This release adds quite a few new features and enhancements, including hardware offload support for VLANs, a basic "setup wizard" in the Web UI, RADIUS-based rate limiting for the PPPoE server, and more (see the release notes below). As usual, many of these were inspired and contributed by the community, so thanks everyone for your participation and contributions!
[Release Notes v1.3.0]
Changes since v1.2.0
[Web UI] Add a basic setup wizard for the simple WAN+LAN scenario, as shown in the screenshot example below:
This will set up the following configuration settings:
WAN connection (supports DHCP, static IP, or PPPoE)
NAT masquerade for WAN interface
Default firewall for the WAN interface: rulesets on both the "in" direction (traffic forwarded through the router) and the "local" direction (traffic addressed to the router itself) that only allow established and related traffic and drop everything else
(EdgeRouter PoE only) Configure eth2/3/4 to be "switched" for the LAN
DHCP server for LAN subnets
DNS forwarding for LAN subnets
TCP MSS clamping if the WAN is PPPoE
One thing to note is that currently this basic wizard is only available when the router is running with the default configuration (for example, after a reset to defaults). There is also a new function on the wizard tab to restore the default configuration (this includes a reboot).
[PPPoE server] Add support for per-session rate limiting using RADIUS attributes. Upload and download rate limits are set with the WISPr RADIUS attributes "WISPr-Bandwidth-Max-Up" and "WISPr-Bandwidth-Max-Down", respectively. To summarize, the RADIUS attributes supported by the PPPoE server now include the following:
WISPr-Bandwidth-Max-Up: Max upload rate in "bits/sec"
WISPr-Bandwidth-Max-Down: Max download rate in "bits/sec"
Framed-IP-Address: IP address for session
Acct-Interim-Interval: Number of seconds between interim accounting updates for the session
Session-Octets-Limit: Max number of octets allowed for the session
Octets-Direction: Direction of the Session-Octets-Limit restriction
A simple way to test this is to set up a FreeRADIUS server and add a user to the "users" file on the server:
Note that this is still a work in progress and we plan to continue expanding the support. Thanks @Paetur, @wtm, @NVX, @ajbtv2 and others for your input and suggestions!
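The following is an added example of such a "users" entry together with the router side of the test. It is not the entry from the original post: the user name, password, addresses and shared secret are made-up values, the FreeRADIUS file path is the Debian default, and the two EdgeOS "set" lines assume the Vyatta-style pppoe-server RADIUS syntax of this release.

```text
# /etc/freeradius/users  (FreeRADIUS 2.x; the WISPr dictionary is included by default)
# Reply items are comma-separated and indented; the last one has no trailing comma.
# Rates are in bits/sec: 2 Mbit/s up, 10 Mbit/s down.
pppoe-test  Cleartext-Password := "test-pass"
            Framed-IP-Address = 10.255.0.10,
            WISPr-Bandwidth-Max-Up = 2000000,
            WISPr-Bandwidth-Max-Down = 10000000,
            Acct-Interim-Interval = 300

# On the router: point the PPPoE server at that RADIUS server
# (192.0.2.10 and the key are placeholders for this example)
set service pppoe-server authentication mode radius
set service pppoe-server authentication radius-server 192.0.2.10 key 'radius-secret'
```

Before involving the router, confirm the reply on the RADIUS host itself with "radtest pppoe-test test-pass 127.0.0.1 0 testing123" (user, password, server, NAS port, the secret from clients.conf); the Access-Accept should list the WISPr attributes and the Framed-IP-Address. Because the session's address and its rate limits come straight from that reply, the RADIUS server and the shared secret are now part of the PPPoE trust boundary: keep the server on a management network the subscribers cannot reach, and use a long random secret, since RADIUS only protects the reply with an MD5 authenticator.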
[HW acceleration] Add VLAN offload. This allows hardware acceleration to be applied to VLAN-to-VLAN and VLAN-to-non-VLAN traffic. Currently this is disabled by default and can be enabled with:
set system offload ipv4 vlan enable
set system offload ipv6 vlan enable
[NAT] Add "group" support for source/destination matching. Previously this was only supported in firewall rules; it is now available in NAT rules as well. For example:
set service nat rule 10 destination group port-group group1
[Firewall/NAT] Add support for matching an "interface alias" in firewall and NAT rules. An "address group" is automatically created for the primary IPv4 address of each interface, and this "alias" can be used in firewall and NAT rules to match that address even when it is dynamic (for example, assigned by DHCP).
For example, to create a NAT rule that matches packets destined to the address on interface eth0, the alias "ADDRv4_eth0" can be used like this:
set service nat rule 10 destination group address-group ADDRv4_eth0
This can make certain configurations simpler, for example hairpin NAT when the WAN interface address is dynamic.
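As an added example (not from the original post), here is a complete hairpin NAT setup built on the alias, so that no WAN address is hard-coded anywhere: a port forward for TCP/80 from the WAN, the same forward for LAN clients that connect to the public address, the return-path masquerade that makes hairpinning work, and the firewall rule without which the forward never passes. The interface names, the internal server 192.168.1.10, the LAN subnet, the rule numbers and the ruleset name WAN_IN are all assumptions for this example.

```text
configure
# 1. Forward TCP/80 arriving on the WAN address to an internal web server
set service nat rule 10 description 'DNAT web from WAN'
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth0
set service nat rule 10 protocol tcp
set service nat rule 10 destination group address-group ADDRv4_eth0
set service nat rule 10 destination port 80
set service nat rule 10 inside-address address 192.168.1.10
set service nat rule 10 inside-address port 80
# 2. Hairpin: LAN clients that connect to the (dynamic) WAN address get the
#    same translation. ADDRv4_eth0 follows the address if DHCP changes it.
set service nat rule 11 description 'hairpin DNAT web from LAN'
set service nat rule 11 type destination
set service nat rule 11 inbound-interface eth1
set service nat rule 11 protocol tcp
set service nat rule 11 destination group address-group ADDRv4_eth0
set service nat rule 11 destination port 80
set service nat rule 11 inside-address address 192.168.1.10
set service nat rule 11 inside-address port 80
# 3. Hairpin return path: masquerade the LAN client so the server replies
#    via the router instead of directly to the client (which would break the
#    connection, since the client expects the reply from the WAN address)
set service nat rule 5001 description 'hairpin SNAT'
set service nat rule 5001 type masquerade
set service nat rule 5001 outbound-interface eth1
set service nat rule 5001 protocol tcp
set service nat rule 5001 source address 192.168.1.0/24
set service nat rule 5001 destination address 192.168.1.10
set service nat rule 5001 destination port 80
# 4. The WAN "in" ruleset is evaluated after DNAT, so it must accept the
#    connection to the translated (inside) address; the NAT rule alone opens nothing
set firewall name WAN_IN rule 30 description 'allow forwarded web'
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 protocol tcp
set firewall name WAN_IN rule 30 destination address 192.168.1.10
set firewall name WAN_IN rule 30 destination port 80
commit
save
exit
```

Matching on the alias rather than on "destination address" with a literal keeps the exposure scoped to the WAN address itself: a destination rule with no address match would translate traffic to any address that happens to arrive on the interface. Keep the firewall accept rule as narrow as the NAT rule (protocol, port and inside address), and verify with "show nat rules" and "show firewall name WAN_IN" that only the intended rule counters increment when you connect from the LAN to the public address.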
[Firewall] Add support for IPv6 address and network groups. An "ipv6-address-group" or "ipv6-network-group" can now be created for IPv6 addresses and networks, respectively, and used in firewall rules to match packet source or destination. For example:
set firewall group ipv6-address-group testv6 ipv6-address 2222::1
set firewall ipv6-name test rule 10 destination group ipv6-address-group testv6
[OpenVPN] Add support for using an .ovpn config file directly without requiring any additional CLI settings. Keep the file, and any certificates or keys it references, under /config so that they are preserved across firmware upgrades. For example:
set interfaces openvpn vtun0 config-file /config/test.ovpn
[System] Add support for mDNS reflector service. This can be enabled by:
set service mdns reflector
Thanks @snowball, @gjl and others for your suggestions and testing!
[QoS] Add support for a priority-queue policy. The new settings are under "traffic-policy priority-queue" and support up to seven classes, each mapped to a queue that is served in strict priority order.
[PPPoE client] Fix duplicate unit number detection
[PPPoE] Reduce the LCP echo timeout to 30 seconds for both server and client. This gives faster detection of "undead" sessions that are left running when, for example, the peer disconnects ungracefully. Reported by NVX and others.
[PPP] Relax the naming restrictions for PPP hook scripts (suggested by NVX here)
[PPP] Add support for PPP up/down scripts in /config/scripts/ppp (suggested here)
[PPTP server] Add an LCP echo timeout to detect undead sessions. Like the timeout for PPPoE, this makes it faster to detect and terminate a session when the client does not disconnect gracefully.
[Web UI] Change wizard behavior to save configuration if connectivity test fails (suggested by Paetur)
[Web UI] Add "group" support for source/destination matching in NAT rules
[Web UI] Fix a UI session timeout issue triggered when the system time is updated (by NTP, for example)
[Web UI] Provide more informative error message for certain upgrade failures
[Web UI] Fix NAT address validation to allow wildcard
[Kernel] Cherry-pick a few netfilter SIP enhancements, including TCP support
[Kernel] Apply the OpenWRT 160-netfilter_cisco_794x_iphone.patch, which improves support for Cisco IP phones (suggested by @polygnwnd here)
[Kernel] Cherry-pick a few commits from later kernels, for example jhash3 (suggested by @request_timeout)
[Kernel] Enable network namespaces in kernel configuration needed by certain userspace applications (suggested by NVX here)
Updated software components
Update ipset (both kernel and userspace) to 6.19
Update strongSwan to 4.5.2
Update net-snmp to 5.7.2
Update bind9 to 1:9.7.3.dfsg-1~squeeze11: Fix CVE-2013-4854
Update gnupg to 1.4.10-4+squeeze2: Fix CVE-2013-4242
Update libgcrypt11 to 1.4.5-2+squeeze1: Fix CVE-2013-4242
Update PHP to 5.4.19: Fix CVE-2013-4113 and CVE-2013-4248
Update dnsmasq to 2.62-3+deb7u1 from Debian wheezy (discussed in this thread)
Add the mactelnet-client and mactelnet-server packages from Debian wheezy. Currently there is no CLI configuration for this functionality. To use the server, invoke the "/etc/init.d/mactelnet-server" script to start it (credentials are defined in "/etc/mactelnetd.users"). Since none of this is part of the CLI configuration, neither the service state nor the credentials file is saved under /config, so they will not survive a firmware upgrade; treat it as a manually started service and stop it when you no longer need it.