EdgeMax software release v1.3.0

by Previous Employee UBNT-ancheng on ‎10-15-2013 10:06 AM

EdgeMax software release v1.3.0 for EdgeRouter Lite and EdgeRouter PoE is now available from our downloads page: http://www.ubnt.com/download#edgemax.

This release adds quite a few new features and enhancements, including hardware offload support for VLANs, a basic "setup wizard" in the Web UI, RADIUS-based rate limiting for PPPoE server, and more (see release notes below). As usual, many of these are inspired and contributed by the community, so thanks everyone for your participation and contributions! Icon Smile


[Release Notes v1.3.0]


Changes since v1.2.0

New features

  • [Web UI] Add basic setup wizard for simple WAN+LAN scenario as shown in the screenshot example below:

    This will set up the following configuration settings:
    • WAN connection (supports DHCP, static IP, or PPPoE)
    • NAT masquerade for WAN interface
    • Default firewall for WAN interface (only allow established and related traffic for both "local" and "in" traffic)
    • (EdgeRouter PoE only) Configure eth2/3/4 to be "switched" for the LAN
    • DHCP server for LAN subnets
    • DNS forwarding for LAN subnets
    • TCP MSS clamping if WAN is PPPoE
    One thing to note is that currently this basic wizard is only available when the router is running with the default configuration (for example after a reset to defaults). There is also a new function to restore the default configuration from the wizard tab (includes a reboot).

  • [PPPoE server] Add support for per-session rate limiting using RADIUS attributes. This supports upload/download rate limits using the WISPr RADIUS attributes "WISPr-Bandwidth-Max-Up" and "WISPr-Bandwidth-Max-Down", respectively. To summarize, the RADIUS attributes supported for PPPoE server now include the following:
    • WISPr-Bandwidth-Max-Up: Max upload rate in "bits/sec"
    • WISPr-Bandwidth-Max-Down: Max download rate in "bits/sec"
    • Framed-IP-Address: IP address for session
    • Acct-Interim-Interval: Number of seconds between interim accounting updates for the session
    • Session-Octets-Limit: Max number of octets allowed for the session
    • Octets-Direction: Direction of the Session-Octets-Limit restriction
    A simple way to test this is to set up a freeradius server and simply add a user to the "users" file on the server:
    testuser Cleartext-Password := "testpassword"
            WISPr-Bandwidth-Max-Up = 1000000,
            WISPr-Bandwidth-Max-Down = 5000000,
            Framed-IP-Address =,
            Acct-Interim-Interval = 120,
            Session-Octets-Limit = 1000000000,
            Octets-Direction = 1,

    Note that this is of course still work in progress and we plan to continue to expand the support. Thanks @Paetur @wtm @NVX @ajbtv2 and others for your input/suggestions!

  • [HW acceleration] Add VLAN offload. This allows hardware acceleration to be applied to VLAN-to-VLAN and VLAN-to-non-VLAN traffic. Currently this is disabled by default and can be enabled using:
    set system offload ipv4 vlan enable
    set system offload ipv6 vlan enable
  • [NAT] Add "group" support for source/destination matching. Previously this was only supported for firewall rules but now added to NAT rules as well. For example:
    set service nat rule 10 destination group port-group group1
  • [Firewall/NAT] Add support for matching "interface alias" in firewall and NAT rules. An "address group" is automatically created for the primary IPv4 address of an interface, and this "alias" can be used in firewall and NAT rules to match the address even if the address is dynamic (for example, DHCP).

    For example, to create a NAT rule that matches packets destined to the address on interface eth0, the alias "ADDRv4_eth0" can be used like this:

    set service nat rule 10 destination group address-group ADDRv4_eth0

    This could make certain configurations simpler, for example, hairpin NAT with dynamic interface address.

  • [Firewall] Add support for IPv6 address/network groups. Now "ipv6-address-group" and "ipv6-network-group" can be created for IPv6 addresses and networks, respectively. These can then be used in firewall rules to match packet source/destination. For example:
    set firewall group ipv6-address-group testv6 ipv6-address 2222::1
    set firewall ipv6-name test rule 10 destination group ipv6-address-group testv6 
  • [OpenVPN] Add support for using an ovpn config file directly without requiring any additional CLI settings. For example: 
  • set interfaces openvpn vtun0 config-file /config/test.ovpn
  • [System] Add support for mDNS reflector service. This can be enabled by:
  • set service mdns reflector

     Thanks @snowball @gjl and others for your suggestions and testing!

  • [QoS] Add support for priority-queue policy. The new settings are under "traffic-policy priority-queue" and supports up to seven classes that are mapped to queues served in priority order.


Enhancements and bug fixes

  • [OpenVPN] Allow keys generated using easy-rsa (suggested by @infowolfe )
  • [OpenVPN] Fix validation for TLS key file (reported by @Schnitzelchen )
  • [OpenVPN] Change CA certificate validation to allow chained/stacked certificates (suggested by @brumma )
  • [Firewall] Fix member deletion for ipv6-network groups (reported by @csch )
  • [Firewall] Fix "show firewall statistics" for zones
  • [Firewall] Fix typo in error message
  • [Dynamic DNS] Add support for afraid.org (with help from @Blooze @Josh_SPITwSPOTS here)
  • [NAT] Fix NAT rule number help string
  • [PPPoE server] Fix "No client slots available" issue where PPP daemon gets stuck during connection establishment due to abnormal client termination (reported and tested by ajbtv2)
  • [PPPoE server] Fix interface renaming issue with simultaneous connection attempts and concurrent sessions (tested and reported by ajbtv2 here)
  • [PPPoE Server] Fix output of "show pppoe-server" (reported by @agilbett )
  • [PPPoE Client] Add "default-route force" option to replace an existing default route (suggested and reported by @libertysys and @bjck )
  • [PPPoE Client] Fix long delay when restarting PPP if the interface is not up (reported by @locus )
  • [PPPoE client] Fix IPv6 interface renaming, patch contributed by NVX
  • [PPPoE client] Add PPPoE client support for pseudo-ethernet (contributed by @dmbaturin )
  • [PPPoE client] Fix duplicate unit number detection
  • [PPPoE] Reduce LCP echo timeout to 30 seconds for both server and client. This provides faster detection of "undead" sessions that are left running when the peer disconnects ungracefully, for example. Reported by NVX and others.
  • [PPP] Make naming restrictions less strict for PPP hook scripts (suggested by NVX here)
  • [PPP] Add support for PPP up/down scripts in /config/scripts/ppp (suggested here)
  • [PPTP server] Add LCP echo timeout to detect undead sessions. Similar to the timeout for PPPoE this makes it faster to detect and terminate the session when the client does not disconnect gracefully.
  • [QoS] Fix configuration with both "u32" and "fw" filters (reported by @fgp and @TomAshbee here and here)
  • [DNS forwarding] Enable resolv.conf polling to address DNS forwarding issues when name servers are obtained dynamically (e.g., DHCP), and also include changes suggested by @FTZ 
  • [LLDP] Fix configuration output that is confusing (reported by Schnitzelchen)
  • [Interface] (EdgeRouter PoE) Fix issue with creation of switch interfaces (reported by @amishgenius ).
  • [Interface] (EdgeRouter PoE) Fix issue with bridged switch interface configuration on boot (reported by @shortcut3d ).
  • [DHCP] Fix tab completion for "renew dhcp interface" for VLAN
  • [mDNS] Fix permission issue for mDNS reflector configuration (reported by snowball here)
  • [IPsec] Fix RSA key parsing to support OpenSSL-generated keys (with help from mutemule @mutemule and @ryan3531 in this thread)
  • [BGP] Add "clear ip bgp all soft", "clear ip bgp all soft in", and "clear ip bgp all soft out" operation commands.
  • [IPsec] Add support for IPv6 peers/subnets
  • [BGP] Allow configuring peer-group without remote-as (reported here)
  • [Interface] Fix link_filter for IPv6
  • [DNS forwarding] Allow IPv6 name server
  • [HW acceleration] Move offload enable/disable settings to "system offload"
  • [System] Add pre-config.d mechanism (discussed with dmbaturin here).
  • [System] Update /etc/timezone file when changing time zone. This is needed by some applications such as cron.
  • [System] Fix permission issue for config migration during config loading
  • [System] Improve robustness of upgrade procedure with more checks, validations, etc.
  • [System] Fix "show configuration commands" output for config setting with empty value (reported by @mathewss )
  • [System] Change upgrade script to copy /config more completely
  • [System] Add enhancements for initial-setup script contributed by dmbaturin
  • [System] Remove console configuration
  • [Web UI] Fix deleting network in OSPF Area dialog.
  • [Web UI] Fix handling of firewall ruleset name with slash ("/") or dot (".") character. Tested and reported by @bonienl and @Josh_SPITwSPOTS .
  • [Web UI] Allow IPv6 access by default (suggested by @Scissor in this thread).
  • [Web UI] Change wizard behavior to save configuration if connectivity test fails (suggested by Paetur)
  • [Web UI] Add "group" support for source/destination matching in NAT rules
  • [Web UI] Fix UI session timeout issue when system time is updated by NTP for example
  • [Web UI] Provide more informative error message for certain upgrade failures
  • [Web UI] Fix NAT address validation to allow wildcard
  • [Kernel] Cherry-pick a few netfilter SIP enhancements, including TCP support
  • [Kernel] Apply OpenWRT 160-netfilter_cisco_794x_iphone.patch, which improves support for Cisco IP phones (suggested by @polygnwnd here)
  • [Kernel] Cherry-pick a few commits from later kernels, for example, jhash3 (suggested by @request_timeout )
  • [Kernel] Enable network namespaces in kernel configuration needed by certain userspace applications (suggested by NVX here)


Updated software components

  • Update ipset (both kernel and userspace) to 6.19
  • Update strongSwan to 4.5.2
  • Update net-snmp to 5.7.2
  • Update bind9 to 1:9.7.3.dfsg-1~squeeze11: Fix CVE-2013-4854
  • Update gnupg to 1.4.10-4+squeeze2: Fix CVE-2013-4242
  • Update libgcrypt11 to 1.4.5-2+squeeze1: Fix CVE-2013-4242
  • Update PHP to 5.4.19: Fix CVE-2013-4113 and CVE-2013-4248
  • Update dnsmasq to 2.62-3+deb7u1 from Debian wheezy (discussed in this thread)
  • Add mactelnet-client and mactelnet-server packages from Debian wheezy. Currently there is no CLI configuration for this functionality. To use the server, invoke the "/etc/init.d/mactelnet-server" script to start it (credentials are defined in "/etc/mactelnetd.users").

on ‎10-15-2013 10:12 AM

I get an upload failed error message.

by Previous Employee UBNT-ancheng
on ‎10-15-2013 10:16 AM

We have seen some cases where memory usage is high and causing the upload to fail (for example discussed in this thread), and you could try rebooting the router before the upgrade, for example.


‎10-17-2013 02:06 AM - edited ‎10-17-2013 02:08 AM

"[NAT] Add "group" support for source/destination matching. Previously this was only supported for firewall rules but now added to NAT rules as well."

Hurray Finally, doing things properly is going to be rewarding Man Happy

on ‎10-17-2013 12:26 PM

"[NAT] Add "group" support for source/destination matching. Previously this was only supported for firewall rules but now added to NAT rules as well."

Exactly what I was waiting for, thanks!

Continue to wait for load balancing with link availability detection like we can see in VC 6.5.
This is must-have option for product like yours. 

by Previous Employee UBNT-ancheng
on ‎10-17-2013 12:41 PM

Yes as mentioned before we are working on load balancing/failover, and if things go well it might even show up in the next beta cycle Icon Smile

on ‎10-19-2013 03:36 PM

I get the following error when I try to run the WAN+2LAN wizard.  

"Failed to apply the wizard configuration (Invalid WAN option)"

Any ideas?

‎10-20-2013 07:27 AM - edited ‎10-20-2013 07:47 AM

Hey guys...i am new to UBIQUITI.. but its a great product.. which i have heard... i updated the firmware to 1.3 and used the wizard but i am getting one error ... please if any one can help....

The wizard configuration has been applied successfully (but Internet connectivity test failed)

i even checked my home internet router is working fine and am getting internet.....

can some one help me to setup this... ... thanks a lot

on ‎10-20-2013 07:53 AM

Just curious after reading the release notes and wanted a closer look at the first (hope not the last) of many wizzards. This is a screen-shot of what I see. It it normal to get a blank page if the router has already been setup?




by Previous Employee UBNT-ancheng
on ‎10-20-2013 09:57 AM

@chad121 and @BruceFerjulian : These symptoms have been discussed on the beta forum before and are caused by browser compatibility issues. Could you try a recent version of Chrome or Firefox and see if that makes any difference?

@jatincpa : The message means the router is not able to access the Internet after applying the config. Maybe check the cable connections etc. to see if it is correct?

By the way it is probably easier to get help by posting on the forum since not all community members look at blog comments.

on ‎10-20-2013 10:25 AM

Chrome worked.  Thanks!  I should have checked the forum.  

on ‎10-23-2013 02:00 AM

Hi Guys,

Great news on the new release and hardware VLAN support.

Quick question though, we user the EdgeRouters in our offices, however we also use the Unifi AP's in these offices too. Are there any plans to implement the Unifi AP controller into the EdgeRouters, is this possible already by installing the library on the router?

This would allow us to remotely control and configure the AP's via just loging into that sites router......




on ‎10-23-2013 08:10 AM

Is the SIP ALG fixed now?

on ‎10-23-2013 09:19 AM

I keep getting a failed to upgrade system

Also Upload failed.

Ver 1.30  I have nothing running on the router  cpu and ram jump to 52% right at the end .

Any suggestions

by Previous Employee UBNT-ancheng
on ‎10-23-2013 09:28 AM

@cragdor : As discussed before the UniFi controller software requires Java and other components that do not work well on the EdgeRouter platform (for example performance is not acceptable due to lack of optimized Java implementation). So in the immediate term there is no plan to port the controller to the platform.

@cobrawnl : There are some changes to the SIP components in v1.3.0, but testing will be needed to determine whether that solves particular issues in a particular network environment.

@bfced : As discussed before (for example here) in some cases there is memory exhaustion issue that causes the upgrade to fail, in which case rebooting the router before upgrading usually resolves the issue. We have also been looking into this to address it.

‎10-24-2013 04:50 AM - edited ‎10-24-2013 04:52 AM

@UBNT-ancheng : From my understanding the Controller is only used to send firmware and configuration to the AP's, We are using Unfi UAP-Pro AP's and once configured they do not need the controller running. The question was not if to point the controller at it in its current Java version, but if a compatible controller could be written into the router interface to allow for the upload of configuration.

It just seems like it makes sense since in most cases where people are using the EdgeRouters they are also using Unfi AP's. I agree that the full blow java client remains useful on laptops/desktops/servers for situations where Firmware update or on site debugging is required. But a cutdown configuration screen implemented on the EdgeRouters would make remote management, and network status alot more usable in one place.

on ‎10-28-2013 07:49 AM
Hello, where can I find the setting speed limits on different IP address? thanks
on ‎12-29-2013 09:05 AM

Just FYI, I got a pair of ERLs for christmas and wasn't able to upgrade to 1.3 on either box.  It wasn't a memory issue.  They shipped with 1.0.2 code IIRC and I had to step through 1.1 or 1.2 to get to 1.3.  Both previous versions worked; I stepped through 1.1 on one ERL and 1.2 on the other.

on ‎01-10-2014 11:15 AM


I am having some problems with my edge router lite, and I hope you guys may help me...

I have upgraded it to v1.3.0, when finished, I ran setup wizards (wan + 2lan)… it appeared a message: “The router is going back to manufactory configuration”, I replied “yes” and the router restarted…

Now, I cannot enter the setup again… even after I physically reseted it…

What could I do to solve it? Can I downgrade? How?

Thanks a lot!

by Previous Employee UBNT-stig
on ‎01-10-2014 01:23 PM
@DEDOZIN it's better to ask a question like that in the forum and as a comment to a blog, but once you reset you'll only have configured on eth0. So you'll need a address in that range on your laptop to connect to it again.
on ‎01-14-2014 03:42 AM

I was using eth1 as described on the manual... it's working now, many thanks!

on ‎03-04-2015 04:12 PM


  • [QoS] Add support for priority-queue policy. The new settings are under "traffic-policy priority-queue" and supports up to seven classes that are mapped to queues served in priority order.


Is there an list the seven classes and the order they are in?