
EdgeMAX EdgeRouter software release v1.8.0

by Previous Employee UBNT-ancheng ‎02-23-2016 02:30 PM - edited ‎03-02-2016 10:56 AM

New EdgeMAX software release v1.8.0 for EdgeRouter products has been released and is available from our download page.

 

https://www.ubnt.com/download/edgemax/

 

Please select the correct EdgeMAX model and then the v1.8.0 firmware. The checksums for the upgrade images are provided below for your reference (since our download site does not provide them):

 

  • ERLite-3 and ERPoe-5: ER-e100.v1.8.0.4853089.tar
    (SHA1: 1d88829f5b70578ac70c8113f11fb135d7f69e28)

  • ER-8, ERPro-8, and EP-R8: ER-e200.v1.8.0.4853089.tar
    (SHA1: e92f793a5cb0934c55b231545fd289416907d79e)

  • ER-X, ER-X-SFP, and EP-R6: ER-e50.v1.8.0.4853089.tar
    (SHA1: 18cdb8dc378e7c6ee339114bdeeb482f871ccab3)

    Note: The ER-X/ER-X-SFP/EP-R6 have more limited storage, and in some cases the upgrade may fail for lack of space. If this happens, remove the old backup image first (using the "delete system image" command; see here for more details) before upgrading.
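Since the download site does not publish the checksums, the one place to compare against is the list above. The script below is an added example (not Ubiquiti code) that streams a downloaded image through SHA1 and compares the result with the published digest for that file name; the sample file written by write_sample_file() is a constructed stand-in for a real image, and the digest dictionary holds exactly the values listed above.

```python
"""Verify a downloaded EdgeMAX upgrade image against the SHA1 published in the post.

Added example (not Ubiquiti code). PUBLISHED_SHA1 holds the digests listed above;
write_sample_file() creates a constructed sample file for the demo.
"""
import hashlib
import os
import tempfile

# SHA1 digests exactly as published in the release post above.
PUBLISHED_SHA1 = {
    "ER-e100.v1.8.0.4853089.tar": "1d88829f5b70578ac70c8113f11fb135d7f69e28",
    "ER-e200.v1.8.0.4853089.tar": "e92f793a5cb0934c55b231545fd289416907d79e",
    "ER-e50.v1.8.0.4853089.tar": "18cdb8dc378e7c6ee339114bdeeb482f871ccab3",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA1 in 1 MiB chunks so a large image need not fit in RAM."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, expected_sha1):
    """Return True only if the file's SHA1 equals the expected digest (case-insensitive)."""
    return sha1_of_file(path) == expected_sha1.strip().lower()


def verify_download(path):
    """Look the image up by file name in PUBLISHED_SHA1 and verify it.

    Returns (matched, reason). An unknown file name is a failure, not a pass:
    an image whose digest was never published cannot be checked at all.
    """
    name = os.path.basename(path)
    expected = PUBLISHED_SHA1.get(name)
    if expected is None:
        return False, f"no published SHA1 for {name}"
    if not verify_image(path, expected):
        return False, f"SHA1 mismatch for {name}: got {sha1_of_file(path)}, expected {expected}"
    return True, f"{name} matches published SHA1"


def write_sample_file(content=b"hello"):
    """Write a constructed sample file (stand-in for a downloaded image) and return its path."""
    fh = tempfile.NamedTemporaryFile(delete=False, suffix=".tar")
    fh.write(content)
    fh.close()
    return fh.name


if __name__ == "__main__":
    sample = write_sample_file()
    print(sha1_of_file(sample))      # aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d for b"hello"
    print(verify_download(sample))   # (False, 'no published SHA1 for tmp....tar')
    os.unlink(sample)
```

Run it against the real download by passing the image path to verify_download(); a mismatch means the download was corrupted or altered in transit and the image should not be loaded. Keep in mind what the check does and does not prove: the digest comes from the same vendor post as the download link, so it detects transfer corruption and tampering between the download site and you, not a problem at the source.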

 

This release contains many significant new features. The major news is a new proprietary routing protocol stack, which supports new features including Multiprotocol Label Switching (MPLS), Label Distribution Protocol (LDP), Resource Reservation Protocol - Traffic Engineering (RSVP-TE), Virtual Private LAN Service (VPLS), Bidirectional Forwarding Detection (BFD), and more, in addition to improvements to the already supported routing protocols: OSPF, OSPFv3, BGP, RIP, and RIPng of course.

 

Other major new features/enhancements include the Advanced Queue QoS feature with full Web UI configuration, Traffic Analysis and DPI support for non-offloaded traffic, an updated strongSwan for IPsec improvements, firewall/QoS matching based on DPI application categories, and more! More details can be found in the release notes below.

 

Note that due to the major changes in the transition to the new routing protocol stack, a number of (uncommon) config settings have been "deprecated"; these are documented here. We also have basic "Config Guide" documents that include basic information and examples for some of the new features, and we are working on more. The currently available documents are listed here.

 

Special thanks to all the community members who participated in the alpha/beta testing, reported issues, provided feedback, and even came up with fixes! Your contributions were instrumental in helping us find and fix issues with all the major changes, and we really appreciate it!

 



[Release Notes v1.8.0]

 

Changelog

 

Changes since v1.7.0

 

New features

 

  • [Routing] New routing protocol stack with support for new features including Multiprotocol Label Switching (MPLS), Label Distribution Protocol (LDP), Resource Reservation Protocol - Traffic Engineering (RSVP-TE), Virtual Private LAN Service (VPLS), and Bidirectional Forwarding Detection (BFD). These features have been discussed with many community members before, including @bmv @eddief1 @esseph @keefe007 @robbrown @Zerofail @Magician @DrahtlosDSL @Network_Pro @mhotel @Inssomniak @eejimm @glendale2x @twinkletoes @adairw @evelio @mrjester @rebelwireless @devicebusy @Apogee @kvant @JLR @Simon_Powercode @kevinclarkschoen @eflanery @complete @supers @fgoldstein @timberwolf @MHoward @ekisbey @jamiehhl @ivanbon @jaderjvr @NVX @skidmata @rossGiegler @IS @ryan3531 @sabueso @prp8683 @TekunoKage @mcmpr @cheeze_it @petecarlson @Takigama @ginovilla @hoyosa @xuskit @DStahl @ehsab @TurkMcdirt @marcioelias @rhondle @cfikes @twinkie76y @Mhoban @DanSti1000 @csch @Highlands @bfowler @Mephi @nmap @broken @RcRaCk2k @leonsio , for example in these threads: 1 2 3 4 5 6.


    For our WISP/ISP customers, for example, the new features allow the deployment of an MPLS network which enables them to provide new, value-added services (e.g., VPLS) to their end customers. As another example, the new BFD feature provides fast detection of connectivity failure and recovery using alternative routes (e.g., compared with OSPF convergence time).

    This has been a long-term project and the changes are significant, so if you find any issues, let's discuss them on the forum so that we can look into and address them. Thanks!

  • [IPsec] Update strongSwan software to 5.2.2 for better IPsec support. This is mainly based on the work done by @TriJetScud and also includes some changes from VyOS (by Alex Harpin, Daniil Baturin, Ryan Riske, Jason Hendry et al.). Note that due to this major update, the "show" commands have been reorganized. The "show vpn ike sa ..." commands and the "show vpn ipsec sa ..." commands are consolidated into the "show vpn ipsec sa" command. Some more information can be found here.

    Updating to newer strongSwan and previous IPsec-related issues have been discussed with many community members before, including TriJetScud @snowball @OzPHB @chaicka @iampedro @Benerages @looney128 @thrca @Corny ryan3531 NVX @whereisaaron @jrun @hazuki @jsprig @vgrinber @dimarudman @pmatuszy @abailey @drac @dandman @levicki @inthesky @jharper8014 @train_wreck @ankursethi108 @dustinsterk @gsloop @obenc @steve2 @jclendenan @JustSumDad @avathan @erl3user , for example in these threads: 1 2 3.

  • [Traffic Analysis/DPI] Add support for non-offloaded traffic. Basically this means the limitations mentioned in the previous sticky thread no longer apply. With this support, the Traffic Analysis page is able to show both offloaded and non-offloaded traffic at the same time when the analysis/DPI is enabled. This includes, for example, bridged traffic, traffic to which a QoS policy is applied, etc.

  • [DPI] Add "application" match support for firewall rules. This allows a firewall to match packets that are identified by DPI as certain applications. Currently the following built-in categories are supported (from CLI auto-completion):
    ubnt@ubnt# set firewall name x rule 10 application category 
    Bypass-Proxies-and-Tunnels  TopSites-Games
    File-Transfer               TopSites-Health
    Games                       TopSites-Home
    Instant-messaging           TopSites-KidsnTeens
    Mail-and-Collaboration      TopSites-News
    Mobile                      TopSites-Recreation
    P2P                         TopSites-Reference
    Remote-Access-Terminals     TopSites-Regional
    Social-Network              TopSites-Science
    Stock-Market                TopSites-Shopping
    Streaming-Media             TopSites-Society
    TopSites-Adult              TopSites-Sports
    TopSites-Arts               Voice-over-IP
    TopSites-Business           Web-IM
    TopSites-Computers          
    [edit]
    ubnt@ubnt#
    
    So for example the following rule would match packets that are identified as "P2P" by the DPI engine and drop them:
    ubnt@ubnt# set firewall name x rule 10 application category P2P
    [edit]
    ubnt@ubnt# set firewall name x rule 10 action drop 
    [edit]
    ubnt@ubnt# commit
    
  • [DPI] Add support for configuring custom application categories, which can include specific applications. For example:
    set system traffic-analysis custom-category DROP_APPS name Twitter
    set system traffic-analysis custom-category DROP_APPS name Youtube
    set system traffic-analysis custom-category DROP_APPS name Skype
    set system traffic-analysis custom-category DROP_APPS name Facebook
    

    Note that the application "name" must match one of the applications as shown in the traffic analysis page in the Web UI. Also currently each application can only appear in one custom category.

    After the custom category is configured, it can be used in firewall rules for packet matching, for example:

    set firewall name x rule 10 application custom-category DROP_APPS
    set firewall name x rule 10 action drop
    
  • [Web UI] Support creating custom application categories and assigning apps to the categories from the Traffic Analysis page. For example:

    [image: app-cfg.png]

    [image: cat-cfg.png]

    Also add application category matching to firewall rule configuration. This includes both built-in and custom categories, for example:
    [image: fw-cat.png]

  • [QoS] Add new "Advanced Queue" QoS feature. The new feature provides much more functions and flexibility than the existing "traffic-policy shaper". For example:
    • Hierarchical: With "Advanced Queue", a "tree of queues" can be configured to achieve a more complex bandwidth sharing scheme. In contrast, the existing traffic-policy shaper only supports a "flat" policy.
    • Global: It is now also possible to attach the QoS policy "globally" instead of to a particular interface only. This can make it easier to design/reason about the policy and also provides greater flexibility, as the "global" QoS policy is applied after destination NAT and before source NAT, so for example private IP addresses can be used for QoS policy matching.
    • Host fairness queueing: A new queue type "Host Fairness Queueing" (HFQ) is added and provides simplified policy setup for scenarios where all hosts in a particular subnet share the same policy. Basically it automatically applies the specified policy to every host in the specified subnet.

    To illustrate the new functions, let's take a look at a config example:

     traffic-control {
         advanced-queue {
             branch {
                 queue 11 {
                     bandwidth 100mbit
                     description "Download direction"
                     parent 1
                 }
             }
             filters {
                 match 11 {
                     attach-to 1
                     ip {
                         destination {
                             address 192.168.0.0/16
                         }
                     }
                     target 11
                 }
                 match 12 {
                     attach-to 1
                     ip {
                         source {
                             address 192.168.0.0/16
                         }
                     }
                     target 12
                 }
                 match 21 {
                     attach-to 11
                     ip {
                         destination {
                             address 192.168.1.0/24
                         }
                     }
                     target 21
                 }
                 match 22 {
                     attach-to 11
                     ip {
                         destination {
                             address 192.168.2.0/24
                         }
                     }
                     target 22
                 }
             }
             leaf {
                 queue 12 {
                     bandwidth 25mbit
                     description "Upload direction"
                     parent 1
                     queue-type fc1
                 }
                 queue 21 {
                     bandwidth 75mbit
                     parent 11
                     queue-type sfq1
                 }
                 queue 22 {
                     bandwidth 25mbit
                     parent 11
                     queue-type hfq1
                 }
             }
             queue-type {
                 fq-codel fc1 {
                 }
                 hfq hfq1 {
                     host-identifier dip
                     max-rate 1mbit
                     subnet 192.168.2.0/24
                 }
                 sfq sfq1 {
                 }
             }
             root {
                 queue 1 {
                     attach-to global
                     bandwidth 1000mbit
                 }
             }
         }
     }
    

    At a high level, the above example corresponds to the following hierarchy:
    [image: aq.png]

    Basically the tree of queues consists of "root", "branch", and "leaf" nodes. In this example, there is a root node (1) which is attached "globally" (i.e., all traffic, not specific to one interface/direction). Branch 11 and leaf 12 represent the download and upload policies, respectively. For download, the traffic is further divided to use different policies according to the subnet. At each root and branch node, filters can be attached to classify the traffic that belongs to the different child nodes. At each leaf node, a queue-type is attached which is defined separately. In this example, the upload direction uses FQ-CoDel. For download, one subnet uses SFQ while the other uses the new HFQ type, which applies the specified policy to all hosts in the subnet automatically.
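A tree like this has a few invariants worth checking before commit: every branch/leaf names an existing parent, every leaf names a defined queue-type, the children of a node do not request more bandwidth than the node itself has, and every filter's target is actually a child of the node the filter is attached to. The script below is an added example (not EdgeOS code): a small parser for the brace-style config shown above plus those checks. CONFIG is the release-notes example condensed onto fewer lines; the parser is whitespace-token based, so the original layout parses identically. The oversubscribed variant in the demo is constructed.

```python
"""Sanity-check an Advanced Queue tree before committing it (added example, not EdgeOS code)."""
import re
import shlex

# The Advanced Queue example from the release notes, condensed (same statements, fewer lines).
CONFIG = """
traffic-control { advanced-queue {
  root { queue 1 { attach-to global bandwidth 1000mbit } }
  branch { queue 11 { bandwidth 100mbit description "Download direction" parent 1 } }
  leaf {
    queue 12 { bandwidth 25mbit description "Upload direction" parent 1 queue-type fc1 }
    queue 21 { bandwidth 75mbit parent 11 queue-type sfq1 }
    queue 22 { bandwidth 25mbit parent 11 queue-type hfq1 }
  }
  filters {
    match 11 { attach-to 1 ip { destination { address 192.168.0.0/16 } } target 11 }
    match 12 { attach-to 1 ip { source { address 192.168.0.0/16 } } target 12 }
    match 21 { attach-to 11 ip { destination { address 192.168.1.0/24 } } target 21 }
    match 22 { attach-to 11 ip { destination { address 192.168.2.0/24 } } target 22 }
  }
  queue-type {
    fq-codel fc1 { }
    hfq hfq1 { host-identifier dip max-rate 1mbit subnet 192.168.2.0/24 }
    sfq sfq1 { }
  }
} }
"""

RATE_UNITS = {"bit": 1, "kbit": 10**3, "mbit": 10**6, "gbit": 10**9}


def parse_config(text):
    """Brace config -> nested dicts. 'queue 11 { ... }' becomes {'queue 11': {...}},
    'bandwidth 100mbit' becomes {'bandwidth': '100mbit'}. Braces must be whitespace-separated."""
    tokens = shlex.split(text)   # shlex keeps "Download direction" as one token
    pos = 0

    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != "}":
            name, pos = tokens[pos], pos + 1
            value = None
            if pos < len(tokens) and tokens[pos] not in ("{", "}"):
                value, pos = tokens[pos], pos + 1
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1
                node[name if value is None else f"{name} {value}"] = block()
                if pos >= len(tokens) or tokens[pos] != "}":
                    raise ValueError(f"unclosed block '{name}'")
                pos += 1
            else:
                node[name] = value
        return node

    root = block()
    if pos != len(tokens):
        raise ValueError("unbalanced '}'")
    return root


def parse_rate(text):
    """'100mbit' -> 100000000 (bit/s)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmg]?bit)", text.lower())
    if not m:
        raise ValueError(f"unrecognised rate '{text}'")
    return int(float(m.group(1)) * RATE_UNITS[m.group(2)])


def collect_queues(aq):
    """Flatten the root/branch/leaf sections into {queue_id: info}."""
    queues = {}
    for section in ("root", "branch", "leaf"):
        for key, body in aq.get(section, {}).items():
            queues[key.split()[1]] = {"section": section, "parent": body.get("parent"),
                                      "bandwidth": parse_rate(body["bandwidth"]),
                                      "queue_type": body.get("queue-type")}
    return queues


def check_advanced_queue(config):
    """Return a list of problems; an empty list means the tree is consistent."""
    aq = config["traffic-control"]["advanced-queue"]
    queues = collect_queues(aq)
    types = {key.split()[1] for key in aq.get("queue-type", {})}
    issues = []
    for qid, q in queues.items():
        if q["section"] != "root":
            parent = queues.get(q["parent"])
            if parent is None:
                issues.append(f"queue {qid}: parent {q['parent']} is not defined")
            elif parent["section"] == "leaf":
                issues.append(f"queue {qid}: parent {q['parent']} is a leaf")
        if q["section"] == "leaf" and q["queue_type"] not in types:
            issues.append(f"queue {qid}: queue-type {q['queue_type']} is not defined")
        children = sum(c["bandwidth"] for c in queues.values() if c["parent"] == qid)
        if children > q["bandwidth"]:   # oversubscription: children cannot all get their rate
            issues.append(f"queue {qid}: children need {children} bit/s, exceeds {q['bandwidth']} bit/s")
    for key, f in aq.get("filters", {}).items():
        attach, target = f.get("attach-to"), f.get("target")
        if attach not in queues or queues[attach]["section"] == "leaf":
            issues.append(f"{key}: attach-to {attach} is not a root or branch queue")
        elif target not in queues or queues[target]["parent"] != attach:
            issues.append(f"{key}: target {target} is not a child of queue {attach}")
    return issues


if __name__ == "__main__":
    print(check_advanced_queue(parse_config(CONFIG)))          # []
    broken = CONFIG.replace("bandwidth 75mbit", "bandwidth 90mbit")  # constructed: 90 + 25 > 100
    print(check_advanced_queue(parse_config(broken)))
```

The parser only understands "key value" statements and nested blocks, which is all this section of the config uses; it is a linting aid for the tree shape, not a substitute for the router's own commit validation.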

    Note that support for DPI application matching in Advanced Queue is also implemented. For example if a custom DPI category named "blocked-apps" is defined, it can be used for advanced queue filter matching like:

    set traffic-control advanced-queue filters match 100 application custom-category blocked-apps
    

    Much of this work is based on previous discussions with community members etc. on QoS related issues. For example discussions with @wispwest Alan87i rado3105 esseph rebelwireless airnet-tech heviejob MiPSus drb jake_craner mrLuke popcorrin mhotel ludvik sbyrd test1 mike99 satjuice Magician coastalcruiser stargatesys Doublee3 2030ce mrose David2011 rzirzi takumix MCT zsc100 ElbowWilham jdk59404 rps bcdouglas mackintire amishgenius mrhone ringnebula MountainPatrick in these threads: 1 2 3.

  • [Web UI] Add "graphical" configuration page for the new Advanced Queue QoS feature. This allows setting up the root/branch/leaf nodes, filters, queue types in a "graphical" way which should make it easier and more intuitive. Here is a simple example showing how the interface works:


  • [Web UI] Add new load balancing wizard "Load Balancing2" that can be used to set up two wireless links in a load balancing/failover configuration for example:
    [image: lb2.png]

  • [mDNS] Add mdns-repeater implementation and configuration. This provides functions similar to what the existing mdns-reflector feature provides, and according to discussions with community members it works better with fewer issues. The configuration is quite simple, basically just specifying the interfaces involved, for example:
    set service mdns repeater interface eth1
    set service mdns repeater interface eth2
    

    The mdns-repeater implementation is from here. The configuration scripts/templates are based on work by community member lucasec. Suggested by and discussed with Sugaroverdose psydafke sixlocal mbwmbw chaicka OzPHB snowball lucasec mnabeel cdub ohhorob rdahlin JnB_be jeroen_ae92 britannic maja-it nayr manxam hunterd hfrid chidlowa 1enginepilot seacycle , for example, here and here.

  • [Load balance] Add support for more than two links per load-balance group. The configuration mechanism remains the same as before; just add more interfaces to the group as needed, for example:
    set load-balance group g1 interface eth1 weight 50
    set load-balance group g1 interface eth2 weight 25
    set load-balance group g1 interface eth3 weight 25
    
    and the rest is handled automatically as before. Note that in this release we are limiting the number of interfaces to 8, but this is more or less arbitrary so we can increase it if necessary.

  • [QoS] Add "burst" support for rate shaping in Advanced Queue. This is available on leaf nodes or in the HFQ (host fairness queueing) queue type. Basically the burst settings allow the target (either the leaf class or each host in the HFQ case) to send a certain amount of data (specified by "burst-size") at a rate (specified by "burst-rate") that is higher than the base bandwidth limit. For example:
    set traffic-control advanced-queue leaf queue 12 burst burst-rate 30mbit
    set traffic-control advanced-queue leaf queue 12 burst burst-size 20mb
    
    specifies burst rate of 30 Mbps (Mbits per second) and burst size of 20 MB (MBytes). Using these as example and assuming the base bandwidth limit is 20 Mbps, the following chart shows a simplistic example of how the burst settings work:
    [image: burst.png]

    Note the following:
    • Initially the target is sending at the base rate 20 Mbps
    • At time t=20 it starts "bursting" and is limited at the burst rate 30 Mbps. Assuming it has not burst before, the full "burst size" is allowed, which means it is able to send at 30 Mbps until t=36 ( (30 - 20) Mbps * (36 - 20) seconds = 20 MB ), which is indicated by area (1) in the chart.
    • At t=36, the full burst size has been used up so it is then limited at the base rate of 20 Mbps.
    • At t=50, it starts sending at a lower rate of 10 Mbps until t=60. This allows the target to accumulate "credits" for future bursting since it is not sending at the full rate allowed. This is indicated by area (2) in the chart.
    • At t=60, it starts bursting again. At this point it has accumulated 12.5 MB of credits ( (20 - 10) Mbps * (60 - 50) seconds = 12.5 MB ), so it is allowed to burst at 30 Mbps until t=70 ( (30 - 20) Mbps * (70 - 60) seconds = 12.5 MB ). This is indicated by area (3) in the chart.
    • At t=70, the previously accumulated credits have been used up, so it is again limited at the base rate of 20 Mbps.
    The "bursting" feature (note that this is not the same as the "burst" setting in the previous "traffic-policy" feature, which only corresponds to the Linux tc parameter of the same name) and related issues have been discussed before, for example, with wispwest Alan87i rado3105 esseph rebelwireless airnet-tech heviejob MiPSus drb jake_craner mrLuke popcorrin mhotel ludvik sbyrd test1 mike99 satjuice Magician coastalcruiser stargatesys Doublee3 2030ce mrose David2011 here.
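The credit arithmetic in the bullets above can be checked by stepping through it one second at a time. The following is an added example (not Ubiquiti code, and not the router's scheduler): a one-second-step credit model that follows the description in the post, spending credits while the target sends above the base rate and banking unused base rate while it sends below it, and reproduces the chart's numbers (a 16-second burst from t=20, 12.5 MB banked by t=60, a 10-second burst from t=60). The demand curve chart_demand() is constructed to match the chart; rates are in Mbit/s, credits in Mbit, and burst-size in MBytes as in the "burst-size 20mb" setting.

```python
"""Credit model of Advanced Queue bursting as described in the release notes.

Added example, not Ubiquiti code. One-second steps; rates in Mbit/s, credits in Mbit.
"""

MBIT_PER_MBYTE = 8


def simulate(base_rate, burst_rate, burst_size_mb, demand, seconds):
    """Return a list of (t, sent_rate, credits_left) for t = 0 .. seconds-1.

    demand(t) is the rate the target tries to send at. A target that has never
    burst starts with the full burst size available, as the post assumes.
    """
    cap = burst_size_mb * MBIT_PER_MBYTE
    credits = cap
    timeline = []
    for t in range(seconds):
        wanted = min(demand(t), burst_rate)            # never above burst-rate
        if wanted > base_rate:
            extra = min(wanted - base_rate, credits)   # spend credits on the excess only
            credits -= extra                           # (partial credit -> partial burst)
            sent = base_rate + extra
        else:
            sent = wanted
            credits = min(cap, credits + base_rate - wanted)   # bank unused base rate
        timeline.append((t, sent, credits))
    return timeline


def burst_windows(timeline, base_rate):
    """Intervals [start, end) during which the target sent above the base rate."""
    windows, start = [], None
    for t, sent, _ in timeline:
        if sent > base_rate and start is None:
            start = t
        elif sent <= base_rate and start is not None:
            windows.append((start, t))
            start = None
    if start is not None:
        windows.append((start, len(timeline)))
    return windows


def chart_demand(t):
    """Constructed demand matching the chart: 20 Mbps, tries 30 from t=20, drops to 10 at t=50, tries 30 again at t=60."""
    if t < 20:
        return 20
    if t < 50:
        return 30
    if t < 60:
        return 10
    return 30


if __name__ == "__main__":
    tl = simulate(base_rate=20, burst_rate=30, burst_size_mb=20, demand=chart_demand, seconds=80)
    print(burst_windows(tl, 20))            # [(20, 36), (60, 70)]
    print(tl[59][2] / MBIT_PER_MBYTE)       # 12.5 MB banked by t=60
```

Credits are capped at burst-size, so a target that sends below the base rate for a long time cannot bank an unbounded burst; and when fewer credits remain than a full second of excess needs, the model sends base-rate plus whatever is left rather than stopping the burst abruptly.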

 

 

Enhancements and bug fixes

 

  • [DPI] Fix issue with Web traffic all getting identified as "Web - Other". Reported by and discussed with rebelwireless cbull here.
  • [DPI] Fix signature update check across system upgrade
  • [Traffic Analysis/DPI] Add several performance optimizations
  • [Traffic Analysis/DPI] Add function to clear current stats data. Click on "Clear Data" in the Traffic Analysis tab to clear all counters.
    [image: ta-clear.png]
    Discussed with final bgh ArendE here.
  • [Kernel] Add CONFIG_ARPD to config. Suggested by adamasay here.
  • [Kernel] Add potential fix for "reboot" issue when traffic analysis/DPI is enabled. This has been reported by a few users, for example abu_cwarky here.
  • [Kernel] Add the RTSP helper modules for certain video streaming applications. This was reported by and discussed with community members including rjh2805 tivoli synackack zx2c4 sufk opimon NovapaX Boko , for example here. The source code is imported from: https://github.com/maru-sama/rtsp-linux.git Note that currently there is no configuration for this and the modules are not loaded by default. In order to use these, issue the following command from the CLI:
    sudo modprobe nf_nat_rtsp
    
    If people can verify that it works well, we could load them with the other NAT/conntrack modules and/or add configuration option for this. So please give it a try. Thanks!
  • [Kernel] Fix potential NMI watchdog issue
  • [Offload] Fix an offload issue where under certain scenario it may possibly use incorrect destination address. Reported by and discussed with jdavid DStahl dcortez87 sundbp jclendenan fLoo Krytical levicki BranoB jjlawren Brontide intrepid itsmarcos erl3user mseeEngineer alex992 HanzS rps RRoderick final VinnyL brielle RcRaCk2k ukzerosniper ub40 rymed here. (Special thanks to jdavid who came up with different ways to trigger the issue which were instrumental in helping us replicate it!)
  • [Web UI] Fix possible XSS in error handling. Reported by Matt Foster (Netcraft Ltd).
  • [Web UI] Add security enhancements (IE nosniff header and cookie flag) suggested by Luca Carettoni (ikki).
  • [Web UI] Make eth4 selectable as WAN interface for ER-X. Discussed with bhlowe here.
  • [Web UI] Allow clicking Traffic Analysis "pie chart" to select host in the table.
  • [Web UI] Change setup wizards to allow configuring user accounts during setup. A "User setup" section is added to the "Load Balancing" and "WAN+2LAN2" wizards.
    [image: wiz-user.png]
    One of the following can be selected:
    • Enter a password for the default "ubnt" user
    • Create a new admin user (default user will be deleted)
    • Keep the existing configured users (and their passwords)
    This was discussed with Rakota and others, for example here.
  • [Web UI] Add "show password" checkbox for PPPoE password in setup wizards
  • [Web UI] Fix toolbox issue when interacting with wizards. Reported by snapper here.
  • [Web UI] Fix config tree IPv4 subnet validation. Reported by Yudothat here.
  • [Web UI] Fix display issue with interfaces whose index has leading 0. Reported by tyr here.
  • [Web UI] Fix double scroll bar issue in Firefox browser
  • [Web UI] Fix issue with expanding Traffic Analysis table row
  • [Web UI] Change setup wizards to enable PPPoE offload by default when WAN connection is PPPoE.
  • [Web UI] Show percentage for the "top-5" applications in the traffic analysis "pie-chart". Suggested by and discussed with NVX here.
  • [Web UI] Fix CLI window issue where only one line is shown in some cases due to interaction between browser and Flash plugin (Flash is actually not required/used). Reported by community members for example begunfx SavvyChimp 2wander4 here.
  • [Web UI] Add input for second DNS server in DHCP server config. Suggested by tom12e here.
  • [Web UI] Remove traffic analysis and firewall configuration change options for operator sessions. Suggested by tom12e here.
  • [Web UI] Add checkbox to load balancing setup wizard enabling automatic setup of exclusion for LAN-to-LAN traffic etc.
    [image: wiz-lb-l2l.png]
    This should simplify the configuration in most common scenarios.
  • [Web UI] Hide IPsec pre-shared secret display for operator sessions. Suggested by R4V3R here.
  • [Web UI] Fix display issues for operator sessions in Service and Firewall Group pages
  • [Web UI] Update validation for port names in firewall group to allow "http" and "smtps". Reported by semijim here.
  • [Web UI] Add description display for static routes. Suggested by techguyjason here.
  • [Web UI] Show source/destination groups in NAT rule tables. Suggested by and discussed with wispr Makuckn spynappels dpurgert here and here.
  • [Web UI] Fix IP address sorting in Traffic Analysis table
  • [Web UI] Add validation to disallow prepending 0 for IP address components. Reported by lsh here.
  • [Web UI] Fix DHCP server validation to allow empty range. Reported by mike99 here.
  • [Web UI] Update Traffic Analysis per-user applications in real time. Discussed with community members for example PeterDB here.
  • [Web UI] Fix minimum row attribute for wizard table layout. Reported by britannic here.
  • [Web UI] Update Web server config to allow ECDSA. Suggested by jmw here.
  • [Web UI] Fix special characters handling on Dynamic DNS page. Reported by rjpcomputing here.
  • [Web UI] Fix IP address sorting in the Discover tool dialog. Reported by Mono here.
  • [Web UI] Fix typo in firewall rule help text. Reported by BranoB here.
  • [Web UI] Display indication when number of routes exceeds the limit on data transferred to UI front-end. Discussed with wildcoder Brontide here.
  • [Web UI] Enable LAN-to-LAN exclusion by default in the load balancing setup wizard. Discussed with centeno here.
  • [Web UI] Fix bridge interface configuration in the Web UI for ER-X/ER-X-SFP. Reported by and discussed with danpets jacktooandroid here.
  • [Web UI] Hide "advanced" checkbox for Smart Queue if there is no config (in which case it has no effect). Suggested by danbriant here.
  • [Web UI] Change dialog layout to avoid issues with small screens. Reported by gaetancambier here.
  • [Web UI] Add "interface network" match (corresponding to "NETv4_*" special groups) for firewall rule source/destination. Reported by and discussed with meyergru here.
  • [Web UI] Adjust layout for address group fields in firewall rule config
  • [Web UI] Fix firewall configuration issue that leaves empty firewall section after deletion
  • [CLI] Fix possible command injection for "clear dhcp lease" command. Reported by Luca Carettoni (ikki).
  • [CLI] Fix config files created by "commit-archive" so that they are loadable. Reported by alesovodvojce here.
  • [CLI] Fix edit level issue with "commit-archive". Reported by and discussed with final (who also contributed the patch) rwojo here.
  • [CLI] Fix issue in "yesno" script. Patch contributed by britannic here.
  • [CLI] Fix "show tech-support" commands to remove unavailable information. Reported by britannic here.
  • [CLI] Fix commit-archive configuration issue for ER-X platform. Reported by startoff here.
  • [CLI] Add support for show config path to wrapper script for configuration commands. Patch provided by gaetancambier here.
  • [CLI] Add "show interfaces ethernet physical" command
  • [IGMP proxy] Fix show command output. Patch contributed by adamwu here.
  • [IGMP proxy] Fix IP address output for "show ip multicast ..." commands for ER-X platform. Reported by poisonsnak here.
  • [IGMP proxy] Add PPPoE hook to restart igmpproxy when PPPoE connection is (re-)established. This may help address the issue reported by community members including misterbassman rrduarte here and here.
  • [DHCP server] Add domain-name to static mapping name to allow the same name to be used in different scopes. Patch contributed by adamwu here.
  • [Firewall] Add "mark" match to firewall rules ("name" and "ipv6-name"), and also change the existing modify "mark" match and modify "mark" action to allow "mask" specification.
  • [Firewall] Add "reject-tcp" action for firewall rules. This would make the router send a TCP RST packet (instead of the ICMP port unreachable sent by the existing "reject" action).
  • [Firewall] Fix permission error for firewall rules configuration. Reported by and discussed with cycloptivity dragon2611 st1ngr4y dominikh train_wreck here and here.
  • [Firewall] Fix ruleset commit error in "edit" mode. Reported by dragon2611 6keazik7 ochaqi NVX bjck here and here.
  • [Zone Firewall] Fix zone firewall issue on ER-X/ER-X-SFP. Reported by dragon2611 zdsimpso here.
  • [VRRP] Update keepalived to version 1.2.19 which provides enhancements including IPv6 VIP support
  • [Dynamic DNS] Fix update time in show command output. Patch contributed by britannic here.
  • [UPnP] Add up/down rate settings for upnp2. Patch contributed by nextgens here.
  • [UPnP] Add port setting for UPnP listen port. Suggested by and discussed with rsully sorvani britannic Charlz 6keazik7 here and here.
  • [Interface] Allow setting MTU up to 2018 bytes on the ER-X and ER-X-SFP. This increases the limit from 1510 bytes previously and is useful for applications such as VPLS. Discussed with edugas-zf Zerofail NVX jamesrd3 here.
  • [Interface] Fix support for 100 Mbps SFP modules for ER-X-SFP.
  • [QoS] Change traffic-policy shaper "mark" match to allow mask to be specified.
  • [PBR] Add description setting for static table route.
  • [PBR] Remove unneeded error message for static table route configuration.
  • [Tunnel] Disable GRO by default for tunnel interfaces. This was affecting performance negatively as reported by and discussed with danhusan eimann here.
  • [Tunnel] Fix deletion of disabled tunnel interface. Reported by hazuki Myron here.
  • [Tunnel] Fix bridge cost setting for tunnel interface so that it takes effect. Reported by TheCiscoGuy here.
  • [Route map] Fix route-map deletion bug reported by matthardeman here.
  • [OSPFv3] Add support for configuring "nssa" and "stub" area types and associated settings. For example:
    set protocols ospfv3 area 0.0.0.0 area-type nssa ...
    
    or
    set protocols ospfv3 area 0.0.0.0 area-type stub ...
    
    Suggested by and discussed with thomseddon here.
  • [OSPFv3] Add "default-information originate ..." and other new OSPFv3 configuration settings. Discussed with community members including NVX mmu for example here.
  • [Load balance] Fix validation to properly check the length of group name. Reported by Nic sousapro here and here.
  • [Load balance] Fix issues with lb-group modify rule when it is reordered. Reported by alex_cambui here.
  • [SNMP] Fix incorrect quoting in snmpd.conf for sysContact, sysDescr, and sysLocation. Reported by bweisz sxpert NVX tma in these threads: 1 2 3 4.
  • [SNMP] Add configuration to allow interface specification for link-local IPv6 listen address. For example:
    set service snmp listen-address fe80::618:d6ff:fe83:98f0 interface eth0
    
    Discussed with train_wreck Brontide here.
  • [IPsec] Deprecate NAT traversal config settings ("nat-traversal" and "nat-networks") since they are no longer used in the newer strongSwan.
  • [IPsec] Enable more logging for troubleshooting. Logs can be viewed/monitored using "show vpn log" and "show vpn log tail" commands.
  • [IPsec] Remove spurious messages with IPv6 peer.
  • [DHCPv6 PD] Fix "no-dns" configuration with statically configured name servers. Reported by theseal here.
  • [DHCPv6 PD] Modify handling of PD response to restart radvd in some cases where it was not restarted before. This may help with issues discussed with goofball Brontide Aggraxis jasonrm bbfelts KiloJuliet chaicka bjck jquagga here. (Also thanks for helping test the changes!)
  • [DHCPv6] Update wide-dhcpv6-client to latest Debian version 20080615-16 (building our own package). This is suggested by and discussed with goofball Brontide Aggraxis jasonrm here. goofball first tested his own updated package and reported positive result, and he and Aggraxis also helped test/verify our experimental package, so thanks very much!
  • [L2TP/IPsec] Add authentication require configuration to support different authentication methods. For example:
    set vpn l2tp remote-access authentication require pap
    
    Commits from Antonio Cunyat Alario and Toni Cunyat.
  • [L2TP/IPsec] Add fragmentation configuration which may help certain Windows clients. Commit from Jeff Leung.
  • [L2TP/IPsec] Change ipsec action from update to reload. Commit from Jeff Leung.
  • [System] Add "sync" commands to "save" operation to alleviate power loss issue. Reported by and discussed with matthardeman Brontide pokwer dragon2611 here.
  • [System] Only do DPI update check for platforms that support it
  • [System] Use default config on boot if start-up config is invalid (e.g., empty, syntax error, etc.). Discussed with matthardeman Brontide pokwer dragon2611 here.
  • [PoE] Fix PoE output issue on ER-X-SFP when PoE output is enabled on eth0. Reported by and discussed with zdsimpso dpurgert tanuki vchrizz marv2097 MANHATTAN Dave-D here and here.
  • [PPTP client] Add "force" option for the "default-route" setting. This forces the PPTP client to override any existing default route with a new one (the PPTP connection). Reported by and discussed with flap trinketzz here.
  • [PPPoE client] Add "multilink" option for PPPoE client interface which configures the link to be part of a multilink setup. This was discussed with community members including clarknova psydafke arr2036 (who also verified it is working) mWare here.
  • [L2TPv3] Fix configuration for bridging with L2TPv3 interface on the ER-X platform. Reported and fix tested by andhanse here.
  • [IPv6] Update radvd to latest version (2.11) which should help resolve/improve certain issues (e.g., radvd process dies after some time etc.). Issues reported by and discussed with brian_reiter seacycle rjh2805 fe31nz dremon benjidog Corny jea-jea Brontide (who also built and tested new versions) lunihausen matthardeman DaveC skidmata heldchen goofball Aggraxis aconly Wurgy here and here. They also helped test the experimental package for this. Thanks!
  • [IPv6] Modify validation to allow link-local address to be configured. Discussed with train_wreck Brontide here.
  • [OpenVPN] Add configuration options to allow IPv6 transport. The "protocol" setting now supports new options "udp6", "tcp6-passive", and "tcp6-active". Suggested by 6keazik7 here.
  • [DNS forwarding] Fix typo in CLI configuration help text. Reported by rjh2805 here.


Fixes/changes for issues found/reported during alpha/beta testing:


  • [System] Remove unneeded debug messages on ER Lite and ER PoE. Reported by danhusan Shcaerp meyergru goofball here.
  • [System] Fix the "df" utility to handle namespace entries correctly. Reported by DaveC britannic here and here.
  • [System] Adjust logging settings so that logs from routing daemons are logged by default without changing log level. Discussed with robfoehl here.
  • [System] Fix /etc/hosts permission issues reported by fromport
  • [Kernel] Fix kernel crash caused by LDP MD5 authentication. This also fixes the previously reported BGP MD5 crash, for example reported by and discussed with webbytech ellisway epacheco NVX mseeEngineer here.
  • [Kernel] Fix tunnel interface TCP/UDP checksum issue reported by adamasay here
  • [Kernel] Include the RTSP helper modules for the ER-X platform. This was missed in beta2 due to packaging issue. Reported by ConnorM here.
  • [Kernel] Fix locking issues in MPLS forwarder module
  • [Kernel] Improve packet forwarding performance for non-MPLS traffic with MPLS forwarder module loaded. Previously the module was causing performance degradation for example reported by and discussed with final dragon2611 Mrcheebs here.
  • [Kernel] Update RTSP helper modules to include changes discussed with tximy Daemon chunkete bcdouglas here. (Also thanks for helping test the experimental packages!)
  • [CLI] Fix misleading "gateway of last resort" message in "show ip route" output. Reported by Paetur
  • [CLI] Fix CLI typos reported by britannic here and here.
  • [CLI] Fix interface capture command reported by sandtrapppp here.
  • [CLI] Clean up show commands for routing protocols:
    • Deprecate OSPFv3 show commands that are no longer supported.
    • Fix OSPFv3 and IPv6 BGP show commands. Reported by skidmata here.
    • Deprecate BGP show commands that are no longer supported.
    • Add additional BGP/OSPF/OSPFv3/RIP/RIPng show commands supported by the new routing protocol stack.
    • Remove "show table" command which is misleading and not applicable. Reported by dison4linux here.
  • [CLI] Remove redundant "undebug" commands. The "no debug ..." commands can be used instead (which are more complete as well). Reported by danhusan here.
  • [CLI] Label "show ip route cache" command as deprecated as it is no longer supported.
  • [BFD] Fix BFD starting issue reported by NVX
  • [SNMP] Fix SNMP server to eliminate unnecessary error messages. Reported by NVX notfixingit ltinnc jaapjolman for example here.
  • [SNMP] Add proper error message if listen address is set to link-local IPv6 address but no interface is configured.
  • [Interface] Fix new routing protocol stack to work correctly with SFP ports on ER Pro (this was a known issue noted in the alpha1 release notes)
  • [Interface] Fix interface address handling in new routing protocol stack to preserve address when link is down. This fixes, for example, configuration errors when trying to delete an interface address while the link is down, and in some cases the DHCP server not starting when ports are not yet connected.
  • [Interface] Consolidate interface "bandwidth" settings (for OSPF, RSVP, etc. usage). The old "ip ospf bandwidth ..." setting under interface is replaced by, e.g.:
    set interfaces ethernet eth0 bandwidth maximum 200m
    
    In addition, for RSVP-TE the reservable bandwidth can be set with, for example:
    set interfaces ethernet eth0 bandwidth reservable 100m
    
    and bandwidth constraints can be set with, e.g.:
    set interfaces ethernet eth0 bandwidth constraint class-type name1 bandwidth 50m
    
    Note that the class-type name needs to be configured separately prior to use (or in the same commit), for example:
    set protocols mpls class-type ct0 name name1
    
  • [Interface] Add workaround for 6rd issue with new routing protocol stack to set the 6rd default route, for example:
    set interfaces tunnel tun0 6rd-default-gw ::205.171.2.64
    Reported and patch provided by brielle here.
  • [Interface] Fix issue with moving IP address from one interface to another (i.e., delete and set) in the same commit in some cases
  • [Interface] Make warning message more explicit when creating VLAN interface and setting MPLS interface in the same commit. Reported by and discussed with snotr here.
  • [VPLS] Fix VPLS configuration ordering such that instance is configured before interface. This prevents issues where config is accepted but not working.
  • [VPLS] Add more validation for required configuration settings.
  • [BGP] Fix extended ASN configuration issue. Reported by epacheco here.
  • [BGP] Fix BGP issue where kernel FIB is not updated when the nexthop changes. Reported by and discussed with ehsab ClaudeSS DStahl matthardeman here.
  • [BGP] Significantly improve BGP convergence performance and CPU utilization. Reported by and discussed with Shorty_ matthardeman Piniongear here. (Also thanks very much for helping us test experimental packages for the fixes!)
  • [BGP] Fix configuration of "capability dynamic". Reported by matthardeman here.
  • [BGP] Fix peer-group setting for IPv6 neighbor. Reported by matthardeman here.
  • [BGP] Fix configuration errors for neighbor and peer group settings. Reported by jocke here.
  • [BGP] Fix issue with deleting "redistribute connected route-map" under address-family ipv6.
  • [BGP] Fix regular expression handling issue for as-path-list. Reported by janegil here.
  • [BGP] Fix capability dynamic configuration. The deprecated "dynamic" capability under "address-family ipv6-unicast" has been removed and is now only configurable directly under neighbor or peer-group.
  • [BGP] Add missing "graceful-restart" capability under peer-group and also under address-family ipv6-unicast for both peer-group and neighbor.
  • [BGP] Fix community string validation to allow 0. Reported by option82 here.
  • [BGP] Fix issue where IPv6 local prefixes with shortest AS path is not selected as the best
  • [BGP] Fix "update-source" config to handle dynamic interface/address correctly. Reported by matthardeman here.
  • [BGP] Fix "max-paths ebgp" config and add validation. Reported by dragon2611 here.
  • [BGP] Fix incorrect handling of BGP table version which was incrementing the table version unnecessarily. Reported by robfoehl here.
  • [Routing] Add new "clear" operational commands for new routing protocol stack, e.g., LDP, MPLS, etc.
  • [Routing] Remove obsolete operational commands specific to the old routing protocol stack. Reported by NVX here.
  • [Routing] Fix some OSPFv3 and RIPng show commands. Reported by NVX DStahl skidmata here and here.
  • [Routing] Fix syslog support for new routing protocol stack. Now the routing daemons use syslog for logging.
  • [Routing] Fix validation for expanded community list number. The new routing protocol stack supports 100-199 which is a change from before, and this has been noted in the "config changes from previous releases" document. Reported by and discussed with matthardeman jocke here.
  • [Routing] Change default logging levels for routing modules to be consistent and more verbose.
  • [Routing] Fix prefix-list6 matching issue in route map
  • [Routing] Fix route map deletion issue
  • [Routing] Fix ribd crash issue when IPv6 connected route is being added/deleted in some cases. Reported by and discussed with NVX skidmata BranoB bjck r4m3u5 here and here.
  • [Routing] Fix issue with losing connected routes for VLAN interfaces in some cases. Reported by ringnebula here.
  • [Routing] Reorganize and simplify "debug" operational commands for routing daemons. Now the following "debug" commands are available for the individual daemons (auto-completion result shown):
    ubnt@ubnt:~$ debug 
    Possible completions:
      bfd           Enable Bidirectional Forwarding Detection (BFD) debugging
      bgp           Enable Border Gateway Protocol (BGP) debugging
      ldp           Enable Label Distribution Protocol (LDP) debugging
      nsm           Enable Network Service Module (NSM) debugging
      ospf          Enable Open Shortest Path First (OSPF) protocol debugging
      ospfv3        Enable IPv6 Open Shortest Path First (OSPFv3) protocol debugging
      rib           Enable Routing Information Base (RIB) debugging
      rip           Enable Routing Information Protocol (RIP) debugging
      ripng         Enable RIPNG protocol debugging
      rsvp          Enable Resource Reservation Protocol (RSVP) debugging
    
    
    These can be used to enable debug logging for each component. The "no" version of the command disables the corresponding debug logging, for example, "no debug ospf" cancels the "debug ospf" command. Of course if needed we can add more granular debug control in the future.
  • [Routing] Fix dynamic interface handling for table interface route. Reported by and discussed with tommie NS-K here. They also helped test/verify the fix, so thanks very much!
  • [OSPFv3] Fix redistribute connected configuration
  • [OSPF] Fix configuration issues under OpenVPN interface. Reported by jaapjolman here.
  • [Web UI] Fix firewall configuration issues from Web UI. Reported by community members including erl3user rebelwireless meyergru DarkskyZ zombu2 wdluz mindseyex2 shthead dragon2611 djohanning rjh2805 myhqisp for example in these threads: 1 2 3 4 5.
  • [Web UI] Fix display filtering in Routing tab. Reported by meyergru here.
  • [Web UI] Show custom DPI categories before builtin ones for firewall rules. Suggested by dpurgert here.
  • [Web UI] Fix save issue with DPI category in firewall rule. Reported by alex_cambui here.
  • [Web UI] Fix device ports display on top after using wizard. Reported by DStahl here.
  • [Web UI] Add more enhancements for the Advanced Queue QoS configuration page. These include the following:
    • Add drag-and-drop support for the nodes so that, for example, a branch node can be easily moved from one root node to another.
    • Add support for "zoom". You can now use, for example, mouse "wheel" to zoom in/out a particular part of the page.
    • Add support for "panning". You can "pan" the tree around by dragging it with mouse. Clicking on a node also "centers" the page around that node.
    • Filters now support all available options under the CLI.
    • Filters are now associated with "nodes" instead of "links". This allows a filter to classify traffic directly to any descendant node (instead of only the immediate descendants).
    • When deleting a node, the associated filters are now also deleted. This was reported by Myron here.
    • Display the ceiling value for a node if it exists.
  • [Web UI] Fix display of number of BGP routes on Dashboard
  • [Web UI] Fix duplicate display of blackhole route entries
  • [Web UI] Fixes/enhancements for the Advanced Queue QoS configuration page:
    • Change layout of filter configuration dialog to group the match criteria into three types: "IP/ether/Mark", "Interface", and "Application". Currently the implementation only supports one type of match criteria in each filter (e.g., matching both interface and application is not allowed). This also fixes the configuration issue reported by skoenman here.
    • Add legend/help text to provide some usage information
    • Fix display issue in root node config dialog
    • Fix filter creation issue
    • Fix filter display issue for "operator" users
  • [Web UI] Fix typos in Advanced Queue page
  • [Web UI] Add transition to dropdown list for node edit in Advanced Queue page
  • [Web UI] Fix issue with Smart Queue page displaying extra empty policy. Reported by r4m3u5 meyergru here.
  • [Web UI] Fix display issue for Dynamic DNS configuration. Reported by ericnix victorhooi IamDogbert here and here.
  • [Web UI] Fix display issue for dynamic IPv6 addresses on interfaces. Reported by train_wreck here.
  • [Web UI] Add "infotip" for Traffic Analysis "applications" to show their built-in category. Discussed with ub40 here.
  • [Web UI] Update validations on the Smart Queue page to match CLI.
  • [DHCP server] Fix issue where DHCP server does not work when IPsec/VTI is configured. Reported by and discussed with chaicka aavdberg jacotec hazuki jeroen_ae92 robfoehl s0me1_2luv pokwer jbpaux here.
  • [DHCP server] Fix hostfile-update domain name handling. Reported and patch contributed by meyergru here.
  • [DHCP server] Fix hostfile-update issue with Windows clients. Patch contributed by ndfan77 here.
  • [IPsec] Automatically use "rightid=%any" when remote-id is not set and the peer is specified as FQDN. This should resolve some issues reported by and discussed with hazuki chaicka BranoB notfixingit meyergru in these threads: 1 2 3.
  • [IPsec] Fix handling of local-address "%any" or "%defaultroute" in configuration and "show vpn ipsec status" output.
  • [IPsec] Fix protocol "all" handling to address "bad protocol" errors. Reported by and discussed with train_wreck TriJetScud OzPHB grealish chaicka here and here.
  • [IPsec] Fix show command output when IPsec isn't configured
  • [IPsec] Remove ESP options "aes128gcm128" and "aes256gcm128" for now (not working).
  • [IPsec] Fix strongSwan charon daemon CPU utilization issue when updating many routes. Reported by matthardeman here.
  • [IPsec] Fix possible IPsec restart issue when making configuration changes.
  • [IPsec] Implement the include-ipsec-conf option for including a custom strongSwan configuration file. (This option was there but had no effect.) Reported by 6keazik7 and implemented by TriJetScud (see here).
  • [IPsec] Add the include-ipsec-secrets option for including a custom secrets file. This can be useful, for example, if an ECDSA key is used. Implemented by TriJetScud.
  • [IPsec] Fix "force-encapsulation" config setting and its help text. Reported by train_wreck here.
  • [IPsec] Adjust xfrm4_gc_thresh sysctl default as suggested by eee3 dison4linux here.
  • [IPsec VTI] Fix issue where LAN connectivity is lost after PPPoE client interface disconnects and re-connects. Reported by and discussed with steve_mcneill r4m3u5 BranoB TriJetScud here.
  • [IPsec VTI] Restart IPsec when PPPoE interface reconnects. This allows VTI to continue working after the reconnect.
  • [IPsec VTI] Add mechanism to detect VTI tunnels and not add routes to table 220 (which causes issues with LAN connectivity for example). Fix based on patch from TriJetScud (thanks!). The issue has been reported by and discussed with steve_mcneill r4m3u5 BranoB TriJetScud NVX OzPHB chaicka here and here.
  • [IPsec VTI] Change settings ("disable_policy" and "disable_xfrm") for VTI interfaces as suggested by haihq88 OzPHB BranoB and also discussed with chaicka matthardeman steve_mcneill robfoehl here and here.
  • [Traffic analysis/DPI] Implement several enhancements that should improve application classification accuracy in some cases.
  • [Traffic analysis/DPI] Make offloaded and non-offloaded cases work together better
  • [Traffic Analysis/DPI] Add some more optimizations that may improve the accuracy of application identification in some cases.
  • [DPI] Fix validation for application names with space character in custom category.
  • [DPI] Update built-in signatures to latest
  • [PBR] Add mechanism to insert static table route when nexthop becomes reachable through connected route
  • [PBR] Fix static table route configuration error on ER-X platform. Reported by dragon2611 here.
  • [VRRP] Fix interoperability issue between 1.8 and 1.7. Reported by pokwer here.
  • [Tunnel] Fix handling for routes with nexthop through tunnel interfaces (e.g., GRE, VTI, etc.). Reported by matthardeman here.
  • [RSVP] Make RSVP interface disable setting explicit
  • [RSVP] Allow multiple neighbors
  • [RSVP] Fix configuration and validation of bandwidth settings
  • [L2TP/IPsec] Fix L2TP server start issue when outside-address is 0.0.0.0. Reported by BranoB here.
  • [QoS] Fix configuration error with QoS class match criteria. Reported by jacotec here.
  • [QoS] Remove unimplemented "interface" match from Advanced Queue for now (may implement it later).
  • [QoS] Add more configuration validation checks for Advanced Queue CLI configuration.
  • [QoS] Add "interface" match for matching the incoming interface of traffic.
  • [QoS] Add built-in DPI category match support in Advanced Queue filters
  • [QoS] Fix DPI initialization for QoS matching
  • [QoS] Fix Perl errors in "show queueing ..." commands output when Advanced Queue is configured. Note that "show queueing ..." commands are for the older "traffic-policy" implementation for QoS and new "show" commands will be added for the new Advanced Queue QoS.
  • [Advanced queue] Fix issue preventing the default match from being added
  • [Advanced queue] Add validation to disallow source MAC address match under interface root and destination MAC match under global root. Such matches have no effect, so they are disallowed to avoid confusion.
  • [Advanced Queue] Add validation to prevent invalid bandwidth settings
  • [URL filtering] Fix squidguard compatibility issue by updating to new version (1.5-4) from Debian jessie (now building the package ourselves). Reported by jcharnov dison4linux here. They also helped test and verify the fix. Thanks!
  • [PPP] Fix issue where a second PPTP or L2TP/IPsec connection fails sometimes. Reported by inthesky jimg (who also helped test the fix!) here and here.
  • [Static route] Add validation to disallow setting router's own address as nexthop
  • [IPv6] Fix dynamic interface handling for IPv6 autoconf and DAD settings. Reported by and discussed with benjidog jea-jea here.


Updated software components


  • Update squid to new version 3.4. Suggested by and discussed with jacotec (who also contributed patch) here.
  • Update ipset to 6.23-2. Discussed with pw zdsimpso here.
  • Update tcpdump to 4.7.4-1~bpo70+1. Suggested by DStahl here.
  • Update kernel to fix CVE-2015-5364 and CVE-2015-5366
  • Update conntrack to fix CVE-2015-6496
  • Update bind9 to 1:9.8.4.dfsg.P1-6+nmu2+deb7u9: Fix CVE-2015-4620, CVE-2015-5477, CVE-2015-5722, CVE-2015-8000, CVE-2015-8704
  • Update libexpat1 to 2.1.0-1+deb7u2: Fix CVE-2015-1283
  • Update openldap to 2.4.31-2+deb7u1: Fix CVE-2015-6908
  • Update base-files to 7.1wheezy9
  • Update tzdata to 2015f-0+deb7u1
  • Update PHP to 5.5.30: Major PHP update (from 5.4.x to 5.5.x). Also fix CVE-2015-3152, CVE-2015-5589, CVE-2015-5590, CVE-2015-6831, CVE-2015-6832, CVE-2015-6833, CVE-2015-6834, CVE-2015-6835, CVE-2015-6836, CVE-2015-6837, CVE-2015-6838, CVE-2015-7803, CVE-2015-7804
  • Update miniupnp to fix CVE-2015-6031. Reported by and discussed with optimiz3 dpurgert here.
  • Update ntp to fix CVE-2015-7691, CVE-2015-7962, CVE-2015-7702, CVE-2015-5300, CVE-2015-5219, CVE-2015-5195, CVE-2015-5194, CVE-2015-5146, CVE-2015-3405, CVE-2015-7871, CVE-2015-7855, CVE-2015-7851, CVE-2015-7852, CVE-2015-7701, CVE-2015-7704, CVE-2015-7850
  • Update strongSwan to fix CVE-2015-8023
  • Update dpkg to 1.16.17: Fix CVE-2015-0860
  • Update gnutls26 to 2.12.20-8+deb7u5: Fix CVE-2015-8313, CVE-2015-7575
  • Update libpng to 1.2.49-1+deb7u2: Fix CVE-2015-7981, CVE-2015-8126, CVE-2015-8472, CVE-2015-8540
  • Update openssl to 1.0.1e-2+deb7u19: Fix CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-7575
  • Update libxml2 to 2.8.0+dfsg1-7+wheezy5: Fix CVE-2015-1819, CVE-2015-5312, CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500, CVE-2015-7941, CVE-2015-7942, CVE-2015-8035, CVE-2015-8241, CVE-2015-8317, CVE-2015-8710
  • Update ISC DHCP: Fix CVE-2015-8605
  • Update openssh to 1:6.0p1-4+deb7u3: Fix CVE-2016-0777 and CVE-2016-0778
  • Update sudo to 1.8.5p2-1+nmu3+deb7u1: Fix CVE-2015-5602
  • Update eglibc to 2.13-38+deb7u10: Fix CVE-2014-8121, CVE-2015-1781, CVE-2015-7547 (getaddrinfo), CVE-2015-8776, CVE-2015-8777, CVE-2015-8778, CVE-2015-8779
  • Update libgcrypt11 to 1.5.0-5+deb7u4: Fix CVE-2015-7511
  • Update krb5 to 1.10.1+dfsg-5+deb7u7: Fix CVE-2015-8629, CVE-2015-8631