WebAdmin web server: “TLS 1.2 secure only”
  • Login Page web server: “TLS 1.2 all ciphers”
    • If you’re experiencing TLS issues with very old clients (like e-book readers), set this to TLS 1.0
  • The TLS settings are changed automatically when upgrading, as TLS 1.0 is really outdated now.

Default DNS server

To ease setting up a new system, two GDPR-compliant EU DNS servers are set by default. Our advice remains the same: use your ISP’s DNS servers for production use.

Deprecations

These features will be removed with the next major version (they are still present in v24.0).

Login-API

The Login-API was introduced 10 years ago in Version 5.0 and slowly reaches its end-of-life. It first targeted the use-case of external login pages but became a flexible solution for customizations on the IACBOX itself as “local Login-API”.

Since the new login page was introduced with v21, we can do these customizations now without the Login-API. Many customers migrated already successfully to the default login page and benefit from the updated login methods and all new features that are constantly added to the login page.

Please note that some changes to the main.conf were made, so make sure that yours is up to date. The changes only affect External-Login-API users.

Still a Login-API user?

Don’t worry and get in touch with us (support@iacbox.com) - we can help you migrate your old Login-API code to login page themes (for custom styling) and login page extensions (for custom logic).

Central Services

Central Services is now deprecated and will be replaced by iacbox.cloud by the end of 2025, as it offers the remote management feature and much more.

Default Password

The default password for fresh setups will be removed soon. It will be replaced by a randomly generated password shown on the login screen, so only administrators with “physical” access to the system or access to the VM management console can really see it.