Lew

Administrators

Everything posted by Lew

  1. - Four new web site categories have been added:
       - Self harm (in Mature Content)
       - Generative AI (in Research and Information)
       - DNS Over HTTPS (in Technical and Other)
       - Low THC Cannabis Products (in Research and Information)
     - Usage and activity graphs can now view up to a week's worth of data, as well as real time. The Live tab shows the last 10 minutes. The donut graph updates in real time to show observed and blocked content. The Week tab shows the previous week in a bar chart, as well as the last 24 hours in a line chart and donut graph. Drill down on activity by selecting a day from the bar chart and an hour from the line chart.
     - Preferred Internet, which you can apply at any level of the device hierarchy. When multiple Internet connections are available, the associated device(s) will "prefer" the specified Internet connection, even if it's not primary. If that Internet connection is unavailable, then the next most preferred Internet connection will be selected. When you have multiple Internet connections, some devices such as media players and Smart TVs may need to use a particular carrier, in which case, this new feature makes that possible.
     - Authorized networks allows devices to cross from one LAN segment to another. By default, this is prohibited; Island keeps LANs completely isolated from each other. But sometimes it's useful to allow certain trusted devices to be able to cross over and access another segment.
     - Effective VPNs is an addition to the previously released "effective filters", where the chain of inheritance can be seen. In this case, it allows you to understand why a particular device or user is granted access to a VPN.
     - Tours now allows selecting a default/home Island that will be chosen whenever the app starts. If no home Island is selected, then a menu of all available Islands will be shown. The previous behavior of connecting to the last Island that was used is no longer available.
     - Country blocking has been added. Country filters can be created where you add a new filter and applied to any level of the device hierarchy.
     - Incognito can be applied to any level of the device hierarchy, and suppresses logging of activity. It can be selected for "Show Blocks", in which case blocked sites will be logged but not "accessed" sites, or it can be set to "Hide All", in which case no history logging for the associated device(s) will occur.

     Additional firmware changes:
     - cli: "ip route default" now allows abbreviating the word "default".
     - cli: "ip address ?" help changed to show only "/bits" notation, i.e., that specifying a netmask is no longer allowed.
     - cli: fixed preservation of /32 and /128 static routes.
     - removed blocking of RFC 1918 and RFC 4193 addresses because this prevents browsing to the modem in some cases.
     - history: fixed filtering on port numbers to work properly.
     - fixed new devices to use "New devices" filter.
     - auto-configurator has improved Internet presence detection.
     - added country code support.
     - kernel network stack is now completely isolated on its own internal virtual network.
     - new packet processor rescue algorithm, as a consequence of isolated kernel stack. If the packet engine fails to run, the prior version is executed, and if it also fails, an automatic rollback occurs.
     - DHCP leases with a 60-second lease time are now accepted if option 125 is present or the subnet mask is smaller than /24. This is due to Verizon 5G routers in passthrough mode now offering a 60-second lease. Such short leases were previously rejected due to TP-Link mesh Wi-Fi products becoming rogue DHCP servers when unable to acquire an IP address, and offering 60-second leases.
     - additional performance improvements and latency reduction.
     - additional URL categories: Self-Harm, DNS Over HTTPS, Low-THC Cannabis Products, and Generative AI.
     - country determination and blocking.
     - DNS DoH falls back to recursive if there is a connectivity failure. This also resolves certificate verification when the clock is severely inaccurate (e.g., on start-up with a depleted battery).
     - remove our own IP addresses when an interface is deleted. (This prevents ever-increasing IPv6 link-local addresses from being created on dynamic interfaces like VPNs).
     - fixed SmartSwap to work properly if it takes more than five seconds to obtain an IP address from the existing DHCP server.
     - cli: automatically generated interface IP addresses now show as "auto".
     - cli: now skips reverse DNS lookup when accepting a connection, to improve performance.
     - the maximum number of DHCP reservations has been increased from 64 to 1024.
     - cli: "show history" added 'cat', 'catAllow', and 'catDeny' filters as well as binary testing of categories.
     - cli: when timezone is changed, system logger is restarted with the new timezone.
     - cli: setting a DHCP reservation for an existing MAC removes the existing reservation before setting the new one.
     - if a firmware update requires a reboot, the app server is now notified after the reboot instead of before.

     Additional app changes:
     - Added preferred Internet to devices, users, groups
     - Added authorized networks to devices, users, groups
     - Added effective VPNs to devices, users, groups
     - Changed serial number to be selectable for copy in About
     - Fixed display update of pause/unpause in device, user, and group view
     - Fixed New devices occasionally incorrectly reporting that protection is disabled
     - Added highlight of selected sort type on the device list
     - Added default Island (Island home) to Tours
     - Added display of current Island to Tours with indicator
     - Changed Tours search indicator to always be visible
     - Changed app to attempt to connect to Island home if selected, Tours otherwise
     - Fixed web app to start when there is no Internet
     - Added "select all" to the device lists
     - Added ability to view, disable and remove devices to receive notifications (Tap 'Devices to notify' in the notifications settings menu)
     - Fixed crash when opening Island Express settings
     - Added sort when multiple Islands discovered (IPv4 address, serial number)
     - Fixed startup login to display invalid login message and allow reentry
     - Added Category and Country Filters
     - Added Incognito selector to device/user/group
     - Hostnames are now split onto a separate tab in Category Filters, with blocks and allows in separate sections
     - Filter select now shows the combination of categories, hostnames and countries based on selection and inheritance
     - Donut charts now hide content if an incognito filter is applied
     - Fixed Activity chart from rebuilding on any change for an unidentified device
     - Fixed hostnames from not being copied from an existing filter
     - Added display of inherited (effective) schedule events
     - Added persistent option for inherited schedules
     - Added remove filter option to menu on filter edit page
     - Added color inheritance indicators to the device lists
     - Fixed missing interface gateways on interfaces
     - Fixed startup fail following Island initialization
     - Fixed port forward to Island with "Local" error
     - Added new and replacement installation instructions
     - Added relative dates (Today/Yesterday) for day/hour selection on activity chart
     - Added a section header on donut view that displays what day/hour selection was made on the activity chart
  2. Yes, that's exactly what you should do. Let us know if you have any trouble with it.
  3. Yep, we agree that would be a great feature and we've been looking into it for a while. Thanks for the feedback!
  4. That's a good idea, Les. The information is already there (VPNs are interfaces, after all), so we just need to provide a way to show it.
  5. Sure, that's no problem. We'll increase it to 1024 in the next release. It's really just a configuration limit; the DHCP server itself has no limit. Thanks for the feedback!
  6. It's essentially integrated and mostly non-configurable. This includes the "Island Protection" filter, which, by default, is applied to all devices and provides dynamic protection against various types of malware, phishing, etc.
  7. The 1.3.2 release contains a short-term solution for the following problem: If an Island is left powered off for more than approximately 45 days, the internal battery, which maintains the time clock, will be depleted, and the next time it's powered up, the time clock will be incorrect (typically many years in the past). This prevents the DNS-over-HTTPS resolver from functioning because the server certificate is not considered valid based on the local time clock. Because DNS resolution cannot occur, the NTP protocol is unable to find a time server in order to update the clock, so the situation is unable to resolve itself. The overall perception will be a lack of Internet connectivity. This firmware release resolves this problem by ignoring the "not before" time in the server's certificate. While this is not optimal, it provides temporary relief until the next release, when a more permanent fix will be provided. In the meantime, if Island gets into this condition, you can correct it by using the app to change the DNS method to "recursive". The time clock should update within a few seconds, and you can change it back to DNS-over-HTTPS if desired.
  8. Sure, I think we'll be publishing a white paper about that. btw it looks like the original reply didn't happen because you got flagged as a possible troll. If you don't mind, please e-mail me at ptsupport@perftech.com and we'll get that resolved. Sorry about that, we just want to make sure resources are directed properly.
  9. I apologize, I wrote a long reply to this last month, but apparently it didn't get it posted. The net of it, though, is that a router like Island doesn't benefit from those types of queue management techniques because it passes packets so quickly that there's never an internal queue, and there is no buffer bloat. We can discuss further if you like, but I wanted to apologize directly for the prior lack of response.
  10. Hi, Ed. You can do that, although of course, like everything in Island, it's by device, not by IP address. You can schedule an Internet "pause" so that it lasts whatever amount of time you want and can even be recurring.
  11. That usually works ok. Are the switches using static IPs or DHCP? Did you change the numbering scheme when switching over? You could try rebooting the switches in that case. Of course, they're supposed to adapt automatically, but not all devices are implemented properly.
  12. You can delete it. We can still check the logs later.
  13. I think "red" normally means that you have no Internet at all, and "yellow" means it's merely degraded. So the fact that you got anything at all must mean the Internet wasn't totally out. But Island looks at several different factors to determine the quality of the Internet connection, including whether the ISP's gateway is responding as well as whether a common public service (CloudFlare) responds to pings, for both IPv4 and IPv6. We plan on enhancing that display so you can tap on the exclamation and see exactly why it's being presented.
  14. Hi, Steve. Yes, Island does automatic VLAN detection and configuration, and there is no routing between networks by default. However, in automatic mode, VLAN detection is disabled on an Internet-facing interface, so this could've happened only if the interface wasn't connected to the Internet at the time the VLAN was detected. We could look through the logs to be sure. It is curious, though, that it happened at all. Other than that, it seems like you could safely delete the VLAN interface.
  15. I don't think there's anything secret or PII about serial numbers, but if you want to keep it private, then you can open a support ticket and we can continue the discussion that way.
  16. Sure. Can you please provide your Island serial number so we can verify which code release chain you're on? Thanks!
  17. - block routing of RFC 1918 and RFC 4193 destination addresses to the Internet.
      - notify DDNS immediately when a multi-WAN Internet connection is removed.
      - removed fixed allocation of VPNs, so they follow the maximum number of interfaces (currently 1024).
      - corrected VPN code not to corrupt packets and to retry outbound connections under certain rare conditions.
  18. There's always something new! We're working on the next round of features as we speak. And people seem to like it, so that's all good. Thanks for asking!
  19. App version 1.11.1:
      - Added ability to delay the start or extend the end of a scheduled event
      - Added scheduled event notifications for the start and end of a scheduled event
      - Added pop-up for schedule notifications
      - Added notation of backup Internet interfaces on the Network page
      - Added notice of suspended event to scheduled event list for devices, users, groups
      - Added DeviceInfoCard, which displays all device details, settings and aliases in a single Card.
      - Added default gateways to internet facing interfaces
      - Updated interfaces on network view. Shows IPv4/IPv6 and default gateways. Text is now selectable and interfaces/VLANs are laid out in a row on bigger screens
      - Updated controls for adding DHCP reservations, port forwards, UPnP, VLANs, Events, and VPNs
      - Fixed sort of Island hop names
      - Fixed sort of scheduled events
      - Fixed hostname sorting to sort by Domain order.
      - Fixed display of IPs on DHCP reservation list
      - Fixed device MACs not showing on UPnP list
      - Fixed a sizing issue when the calendar was extended and help enabled
      - Fixed an issue where events weren't properly displaying their state of suspend/resume
      - Fixed an issue when adding an event would navigate out of the calendar
      - Event state (suspend/resume) now represented as a Toggle Switch
      - Removed additional icons shown in geek mode on dashboards to simplify view
      - Icon picker now highlights current choice and has confirmation
      - Relocated button to copy Island public key from VPN page to VPN peer create/edit

      Firmware version 1.3:
      - When an interface IP address is changed, any DHCP reservations or port-forwards that were in the previous block are changed automatically to the new prefix.
      - When the app sets an interface IP address, the state is changed to static, so it becomes sticky and is no longer treated as a dynamic address.
      - All future firmware updates are encrypted and signed.
      - CLI "update" with no other parameters will install the latest automatic update for the system.
      - If a static IP address is set or removed, and the DHCP client is running, then the DHCP client gets bounced so as to return to INIT state.
      - CLI sorts interface names with consideration for numeric portions (e.g., vlan100 now comes after vlan2).
      - CLI now normalizes interface names, e.g., "vlan00001" becomes "vlan1".
      - ssh login by users other than admin or user is disallowed.
      - Added DuckDuckGo safesearch support.
      - If an interface changes its primary/backup state, existing sessions that shouldn't use that interface are rerouted immediately.
      - Miscellaneous certificates and databases are now updated on boot-up and every night at midnight.
      - When an IPv6 router announcement expires, the associated prefixes are now removed.
      - Improved removing dynamic IPv6 addresses and routes when an interface goes down.
      - If an IPv6 prefix is deleted and an interface is using it, the address is no longer reset to /128.
      - Disallow setting static IPv6 default route when the interface has a dynamic address.
      - Ensure that DHCPv6 client is enabled in all expected cases.
      - An Internet-facing interface no longer enables DHCP server. This could've happened if we had IPv6 connectivity but not IPv4.
      - Corrected private IP test to use 172.16.0.0/12 rather than the previous incorrect 172.12.0.0/12.
      - Improved remote access when there are multiple Internet connections.
      - Wireguard dynamic protocol removes automatically-added routes when the VPN goes down.
      - VLAN interfaces now add their multicast addresses to their parent hardware.
      - Accept DHCP reply packets when we already have a different IP address and a default route on another interface (e.g., a default-route VPN).
      - If we lose our IPv6 default gateway, then we bounce both DHCPv6 client and Router Solicitation to destroy the address and gateway and restart.
  20. We're actually doing one tonight! We'll post the notes shortly.
  21. It's possible, but in order to do that sort of thing on a router or network device, we'd have to be able to decrypt the encrypted streams, which requires installing (and maintaining) special certificates on the individual devices. Thus far, we've chosen not to go that route because it doesn't fit our target markets all that well. But it's certainly something to keep in mind for the future.
  22. Interesting idea. What did you have in mind, exactly?
  23. There will be, but we haven't finished it yet. Generally speaking, it's very Cisco-like and you can use "?" anywhere on a command line to find out more, so that will hopefully get you started. Or just let us know if there's anything in particular you're looking for.
  24. No, it should be working properly, so we'd like to troubleshoot. I apologize for not seeing this message earlier. Perhaps we can get together tomorrow?
  25. That's supposed to be the purpose of "geek mode" in the UI. If you want simple, turn off geek mode, and if you want more detail, then turn it on. What area(s) are you thinking will cause confusion?