RSA-M4 Series 
Version 1.0 software Release Notes

---

Notes and warnings:

1. These release notes apply to all models in the RSA-M4 series.

2. From version 1.0.4 onwards, a single firmware file supports all RSA-M4 series models.

3. These release notes have version 1.0.3 as starting point, whose features are comparable to
    those of version 2.2.16 of the RSA-M2 series.

---

Version 1.0.7
(release date: April 8, 2026)


New Features

• Added dedicated management interface for accessing management services via addresses
  other than the router’s WAN address.
• Added optional NAT rule for outbound traffic from the Management interface. This
  feature rewrites the regular source address of the WWAN interface into the address
  of the management interface for specific destination addresses and ports.
• Added support for the IPsec (IKEv2) 'Virtual IP' method, which allows the responder to
  automatically assign an IP address to the loopback interface for management purposes.
• Added 'Power-on' alert to alert rule list.
• Added HTTP POST alerts for pager services: supported protocols: KPN Nat3 and WCTP.
• Added Connection tracking and MAC address tables.
  
• Added clickable column sorting in ARP table.
• Added customisable alert messages for RTS, DTR and CI inputs.
• Added state reporting of RTS, DTR and CI inputs.
• Added SNMP Informs (confirmed notifications) to alert messaging protocols.
• Show TACACs+ authorization response message as MOTD message upon SSH login.
• Added PPPoE server to LAN setup page. This feature is intended for testing purposes and to
  offer a simple means to automativally assign addresses to devices without DHCP support.
  It is not intended to be a full featured PPPoE server.
• Added customisable timeout values to "Advanced" settings of Physical ports > WWAN.
• Added an option to reset SNMP uptime when changes are detected in the MIB2 ifTable.
  This allows SNMP monitors to automatically reload and refresh the ifTable contents.
• Added "sfpgpio" debugging page to show the state of SFP control signals.
• Added EST Certificate enrollment method.
• Added creation of self-signed local and HTTPS certificates.
• Added tables for detected MAC addresses and Connection tracking with column sorting.
• Added clickable column sorting in ARP table (similar to MAC and Connection tracking tables).
• Added AES-256 encrypted export/import of configuration files. 
  

Changes

• Several changes to reduce WWAN search time when only previously unseen radio bands
  are available, and to avoid prolonged band/PLMN searches on congested networks.
• Keep WWAN connection attached but disable IP interface when WWAN port Data mode is
  "Off" or not active in "On demand" mode. This ensures that SMS messages can still be sent
  when in 4G-only mode without the need to fall back to 2G or 3G.
• Forced /32 IP address for WWAN interfaces.
• Gracefully stop PPP links on reboot.
• Reordered list of Alert rules for Alert messaging.
• Removed DCD/CTS/DSR/RNG alert targets from alert rules table.
• Also trigger initial RTS/DTR state alerts for Alert messaging.
• Updated and made corrections of System Alert traps in mulRsaFeatures MIB file.
• Close SSH and telnet sessions on reboot and system shutdown.
• Removed "Terminal" option for users with the role of Operator.
• Renamed 'registering' state to 'searching' in Registration state of WWAN status page.
• Improved synchronization of the syslog ring buffer to an USB flash drive.
• Removed subject and issuer information from PEM output. (for EST).
• Changed password hashing from MD5 to SHA-512. Saved MD5 passwords will still work.
• Suppress firmware version string in html footer when not yet logged in.
• Increased minimum amount of characters for passwords to 8.
• HTTPS is now enabled by default.
  
• Removed MuLogic Test Certificate and CA from default settings. A self signed HTTPS cert
  is created automatically when no certificates are present.
  
• Changed default TACACS+ authentication service to "login".
  
• Changed TACACS+ and RADIUS server_port node in settings database to server_port_1*.

Note*:  When this firmware version is loaded, the database field server_port will be automatically
           renamed to server_port_1.
           However, if you roll back to a previous firmware version, the server_port_1 field will not be
           recognised and the port values will revert to their defaults (1812 for RADIUS, 49 for TACACS+).
           Make sure that you have enabled Local Authentication and Authorization as a fallback to
           enter the correct port numbers in case they are different from their default values.    
          


Bug Fixes

• Fixed occasional errors in WWAN firmware version reporting.
• Fixed occasional error to read SIM2 on startup and SIM changeover.
• Trap names and description of traps 50, 51, 52, and 53 have been corrected.
• Added traps 56 (serialOneRtsUp) and 57 (serialOneRtsDown).
• Traps/Informs without an explicit trap number are no longer sent, instead of being sent with ID 0.
• Fixed refresh of EthWAN page.
• Corrected SFP-present LED behavior after replacement with an unidentifiable SFP module.
• Fixed the "Gateway address" column in Routing > Static Rules overview.
• Fixed Authentication Type detection on TACACS+ login names with more than 31 chars
• Corrected the 'Remote Host' and 'Service' field values on the 'Device Info > Logged-in Users' page
  for SSH and HTTP users authenticated via TACACS+.
• Fixed Eth LED on RSA-1420D models.
• Syslog: improved syncing syslog ringbuffer to flash so wdt does not get triggered
• Fixed "friendly mount points" /mnt/usb-ext1 and /mnt/usb-ext2
• Fixed errors (falling back to UTC) in local time reporting.
• Fixed password lenght check.

Version 1.0.6
(release date: October 4, 2025)

Changes

• Improved the power usage calculation to better reflect the power drawn at the power supply input and to
  compensate for the non-linear efficiency of the DC-DC converter.
• Changed the SIM2 check of the selftest. Now the ICCID of the SIM is read instead of the IMSI.
  This drastically reduces the time needed for testing SIM2 presence and SIM1/SIM2 change-over.

Bug fixes

• Fixed software link detect of the SFP port.

Version 1.0.5
(release date: August 30, 2025)

New features

• Added automatic detection of PON serial number (PON-ID) for FS XGS-ONU-25-20NI SFP.
  The PON serial number is written in "Device info>SFP module".
• Added Dying gasp (on restart and firmware update) for SFP+ modules
• Added SNMP OIDs for SFP port.
• Added 'flush_conntrack' shell command. This command immediately flushes the conntrack tables.
• Added VDSL2 Profile 30a to DSL setup.
• Added automatic generation of self signed HTTPS certificate when no cert for the web server is present.
• Added generation of self signed certificates for IPsec and OpenVPN use. This creates a cert/key pair and
  a CA certificate that is used by the remote peer for authentication.
• Added configuration of SANs (Subject Alternative Names) to "Generate Certificate" page.
• Added EC prime256v1, secp384r1 and secp521r1 key algorithms to "Generate Certificate" page.
• The RTS and DTR inputs of the RS232 port can now be used as inputs (Logic 1 level ranging from 2,7 to 25 V)
• The CTS, DCD, DSR, and RI output can now be used as outputs (logic 0/1 level is -10/+10 V).
  When these RS232 signals are configured as general purpose I/O, the data pins (RxD and TxD) can still be
  used for serial communication.
• Added supoort for RSA-1420D model.
  
  

Changes

• Reversed order of authorization and authentication for TACACS+
• When CIG XG-99S or FS XGS-ONU-25-20NI SFP modules are used, the SFP link/act LED now turns off
   when the physical fiber link is disconnected.
• Changed RSA-series MIB file to support OIDs for SFP port.
• SFP port/module and media converter now are switched off completely when SFP port is disabled
    in Setup>Physical ports>Ethernet/SFP. This saves power when the SFP port is not in use.
• The firewall and NAT conntrack tables are now flushed immediately when Firewall rules are changed.
    This causes direct blocking of addresses that are added to the firewall, even when there already
    is an established connection from such address.
• Deleted VLAN "Auto detect feature" for xDSL interfaces. This feature no longer seems to serve a purpose.
• Moved initiation of SIM7600 and ML620 WWAN modules to an earlier moment in the boot process.
• Various changes in ML620EU (WWAN) RIL to improve switch-over time from one SIM to the other.
• The naming of Local Certificates, keys, and CA certificates (including file names) now is uniform
  and based on what is filled out in the "Name" field of the "Generate Certificate" page.
• Various "Upload" and "Download" buttons have been renamed to "Import" and "Export".
• For models with a single Ethernet port like the RSA-1420D and RSA-1420M is now possible to configure
  the EthWAN settings while the Ethernet port is still in LAN mode.
• Increased the amount of lines that can be read back in the Syslog web page.

Bug fixes

• Fixed unifwc tool for updating ML620EU firmware.
• Fixed issues related to hidden fields on the OpenVPN setup page.
• Fixed watchdog timeout issue that occurred when the TACACS+ server denies access due to an incorrect key
• The TACACS+ server is declared 'not reachable' when the client and server keys do not match.
• Fixed roaming indication in Device info>WWAN for ML620 WWAN modules.
• Fixed late SIM select control at reboot, ensuring that SIM1 is selected before the WWAN module starts
• reading the SIM card.
• Fixed occasional long WWAN band scan when manual operator selection was used on devices with an ML620
• WWAN module.
• Fixed xDSL "dying gasp" on shurtdown or reboot.
• Fixed Ping and Traceroute network tools when multiple WAN ports share the same gateway address.
• Fixed issues related to hidden fields on the OpenVPN setup page.
• Fixed conntrack table flush when changing from one WAN interface to another.
• Fixed time notation of the syslog lines.

Security fixes and changes

• Patched or fixed several critical CVEs. The list is avalable on request.
• The firewall now blocks IKE (for IPsec) traffic to port 4500. Prior to this change, unsolicited IKE packets to port 4500 could pass through the firewall and trigger 'No IKE config found for…' warnings
  when IPsec was enabled.
• Users with the role of "Web-administrator" can no longer enable the serial console port.
  

Version 1.0.4
(release date: April 30, 2025)

New features

• Added automatic detection of PON serial number (PON-ID) for FS XGS-ONU-25-20NI SFP.
  The PON serial number is written in "Device info>SFP module".
• Added Dying gasp (on restart and firmware update) for SFP+ modules with Dying gasp support.
• Added TACACS+ authentication service field.
• Added system alerts for SIM changeover.
• Improved TR-069 operation with GenieACS.
• Added seting for allowing TR-069 connection requests via LAN (instead of WAN only).
• TR-069 URL error checking and ConnectionRequestURL on LAN when WAN is not available
• TR-069 index depth of level is now configurable.
• Added Digest authentication support for TR-069 ACS access.

Changes

• Reversed order of authorization and authentication for TACACS+
• Changed maximum username and password length to 128 characters.
• Changed default TACACS+ service to "PPP".
• Changed representation of Hardware version via TR-069 CWMP.
• Changed TR-069 "next-level depth" from 3 to 4.
• TR-069 product classes now are: "RSA-M1-series", "RSA-M2-series" and "RSA-M4-series".
• Added parameter "InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1.ExternalIPAddress"
  to the TR-098 portion of the data model for TR-069 CWMP.
• Moved WWAN MTU and MTU negotiation from global WWAN setting to SIM settings.
  

Bug fixes

• Fixed PH8 WWAN network reporting.
• Fixed serial number and OUI reporting via TR-069 CWMP.
• Fixed MTU negotiation for units with with ML620EU (LTE450) WWAN module.
• Fixed some issues with ML620EU (LTE450) WWAN module when network search and registration takes a long time.

---