EdgeMAX EdgeRouter software release v2.0.0

by Ubiquiti Employee 2 weeks ago - last edited 2 weeks ago

New stable release v2.0.0 is available here:



Note: The ER-X/ER-X-SFP/EP-R6 have more limited storage, and in some cases an upgrade may fail because there is not enough space. If this happens, remove the old backup image first (using the "delete system image" command, see here for more details) before upgrading.


More details can be found in the release notes below. Please give it a try if you are interested in the new features/changes to help us test them so that we can get the release out sooner! Thanks very much!


[Release Notes v2.0.0]




Changes since v1.10.8


New features:

  • [PlatformOS] - Upgraded underlying Debian distribution from Wheezy to Stretch. NOTE: You will need to manually update "system package repository xxx distribution stretch" if you wish to install 3rd party packages from the Debian repository.


  • [IPSec] - Add new "vpn ipsec global-config" CLI command that allows overriding any strongswan config option. For instance, the following commands reconfigure the bypass-lan plugin by excluding eth0 from the bypass list:

    set vpn ipsec global-config "charon.plugins.bypass-lan.load := yes"
    set vpn ipsec global-config "charon.plugins.bypass-lan.interfaces_ignore := eth0"

    The syntax of "vpn ipsec global-config" should be compliant with the format-options.py utility from the strongswan suite as defined here


  • [IPSec] - Add new CLI command allow-access-to-local-interface that configures firewall to accept traffic destined to local interfaces of EdgeRouter:

    set vpn ipsec allow-access-to-local-interface enable

    Previously, hosts from remote IPSec networks were not able to access the ER. Now, if allow-access-to-local-interface is enabled, hosts from remote IPSec networks can reach the ER local interfaces and access the management interface (SSH or WebGUI). Discussed here



  • [UNMS] - Add CLI command to enable/disable LLDP in UNMS. When UNMS is configured then it uses LLDP to discover neighbor routers. This functionality is enabled by default but it can be disabled via CLI like so:

    set service unms lldp disable
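
The three options above change what the router exposes or how strongswan behaves, so they are worth checking for when reviewing a configuration after the upgrade. The following is an added example, not Ubiquiti's code: it scans configuration lines in "set" form and reports those options. The sample input is constructed, and the "service unms connection" line, the function names and the finding ids are assumptions made for illustration.

```python
import shlex

# Constructed sample in EdgeOS "set" form, not taken from a real router.
# The "service unms connection" line and its value are assumed placeholders.
SAMPLE_CONFIG = """\
set service gui https-port 443
set service ssh port 22
set service unms connection wss://unms.example.invalid
set vpn ipsec allow-access-to-local-interface enable
set vpn ipsec global-config "charon.plugins.bypass-lan.load := yes"
set vpn ipsec global-config "charon.plugins.bypass-lan.interfaces_ignore := eth0"
"""

def parse_set_lines(text):
    """Split each 'set ...' line into its path tokens (quotes honoured)."""
    nodes = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens and tokens[0] == "set":
            nodes.append(tokens[1:])
    return nodes

def audit(text):
    """Return (id, detail) findings for the options added in v2.0.0."""
    nodes = parse_set_lines(text)

    def has(*path):
        return any(n[:len(path)] == list(path) for n in nodes)

    findings = []
    # Remote IPSec networks can reach the router's own interfaces.
    if has("vpn", "ipsec", "allow-access-to-local-interface", "enable"):
        mgmt = [s for s in ("ssh", "gui") if has("service", s)]
        findings.append(("ipsec-local-access",
                         "management services configured: " + (", ".join(mgmt) or "none")))
    # Each global-config entry overrides a strongswan option: list them all.
    for n in nodes:
        if n[:3] == ["vpn", "ipsec", "global-config"] and len(n) == 4:
            key, sep, value = n[3].partition(":=")
            detail = f"{key.strip()} = {value.strip()}" if sep else f"unparsed: {n[3]}"
            findings.append(("ipsec-global-override", detail))
    # LLDP discovery is on by default once UNMS is configured.
    if has("service", "unms") and not has("service", "unms", "lldp", "disable"):
        findings.append(("unms-lldp", "LLDP neighbor discovery enabled (default)"))
    return findings

if __name__ == "__main__":
    for finding_id, detail in audit(SAMPLE_CONFIG):
        print(f"{finding_id}: {detail}")
```

A finding is not a fault in itself; it marks a setting whose firewall or discovery consequences should be a deliberate choice.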


Enhancements and bug fixes:

  • [SSH] - Remove deprecated SSHv1. Discussed here
  • [BGP] - Fix bug when rib process was constantly consuming 60% CPU time if "maximum-paths" was set. Discussed here
  • [BGP] - Fix "Commit failed" error when setting BGP neighbour configuration. Discussed here
  • [OSPF] - Fix bug when OSPF hello-timer for point-to-multipoint interfaces was ignored. Discussed here
  • [OSPF] - Fix Fletcher16 checksum calculation bug that caused OSPF session timeout with Cisco IOS routers. See description here
  • [OSPF] - Fix bug when ospfd randomly crashed after changing OSPF interface network type
  • [DHCP] - Enable DHCP on eth1 in factory default configuration
  • [DHCP] - Fix bug when ubnt-util daemon randomly crashed when reconfiguring DHCP server
  • [DHCP] - Fix bug when default gateway was not set when DHCP server assigned /32 address. Discussed here
  • [H/W] - Optimize fan control logic for ER-Infinity to make sure that CPU does not overheat. Discussed here
  • [Interface] - Fix bug when ethernet interfaces randomly failed to send/receive all packets after changing interface speed.
  • [Interface] - Fixed bug when eth0 speed/duplex could not be changed on ER-Infinity
  • [Offload] - Add offloading support for bonding interfaces for Cavium-based routers with "system offload ipv4 bonding enable" config settings
  • [Offload] - Fix bug when "show ubnt offload flows" caused router to crash if offloading was disabled
  • [IPSec] - Add log rotation for "/var/log/charon.log"
  • [PPPoE] - Fix bug when PPPoE client did not reconnect after server restart
  • [Routing] - Fixed bug when nsm daemon randomly crashed when removing bridge/switch/bond interfaces causing short-term routing outage
  • [Routing] - ECMP route selection method is switched from round-robin to hash-based. This became possible after migrating to the 4.x Linux kernel. Discussed here
  • [Dnsmasq] - Removed 1K DHCP max lease limit in dnsmasq. Prior to this dnsmasq would stop leasing additional IPs after reaching 1000 active leases. Removing this limit has minimal impact on memory usage and solves issue when dnsmasq would suddenly stop leasing new IP addresses.
  • [DHCPv6] - Fix bug when DHCPv6 client stops (or restarts) when admin logs out of terminal. Discussed here

Known issues:

  • [LoadBalancing] - LoadBalancing randomly fails if hwnat offloading is enabled on ER-X and ER-X-SFP models. LoadBalancing watchdog randomly reports false-positive interface-failure events and switches to backup link when it should not. Workaround is to disable hwnat offloading.
  • [PPPoE] - PPPoE client interface randomly fails to reconnect with PPPoE server when hwnat offloading is enabled on ER-X and ER-X-SFP router models. This issue was noticed only when in LoadBalancing or ECMP setups. Workaround is to disable hwnat offloading.
  • [Offloading] - IPSec offloading does not work on ER-X and ER-X-SFP

Updated software components:

  • Bash (4.4-5)

  • Perl (5.24.1-3+deb9u4)

  • NTP (1:4.2.8p10+dfsg-3+deb9u2)

  • OpenSSH (7.4p1-10+deb9u3)

  • OpenSSL (1.1.0f-3+deb9u2)

  • OpenVPN (2.4.0-6+deb9u2)

  • SNMP (5.7.3+dfsg-3)

  • Strongswan (5.6.3-1)

  • Systemd (232-25+deb9u4)

  • Dnsmasq (2.79)


  • Upgraded Linux kernel to v4.9.79 for Octeon-based routers (ER, ER-pro, ER-lite, ER-PoE, ER-Infinity)

  • Upgraded Linux kernel to v4.14.54 for Mediatek-based routers (ER-X, ER-X-SFP)

Bootloader enhancements and fixes:

  • n/a 

Note: The latest bootloader has been stored inside the EdgeOS firmware since v1.10.7. You can check the currently installed bootloader version with the "show system boot-image" CLI command and then upgrade it with the "add system boot-image" CLI command.