EdgeMAX EdgeRouter software release v1.6.0

by Previous Employee UBNT-ancheng ‎11-05-2014 05:25 PM - edited ‎11-07-2014 11:16 AM

New EdgeMAX software version v1.6.0 for EdgeRouter products has been released and is available from our downloads page!
http://www.ubnt.com/download/edgemax/
(Please select the correct product group and model on the page to get the corresponding upgrade image.)

This release includes some important system-level changes such as new kernel (3.10-based) and migrating from Debian squeeze to wheezy release, as well as new features including DHCPv6 prefix delegation (PD), "Config tree" feature in the Web UI for viewing/modifying the entire configuration, a new and more flexible setup wizard in the Web UI, IPsec VTI support, etc. Thanks everyone for your help in testing, reporting issues, discussing solutions, and even contributing patches!

 

[Release Notes v1.6.0]

 

Changelog

 

Changes since v1.5.0

 

New features

  • [Kernel] Update to newer Linux kernel based on kernel 3.10 backported from newer vendor SDK. This brings the system to a much more up-to-date kernel version and hopefully we can benefit from the many enhancements and fixes that have gone into the kernel since 3.4. For example there have been many enhancements/fixes for the HTB mechanism as discussed with David Taht ( @dtaht2 ) before, so hopefully the move to 3.10 will help address some of the issues seen with the HTB behavior.

  • [System] Switch the base system from Debian squeeze (oldstable) to wheezy (current stable). As discussed before, officially squeeze has been EOL, and even though we have been able to pull in a couple of security updates from Debian LTS for squeeze, this is not a long-term solution as LTS is x86-only and we would need to port/build each package ourselves. In addition, many packages in squeeze are quite old, and moving to wheezy provides updates to many such packages.

  • [Web UI] New setup wizard with more flexibility and bridging (!) support.
    wizard2.png

    With the new wizard, eth0 is now the WAN port, and one can change the subnets for the two LANs eth1 and eth2 (or eth1 and switch0 for ER PoE) or even bridge them together if desired. The new wizard does not need to start with default config but will replace the whole configuration and require a reboot when applying the config.

  • [IPv6] Add initial implementation of basic DHCPv6 prefix delegation (PD) support. Currently this is CLI-only, and here is a simple example configuration:
    interfaces {
        ethernet eth0 {
            dhcpv6-pd {
                pd 0 {
                    interface eth1 {
                        service slaac
                    }
                    prefix-length 56
                }
            }
        }
    }
    
    More information will be posted in a separate thread.

  • [Web UI] New "Config Tree" feature allows viewing/modifying the entire configuration with "clicking" instead of "typing commands"!
     ctree.png

  • [IPsec] Add Virtual Tunnel Interface (VTI) support. This allows the creation of a virtual interface for an IPsec tunnel, which makes configuring other features for the IPsec traffic simpler (for example the VTI is a routable interface). For example a VTI can be created and applied to IPsec as follows (rest of IPsec config is omitted):
        set interfaces vti vti0 address 100.0.0.1/24
        ...
        set vpn ipsec site-to-site peer 200.0.0.2 vti bind vti0
        set vpn ipsec site-to-site peer 200.0.0.2 vti esp-group E1
        ...
    
    Then the interface can be used to configure other features, for example in a static interface route:
        set protocols static interface-route 10.10.10.0/24 next-hop-interface vti0
    
    Note that at this time VTI configuration is known to conflict with L2TP/IPsec server configuration (configured under "vpn l2tp remote-access ..."), i.e., if VTI is used, L2TP/IPsec server does not work. We are looking into this known issue to see if there is a way to address or work around it.

Enhancements and bug fixes

 

  • [Web UI] Fix applying firewall policy to bond VLAN interfaces. Reported by @mysticryuujin here.
  • [Web UI] Fix applying firewall policy to PPPoE interface. Reported by @thrca here.
  • [Web UI] Remove overly strict validation for dynamic DNS hostname. Reported by @fLoo here.
  • [Web UI] Add explicit remove buttons for "addable" items for easier removal.
  • [Web UI] Fix input handling on dynamic DNS page. Reported by @TechSolX here.
  • [Web UI] Add validation to prevent duplicate interface and service combinations (as required by implementation limitation). Discussed with @gsaulmon @stan-qaz here.
  • [Web UI] Fix OSPF area config dialog not showing configured networks. Reported by @agilbett @marnog here and here.
  • [Web UI] Add more product images for discovery tool
  • [Web UI] Make DH group configurable on IPsec page. Discussed with @looney128 @hdnhdn @jms33 @itgeekconsult @psydafke here and here.
  • [Web UI] Fix CSS issue with Chrome and its extensions
  • [Web UI] Keep config changed notification bar visible until reload
  • [Web UI] Add syslog level setting in System tab
  • [Web UI] Fix issue with multiple static default routes not showing as separate entries
  • [Web UI] Add indication to discovery tool when discovery is disabled
  • [Web UI] Auto-scroll to show action buttons when dialog is too large and buttons are not visible
  • [Web UI] Fix packaging issue for error page CSS files. Reported by @alesovodvojce  here.
  • [Web UI] Add warning message for IPsec configuration page (overriding CLI changes). Discussed with @jjonsson  here.
  • [Web UI] Add discovery support for EdgeSwitch models
  • [Web UI] Add descriptions for wizard-generated firewall rules
  • [Web UI] Fix result parsing issue for bandwidth test tool that prevented result output in some cases
  • [Web UI] Allow network prefix to be specified in a firewall address group (this was already allowed in the CLI)
  • [Web UI] Remove infotip for field values when user is operator (since values cannot be changed). This fixes issue reported by @thrca  here.
  • [Web UI] Fix firewall ruleset dialog where text disappears after saving. Reported by @abu_cwarky  here.
  • [Web UI] Fix handling of area 0.0.0.0 on OSPF page
  • [Web UI] Improve validate of peer and local address on IPsec site-to-site page to add support for IPv6 address and "any"
  • [Web UI] Improve filtering of interface list in drop-down menus
  • [Web UI] Disable SSLv3 in Web server configuration to prevent CVE-2014-3566 ("POODLE")
  • [System] Follow redirect for upgrade image download. Discussed with @rjh2805 @elgo stan-qaz here.
  • [System] Fix IPv6 check for module loading
  • [System] Fix ebtables init script issues. Reported by and discussed with @NVX @mischa @leonsio in these threads: 1 2 3.
  • [System] Fix disabling IPv6 offload when both forwarding and vlan are enabled
  • [System] Fix IPv4 traceroute when using hostname. Reported by @bjck here.
  • [System] Update help text for "add system image" command. Suggested by @dison4linux  here.
  • [Interface] Adjust configuration priority so that interface MTU is applied before PPPoE client configuration. This resolves the issue where the MTU is set to 1508 (for 1500 PPPoE MTU) after PPPoE is already established. Discussed with @lasersailing @Mephi NVX @Middling @bigsy bjck @mtwll , for example here and here.
  • [Interface] Fix PPPoE configuration for VLAN on switch interface
  • [Interface] Fix disabling source-validation for interfaces. Reported by @ryan3531 rjh2805 here and here.
  • [Interface] Apply 6rd-prefix patch from brielle here. Route add/delete now handled automatically by new kernel.
  • [Interface] Add egress-qos setting for VLAN interface. Discussed with c0mm0n @tivoli here.
  • [Interface] Fix deleting SIT tunnel to prevent issues with module unloading
  • [Interface] Allow SLAAC to be enabled while IPv6 forwarding is also enabled. Discussed with @mgibbons  mrjester here.
  • [Interface] Add description setting for PPPoE client interface
  • [Interface] Enhance "show interfaces" to also show remote access users
  • [Interface] Fix carrier display for remote L2TP/IPsec and PPPoE connections
  • [Interface] Add more error checking for interface description output. This fixes issue reported by ryan3531 here.
  • [Interface] Fix disable-link-detect settings. Issue reported by @Adik  here.
  • [PPPoE server] Add default-interim-interval setting for RADIUS. This setting can be used to work around RADIUS servers who don't/can't send interim accounting requests. Discussed with @Paetur @ajbtv2 here and here.
  • [PPPoE server] Apply patch for RADIUS gigawords support for stats. Suggested and tested by ajbtv2. Patch originally from here.
  • [PPPoE server] Adjust dynamic burst size calculation based on feedback from @Paetur 
  • [PPPoE server] Add new setting for overriding the default local IP address for PPPoE connections. For example:
    set service pppoe-server local-ip 1.1.1.1
    
    Discussed with community members including @Paetur @ajbtv2 @ellisway @marnog NVX, for example here.

  • [PPPoE client] Fix PPPoE configuration for pseudo-ethernet interfaces. Discussed with @irrwitzer here.
  • [PPPoE client] (EdgeRouter PoE only) Fix configuration errors when configuring PPPoE under a VIF on the switch interface
  • [PPPoE client] Fix some issues with PPPoE client under switch or bridge interface
  • [PPPoE client] Remove extraneous templates
  • [PPPoE] Allow dash ('-') character in service name. Reported by @tharude  here.
  • [Routing] Change certain interface checks to warning if Quagga does not fail the interface setting. Reported by @sufk @dragon2611 here and here.
  • [Routing] Fix policy prefix-list ge/le settings validation. Reported by @pyap NVX here and here.
  • [Firewall] Fix invalid address validation for address group
  • [Firewall] Fix "show firewall statistics" issue where chains are shown incorrectly as inactive
  • [Firewall] Allow dynamic "NETv4_..." group to be used in firewall group match (as an address group)
  • [Firewall] Apply patch from @brielle  to separate IPv6 MSS clamping settings from IPv4. So IPv6 MSS clamping can be enabled with
    set firewall options mss-clamp6
    
  • [Firewall/NAT] Fix show statistics commands with new iptables
  • [NAT] Fix output errors for NAT statistics (for example "show nat statistics" command)
  • [Kernel] Include more modules in the build as suggested by and discussed with @robbat2 @infowolfe @wiszmaster @NVX @ljarosz @TRS-80 @train_wreck  in these threads: 1 2 3.
  • [Kernel] Disable bridge-nf-call-iptables and bridge-nf-call-ip6tables by default. This prevents firewall/NAT rules from being applied to bridged traffic. Reported by and discussed with @mglause @brielle  here.
  • [IPsec] Apply patch from @TriJetScud  here to support IKEv2 for site-to-site VPN. For example:
    set vpn ipsec ike-group g1 key-exchange ikev2
  • [IPsec] Make the following config syntax changes:
    • Rename "local-ip" to "local-address"
    • Rename "local subnet" to "local prefix"
    • Rename "remote subnet" to "remote prefix"
    Configuration migration mechanism has also been added such that when loading a config with the old syntax, it will be automatically "migrated" to the new syntax
  • [IPsec] Improve auto-firewall-nat-exclude implementation to cover more scenarios
  • [IPsec] Flush conntrack entries if NAT exclude rules are added automatically to avoid potential issue reported by @ejsearle  here
  • [OpenVPN] Do not allow .ovpn config file to override the device name. This resolves the common issue where .ovpn file contains "dev tun" line. This has been discussed with many community members including @faye @Bullfrog @begunfx @stormym @noseat @neomech @Michel @lerxst , for example in these threads: 1, 2, 3, 4, 5, 6, 7.
  • [L2TP/IPsec server] Add new setting for overriding the default local IP address for L2TP/IPsec VPN connections. For example:
    set vpn l2tp remote-access local-ip 1.1.1.1
    
  • [PPTP server] Add new setting for overriding the default local IP address for PPTP VPN connections. For example:
    set vpn pptp remote-access local-ip 1.1.1.1
    
    Discussed with community members including @cremenescu  ellisway, for example here.
  • [PPTP client] Allow hostname to be used for server. Discussed with @UBNT-Matt_B_ @cmcarey , for example here.
  • [DHCP client] Add configuration setting such that using default route from DHCP server is optional. For example:
    set interfaces ethernet eth0 dhcp-options default-route no-update
  • [DHCP client] Add "default-route-distance" setting for configuring the distance used for default routes received from DHCP server, e.g.
    set interfaces ethernet eth0 dhcp-options default-route-distance 10
  • [Load balancing] Do not disable offload if firewall modify is only used for load balancing (lb-group)
  • [Load balancing] Make sure conntrack is set up when load balancing is enabled
  • [SNMP] Include missing MIB file for Quagga. Discussed with @mefox NVX here.

 

Issues reported and fixed from the alpha/beta testing:

  • [HW acceleration] Fix issue introduced in alpha2 that prevents offload from operating correctly in some cases. Reported by and discussed with @abu_cwarky @wkweksl @c0mm0n @bjck @chaicka @zx2c4 @dragon2611 @infowolfe @mrjester @NVX @hdnhdn  here and here.
  • Include missing ca-certificates package. Reported by MLWALK3R @GaryGapinski  NVX here.
  • [Kernel] Include missing ingress module for QoS. Reported by and discussed with @dtaht2 @Sugaroverdose @ConnorM @Arnold2222 @psydafke  here.
  • [Kernel] Include VTI module in the build. Discussed with NVX mrjester here.
  • [Kernel] Update ebtables to 2.0.10-4 and fix compatibility issue with new kernel. Reported by mglause here.
  • [Kernel] Include missing ppp_async module for ERPro-8 and ER-8. This should fix the L2TP VPN issue reported by @marnog @abulafia @Nexiom  here.
  • [Web UI] Fix packaging error for wizard files. Reported by @RaulRamos  here.
  • [Web UI] Fix firewall rule IPsec match setting. Reported by @hdnhdn  here.
  • [Web UI] Fix firewall rule creation issue reported by @Paetur  hdnhdn here and here
  • [Web UI] Enhancements/fixes for Config Tree feature including
    • Fix handling of partial commit failure cases
    • Fix default values handling
    • Support value nodes with two types (e.g., IPv4 and IPv6). This fixes name-server setting issue reported by @Myron  here.
    • Fix handling of settings under "system login user"
    • Fix Update button when there is no tag (e.g., after deletion)
    • Fix escaping of "\" characters in list
    • Add type validation for configuration settings (only for generic types such as text, number, IP address, etc.)
    • Add help text for configuration settings (hover over the "i" icon)
    • Keep the tree as is after applying changes
    • Fix issue with update button being displayed after node is deleted
    • Only display update list button when necessary
    • Always update right-hand side view when clicking on a new node
    • Improve formatting of error messages
    • Fix several update/display issues for the left-hand side tree view
    • Fix display of change status for user settings
  • [Web UI] Fix handling of syslog settings (certain settings was causing the UI to not load completely) Reported by and discussed with @zoag @psydafke @esseph  here.
  • [DHCPv6 PD] Add enhancements/fixes based on feedback from community members:
    • Add support for PPPoE interface
    • Preserve duid on upgrade
    • Use real prefix rather than sla-len
    • Add prefix-id
    • Add validation for host-address and prefix-id
    • Add operational commands
      release dhcpv6-pd interface ethX
      renew dhcpv6-pd interface ethX
      show dhcpv6-pd log
      show dhcpv6-pd duid
      delete dhcpv6-pd duid
      
    These have been discussed with @Milo_Masters @GaryGapinski NVX abu_cwarky @barkas mrjester @usrhome @jliechty @train_wreck @mnabeel @opencode @irvingpop @videomatic3 @tomazb  chaicka infowolfe, for example here.
  • [DHCPv6 PD] Add option for PD to ignore DNS server from the DHCP server, e.g.:
    set interfaces ethernet eth1 dhcpv6-pd pd 1 interface eth2 no-dns
  • [DHCPv6 PD] Allow RDNSS to be used for all three services (SLAAC and stateful and stateless DHCP)
  • [DHCPv6 PD] Fix setting sysctl values for VLAN interfaces
  • [DHCPv6 PD] Add setting to not use DNS servers from the DHCP server. For example:
    set interfaces ethernet eth0 dhcpv6-pd no-dns
    
  • [DHCPv6 PD] Fix release/renew issues
  • [DHCPv6 PD] Only restart daemons if config has changed. This should address the daemon restart issue discussed with @heldchen @viddy @mgibbons  here.
  • [IPsec] Fix commit failure when dhcp-interface is configured. Reported by and discussed with @hazuki @BranoB @ryan3531  here.
  • [IPsec] Fix "uninitialized" warning messages reported by @dragon2611  here
  • [IPsec] Fix handling of local address "any"
  • [Firewall] Fix timezone usage for time-based firewall rules. Reported by @wkweksl @zoag  here and here.
  • [System] Fix compatibility issue with "find" utility
  • [System] Move tar into separate package to fix dependency issues with Debian wheezy. This allows Debian tar package to be installed without "overwrite error". Discussed with @fromport @ryan3531 @Blooze @NVX @swmike @brielle  here and here.
  • [System] Fix various Perl warnings resulting from newer version of Perl in wheezy. These have been found through both internal testing and reports from community members, for example, Sugaroverdose ryan3531 here and here.
  • [System] Fix permission issue with /config/archive. Reported by @abu_cwarky @marnog @final @jinie @bjck  in these threads: 1 2 3.
  • [System] Fix logrotate issues for log files in /var/log/vyatta directory. Reported by @bl9  here.
  • [System] Fix logrotate issue where syslog daemon is not restarted properly. Reported by @UBNT-James .
  • [System] Fix syslog file logrotate when configured using "archive" settings
  • [System] Fix dynamically loaded completions in wheezy. Reported by final @MLWALK3R  here.
  • [System] Force "traceroute" command to use IPv4 (leave IPv6 to "traceroute6" command. Reported by bjck here.
  • [System] Fix logrotate for ipsec to avoid unnecessary error messages. Suggested by @bl9 here.
  • [Dynamic DNS] Work around ddclient issue (loading wrong Perl module). Reported by Blooze here.
  • [MSS clamping] Add support for VTI interface type. Also added to Web UI MSS clamping wizard. Suggested by  @cremenescu  (who also provided patch) here.

 

Updated software components

 

  • Update base system to Debian wheezy 7.7 release plus all security updates. Some notable updates are listed below.
  • Update bash to 4.2+dfsg-0.1+deb7u3 (also patch vyatta-bash): Fix "Shellshock" related CVEs: CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, CVE-2014-7187.
  • Update openssl to 1.0.1e-2+deb7u13: Fix CVE-2014-3513, CVE-2014-3566 ("POODLE"), CVE-2014-3567, CVE-2014-3568, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139
  • Update krb5 to 1.10.1+dfsg-5+deb7u2: Fix CVE-2014-4341, CVE-2014-4342, CVE-2014-4343, CVE-2014-4344, CVE-2014-4345
  • Update lzo2 to 2.06-1+deb7u1: Fix CVE-2014-4607
  • Update squid3 to 3.1.20-2.2+deb7u2: Fix CVE-2014-3609
  • Update curl to 7.26.0-1+wheezy10: Fix CVE-2014-3613 and CVE-2014-3620
  • Update bind9 to 1:9.8.4.dfsg.P1-6+nmu2+deb7u2: Fix CVE-2014-0591
  • Update gnupg to 1.4.12-7+deb7u6: Fix CVE-2014-5270
  • Update apt to 0.9.7.9+deb7u6: Fix CVE-2014-7206, CVE-2014-0487, CVE-2014-0488, CVE-2014-0489, CVE-2014-0490, CVE-2014-6273
  • Update dbus to 1.6.8-1+deb7u4: Fix CVE-2014-3635, CVE-2014-3636, CVE-2014-3637, CVE-2014-3638, CVE-2014-3639
  • Update rsyslog to 5.8.11-3+deb7u2: Fix CVE-2014-3683
  • Update eglibc to 2.13-38+deb7u6: Fix CVE-2014-0475, CVE-2013-4357, CVE-2014-5119
  • Update perl to 5.14.2-21+deb7u2: Fix CVE-2014-4330
  • Update tzdata to 2014h-0wheezy1: Update new DST for Russia
  • Update libtasn1-3 to 2.13-2+deb7u1: Fix CVE-2014-3467, CVE-2014-3468, CVE-2014-3469
  • Update libxml2 2.8.0+dfsg1-7+wheezy2: Fix CVE-2014-3660
  • Update squidguard to version 1.5-1 from Debian wheezy to fix some database initialization issues
  • Update iptables to version 1.4.20 to fix certain issues working with the new kernel
  • Update PHP to 5.4.32: Fix CVE-2014-3981, CVE-2014-0207, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-4049, CVE-2014-3515, CVE-2014-3597, CVE-2014-3538, CVE-2014-3587, CVE-2014-2497, CVE-2014-5120, CVE-2014-4698, CVE-2014-4670
  • Update ddclient to 3.8.2-1