EdgeMax software release v1.3.0

by Previous Employee UBNT-ancheng on 10-15-2013 10:06 AM

EdgeMax software release v1.3.0 for EdgeRouter Lite and EdgeRouter PoE is now available from our downloads page: http://www.ubnt.com/download#edgemax.

This release adds quite a few new features and enhancements, including hardware offload support for VLANs, a basic "setup wizard" in the Web UI, RADIUS-based rate limiting for the PPPoE server, and more (see release notes below). As usual, many of these were inspired or contributed by the community, so thanks everyone for your participation and contributions!


[Release Notes v1.3.0]


Changes since v1.2.0

New features

  • [Web UI] Add basic setup wizard for the simple WAN+LAN scenario (the original post includes a screenshot of the wizard, which is not reproduced here).

    This will set up the following configuration settings:
    • WAN connection (supports DHCP, static IP, or PPPoE)
    • NAT masquerade for WAN interface
    • Default firewall for the WAN interface (for both the "in" and "local" directions, only established and related traffic is allowed; everything else is blocked)
    • (EdgeRouter PoE only) Configure eth2/3/4 to be "switched" for the LAN
    • DHCP server for LAN subnets
    • DNS forwarding for LAN subnets
    • TCP MSS clamping if WAN is PPPoE
    Note that the wizard is currently only available while the router is running the default configuration (for example, after a reset to defaults). The wizard tab also has a new function to restore the default configuration, which reboots the router.
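As an added example (not part of the original post, and not the wizard's own output), here is roughly what the WAN+LAN scenario above looks like as CLI configuration, assuming eth0 is the WAN with a DHCP address and eth1 is the LAN on 192.168.1.0/24. The ruleset names WAN_IN, WAN_LOCAL, WANv6_IN and WANv6_LOCAL, the rule numbers and all addresses are assumptions. The IPv6 rulesets are an addition: "firewall name" rulesets only filter IPv4, the wizard description above does not say whether it creates IPv6 rules, and the Web UI now allows IPv6 access by default, so if the WAN has IPv6 connectivity the "ipv6-name" rulesets are needed as well.

```vyatta
configure

# WAN on eth0 via DHCP (assumed; the wizard also supports static IP and PPPoE)
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN

# LAN on eth1 (addresses assumed)
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 description LAN

# NAT masquerade for the WAN interface (source NAT rules are numbered 5000+)
set service nat rule 5000 type masquerade
set service nat rule 5000 outbound-interface eth0

# Default WAN firewall, IPv4: drop everything except established/related
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL

# Same policy for IPv6 (added here; the "name" rulesets above do not see IPv6)
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL

# DHCP server for the LAN subnet (pool range assumed)
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.200
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1

# DNS forwarding for the LAN
set service dns forwarding listen-on eth1
set service dns forwarding cache-size 150

# Only if the WAN is PPPoE: clamp TCP MSS on PPPoE interfaces (value assumed)
# set firewall options mss-clamp interface-type pppoe
# set firewall options mss-clamp mss 1412

commit
save
```

The firewall rulesets only pass return traffic; anything you later publish on the WAN (a port forward, a VPN endpoint) needs its own explicit accept rule in WAN_IN or WAN_LOCAL, and for IPv6 in the corresponding ipv6-name ruleset.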

  • [PPPoE server] Add support for per-session rate limiting using RADIUS attributes. Upload and download limits are taken from the WISPr RADIUS attributes "WISPr-Bandwidth-Max-Up" and "WISPr-Bandwidth-Max-Down", respectively. To summarize, the RADIUS attributes the PPPoE server now honors are:
    • WISPr-Bandwidth-Max-Up: Max upload rate in "bits/sec"
    • WISPr-Bandwidth-Max-Down: Max download rate in "bits/sec"
    • Framed-IP-Address: IP address for session
    • Acct-Interim-Interval: Number of seconds between interim accounting updates for the session
    • Session-Octets-Limit: Max number of octets allowed for the session
    • Octets-Direction: Direction of the Session-Octets-Limit restriction
    To test this quickly, set up a FreeRADIUS server and add a user to its "users" file (the WISPr attributes come from the WISPr dictionary that FreeRADIUS ships and loads by default):
    testuser Cleartext-Password := "testpassword"
            WISPr-Bandwidth-Max-Up = 1000000,
            WISPr-Bandwidth-Max-Down = 5000000,
            Framed-IP-Address =,
            Acct-Interim-Interval = 120,
            Session-Octets-Limit = 1000000000,
            Octets-Direction = 1

    Note that this is still work in progress and we plan to continue to expand the support. Thanks @Paetur @wtm @NVX @ajbtv2 and others for your input/suggestions!
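Router side of the same test, as an added example that is not from the original post: a PPPoE server on eth1 that authenticates and accounts sessions against the FreeRADIUS server holding the "users" entry above, so the WISPr, Framed-IP-Address, Acct-Interim-Interval and Session-Octets-Limit attributes in its reply are applied to the session. The RADIUS server address 192.0.2.10, the shared secret, the interface, the pool range and the DNS address are assumptions.

```vyatta
configure

# PPPoE server facing the subscriber segment (interface and addresses assumed)
set service pppoe-server interface eth1
set service pppoe-server local-ip 10.0.0.1
set service pppoe-server client-ip-pool start 10.0.0.10
set service pppoe-server client-ip-pool stop 10.0.0.250
set service pppoe-server dns-servers server-1 10.0.0.1
set service pppoe-server mtu 1492

# Authenticate against RADIUS instead of local users; the per-session limits
# come back as reply attributes from the server (address and secret assumed)
set service pppoe-server authentication mode radius
set service pppoe-server authentication radius-server 192.0.2.10 key 'use-a-long-random-secret-here'

commit
save
```

Use a long random shared secret: in RADIUS it is the only thing hiding the User-Password attribute between router and server, and a session that returns a Framed-IP-Address from the server is assigned that address regardless of the client-ip-pool range, so keep the RADIUS server reachable only from the router. After a client connects, "show pppoe-server" lists the sessions (its output is fixed in this release, see below).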

  • [HW acceleration] Add VLAN offload. This allows hardware acceleration to be applied to VLAN-to-VLAN and VLAN-to-non-VLAN traffic. Currently this is disabled by default and can be enabled using:
    set system offload ipv4 vlan enable
    set system offload ipv6 vlan enable
  • [NAT] Add "group" support for source/destination matching. Previously this was only supported for firewall rules but now added to NAT rules as well. For example:
    set service nat rule 10 destination group port-group group1
  • [Firewall/NAT] Add support for matching "interface alias" in firewall and NAT rules. An "address group" is automatically created for the primary IPv4 address of an interface, and this "alias" can be used in firewall and NAT rules to match the address even if the address is dynamic (for example, DHCP).

    For example, to create a NAT rule that matches packets destined to the address on interface eth0, the alias "ADDRv4_eth0" can be used like this:

    set service nat rule 10 destination group address-group ADDRv4_eth0

    This can simplify certain configurations, for example hairpin NAT with a dynamic interface address.
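Hairpin NAT with the interface alias, as an added example (not part of the release notes): a web server at 192.168.1.10 behind eth1 is published on port 80 of eth0, whose address comes from DHCP, and LAN hosts can reach it by the public address too. Interface names, addresses, rule numbers and the WAN_IN ruleset name (assumed to be the "in" ruleset on eth0) are assumptions.

```vyatta
configure

# Port forward from the WAN: destination NAT rules are numbered below 5000
set service nat rule 10 type destination
set service nat rule 10 description 'web server from WAN'
set service nat rule 10 inbound-interface eth0
set service nat rule 10 protocol tcp
set service nat rule 10 destination port 80
set service nat rule 10 inside-address address 192.168.1.10
set service nat rule 10 inside-address port 80

# Hairpin: the same service reached from the LAN by the WAN address. The
# auto-created alias group tracks eth0's current address, so no hard-coded IP
set service nat rule 11 type destination
set service nat rule 11 description 'web server hairpin'
set service nat rule 11 inbound-interface eth1
set service nat rule 11 protocol tcp
set service nat rule 11 destination group address-group ADDRv4_eth0
set service nat rule 11 destination port 80
set service nat rule 11 inside-address address 192.168.1.10
set service nat rule 11 inside-address port 80

# Source NAT for the hairpinned flows so the server's replies come back
# through the router instead of going directly to the LAN client
set service nat rule 5010 type masquerade
set service nat rule 5010 description 'hairpin masquerade'
set service nat rule 5010 outbound-interface eth1
set service nat rule 5010 protocol tcp
set service nat rule 5010 source address 192.168.1.0/24
set service nat rule 5010 destination address 192.168.1.10
set service nat rule 5010 destination port 80

# The "in" firewall on eth0 sees packets after destination NAT, so the accept
# rule matches the inside address, not the WAN address
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description 'web server'
set firewall name WAN_IN rule 30 protocol tcp
set firewall name WAN_IN rule 30 destination address 192.168.1.10
set firewall name WAN_IN rule 30 destination port 80

commit
save
```

Keep the WAN_IN accept rule as narrow as the NAT rule (protocol, destination address and port); an accept on the WAN address alone would also admit anything else later forwarded to that host.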

  • [Firewall] Add support for IPv6 address/network groups. Now "ipv6-address-group" and "ipv6-network-group" can be created for IPv6 addresses and networks, respectively. These can then be used in firewall rules to match packet source/destination. For example:
    set firewall group ipv6-address-group testv6 ipv6-address 2222::1
    set firewall ipv6-name test rule 10 destination group ipv6-address-group testv6 
  • [OpenVPN] Add support for using an .ovpn config file directly, without requiring any additional CLI settings. For example:
    set interfaces openvpn vtun0 config-file /config/test.ovpn
  • [System] Add support for an mDNS reflector service. This can be enabled with:
    set service mdns reflector

    Thanks @snowball @gjl and others for your suggestions and testing!

  • [QoS] Add support for a priority-queue policy. The new settings are under "traffic-policy priority-queue" and support up to seven classes, which are mapped to queues served in strict priority order.


Enhancements and bug fixes

  • [OpenVPN] Allow keys generated using easy-rsa (suggested by @infowolfe )
  • [OpenVPN] Fix validation for TLS key file (reported by @Schnitzelchen )
  • [OpenVPN] Change CA certificate validation to allow chained/stacked certificates (suggested by @brumma )
  • [Firewall] Fix member deletion for ipv6-network groups (reported by @csch )
  • [Firewall] Fix "show firewall statistics" for zones
  • [Firewall] Fix typo in error message
  • [Dynamic DNS] Add support for afraid.org (with help from @Blooze and @esseph)
  • [NAT] Fix NAT rule number help string
  • [PPPoE server] Fix "No client slots available" issue where PPP daemon gets stuck during connection establishment due to abnormal client termination (reported and tested by ajbtv2)
  • [PPPoE server] Fix interface renaming issue with simultaneous connection attempts and concurrent sessions (tested and reported by ajbtv2)
  • [PPPoE Server] Fix output of "show pppoe-server" (reported by @agilbett )
  • [PPPoE Client] Add "default-route force" option to replace an existing default route (suggested and reported by @paulgear and @bjck )
  • [PPPoE Client] Fix long delay when restarting PPP if the interface is not up (reported by @locus )
  • [PPPoE client] Fix IPv6 interface renaming, patch contributed by NVX
  • [PPPoE client] Add PPPoE client support for pseudo-ethernet (contributed by @dmbaturin )
  • [PPPoE client] Fix duplicate unit number detection
  • [PPPoE] Reduce LCP echo timeout to 30 seconds for both server and client. This provides faster detection of "undead" sessions that are left running when the peer disconnects ungracefully, for example. Reported by NVX and others.
  • [PPP] Make naming restrictions less strict for PPP hook scripts (suggested by NVX)
  • [PPP] Add support for PPP up/down scripts in /config/scripts/ppp (suggested on the forum)
  • [PPTP server] Add LCP echo timeout to detect undead sessions. Similar to the timeout for PPPoE this makes it faster to detect and terminate the session when the client does not disconnect gracefully.
  • [QoS] Fix configuration with both "u32" and "fw" filters (reported by @fgp and @TomAshbee)
  • [DNS forwarding] Enable resolv.conf polling to address DNS forwarding issues when name servers are obtained dynamically (e.g., DHCP), and also include changes suggested by @FTZ 
  • [LLDP] Fix configuration output that is confusing (reported by Schnitzelchen)
  • [Interface] (EdgeRouter PoE) Fix issue with creation of switch interfaces (reported by @amishgenius ).
  • [Interface] (EdgeRouter PoE) Fix issue with bridged switch interface configuration on boot (reported by @cgrey001 ).
  • [DHCP] Fix tab completion for "renew dhcp interface" for VLAN
  • [mDNS] Fix permission issue for mDNS reflector configuration (reported by snowball)
  • [IPsec] Fix RSA key parsing to support OpenSSL-generated keys (with help from @mutemule and @ryan3531)
  • [BGP] Add "clear ip bgp all soft", "clear ip bgp all soft in", and "clear ip bgp all soft out" operation commands.
  • [IPsec] Add support for IPv6 peers/subnets
  • [BGP] Allow configuring peer-group without remote-as (reported on the forum)
  • [Interface] Fix link_filter for IPv6
  • [DNS forwarding] Allow IPv6 name server
  • [HW acceleration] Move offload enable/disable settings to "system offload"
  • [System] Add pre-config.d mechanism (discussed with dmbaturin).
  • [System] Update /etc/timezone file when changing time zone. This is needed by some applications such as cron.
  • [System] Fix permission issue for config migration during config loading
  • [System] Improve robustness of upgrade procedure with more checks, validations, etc.
  • [System] Fix "show configuration commands" output for config setting with empty value (reported by @mathewss )
  • [System] Change upgrade script to copy /config more completely
  • [System] Add enhancements for initial-setup script contributed by dmbaturin
  • [System] Remove console configuration
  • [Web UI] Fix deleting network in OSPF Area dialog.
  • [Web UI] Fix handling of firewall ruleset name with slash ("/") or dot (".") character. Tested and reported by @bonienl and @esseph .
  • [Web UI] Allow IPv6 access by default (suggested by @Scissor).
  • [Web UI] Change wizard behavior to save configuration if connectivity test fails (suggested by Paetur)
  • [Web UI] Add "group" support for source/destination matching in NAT rules
  • [Web UI] Fix UI session timeout issue when system time is updated by NTP for example
  • [Web UI] Provide more informative error message for certain upgrade failures
  • [Web UI] Fix NAT address validation to allow wildcard
  • [Kernel] Cherry-pick a few netfilter SIP enhancements, including TCP support
  • [Kernel] Apply OpenWRT 160-netfilter_cisco_794x_iphone.patch, which improves support for Cisco IP phones (suggested by @polygnwnd)
  • [Kernel] Cherry-pick a few commits from later kernels, for example, jhash3 (suggested by @request_timeout )
  • [Kernel] Enable network namespaces in the kernel configuration, needed by certain userspace applications (suggested by NVX)


Updated software components

  • Update ipset (both kernel and userspace) to 6.19
  • Update strongSwan to 4.5.2
  • Update net-snmp to 5.7.2
  • Update bind9 to 1:9.7.3.dfsg-1~squeeze11: Fix CVE-2013-4854
  • Update gnupg to 1.4.10-4+squeeze2: Fix CVE-2013-4242
  • Update libgcrypt11 to 1.4.5-2+squeeze1: Fix CVE-2013-4242
  • Update PHP to 5.4.19: Fix CVE-2013-4113 and CVE-2013-4248
  • Update dnsmasq to 2.62-3+deb7u1 from Debian wheezy (discussed on the forum)
  • Add mactelnet-client and mactelnet-server packages from Debian wheezy. There is currently no CLI configuration for this functionality; to use the server, start it manually with the "/etc/init.d/mactelnet-server" script (credentials are defined in "/etc/mactelnetd.users").