NAT rules with port ranges: NAT rules (SNAT, DNAT, or port forwarding) with different port ranges for destination and NAT ports are accepted and correctly created (Known Issue since 8.4)

Forwarding filter rules: If multiple input and output interfaces are specified, all combinations are created as individual rules (Known issue since 8.5)

EST: Retrieved CA certificates can be used for other TLS services (i.e. autoupdate, e-mail) directly after enrolment

Autoupdate: Special characters in $cli() - placeholder answers are correctly escaped in HTTP endpoint

MIRO-L110 and MIRO-L210: Clock is correctly initialized via cellular network

LTE: IPv6 Support for Mobile Connections

On MIRO, SCR, and ECR devices, mobile connections now support IPv6 and Dual-Stack (IPv4/IPv6) connections, depending on the SIM card.

Note: Devices configured as IPv6-Only with the new firmware will not be able to connect via IPv4 after a downgrade unless a factory reset is performed.

LTE: Scan for available cellular providers

The device can now scan for all available mobile providers and technologies. The scan can be triggered manually via the UI or automatically based on events. A follow-up action can be executed after completion.

Results are displayed in the UI. On MRX LTE450 and MIRO L-230, frequency bands and signal values are also shown.

Note: The scan may take several minutes. If the device is connected via mobile network, it will be offline during the scan. 

Known Issue: In the UI, the correct RSRP/RSRQ values are displayed for 4G cells, but they are incorrectly labeled as RSCP/RSRQ.

Messages: In addition to existing placeholders, the device now supports $rest(/status/XYZ), which is replaced with the corresponding JSON output from the device's REST API when the message is sent

Example:
$rest(/status/sysdetail/system)
returns

{
 "status": {
 "unique": {
 "location": "My location",
 "date": "2025-03-12 10:28:57",
 "uptime": "2 h 23 min ",
 "load": "0.04 0.06 0.07",
 "ram": "373796 kByte free",
 "hash": "BC590282",
 "mac": "00:05:B6:03:1B:EC",
 "remote_management": "active, offline",
 ...
 }
 }
}

Dashboard: new widgets and content of dialogs added

• DSL dialog
• Container dialog
• Input/output dialog
• WLAN widget and dialog
• Network widget is expanable
• Design, layout and other minor improvements

icom Router Management: Router tries to connect to iRM every time the wan chain is online to speed up iRM connect time

IPv6: IPv6-Addresses for LTE connections are displayed in status

SNMP: Company name of enterprise MIB changed to "INSYS icom GmbH" (enterprise OID 34081 remains unchanged)

Linux kernel: Linux kernel patched (fixes CVE-2024-50302)

axios OSS package update: updated to version 1.8.2

Firewall: Rules with identical start and end port are not ignored (bug introduced in 8.4)

SCR/ECR: Fixed LTE connection if PPP uses same local and remote IP address

SCR/ECR: Fixed LTE connection in case the provider does not set the PDP context

LTE: Handling of some error messages from modem improved (results in quicker connection reestablishment, depending on error)

WAN-Status: Status values are correctly reset when WAN chain goes offline

UI: Usability issues with navigation in collapsed mode are resolved

UI: IPv6-Adresses can be configured for routing and firewall rules

MIRO-L230: Flash status is available as status value

LTE Status: LTE status values are longer preserved in case new values can currently not be retrieved

CLI: Result of SMS sending is returned properly

Debugging: Manual AT commands are correctly answered regardless of upper or lower case

UI: new Dashboard with all status information and direct links to the configuration

Logging: all log messages now contain a severity

Syslog: message format can be selected and now support RFC 5424 and RFC 3164

Syslog: severity level can be selected to adjust the amount of sent syslog messages

Status: routing table in CLI and REST shows IPv6 routes (not only IPv4)

Debugging: timeout for AT commands increased to support longer running AT commands

IPsec: modified tunnel establishment to support broken setups with some specific cisco setups

Firewall: whitespaces in configuration options no longer causes rules to not load

Firewall: missing 'protocol' field falls back to 'all'

Firewall: skip rules with invalid port range

SFP/Fiber: fixed issue for certain scenarios which include VLAN Trunks on SFP/Fiber

LTE: fixed issue to register to network with some specific SIM cards

IPsec: up to 20 additional IPsec SAs can be used for each IPsec tunnel to tunnel different subnets

DynDNS: providers Duck DNS and dynv6 available

New UI: configuration page for MCIP (events) available

HTTPS: certificate based client authentication is not disabled, if expired device individual certificate is used as HTTPS certificate

LTE450: if two data channels are active, routes are set correctly

LTE: if network registration is not successful within 12 hours, the modem is restartet

LTE: reduced extensive log messages if PIN is needed but not provided

Profile Activation: suppressed false error log message about unavailable Parameters on profile activation

OpenVPN: terminate UDP tunnels with explicit-exit-notify

Firewall: Added protocol OSPF to be selected for Firewall, SNAT and DNAT rules

curl OSS package update: updated to version 8.11.0 (fixes CVE-2024-2398)

dnsmasq OSS package update: updated to version 2.90 (fixes CVE-2023-28450)

mosquitto OSS package update: updated to version 2.0.20 (fixes CVE-2023-28366 and CVE-2024-8376)

curl CA bundle OSS package update: updated to version 2024-09-24

metalog OSS package update: updated to version 20230719

axios OSS package update: updated to version 1.7.7

File Upload: Fixed detection of file type for uploads via REST API or new UI

SMS sending and reception: improved reliability of SMS sending and reception

Classic UI: prevent webserver crash if special characters are used for IP net descriptions

Status values: show correct uptime of IP net with multiple static IP addresses

IP networks: colours of the ip networks (for device graphics) are now configurable

Container: Static information about the device (i.e. serial number, firmware version) is available in the container at /devices/device_info.json

RSTP: works on trunk ports

MRX LTE: Connection is stable if MTU of LTE interface is lower than 1500 and packets through a VPN tunnel exceed the MTU

Container: network interfaces bridged to a container can be IPv6 only

Container: container still starts if bridged network is deleted from the config

Fiber/Ethernet: SFP slots and ethernet ports on MRcards ES are reliably initialised on start

PPPoE: ip networks in PPPoE mode work again, if ip network list is altered

Now up to 100 IP networks configurable:

With icom OS 8.0 the previous limitation to 5 ip networks was resolved. Up to 100 IP networks can now be created. Also additional DHCP servers (IPv4 and IPv6) can be added.

To ensure downward and upward compatibility, the firmware behaves as follows

• on update to 8.0 (or higher) all active networks of the previous 5 ip networks will be transferred into the new list of ip network
• on downdate to a firmware lower than 8.0, the ip networks with name "net1" to "net5" are transformed into the old networks
• even though the syntax of the cli changes for the new ip networks, old ascii configurations will still be interpreted correctly
• binary profiles will be converted into the new ip network list on import

Caution:

• Binary profiles created with firmware 8.0 or higher will lead to unspecified behavior, when imported into firmware lower than 8.0
• ascii configurations created with firmware 8.0 or higher will not result in the expected configuration, when imported into firmware lower than 8.0

OpenSSL OSS package update: updated to version 3.1.7

OpenVPN OSS package update: updated to version 2.6.12 (fixes CVE-2023-46849 and CVE-2023-46850)

pam_radius OSS package update: updated to version 3.0.0 (fixes CVE-2024-3596)

REST-API-Documentation: OpenAPI documentation was not valid according to the OpenAPI specification

classic UI: increased some timeouts (for firmware activation and reset) to prevent false error messages

dropbear OSS package update: updated to version 2024.85 (fixes CVE-2023-48795)

ECR-LW300 1.1: sending SMS through GSM supports special characters

MRcards: fixed sporadic communication issues between MRcards

Signed and encrypted update packages: empty private keys (like the placeholder key) do not cause decrypting of additionally encrypted update packages to fail

UI: after import of icom Router Management start configuration the profile activate can be clicked again

UI: Upload of more complex configurations (i.e. including Containers, Container-Data, multiple stored ASCIIs) on the welcome page are correctly applied

Classic UI: fixed some Javascript errors which resulted in not correctly hidden config options

User Interface Language: language support added for French, Italian, Spanish and Chinese.

Device metrics: multiple device metrics are now continuously calculated and available for analytics:

- Counter of boot processes since production
- Counter of boot processes since reset
- Operating hours counter
- Online counter since production
- Online counter since reset
- Online counter since last boot process
- Timestamp of last successfull online connection

The new metrics are displayed in the webinterface or can be read through CLI or REST API.

New Ping Event: a Ping check (icmp) is now available as event and action in the Event/Action toolbox. Multiple configuration parameters available: number of retries, timeouts and state change.

New DNS Event: a DNS check is now available as event and action in the Event/Action toolbox.

New UI: configuration page for I/Os (input/output) available.

New UI: non functional optical changes: max width set to 1920px, navigation changed to 'single column navigation'.

LTE450: update of cellular engine firmware is possible for MRcard LTE450.

icom Router Management: server certficate can be verfied using OCSP-stapling.

Auto-Update: server certficate can be verfied using OCSP-stapling.

IPsec: certificate revocation policy is now configurable for OCSP or CRL (cert. revocation list).

EST protocol: If the server certificate check fails, the CA certificates are retrieved without a server check and a new trustchain is created.

Modem State Machine: internal changes to the modem state machine fixes multiple support cases in relation with cellular connectivity.

Package loss: Packages with special sizes are sent reliably with certain SIM cards (e.g. mdex). Products affected: MRX3 LTE 1.1, MRX5 LTE 1.1, MRX2 LTES 1.0, MRcard PL 1.0

Connection stability: cellular connection remains stable also for packets with certain fragmentation. Products affected: MRX3 LTE 1.2, MRX5 LTE 1.2, MRX2 LTES 1.1, MRcard PL 1.1.

Known Issue: on ECR-LW300 1.1 with icom OS 7.8 when sending SMS through GSM, special characters are not working.

EST: The EST Protocol (Enrollment over Secure Transport) is now available use for secure Certificate Enrollment.

SCEP removed: the Simple Certificate Enrollment Protocol was removed in this version and is no longer available in icom OS. We suggest all users to use the now available EST protocol instead, which only has advantages.

New UI: the configuration page for Serial-Ethernet-Gateway was added.

System status: a new system status value was introduced, containing the minimum required icom OS firmware version for each individual device. The version depends on the respective hardware variant and is available through CLI and REST and will follow soon in the User Interface. A firmware downdate below this version is not possible.

Port mirroring: the debugging functionality port mirroring is now supported for all interfaces, not only for LAN interfaces on the same switch. (*this debugging option is not yet available in the new user interface, but will follow soon).

IPsec: usage of keys using elliptic curves EC(DSA) was fixed.

Real Time Clock: restoring the system time from the RTC (real time clock) is working again for all MRX and SCR/ECR routers.

UI: cogwheel indicating firmware activiation was fixed - is now turning again.