EdgeMAX EdgeRouter software release v1.9.0

by Previous Employee UBNT-ancheng on 08-08-2016 02:21 PM

New EdgeMAX software version v1.9.0 for EdgeRouter products has been released and is available here:

Some notable features/enhancements in the 1.9.0 release include:

  • New "Basic Queue" QoS feature for configuring simple QoS policies
  • IPsec crypto offload support for ER-X platform (ER-X, ER-X-SFP, and EP-R6 models)
  • Add support for VLAN and DHCPv6 PD options to the basic Web UI setup wizard
  • New "switch" setup wizard for ER-X platform
  • Use kernel mode for L2TP/IPsec server for improved performance

More details can be found in the release notes below. I would like to thank everyone for their participation in the community, as always helping with testing, reporting issues, providing feedback, suggestions, even patches! We certainly could not have done it without you. Thank you very much!

[Release Notes v1.9.0]

Changelog

Changes since v1.8.5

New features

  • [Web UI] Add "Basic Queue" QoS feature in the Web UI which allows users to configure simple QoS policies without the complexity of the "Advanced Queue" feature. Here is one simple example (screenshot: bq1.png):

    In the above screen, the first "queue" specifies that the host 192.168.100.101 has an "upload" rate limit of 2 Mbps (megabits per second) and a "download" rate limit of 10 Mbps (using SFQ in both directions). In this context "upload" means "source" (192.168.100.101) to "destination" (not specified, so "any"), and "download" means destination to source. The second queue specifies a rate limit of 20 Mbps for traffic going from 192.168.1.0/24 to 192.168.2.0/24, and 15 Mbps for the reverse direction (192.168.2.0/24 to 192.168.1.0/24), using simple FIFO in both directions.


    Here is another example that includes some more settings (screenshot: bq2.png):

    First, note that "Show burst settings" is enabled, so the Basic Queue page now shows the burst rate/size settings for each direction. The first queue specifies that "P2P" traffic (as identified by the DPI feature) for host 192.168.100.101 has a 2 Mbps upload rate limit, allowing bursting up to 3 Mbps for 1 MB (megabytes) of data, and a 10 Mbps download rate limit (bursting up to 15 Mbps for 5 MB), using FQ-CoDel in both directions.

    The second queue specifies an upload rate limit of 30 Mbps (with FQ-CoDel) for the 192.168.1.0/24 network. For the download (reverse) direction, the rate limit is 60 Mbps and the queue type is HFQ (host fairness queueing), which further specifies that each client in the 192.168.1.0/24 subnet has a download rate limit of 1 Mbps, bursting up to 1.5 Mbps for 500 KB.


    One important thing to note is that the Basic Queue Web UI actually generates "Advanced Queue" configuration "under the hood". If the configuration is changed "outside" the Basic Queue page (e.g., through the CLI or Advanced Queue Web UI), the Basic Queue Web UI will no longer be able to show the config. Therefore, for now if the Basic Queue Web UI is used, it would probably be best to stay with the Basic Queue Web UI for making config changes.


    Issues related to basic and simplified QoS configuration have been discussed with many community members before, including @Magician @Paetur @wispwest @esseph @SPITwSPOTS @WisTech @Kevo @SpecialK @doush @rzirzi @takumix @MCT @zsc100 @ElbowWilham @jdk59404 @rps @bcdouglas @mackintire @amishgenius @danutz49 @lumaform @remikk @leeandy @broken @rebelwireless @mrhone @jacobturner @wyopno @CWescott @gaetancambier @redfive @skoenman @turtles2 for example in these threads: 1 2 3 4 5 6 7 8.

  • [Offload] Add IPsec crypto offload support for ER-X platform (including the ER-X, ER-X-SFP, and EP-R6 models) which provides significant IPsec performance improvement. This is disabled by default and can be enabled using the CLI (or the equivalent in the Web UI Config Tree):
    set system offload ipsec enable
    
    and then "commit" and "save", and then a router reboot is currently required for the setting to take effect.
    One thing to note is that IPsec offload only applies to ESP (for the actual data traffic), not IKE. In addition, not all algorithms are compatible with IPsec offload, and there are also some differences with the other platforms. Therefore here is a summary of the current status. For the ER-X platform:
    • ESP encryption algorithms that can be "offloaded": 3des, aes128, aes256
    • ESP hash algorithms that can be "offloaded": md5, sha1, sha256
    • ESP encryption algorithms incompatible with "offload": aes128gcm128, aes256gcm128. (More specifically, if these are configured then IPsec offload cannot be enabled, and vice versa.)
    • ESP hash algorithms incompatible with "offload": sha384, sha512. (More specifically, if these are configured then IPsec offload cannot be enabled, and vice versa.)
    • IKE encryption algorithms that are not supported: aes128gcm128, aes256gcm128. (More specifically, these are not supported for IKE on the ER-X platform.)
    • All config options for IKE hash algorithms are supported.
    In comparison, for the previous models (e.g., ER Lite, ER Pro, etc.):
    • ESP encryption algorithms that can be "offloaded": 3des, aes128, aes256
    • ESP hash algorithms that can be "offloaded": md5, sha1
    • ESP encryption algorithms incompatible with "offload": aes128gcm128, aes256gcm128. (More specifically, unlike on the ER-X platform, these can be configured with IPsec offload enabled but just won't be offloaded.)
    • ESP hash algorithms incompatible with "offload": sha256, sha384, sha512. (More specifically, unlike on the ER-X platform, these can be configured with IPsec offload enabled but just won't be offloaded.)
    • All config options for IKE encryption and hash algorithms are supported.

    The IPsec offload function on the ER-X platform has been discussed with many community members before, including @sarpkaya @chaicka @BranoB @idxman01 @dragon2611 @jacob_vn ringnebula WisTech @danbriant @Isolus @ashamon @Unwired @ngilles @Psudo @mobbarley @dremon @guran @jamesfry @Deleted Account @jjonsson @foresto @sagho @stcbus @Steve28 @oraclerouter rebelwireless @o_cee @ConnorM @bjck @hazuki @charettepa @frinnst gaetancambier @raidz2 @rdahlin @TriJetScud @munch @nickmcs @gfunkdave @tguire for example in these threads: 1 2 3 4 5 6 7.
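    The two algorithm lists above are easy to misread when a tunnel is defined with several proposals, so here is an added example (not EdgeOS code, and not from the release) that encodes them as data and checks a set of ESP/IKE proposals before "set system offload ipsec enable" is committed. The platform keys "er-x" and "legacy", the (encryption, hash) tuple layout and the function name are my own assumptions.

```python
"""Pre-commit check of IPsec proposals against the v1.9.0 offload rules.

Added example; it is not part of EdgeOS.  The algorithm sets below are
taken from the release notes; platform keys and data layout are assumed.
"""

# ESP/IKE algorithm sets per platform, as listed in the release notes.
OFFLOAD_RULES = {
    # ER-X, ER-X-SFP and EP-R6
    "er-x": {
        "esp_enc_offloaded": {"3des", "aes128", "aes256"},
        "esp_hash_offloaded": {"md5", "sha1", "sha256"},
        # If any of these is configured, offload cannot be enabled (and vice versa).
        "esp_enc_blocking": {"aes128gcm128", "aes256gcm128"},
        "esp_hash_blocking": {"sha384", "sha512"},
        # Not supported for IKE on ER-X at all, offload or not.
        "ike_enc_unsupported": {"aes128gcm128", "aes256gcm128"},
    },
    # ER Lite, ER Pro and the other non-ER-X models
    "legacy": {
        "esp_enc_offloaded": {"3des", "aes128", "aes256"},
        "esp_hash_offloaded": {"md5", "sha1"},
        # Anything else may be configured alongside offload; it simply
        # stays in software (sha256 included, unlike on ER-X).
        "esp_enc_blocking": set(),
        "esp_hash_blocking": set(),
        "ike_enc_unsupported": set(),
    },
}


def check_offload(platform, esp_proposals, ike_proposals=()):
    """Evaluate proposals for one platform.

    esp_proposals / ike_proposals are lists of (encryption, hash) tuples,
    e.g. [("aes256", "sha256")].  Returns a dict with:
      can_enable    - whether "set system offload ipsec enable" would be accepted
      offloaded     - ESP proposals the hardware would accelerate
      software_only - ESP proposals that stay in software even with offload on
      problems      - human-readable reasons (blocking ESP algos, unsupported IKE)
    """
    rules = OFFLOAD_RULES[platform]
    report = {"can_enable": True, "offloaded": [], "software_only": [], "problems": []}

    for enc, hsh in esp_proposals:
        if enc in rules["esp_enc_blocking"] or hsh in rules["esp_hash_blocking"]:
            report["can_enable"] = False
            report["problems"].append(
                f"ESP {enc}/{hsh} cannot coexist with IPsec offload on {platform}")
        elif enc in rules["esp_enc_offloaded"] and hsh in rules["esp_hash_offloaded"]:
            report["offloaded"].append((enc, hsh))
        else:
            report["software_only"].append((enc, hsh))

    for enc, _hsh in ike_proposals:
        if enc in rules["ike_enc_unsupported"]:
            report["problems"].append(f"IKE encryption {enc} is not supported on {platform}")

    return report


if __name__ == "__main__":
    # Constructed sample: one proposal that is accelerated on ER-X but not on
    # the older models, plus a GCM proposal that blocks offload on ER-X only.
    proposals = [("aes256", "sha256"), ("aes128gcm128", "sha1")]
    for platform in OFFLOAD_RULES:
        print(platform, check_offload(platform, proposals))
```

    Run stand-alone it prints a report per platform; the useful output is the "software_only" list, which is where a tunnel that looks offloaded on paper (sha256 on an ER Lite, for instance) actually ends up.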

  • [DHCP server] Add alternative DHCP server implementation using dnsmasq (based on a script from @final here). Note that the original implementation using ISC DHCP is still the default. To use dnsmasq instead, enable the "use-dnsmasq" setting:
    set service dhcp-server use-dnsmasq enable
    
    A few things to note:
    • One of the advantages of using dnsmasq is that, if DNS forwarding is also configured, the "name resolution for local hosts" function is integrated, and the "hostfile-update" setting for the ISC DHCP implementation is not needed (it is ignored when use-dnsmasq is enabled).
    • When use-dnsmasq is enabled, DHCP server will serve the "listen-on" interfaces configured under "service dns forwarding", or all interfaces if that is not configured.
    • Since some of the existing DHCP server config settings are specific to the ISC DHCP implementation (e.g., the failover settings, the "free-form" parameters settings), those will be ignored when use-dnsmasq is enabled.
    • If "free-form" parameters for dnsmasq are needed, they can be entered under DNS forwarding config, e.g., "set service dns forwarding options ...".
    • When use-dnsmasq is enabled, the "authoritative" setting is not "per-shared-network", i.e., "authoritative" will be enabled if it is set under any shared-network.
    • When use-dnsmasq is enabled, the entries configured under "static-mapping" will be translated to statically assigned A records in dnsmasq (using the dnsmasq host-record directive). If a client with a static-mapping entry sends a DHCP request with a different client-name, that client-name will be ignored.
    • Currently use-dnsmasq only handles "configuration", and status reporting (including show commands in the CLI and the leases display in the Web UI for example) is not supported yet.
    Using dnsmasq for DHCP server has been discussed with many community members before, including @m6w6 @dprus @mnabeel @FTZ @ubnoobi @stan-qaz @DeathNight @levicki @RaulRamos @koraborospl gfunkdave @bradd @itsmarcos @ptr727 @zx2c4 @dmoutal @eseelke @aliquid @rubin110 @zebrafoot @ripat @mwahlert @Xaero @techtomas @nickandre @aweber @dazealex @staze @Xelas final @snowzach @ST33LDI9ITAL etique57 charettepa bolts for example in these threads: 1 2 3 4 5 6 7.
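    To make the translation rules in the list above concrete (global "authoritative", ISC-only settings dropped, static-mapping turned into a pinned host-record), here is an added Python illustration that is not the EdgeOS 1.9.0 implementation. The input is a simplified dict mirroring the "service dhcp-server" tree; the ISC-only key names in ISC_ONLY and the extra dhcp-host line per static mapping are my assumptions, and all addresses and MACs in the sample are constructed.

```python
"""Translate an EdgeOS-style "service dhcp-server" tree into dnsmasq directives.

Added illustration of the translation rules listed in the release notes;
it is not the EdgeOS 1.9.0 implementation.  The input dict is a simplified
version of the EdgeOS config tree (shared-network-name / subnet /
static-mapping).  host-record is the directive the notes name for the
static A record; emitting a matching dhcp-host entry for the lease itself
is an assumption, as are the ISC-only key names in ISC_ONLY.
"""
from ipaddress import ip_address, ip_network

# ISC-specific settings with no dnsmasq counterpart; dropped when
# use-dnsmasq is enabled.  Names assumed from the ISC-based config tree.
ISC_ONLY = ("failover", "subnet-parameters", "shared-network-parameters")


def to_dnsmasq(dhcp_server):
    """Return (directive_lines, ignored_settings) for one dhcp-server tree."""
    lines, ignored = [], []
    networks = dhcp_server["shared-network-name"]

    # dnsmasq has a single global switch: authoritative if set on ANY network.
    if any(net.get("authoritative") == "enable" for net in networks.values()):
        lines.append("dhcp-authoritative")

    for net_name, net in networks.items():
        ignored += [f"{net_name}: {k}" for k in ISC_ONLY if k in net]
        for cidr, subnet in net["subnet"].items():
            ip_network(cidr)  # reject a malformed prefix early
            lease = subnet.get("lease", 86400)
            lines.append(f"dhcp-range={subnet['start']},{subnet['stop']},{lease}")
            if "default-router" in subnet:
                lines.append(f"dhcp-option=option:router,{subnet['default-router']}")
            if "dns-server" in subnet:
                lines.append("dhcp-option=option:dns-server," + ",".join(subnet["dns-server"]))
            ignored += [f"{net_name}/{cidr}: {k}" for k in ISC_ONLY if k in subnet]
            for host, mapping in subnet.get("static-mapping", {}).items():
                ip = ip_address(mapping["ip-address"])
                lines.append(f"dhcp-host={mapping['mac-address']},{ip},{host}")
                # Pinned A record: the client-name sent by the host is ignored.
                lines.append(f"host-record={host},{ip}")
    return lines, ignored


# Constructed sample config (addresses and MACs are made up).
SAMPLE_CONFIG = {
    "shared-network-name": {
        "LAN": {
            "authoritative": "enable",
            "failover": {"name": "lan-pair"},  # ISC-only, will be ignored
            "subnet": {
                "192.168.1.0/24": {
                    "start": "192.168.1.100", "stop": "192.168.1.200",
                    "default-router": "192.168.1.1",
                    "dns-server": ["192.168.1.1"],
                    "lease": 86400,
                    "static-mapping": {
                        "printer": {"ip-address": "192.168.1.50",
                                    "mac-address": "00:11:22:33:44:55"},
                    },
                },
            },
        },
        "GUEST": {
            "subnet": {
                "192.168.2.0/24": {
                    "start": "192.168.2.10", "stop": "192.168.2.250",
                    "default-router": "192.168.2.1",
                    "subnet-parameters": "ignored-by-dnsmasq",
                },
            },
        },
    }
}

if __name__ == "__main__":
    directives, dropped = to_dnsmasq(SAMPLE_CONFIG)
    print("\n".join(directives))
    print("ignored:", dropped)
```

    The "ignored" list is the part worth keeping an eye on when migrating: a failover pair or free-form ISC parameters silently stop applying once use-dnsmasq is enabled, exactly as the notes describe.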

  • [Web UI] Add "Switch" setup wizard for ER-X platform to simplify the task of setting up the device as a simple layer-2 switch (utilizing all ports on the device).
    (screenshot: sw-wiz.png)
    As can be seen from the screenshot, management VLAN and IP address settings can be configured, as well as the per-port VLAN settings (if VLAN aware is enabled) and user accounts (same as other setup wizards). A reboot will be needed after applying the config for it to take effect. Note that care should be taken to make sure the management IP/VLAN settings and the port VLAN settings would allow management access. For example, if management VLAN is set but the VLAN is not set on any of the ports, then the device will not be accessible after the reboot and a reset to defaults will be needed.
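    The lockout case described above (management VLAN set, but no port carrying it) is cheap to catch before the config is applied. The following is an added example, not code from the wizard: it validates VLAN IDs the way the "comma-separated VID" field needs and reports which ports would still reach management. The port-dict layout ("pvid" for the untagged VLAN, "vid" for tagged ones), the function names and the sample port table are all assumptions.

```python
"""Pre-apply check for the ER-X "Switch" wizard settings.

Added example; it is not wizard code.  It models the lockout case the
release notes warn about (a management VLAN that no switch port carries)
and the VID field validation.  The port-dict layout ("pvid" = untagged
VLAN, "vid" = set of tagged VLANs) and all function names are assumed.
"""


def vlan_id_ok(vid):
    """True for a valid 802.1Q VLAN ID (1-4094)."""
    return isinstance(vid, int) and 1 <= vid <= 4094


def parse_vids(text):
    """Parse the comma-separated VID field (e.g. "10,20,30") into a set."""
    vids = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        if not token.isdigit() or not vlan_id_ok(int(token)):
            raise ValueError(f"invalid VLAN ID: {token!r}")
        vids.add(int(token))
    return vids


def ports_carrying(vlan, ports):
    """Names of ports that carry vlan either untagged (pvid) or tagged (vid)."""
    return sorted(name for name, cfg in ports.items()
                  if cfg.get("pvid") == vlan or vlan in cfg.get("vid", set()))


def management_reachable(mgmt_vlan, ports, vlan_aware=True):
    """Return (ok, ports) where ok is False only in the lockout case:
    VLAN-aware mode, a management VLAN set, and no port carrying it."""
    if not vlan_aware or mgmt_vlan is None:
        # Management is untagged and every port is in the same broadcast domain.
        return True, sorted(ports)
    if not vlan_id_ok(mgmt_vlan):
        raise ValueError(f"invalid management VLAN: {mgmt_vlan!r}")
    for name, cfg in ports.items():
        pvid = cfg.get("pvid")
        if pvid is not None and not vlan_id_ok(pvid):
            raise ValueError(f"{name}: invalid pvid {pvid!r}")
        for vid in cfg.get("vid", set()):
            if not vlan_id_ok(vid):
                raise ValueError(f"{name}: invalid vid {vid!r}")
    carrying = ports_carrying(mgmt_vlan, ports)
    return bool(carrying), carrying


# Constructed sample: five ER-X ports; only eth4 carries VLAN 100.
SAMPLE_PORTS = {
    "eth0": {"pvid": 1, "vid": parse_vids("10,20")},
    "eth1": {"pvid": 10},
    "eth2": {"pvid": 10},
    "eth3": {"pvid": 20},
    "eth4": {"pvid": 1, "vid": parse_vids("100")},
}

if __name__ == "__main__":
    for mgmt in (100, 30):
        ok, via = management_reachable(mgmt, SAMPLE_PORTS)
        status = "ok via " + ",".join(via) if ok else "LOCKOUT, no port carries it"
        print(f"management VLAN {mgmt}: {status}")
```

    With the sample table, management VLAN 100 is reachable through eth4 only, and VLAN 30 would require the reset to defaults the notes mention; running a check like this against the wizard's inputs before the reboot is the cheap alternative.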

  • [Web UI] Add support for "Internet connection on VLAN" (required by some ISPs) and also DHCPv6 PD (used by some ISPs to provide IPv6 service) in the basic setup wizard. For example (screenshot: wiz.png):

    • If the ISP uses a tagged VLAN to provide the Internet connectivity (including also the PPPoE scenario and/or DHCPv6 PD), enable the "Internet connection is on VLAN" option in the wizard and enter the VLAN ID used by the ISP. Then the configuration generated by the wizard will place the needed settings under the VLAN interface instead.
    • When IPv6 PD is enabled on the WAN interface, the prefix length and whether to enable default IPv6 firewall can be configured. The IPv6 LAN interfaces are not configurable currently and are the same as the LAN interfaces for the IPv4 part of the wizard (e.g., in this case two LANs are used so the corresponding interfaces eth1 and eth2 are shown in "IPv6 LANs"). Also note that currently all LAN interfaces will use "service slaac". We may expand the wizard to allow more configuration options for the LAN interfaces in the future.
    These features have been discussed with community members including irvingpop (who also contributed a DHCPv6 PD wizard for older releases) jliechty DrDyno erictooth cremenescu mbnn aavdberg stylnchris sirbrent BigGuy59 itsmarcos psydafke jacktooandroid Adrao skidmata dragon2611 chaicka johnsom mackintire wanttotree 3van ahasenack dutch2005 for example in these threads: 1 2 3 4.
  • [L2TP/IPsec] Use kernel mode support for L2TP/IPsec server. This includes adding pppd plugin and xl2tpd kernel mode support, and it should provide significant performance improvements for L2TP/IPsec server. Discussed with mdu113 NVX stralex pstolpe train_wreck DemonX rsully jbeez PaulCarlucci hyphenatic stasv 6keazik7 for example in these threads: 1 2 3 4.

Enhancements and bug fixes

  • [Bridge] Fix various bridge configuration issues, in particular config going out of sync with the system when deleting bridge under interface and leaving empty bridge-group. This has been reported by and discussed with many community members before, including leonsio mrjester sxpert stlnets anash kavehs7 swmike cupiboris ClaudeSS rbezio ekisbey holbor ehsab Zyrtec joseppe spynappels karog, for example in these threads: 1 2 3 4 5 6 7 8.
  • [Interface] Add MAC address setting for VLAN interface under switch0. Suggested by and discussed with walterav BranoB here.
  • [DNS forwarding] Fix Perl warnings from "show dns forwarding nameservers" caused by custom "server" options. Reported by gfunkdave here.
  • [System] Lower the log level of the "intf-proto Config is locked" messages since they are normal and do not indicate errors. Reported by and discussed with fpagan DaveC IamDogbert here and here.
  • [System] Add the "libjson-any-perl" package to the system as it is needed by the new ddclient version to support CloudFlare update. Reported by poisonsnak here.
  • [SNMP] Fix missing ifDescr and ifName for PPPoE interface after a reconnect. Reported by and discussed with BranoB here.
  • [PPPoE server] Fix IP range validation to allow single IP. Reported by Paetur here.
  • [DHCP server] Fix handling of domain name setting when "use-dnsmasq" is enabled. Reported by and discussed with Natrixz nickwhite TriJetScud windhammer here.
  • [Dynamic DNS] Update CLI help text to show "custom-" option. Suggested by Thias here.
  • [CLI] Fix validation for "system login user <user> authentication encrypted-password <password>" to allow "!", which is valid for disabling password.
  • [CLI] Fix auto-completion error for BGP IPv6 peer-group. Reported by NVX here.
  • [Web UI] Add more checks to prevent users at the operator level from uploading wizard files. Suggested by user "ikki".
  • [Web UI] Allow multiple VLAN IDs (comma-separated) to be entered for the switch ports VID setting on ER-X platform.
  • [Web UI] Fix error from firewall rule tables caused by reordering rules. Reported by and discussed with poisonsnak buzurk SteveSt DStahl wkweksl BranoB walterav ericnix LinuxPhil here and here.
  • [Web UI] Remove deprecated settings (interface etc.) in the IPsec VPN page and the generated configuration.
  • [Web UI] Hide VLAN settings for switch ports (ER-X platform) if "VLAN aware" is not enabled. Suggested by and discussed with Solideco mattiL here.
  • [Web UI] Fix duplicate IPv6 address display when configured address has "0" next to "::". Reported by Tywin here.
  • [Web UI] Disable unused jsonp handler to prevent possible CSRF. Reported and suggested by Luca Carettoni (ikki).
  • [Web UI] Fix typo in configuration generated by basic setup wizard. Reported by jmdomini here.
  • [Web UI] Fix System tab configuration error when SNMPv3 is configured without community setting. Reported by dragon2611 here.
  • [Web UI] Add the "Wizard" Perl module contributed by justMeh here. This can make implementing custom wizard easier with Perl scripts.
  • [Web UI] Improve the CPU utilization calculation for the Web UI to include softirq stats etc. Reported by nickolai lupinglade here.
  • [QoS] Fix configuration failure for "limiter" policy. Reported by poisonsnak zdsimpso bgh ephraim1 in these threads: 1 2 3 4.
  • [QoS] Add more specific help text to clarify usage of "priority" settings.
  • [QoS] Fix various traffic-policy validation issues for port match setting. Reported by marnog gloups RevGonzo19 in these threads: 1 2 3.
  • [DPI] Improve the application identification mechanism to also include packet data that was not used in some cases previously.
  • [OSPF] Fix OSPF handling of point-to-point interface (e.g., PPPoE) to allow multiple with the same "local" address. Reported by NVX here.
  • [OSPFv3] Fix several OSPFv3 configuration issues based on report from dmcgrandle here.
    • Remove "protocols ospfv3 area range advertise" setting since "advertise" is the default and therefore setting it has no effect.
    • Fix configuration of "protocols ospfv3 area range not-advertise" setting (which had no effect before).
    • Fix commit failure when deleting "protocols ospfv3 area range not-advertise" setting.
  • [Load balancing] Add config setting to disable balancing/failover traffic originated from the router, for example:
    set load-balance group x lb-local disable
    
    (Default is enable which is the same as previous behavior.)
  • [Load balancing] Improve load balancing/failover behavior when an interface or link is down.
  • [Load balancing] Fix routing when a load balancing interface is not configured.
  • [Firewall] Add DSCP value match for firewall rules. Patch provided by nickolai here.
  • [NAT] Fix NAT configuration issue that could make config out-of-sync with the system. Reported by and discussed with MZorzy dpurgert avdberg navlrac tseward TyShawn DStahl fenrir here.
  • [GRE] Fix config for "key" to allow it to be used for "gre-bridge" also. Reported by reitblatt who also helped test the fix.
  • [IPv6 GRE] Add support for IPv6 GRE tunnel. Patch contributed by tommie here. The configuration is similar to the existing IPv4 GRE tunnel with a different interface type and naming convention, for example:
    set interfaces ipv6-tunnel v6tun0 encapsulation ip6gre
    set interfaces ipv6-tunnel v6tun0 local-ip '2a02:f00d::1'
    set interfaces ipv6-tunnel v6tun0 remote-ip '2a01:cafe::1'
    set interfaces ipv6-tunnel v6tun0 address 10.6.6.1/32
    set protocols static interface-route 10.6.6.2/32 next-hop-interface v6tun0
    
    Discussed with Corny tommie matthardeman jwilko Kazyini here.
  • [GRE] Apply kernel patch suggested by mweinelt here to fix IPv6 multicast issue. Also reported by flokli.
  • [BGP] Fix performance issue of bgpd/ribd caused by frequent route updates, including making communication asynchronous and optimizing hashtable usage. Reported by and discussed with drac wdeman (who also helped test the fixes) matthardeman mdassilva NVX here.
  • [BGP] Add "no-activate" setting to support IPv6-only configuration, for example:
    set protocols bgp 111 neighbor 2001::1 no-activate
    set protocols bgp 111 neighbor 2001::1 address-family ipv6-unicast
    
    Reported by and discussed with NVX matthardeman wdeman here.
  • [IPsec] Fix configuration issue where extra "%any" is generated in IPsec secrets file.
  • [IPsec] Improve performance in corner case when no NAT/stateful firewall/connection tracking are needed.
  • [IPsec] Make sure tunnel is restarted when algorithms settings are changed in the configuration.
  • [VPLS] Improve memory handling and locking for possible memory leak and crash in some cases. Based on reports from markqvist who also helped test fixes during development. Note that the reported issues have not been fixed completely yet and we will of course continue looking into them. Discussed with markqvist Tritorus banc DStahl bledd hectorornelas NVX here and here.
  • [Switch] Add more validation for switch VLAN settings (pvid and vid) on ER-X platform (both CLI and Web UI).
  • [Switch] Fix a corner case where PVID cannot be set correctly when changing the per-port VLAN configuration on ER-X platform.
  • [Switch] Clear the MAC address table on switch when the switch VLAN configuration is changed on ER-X platform.
  • [Switch] Fix switch ports configuration ordering issue that was causing "leakage" during configuration changes (e.g., a few seconds) on ER-X platform. Reported by 16again here.
  • [Switch] Fix switch ports pvid/vid configuration issue on ER-X platform when both pvid and vid are configured. Reported by cdhgee bweisz bjck Think-Networks here and here (they also helped test the fix!).

Updated software components

  • Update miniupnpd to version 2.0. Discussed with thefloweringash fzoc here.
  • Update PHP to 7.0.8: Fix CVE-2015-8874, CVE-2016-5766, CVE-2016-5767, CVE-2016-5768, CVE-2016-5769, CVE-2016-5772, CVE-2016-5773
  • Update squidguard to fix CVE-2015-8936
  • Update dnsmasq to version 2.76. Discussed with catapult botkiller chrisg11 here.
  • Update ddclient to version 3.8.3 for some new functions including for example CloudFlare support. Discussed with metamatt sollie zfa storrgie britannic rconan pclerie Adrao here and here.
  • Update base-files to 7.1wheezy11 for Debian 7.11 point release
  • Update dpkg to 1.16.18
  • Update libldap-2.4-2 to 2.4.31-2+deb7u2
  • Update tzdata to 2016d-0+deb7u1
  • Update ntp to fix CVE-2015-7974, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8158, CVE-2016-1547, CVE-2016-1548, CVE-2016-1550, CVE-2016-2516, CVE-2016-2518
  • Update PHP to 7.0.9: Fix CVE-2016-5385, CVE-2016-5399, CVE-2016-6207, CVE-2016-6289, CVE-2016-6290, CVE-2016-6291, CVE-2016-6292, CVE-2016-6294, CVE-2016-6295, CVE-2016-6296, CVE-2016-6297
  • Update squid3 to 3.4.8-6+deb8u3: Fix CVE-2016-4051, CVE-2016-4052, CVE-2016-4053, CVE-2016-4054, CVE-2016-4553, CVE-2016-4554, CVE-2016-4555, CVE-2016-4556
  • Update lighttpd to include CVE-2016-1000212 mitigation