New EdgeMAX software version v1.8.5 for EdgeRouter products has been released and is available here:
As discussed before, the focus of this release is on bug fixes, and there are many fixes/enhancements based on reports/feedback from community members. In addition, there are several new features (offload, per-port VLAN, traffic analysis/DPI) for the ER-X platform; more details can be found in the release notes below. Thanks everyone for reporting issues, providing feedback, and participating in the alpha/beta testing to help us improve the products!
[Release Notes v1.8.5]
Changes since v1.8.0
set system offload hwnat enable
This has been discussed with many community members including @veresk @dpurgert @Ubeavis @jacktooandroid @mike99 @ashamon @Isolus @Unwired @ngilles @Psudo @mobbarley @dremon @guran @jamesfry @Deleted Account @jjonsson @foresto @sagho @stcbus @o_cee @BranoB @ConnorM @bjck @hazuki @charettepa @frinnst @gaetancambier @raidz2, for example in these threads: 1 2 3 4.
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth3 vlan pvid 100
set interfaces switch switch0 switch-port interface eth3 vlan vid 200
set interfaces switch switch0 switch-port interface eth3 vlan vid 300
This would set VLAN 100 to be "untagged" on port eth3, and VLANs 200 and 300 to be "tagged" on port eth3. Note that the global "vlan-aware" setting (default disabled) enables the new "per-port VLAN" feature. If it is not enabled, the switch ports function the same way as before, i.e., simple L2 switching with no per-port VLAN, and pass all VLANs automatically. None of the per-port VLAN settings have any effect if vlan-aware is not enabled.
set system traffic-analysis export enable
set system traffic-analysis dpi enable
This has been discussed with many community members before including @WisTech @rdahlin @snapper @HillHeadTim dragon2611 @RyLeeRyno ConnorM @keefe007 NVX gaetancambier @jbrisko @calpines @psych0l @skoenman @pokwer @twoolums @idxman01 @plopes1960 Ubeavis @No_WaY @voiprouting @djwujek Psudo, for example in these threads: 1 2 3 4 5 6 7 8.
Enhancements and bug fixes
set service gui older-ciphers disable
If older ciphers are disabled, the ones used are (based on Mozilla "Modern" recommendations):
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
The change is based on discussions with community members including di3 MZorzy blackoutCH3 soehest atvirtual rickyloera jmw thermionic jquagga NVX here and here.
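As an added example (not part of the release notes or Ubiquiti's code), this Python check parses the cipher list above and flags any suite in a scan result that should no longer be offered once older ciphers are disabled. The `OBSERVED` sample is constructed, and the names `parse` and `audit` are hypothetical.

```python
import re
from collections import namedtuple

# The eight suites listed in the release notes, in `openssl ciphers -v` layout.
MODERN = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
"""
# Constructed sample: suites a scanner might report for the GUI port.
OBSERVED = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""
Cipher = namedtuple("Cipher", "name proto kx au enc bits mac")
LINE = re.compile(r"(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=([^(\s]+)\((\d+)\)\s+Mac=(\S+)")

def parse(text):
    """Parse `openssl ciphers -v` style lines into Cipher tuples."""
    ciphers = []
    for raw in filter(None, map(str.strip, text.splitlines())):
        m = LINE.fullmatch(raw)
        if m is None:
            raise ValueError(f"unparseable cipher line: {raw!r}")
        ciphers.append(Cipher(*m.groups())._replace(bits=int(m[6])))
    return ciphers

ALLOWED = {c.name for c in parse(MODERN)}

def audit(observed):
    """Map each observed suite that should be gone to the reasons it is flagged."""
    findings = {}
    for c in parse(observed):
        reasons = []
        if c.name not in ALLOWED:
            reasons.append("not in the v1.8.5 list")
        if c.proto != "TLSv1.2":  # column shows when the suite was defined
            reasons.append(f"suite predates TLSv1.2 ({c.proto})")
        if c.kx not in ("ECDH", "DH"):  # ephemeral exchange prints as bare ECDH/DH
            reasons.append(f"no forward secrecy (Kx={c.kx})")
        if reasons:
            findings[c.name] = reasons
    return findings
```

An empty result from `audit()` means every reported suite is on the list above; any key in the result names a suite the GUI should not be offering with older ciphers disabled.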
set service gui http-port 8080
The HTTP port now also observes the configured "listen-address" (previously it always listened on all interfaces). This has been suggested by and discussed with community members including jfunk hyphenatic intrepid yatahaze kiyose dpurgert in these threads: 1 2 3 4.
set service gui cert-file /config/auth/server.pem
To specify a "CA file" for chained certificates:
set service gui ca-file /config/auth/ca.pem
These have been discussed before with jtenniswood iampedro jjr aloishammer oxfrombws Luppie1975 secesh frinnst whereisaaron rMacbookPro Blooze OzPHB NVX o_cee darco, for example in these threads: 1 2 3 4.
set system traffic-analysis signature-update update-hour 3
would check for updates between 3 AM and 4 AM. Or to disable signature update:
set system traffic-analysis signature-update disable
show bgp l2vpn
show bgp l2vpn detail
Fixes/changes for issues found/reported during alpha/beta testing:
Updated software components