EdgeMAX EdgeRouter software release v1.7.0

by Previous Employee UBNT-ancheng ‎06-29-2015 04:23 PM - edited ‎07-15-2015 08:00 PM

New EdgeMAX software release v1.7.0 for EdgeRouter products has been released and is available from our download page!


(Please select the correct EdgeMAX model and select Firmware to see all available versions.)


This release adds quite a few new features and enhancements/fixes including traffic analysis feature with application identification using deep packet inspection (DPI), "smart queue" QoS feature providing FQ-CoDel + HTB function, hardware offload support for GRE tunnel, L2TPv3 interface support, new dynamic DNS functions, fix for "watchdog interrupt reboot" issue, fix for "skb_under_panic" issue, etc. More details can be found in the release notes below. Thanks everyone who participated in the alpha/beta testing and provided feedback and result. We really appreciate all your contributions!


EDIT: The original release notes missed several Web UI security enhancements added back in 1.7.0alpha1 release. This has now been noted in the "Enhancements and bug fixes" section below.



[Release Notes v1.7.0]




Changes since v1.6.0


New features


    • [Web UI] Add new "Traffic Analysis" feature with application identification using deep packet inspection (DPI). We've added an advanced, proprietary DPI engine with latest application identification signatures and integrated this with "traffic analysis" feature. So in the Web UI, now you can not only see who is using the most bandwidth but also what "applications" the particular IP address is using.


      In the right-hand side table, each row corresponds to one host and can also be expanded to show the "applications" usage of the particular host. In the "pie chart", mouse-over a particular host and that host's "top apps" will be displayed in the middle of the pie chart.

      A few things to note:
      • This feature is integrated with the offload feature, so unlike NetFlow (flow accounting), it does not disable offload. Conversely, stats are not available for traffic that is not offloaded. More specifically, here are examples of the common cases where traffic would not show up in traffic analysis:
        • In this context "offload" refers to the IPv4 forwarding, VLAN, PPPoE, and GRE offload. If offload is disabled in the configuration ("system offload ipv4 ...") then traffic analysis would not show traffic of course.
        • Currently if NetFlow ("system flow-accounting ...") or "modify" firewall rule ("firewall modify ...") is configured, offload is disabled completely in which case no traffic is eligible for traffic analysis. (Exception is if "modify" firewall is only used for "table" or "lb-group" action then offload is not disabled.)
        • Traffic to which QoS policy is applied is not eligible for offload and therefore will not appear in traffic analysis. This includes the "traffic-policy" and the new "traffic-control" (smart queue) settings in the configuration. In such cases traffic that are not affected by QoS (e.g., traffic on other interfaces) can still be offloaded and still be displayed in traffic analysis.
        • Traffic going through certain interface types are not offloaded, for example, bridge, bonding, pseudo-ethernet, VPN interfaces, etc.
        • Traffic that needs to be processed by certain firewall rules are not offloaded, for example, packets going through firewall rules that involve "limit", "recent", or "time" matching criteria will not be offloaded.
      • The data entries (each of which corresponds to the combination of an IP and an application) are "aged out" after 30 minutes. However, as long as a particular IP/app combination still sees traffic, the stats for the "expired" flows are still kept for that IP/app. When an IP/app combination has not seen any traffic for 30 minutes, then the entry is expired.
      • By default, traffic analysis and DPI are "disabled". From the Traffic Analysis tab, two other operational modes can be selected: "enabled" will allow traffic analysis with application identification using DPI, and "hosts only" means traffic analysis at the host level only without DPI.
      • These can also be configured using the following CLI settings. To enable "hosts only" traffic analysis:
        set system traffic-analysis export enable
        To also enable DPI:
        set system traffic-analysis dpi enable
      • The system implements an automatic signature update mechanism. Currently this is a scheduled task (cron job) that is executed daily at 06:25 system time. If there is a new update for the DPI signatures, it will be downloaded and installed automatically. We do plan to add more flexible update methods, for example, configuration setting for scheduled update time etc. Periodic signature updates (e.g., monthly) will be provided to keep up with the latest applications.
      • Current the traffic analysis and DPI/application identification features are not available on the new EdgeRouter X and EdgeRouter X SFP models due to platform differences.
      The DPI and application identification features have been discussed with many community members, including @zeg @chaicka @esseph @mrjester @SPITwSPOTS @mgthump2 @dalenorman2005 @iamkinghenry @mhoppes @Dignan17 @robertfranz @alan87i @dballan @centeno @dpurgert @JPCIjohn @MDDA @skidmata @GaryGapinski @mygeeknc @levicki @sirthor @alex_cambui @malicianet @Knowbody @Deleted Account , for example in these threads: 1 2 3 4 5 6 7.

      Currently this only provides monitoring/reporting functionality, but of course this is just the beginning and it provides the infrastructure on which more functions can be added as discussed before, for example application-based firewall matching, blocking, or even QoS etc. at some point.

    • [QoS] Add new "smart queue" feature providing FQ-CoDel + HTB function and this can be configured in the Web UI to provide better QoS experience for the WAN connection. The basics are simple to set up:


      In other words, just setting the WAN interface and the upload and download rates should be sufficient. Checking the "Show advanced options" checkbox will allow the more advanced settings to be tweaked (should not be necessary in most cases):


      Of course this can also be configured using the CLI, under "traffic-control", for example:
      set traffic-control smart-queue sq1 wan-interface eth2
      set traffic-control smart-queue sq1 upload rate 10mbit
      set traffic-control smart-queue sq1 download rate 50mbit
      A few things to note:
      • The actual rate limits will be set to 95% of the specified value, so you could experiment with different values if necessary.
      • Dynamic interfaces are also supported, for example:
        set traffic-control smart-queue sq1 interface pppoe0
        This works even if the dynamic interface does not exist yet, in which case the policy will be applied later when the interface comes up.
      • Note that when setting the first interface, there is currently a spurious error message "Insufficient arguments for option intf-unique", which can be ignored.
      • Currently this feature conflicts with the existing "traffic-policy" configuration, so the two cannot be applied to the same interface at the same time.
      • The HTB rate limiting is computation intensive, and therefore above a certain rate the rate limiting would not work well (cannot achieve the specified rate). The actual threshold (applied to the sum of "rate-up" and "rate-down") depends on the specific model and also the exact environment of course. As discussed with community members (including @Milo_Masters @Ric878 @final @Stickygears @Arnold2222 @NicholasP request_timeout @ubnat @WisTech @jjonsson Josh_SPITwSPOTS @PeterFalken dtaht2 for example here), here are some rough guidelines:
        • ERLite-3 and ERPoe-5: below 60 Mbps most likely will work, above 200 Mbps most likely will not work.
        • ER-8: below 160 Mbps most likely will work, above 450 Mbps most likely will not work.
        • ERPro-8: below 200 Mbps most likely will work, above 550 Mbps most likely will not work.
        • ER-X and ER-X-SFP: below 100 Mbps most likely will work, above 250 Mbps most likely will not work.
        Of course the exact threshold depends a lot on the actual setup, traffic pattern, etc. and therefore will require testing in the actual environment to determine.
      • Each smart-queue policy applies to one interface. If it is needed on multiple interfaces, multiple policies can be defined.

      The FQ-CoDel function have been in discussion for some time. In particular we would like to thank @dtaht2, who contributed the original backport patches for fq_codel and also provided invaluable information on the subject! Many other community members participated and contributed as well, including but not limited to @psydafke @wkweksl @jzaw @berrybartels @martyh levicki Josh_SPITwSPOTS @twinkletoes @Zerofail chaicka @ryan3531 request_timeout @bcdouglas @kai_h @videomatic3 @zbeyuz @leeandy Ric878 @CiscoKid85 @shado @Sugaroverdose @r4m3u5 WisTech @paszczus Arnold2222 final (who implemented a Web UI wizard for the script!) @amishgenius @mackintire @moeller0 @Xand @BillCardiff @em3491 @waheuler jjonsson @asat @cinnamw @skyflash @axp @Djursland01 for example here and here.


    • [Load balance] Add support for "sticky" connections. This allows configuration of any combination of "5-tuple" (protocol and source/destination IP/port) to "stick" to a single interface. For example, to make all connections from the same LAN source be routed through the same interface, enable sticky on "source address":
       load-balance {
           group g1 {
               sticky {
                   source-addr enable

      This could avoid issues such as HTTPS Web sites requiring connections in a session to come from the same IP for example.


      In addition to "source-addr", there are also "dest-addr" (destination address), "proto" (protocol, i.e., TCP, UDP, etc.), "source-port" (source port), and "dest-port" (destination port) sticky settings that can be enabled. So for example, enabling "dest-addr" only would mean connections going to the same server would be routed through the same interface. A combination of these settings can be used depending on the requirements.

      This has been discussed with community members including @neotron @NVX @LittleBill @redfive @Blooze for example here and here.


    • [HW acceleration] Add GRE offload support for GRE-encapsulated tunnel traffic. This is disabled by default and can be enabled with:
      set system offload ipv4 gre enable
    • [Interface] Add L2TPv3 interface support based on changes from VyOS and community member @mglause  (for example see the discussion here). Here is an example of the configuration for an L2TPv3 interface:
       interfaces {
           l2tpv3 l2tpeth0 {
               encapsulation ip
               peer-session-id 10
               peer-tunnel-id 100
               session-id 10
               tunnel-id 100


  • [Dynamic DNS] Add several new features for dynamic DNS:
      • Allow "custom" services to be defined. This makes it possible to configure two services that use the same "protocol". (Previously the protocol is tied to the service name.) For example:
         service {
             dns {
                 dynamic {
                     interface eth2 {
                         service custom-service1 {
                             host-name host-name-1
                             login login-1
                             password password-1
                             protocol dyndns2
                             server service1.server
                         service dyndns {
                             host-name host-name-2
                             login login-2
                             password password-2
        The above example configures two services that both use the "dyndns2" protocol. Note that for custom services any arbitrary names can be used as long as it is in the "custom-..." format.

        This functionality has been discussed before with many community members including @idave @jea-jea @WALK3R @Adrao @friction87 @Mephi @thrca Blooze skidmata @UBNT-Bane , for example here and here.

      • Add configuration settings for using Web page to obtain external IP address (previously the interface IP is always used). For example:
         service {
             dns {
                 dynamic {
                     interface eth2 {
                         service dyndns {
                             host-name host-name-2
                             login login-2
                             password password-2
                         web dyndns
        The above example would use the builtin "dyndns" Web-based mechanism to obtain the external IP address. A custom Web page can also be used instead, for example:
         service {
             dns {
                 dynamic {
                     interface eth2 {
                         web checkip.dyndns.com/
                         web-skip "IP Address: "
        The above example would use the specified Web page and the "web-skip" pattern to obtain the external IP address. This should support the scenarios where the router is behind another level of NAT, which has been discussed before with community members including martyh @vendex @bunjicat @itsmarcos @thiagoc jea-jea, for example here.

      • Add configuration setting for specifying "free-form" ddclient options. For example:
         service {
             dns {
                 dynamic {
                     interface eth2 {
                         service dyndns {
                             host-name host-name-2
                             login login-2
                             options mx=x.y.z,backupmx=yes,wildcard=yes
                             password password-2
        This will add the "mx=..." line into the ddclient config file. Discussed with @ckoehler here.

    • The new dynamic DNS features (except for the free-form option) can also be configured in the Web UI now:



Enhancements and bug fixes


  • [Web UI] Add several enhancements to prevent CSRF. Issue first discovered and reported by Seth Art (sethsec@gmail.com), and later also independenly discovered and reported by Sasha (sasha@cataphract-security.co.uk).
  • [Web UI] Improve input validation to prevent command injection. Issue first discovered and reported by Seth Art (sethsec@gmail.com), and later also independenly discovered and reported by Sasha (sasha@cataphract-security.co.uk).
  • [Web UI] Remove the restriction of 10 peers in the IPsec site-to-site page. However, note that with the current implementation the operation can become quite slow when there are many peers. Discussed with @dfrea  here.
  • [Web UI] Fix handling of certain characters input in Config Tree
  • [Web UI] Fix potential Toolbox layout issue when the view is zoomed out
  • [Web UI] Add validation to prevent erros caused by duplicate DHCP server names. Reported by @CodyLoco  here.
  • [Web UI] Fix interface field display issue for DNS forwarding
  • [Web UI] Fix whitespace display issue in Config Tree confirmation dialog
  • [Web UI] Fix firewall ruleset dialog to display scrollbar correctly. Reported by and discussed with @aweber @Matchstick @joedoe  here and here.
  • [Web UI] Fix potential script injection in description input fields. Reported by @Myron  here.
  • [Web UI] Fix messages sorting in the Log Monitor. Reported by @Schnitzelchen  here.
  • [Web UI] Fix Config Tree validation to allow "" for network values
  • [Web UI] Remove internal "dummy0" interface from UI drop-down input. Discussed with @amarden  here.
  • [Web UI] Fix validation issues for "tag" values in Config Tree
  • [Web UI] Fix UI login issue when non-default HTTPS port is used. Reported by and discussed with @marnog @mveitenheimer @painless @khatfield psydafke @Dron750 @CharlesRenault waheuler mvn sm0tsc here and here.
  • [Web UI] Fix Config Tree arrow display issue
  • [Web UI] Fix validation issue for IPv6 network notation. Reported by loke  here.
  • [Web UI] Add peer description for IPsec site-to-site page. Suggested by chrish13 here.
  • [Web UI] Fix handling of space character for dynamic DNS "Web-skip" configuration. Reported by tucker here.
  • [Web UI] Reorder config settings for system log in System tab and disable level input if server is not configured. Discussed with petecarlson here.
  • [Web UI] Fix deletion of bridge interface. Reported by Paetur .
  • [Web UI] Fix space character handling in Config Tree. Reported by STL-Kabong here.
  • [Web UI] Update TCP MSS clamping wizard to add support for "all" interface type. Discussed with vypregts here.
  • [Web UI] Fix interface IP address display issue with OpenVPN interface. Reported by pw here.
  • [Web UI] Add "delete" function for removing user-uploaded wizards. Suggested by mackintire mcmpr here.
  • [Web UI] Fix DHCP server stats calculation to exclude static IP mappings from dynamic pool size. Discussed with vctwt painless rmhopper RiQ_SwarE dpurgert here and here.
  • [Web UI] Fix Web UI access using IPv6 address. Reported by Myron here.
  • [Web UI] Add number of static mappings to the DHCP server stats display, for example:

  • [Web UI] Add description for masquerade NAT rules created by the setup wizards. Suggested by danbriant here.
  • [Web UI] Clarify Dashboard text for NAT rules. Suggested by moonlander here.
  • [Web UI] Change interface address configuration from Dashboard. Now it allows for example both static IPv4 address and DHCPv6 at the same time. Suggested by intelx86 wizdum here.
  • [Web UI] Fix date/time in the name of downloaded backup file to use the correct timezone. Reported by pervect final here.
  • [Web UI] Fix enable/disable button for OpenVPN interfaces on Dashboard. Reported by zfa here.
  • [Web UI] Remove unnecessary Debian package repo config generated by the load balancing wizard.
  • [DHCP server] Fix potential VLAN packets handling issue in DHCP server implementation
  • [PPPoE] Allow dash/period in names for service and access concentrator (both PPPoE client and PPPoE server). Reported by and discussed with tharude hyphenatic here.
  • [Interface] Add "enable-proxy-arp" setting for switch0 interface (ER PoE 5-port only). Reported by polygnwnd smashr  here and here.
  • [Interface] Adjust default bridge STP priority. Suggested by Scissor  here.
  • [Interface] Rework the interface initialization sequences to prevent the original MAC from being used in some cases even when a different MAC is set. This should fix the issue where some modems only allows the first MAC seen for example. Reported by and discussed with Advocate99 agbiront  here.
  • [Interface] Fix validation to prevent configuration of mirror/redirect on "switched" interfaces (which does not work).
  • [Interface] (ER-X-SFP only) Fix link state issue for the SFP interface after a power cycle
  • [Firewall] Fix show firewall command parse error
  • [Firewall] Fix address group validation to disallow space characters in address (which led to configuration issue when deleting such addresses). Reported by jacotec here.
  • [Firewall] Fix IPv6 firewall group subnet validation. Reported by jocke here.
  • [Firewall] Fix log-martians setting getting overriden on reboot. Reported by Shcaerp here.
  • [Firewall] Add firewall settings for PPPoE interface over pseudo-ethernet interface. Suggested by hyphenatic here.
  • [Firewall/NAT] Fix address group validation for /32 addresses. Reported by Zubr here.
  • [Bridge] Make multicast bridging configurable. To enable it:
    set interfaces bridge br0 multicast enable
    Discussed with AdamF BHSAZ zfa markvl and solution provided by markvl here.
  • [Bridge] Make connection tracking for bridged traffic configurable. This also restores kernel setting allowing netfilter to be applied to bridged traffic. This is disabled by default as enabling it may impact hairpin NAT functionality for example. To enable connection tracking for bridged traffic:
    set interfaces bridge br0 bridged-conntrack enable
    Discussed with community members including rps douglastodd legacy0 dpurgert Zyrtec  here and here.
  • [Conntrack] Adjust default TCP established timeout per RFC 5382. Suggested by mst  here.
  • [Conntrack] Fix default conntrack table size
  • [mDNS] Disable caching for mDNS reflector. This may resolve the "multiple names" issue discussed with community members including Sugaroverdose psydafke sixlocal mbwmbw chaicka OzPHB snowball dc1 cthil ringods sorvani dmoutal 6keazik7 here and here. The fix is suggested by 6keazik7 here.
  • [DHCPv6 PD] Add "duid" configuration for setting a fixed DUID
  • [DHCPv6 PD] Fix generated radvd.conf file when stateful service is used
  • [DHCPv6 PD] Fix potential issues when restarting DHCPv6 PD on an interface. Reported by and discussed with bjck BranoB here.
  • [DHCPv6 PD] Allow "prefix-only" configuration. For example:
    set interfaces ethernet eth1 pppoe 1 dhcpv6-pd prefix-only
    Reported and fix suggested by Mephi here.
  • [DHCPv6 PD] Fix configuration of DHCPv6 PD on PPPoE interfaces. Reported by cycloptivity here.
  • [DHCPv6 PD] Add script to renew DHCPv6 PD over PPPoE interface when the interface connects/reconnects. Suggested by and discussed with bjck abu_cwarky lunihausen Mephi rhooper in these threads: 1 2 3.
  • [System] Update kernel IGMP parameters. Suggested by cz_ranger here.
  • [System] Increase default neighbour table size parameters
  • [System] Adjust package dependency to allow different MTA to be installed. Suggested by alchemyx  here.
  • [System] Fix the "watchdog interrupt" reboot issues for ER PoE and ER Lite. There have been some reports on the forum for example from kholmar fe31nz mcmpr dolfs jlycett TMinus36 leverd obg thruck  in these threads: 1 2 3.
  • [System] Set system time to last known time on boot. This workaround could help avoid issues such as certificate creation date being later than system time causing configuration to fail before NTP syncs the time. Discussed with prometheanfire spwireless zx2c4 in these threads: 1 2 3.
  • [System] Fix comment format in resolv.conf, based on changes provided by jsribeiro  here
  • [System] Adjust ARP/neighbor table size defaults. Discussed with iv here.
  • [System] Restart syslog daemon when hostname is changed (otherwise it will continue using old name). Reported by Schnitzelchen here.
  • [System] Fix commit archive SSH issue with known_host file. Reported by faye  here.
  • [System] Add "custom-attribute" config setting. This can be used to define custom attribute data in the configuration. For example:
    set custom-attribute attribute1 value value1
    Based on patch provided by thrca here.
  • [System] Fix handling of negative temperature readings from the temperature sensors. Reported by Magician .
  • [System] Implement potential fix for Web UI backend process issue.
  • [System] Use temporary file during save operation. Patch contributed by community member final
  • [System] Only start internal telnetd (for Web UI "CLI window") if Web UI is enabled. Discussed with community members including ryan3531 mrjester Xand rjh2805 budcar apleschu GaryGapinski zx2c4, for example in these threads: 1 2 3 4.
  • [System] Patch iptables to support the IMQ target. Suggested by and discussed with 6keazik7 fgrep  here.
  • [System] Fix for "skb_under_panic kernel crash" reported before and also add code to prevent the crash should the condition still happens. Reported by espencb iv nayr final bjck, for example in these threads: 1 2 3 4 5.
  • [System] Include mod_accesslog for lighttpd. Suggested by jocke here.
  • [System] Include etherwake package from Debian. Discussed with final here.
  • [System] Remove unsupported "show file" commands. Reported by britannic here.
  • [System] Move temporary session files (for PPPoE server, PPTP server, and L2TP/IPsec server features) into tmpfs (instead of persistent storage).
  • [SNMP] Fix output for "show snmp v3" command
  • [IPsec VTI] Add default MTU for VTI interfaces
  • [IPsec VTI] Fix issues with iptables rules for VTI
  • [IPsec VTI] Apply VyOS patch (from Masakazu Asama) as a potential fix for VTI tunnel stability issue. Reported by and discussed with the_crowbar dpurgert here.
  • [IPsec VTI] Adopt kernel internal VTI change and related changes from VyOS (Alex Harpin). This prevents VTI from interfering with other features that use "markings".
  • [IPsec] Fix "show vpn ipsec status" to use local-address instead of local-ip
  • [IPsec] Apply patches from Jason Hendry <jhendry@mintel.com> which fix the handling of IKEv2 etc. for "show vpn ipsec ..." commands
  • [OpenVPN] Fix OpenVPN bridge errors with 1.6.0. Reported by gps-au joelika  here.
  • [L2TP/IPsec] Fix typo in help text. Reported by train_wreck  here.
  • [RADIUS] Add RADIUS key length validation for PPPoE server, L2TP/IPsec server, and PPTP server. Reported by benno16 ankursethi108  here.
  • [QoS] Fix issues caused by "bandwidth auto" setting when interface is down. Reported by and discussed with MountainPatrick  here.
  • [RIP] Fix ripng config validation issues. Reported by csch  (who also provided the fix) here.
  • [HW offload] Allow offload to be used with "modify table" action (for policy-based routing) in "modify" firewall rules.
  • [PPPoE server] Add configuration option for enabling MPPE encryption (default disabled). To enable:
    set service pppoe-server encryption enable
    This allows airOS PPPoE client to connect if "encryption" is enabled on the client. Reported by and discussed with ajbtv2 Paetur Twoopi86 here and here.
  • [MSS clamping] Add support for clamping "all" traffic
    set firewall options mss-clamp interface-type all
    Discussed with community members, for example drac here.
  • [MSS clamping] Apply MSS clamping in both directions. Discussed with bjck Adze1502 here.
  • [Static route] Add description setting to static routes configuration. For example:
    set protocols static route next-hop description 'lab network'
    Discussed with community members for example ttt_travis here.
  • [NetFlow] Fix "clear flow-accounting counters" command to also clear egress counters. Reported by zx900e20 here.
  • [CLI] Fix "commit-archive" to send whole config (ignore "edit level"). Patch contributed by community member final (discussed here).
  • [CLI] Allow multiple IP addresses for static host mapping. Patch contributed by community member zx2c4 here.
  • [CLI] Fix issue with "save" when using SCP. Reported by unwiredhokie here.
  • [CLI] Make help strings more consistent. Reported by and discussed with chaicka waheuler bjck here.
  • [CLI] Fix output formatting of several show commands. Reported and patch contributed by rjh2805 here.
  • [VRRP] Allow VRRP to be configured on switch and bridge interfaces. Suggested and tested by Sergiy here.
  • [Load balance] Fix issue with transition script if it calls "show load-balance status" command. Reported by anthony_s here.
  • [Load balance/PBR] Change packet marking mechanism for load balance and PBR to use a "mask". This allows the remainder of the mark to be used for user-defined marking. Incidentally this also fixes a bug in offload that was preventing such traffic from getting offloaded.
  • [PPPoE client] Fix configuration script to properly handle passwords containing certain special characters. Reported by WalkingZombie7 and patch provided by hyphenatic here.
  • [IPv6] Add configuration setting for RDNSS, for example:
    set interfaces ethernet eth0 ipv6 router-advert name-server 2001:4860:4860::8888
    Suggested by mikhlevich here. Patch from Ivan Malyarchuk (via VyOS).
  • [IPv6] Fix issue of radvd not restarting correctly (exits with CLI session). Reported by and discussed with sebastianmarkow rps magenbrot danhusan jocke johnsom robfoehl here.
  • [DHCP client] Add definition of DHCP option 121 in DHCP client config file. Suggested by and discussed with c0mm0n tivoli bjck here.
  • [IGMP proxy] Add CLI command for restarting igmp-proxy:
    restart igmp-proxy
    This is useful for example when interface IP address changes. Suggested by and discussed with bjck Mephi here.
  • [Port forwarding/NAT] Fix ordering of NAT hooks so that port forwarding configuration takes precedence. Reported by alex_cambui here.


Changes for new features implemented during alpha/beta testing:


  • [Web UI] Fix display issue of VLAN interfaces under parent interfaces whose name end in "0". Reported by community members including dcplaya MountainPatrick nlpdk jndfx22 RyLeeRyno jjonsson britannic dragon2611 Cznet for example in these threads: 1 2 3.
  • [Web UI] Fixes/enhancements for the traffic analysis feature:
    • Fix issue that could "freeze" the browser when there are too many IP addresses. Reported by and discussed with brielle ov hdnhdn here and here.
    • Change pie chart to use a "legend" instead of text linked to the graph. This also resolves the overlapping text issue reported by abu_cwarky here.
    • Display hostname for an IP address if it is known (for example from DHCP). Suggested by Klockworks here.
    • Improve aggregation of traffic for hosts and add support for non-NATed traffic
  • [Web UI] Fix display when there is no traffic data in traffic analysis
  • [Web UI] Use "system static-host-mapping" configuration to obtain hostnames for traffic analysis. This is in addition to the current mechanism which uses the names available from the DHCP server. Discussed with danbriant bgh dcplaya m_theredhead foshak lunihausen here.
  • [Web UI] Allow applying Smart Queue to one direction only. This was already allowed in the CLI and can be done in the Web UI now as well. Reported by ToBeFrank waheuler ely105 here and here.
  • [Web UI] Change default bandwidth units on Smart Queue QoS tab. Suggested by ely105 here.
  • [Web UI] Show default values on Smart Queue QoS tab where applicable. Suggested by ely105 here.
  • [Web UI] Update validation checks on Smart Queue QoS tab.
  • [Web UI] Fix unclickable "arrow" for expanding a host on the traffic analysis tab. Reported by snapper here.
  • [Web UI] Remove default values for target and interval on QoS Smart Queue tab. This allows the auto-adjustment for low-bandwidth links to work.
  • [DPI] Fix some of the cases generating debug log messages reported by community members. The debug messages are also rate-limited now to avoid impacting system operations. Reported by and discussed with final jocke Blooze abu_cwarky Xand erwinquek gabry89 ToBeFrank gmartine hyphenatic Shcaerp britannic drac here.
  • [DPI] Fix exit status of signature update script. Reported and fix provided by bl9 here.
  • [OpenVPN] Add symlink for OpenVPN plugin to avoid issues due to plugin renaming in the newer OpenVPN version. Reported by and discussed with WayneGee gundam212 sorvani here and here.
  • [QoS] Fix timing issue with smart-queue configuration that was preventing config changes from taking effect in some cases. Reported by centeno here.
  • [QoS] Add more enhancements for smart-queue QoS feature (note that since the config syntax for smart-queue has changed, if you had already configured it in the previous versions, you'll need to re-configure it using the new syntax):
    • Separate settings for upload and download directions, i.e., different values can now be used for each direction. Discussed with ToBeFrank here.
    • Add more advanced settings for smart-queue.
    • Change "interface" setting to "wan-interface" and allow only one value. Multiple smart-queue policies can still be configured for different interfaces.
    • Add basic validations for the settings. More specifically the following value ranges are allowed.
      • burst: 1500 bytes to 10 megabytes
      • flows: 1 to 65535
      • fq-quantum: 256 bytes to 65535 bytes
      • htb-quantum: 1 bytes to 65535 bytes
      • interval: 1 ms to 20 s
      • target: 10 us to 10 s
      • limit: 1 to 1000000
    • Automatically compute "target" and "interval" for low-bandwidth links if they are not specified. Suggested by dtaht2.
    • Fix validation issue when setting interface. Reported by ToBeFrank here.
    • Fix default value for ECN setting (default should be enable)
  • [IGMP proxy] Make "restart" command also start the daemon if configured but not running. Reported by Mephi here.
  • [Port forwarding] Fix hairpin NAT issue for ER-X and ER-X-SFP models. Reported by and discussed with WisTech lainy CorneliousJD augustf dison4linux in these threads: 1 2 3.


Updated software components


  • Update bind9 to 1:9.8.4.dfsg.P1-6+nmu2+deb7u4: Fix CVE-2014-8500, CVE-2015-1349
  • Update curl to 7.26.0-1+wheezy13: Fix CVE-2014-3707, CVE-2014-8150, CVE-2015-3143, CVE-2015-3148
  • Update openssl to 1.0.1e-2+deb7u17: Fix CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572, CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570, CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288, CVE-2014-3571, CVE-2015-0209, CVE-2014-8176, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792
  • Update dbus to 1.6.8-1+deb7u6: Fix CVE-2014-7824, CVE-2015-0245
  • Update libevent to 2.0.19-stable-3+deb7u1: Fix CVE-2014-6272
  • Update libgcrypt11 to 1.5.0-5+deb7u3: Fix CVE-2014-5270, CVE-2014-3591, CVE-2015-0837
  • Update mime-support to 3.52-1+deb7u1: Fix CVE-2014-7209
  • Update openvpn to 2.3.2-7~bpo70+2: Use newer version from Wheezy backports. Suggested by rolfl here.
  • Update tcpdump to 4.3.0-1+deb7u2: Fix CVE-2014-8767, CVE-2014-8769, CVE-2014-9140, CVE-2015-0261, CVE-2015-2153, CVE-2015-2154, CVE-2015-2155
  • Update ntp: Fix CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, CVE-2014-9297, CVE-2014-9298, CVE-2015-1798, CVE-2015-1799
  • Update PHP to 5.4.42: Fix CVE-2014-3668, CVE-2014-3669, CVE-2014-3670, CVE-2014-3710, CVE-2014-8142, CVE-2015-2301, CVE-2015-2787, CVE-2015-2348, CVE-2015-2305, CVE-2015-2331, CVE-2015-0235, CVE-2015-0273, CVE-2014-9705, CVE-2015-0231, CVE-2014-9427, CVE-2015-0232, CVE-2014-9652, CVE-2015-3330, CVE-2014-9709, CVE-2015-2783, CVE-2015-3329, CVE-2015-1352, CVE-2015-4024, CVE-2015-4025, CVE-2015-4022, CVE-2015-4026, CVE-2015-2325, CVE-2015-2326, CVE-2015-4021, CVE-2015-3414, CVE-2015-3415, CVE-2015-3416
  • Update strongswan: Fix CVE-2014-9221, CVE-2015-4171
  • Update eglibc to 2.13-38+deb7u8: Fix CVE-2015-0235, CVE-2012-6656, CVE-2014-6040, CVE-2014-7817, CVE-2015-1472, CVE-2015-1473, CVE-2012-3406, CVE-2014-4043, CVE-2014-9402, CVE-2013-7424
  • Update binutils to 2.22-8+deb7u2: Fix CVE-2014-8484, CVE-2014-8485, CVE-2014-8501, CVE-2014-8502, CVE-2014-8503, CVE-2014-8504, CVE-2014-8737, CVE-2014-8738
  • Update krb5 to 1.10.1+dfsg-5+deb7u3: Fix CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423
  • Update miniupnpd: Fix potential issues in CERT Note VU#184540. Reported by UserMax here.
  • Update libxml2 to 2.8.0+dfsg1-7+wheezy4: Fix CVE-2014-0191, CVE-2014-3660, CVE-2014-3660
  • Update apt to
  • Update base-files to 7.1wheezy8
  • Update debian-archive-keyring to 2014.3~deb7u1
  • Update tzdata to 2014j-0wheezy1
  • Update gnupg to 1.4.12-7+deb7u7: Fix CVE-2014-3591, CVE-2015-0837, CVE-2015-1606
  • Update libcomerr2 to 1.42.5-1.1+deb7u1: Fix CVE-2015-0247, CVE-2015-1572
  • Update gnutls26 to 2.12.20-8+deb7u3: Fix CVE-2015-0294, CVE-2015-0282
  • Update libssh2 to 1.4.2-1.1+deb7u1: Fix CVE-2015-1782
  • Update sudo to 1.8.5p2-1+nmu2: Fix CVE-2014-9680
  • Update dpkg to 1.16.16: Fix CVE-2015-0840
  • Update openldap to 2.4.31-2: Fix CVE-2013-4449, CVE-2014-9713, CVE-2015-1545
  • Update ppp: Fix CVE-2014-3158 (reported by bjck here) and CVE-2015-3310
  • Update libtasn1-3 to 2.13-2+deb7u2: Fix CVE-2015-2806
  • Update libxml-libxml-perl to 2.0001+dfsg-1+deb7u1: Fix CVE-2015-3451
  • Update dnsmasq to 2.62-3+deb7u3: Fix CVE-2015-3294
  • Update sqlite3 to 3.7.13-1+deb7u2: Fix CVE-2015-3416