EdgeMax software release v1.4.0

by Previous Employee UBNT-ancheng ‎01-20-2014 10:12 AM - edited ‎01-29-2014 01:32 PM

New software release v1.4.0 is now available from our downloads page! http://www.ubnt.com/download#edgemax

Note that this release supports all current EdgeRouter models, so please select the correct model on the downloads page to get the corresponding upgrade image.

Quite a few new features and enhancements have been added in v1.4.0, including load balancing/failover, newer Linux kernel, new "feature wizard" infrastructure in Web UI (with "API" definition for community development), new port forwarding feature (with Web UI wizard), and more (see release notes below). Thanks you all for participating in the testing, providing feedback, and even contributing code! Icon Smile


[Release Notes v1.4.0]


Changes since v1.3.0

New features

  • [Load balancing] Add load balancing/failover feature to support multiple WAN connections with the ability to monitor actual connectivities (not just physical link status), spread traffic across all connections, and perform failover.

    Currently this needs to be configured from the CLI, but adding support for it in the Web UI is on the TODO list of course. As an basic example, assuming that the "eth0" and "eth1" interfaces are the two WAN connections and we want to balance all traffic from the LAN (on eth2) to go out on both connections. First, define a "load balance group":
     load-balance {
         group test {
             interface eth0 {
             interface eth1 {

    Then define a firewall modify ruleset that directs traffic to this load balance group:

     firewall {
         modify lb {
             rule 10 {
                 action modify
                 modify {
                     lb-group test

    Finally, apply this modify ruleset to the LAN traffic on eth2:

     interfaces {
         ethernet eth2 {
             firewall {
                 in {
                     modify lb

    This will set up the load balancing between eth0 and eth1. Internet connectivities for both interfaces will be monitored as well and failover will be performed if one loses connectivity.

    Note that the above assumes the interfaces themselves are already configured (addresses etc.) and of course there are also more advanced settings available. More complete documentation will be posted on this forum for these and other issues.

  • [Web UI] Add infrastructure support for "feature wizards" and also add the first feature wizards: port forwarding, TCP MSS clamping, and UPnP, which can be seen in the screenshots below.





  • [Web UI] In addition to the implemented feature wizards above, what may be more significant is that the infrastructure support for feature wizards defines a sort of "API" for wizard development, which enables community members to write their own wizards for their favorite features! Furthermore, once a wizard has been developed, it can be shared with others who can then upload the wizard to their router (through the Web UI) and start using it as well! In fact, a couple of them have already been implemented and posted on the beta forum by community members. If you are interested in these and other development, join us on the beta forum! Icon Biggrin

  • [Port forwarding] New port forwarding wizard in the Web UI (shown above) lets you simply specify the original port to be forwarded and the internal forward-to LAN address. Moreover, hairpin NAT can be enabled with a single checkbox, and firewall is opened automatically for all the port forwarding rules as well!

    This is based on the new CLI port-forward configuration. For example, the CLI configuration corresponding to the wizard screenshot above is the following:
     port-forward {
         hairpin-nat enable
         lan-interface eth1.10
         lan-interface eth2
         rule 1 {
             forward-to {
             original-port ssh
             protocol tcp
         rule 2 {
             forward-to {
                 port 5000-6000
             original-port 3000-4000
             protocol udp
         rule 3 {
             forward-to {
                 port 54321
             original-port 12345
             protocol tcp_udp
         wan-interface eth0
    The new port forwarding feature has been inspired by feedback and help from many community members, including @JohnDoe2  @lightsabersetc @tycoonbob @BruceFerjulian @LittleBill @l33n0x @jtenniswood @WALK3R Mark-Etienne, just to name a few. Thank you all for your contributions and hopefully this new feature will make all of our lives a little easier! Icon Smile

  • [PPPoE/PPTP] Add simple TCP MSS clamping configuration. Now instead of defining a "firewall modify" ruleset and applying it to a specific interface in the configuration (or using iptables directly if that is not possible), TCP MSS clamping can be enabled like this:
    set firewall options mss-clamp

    Currently this will default to use 1412-byte MSS and will apply to traffic going out on any "pppoe*" and "pptp*" interfaces on the system (this can be changed using the "mss" and "interface-type" settings under "mss-clamp"). Also since this no longer requires "firewall modify", it does not disable offload either and therefore would be good in cases where "modify" is only needed for MSS clamping.

    This has been discussed with community members before, for example js here and here. A wizard for this configuration has also been added to the Web UI as shown above and allows enabling TCP MSS clamping with a single checkbox.

  • [Kernel] Back port 3.4 kernel from new vendor SDK to run on the ER Lite and PoE models. This may not sound very exciting at all, but it does provide some significant benefits:
    • 3.4 kernel is much less ancient than 2.6.32 Icon Smile
    • It allows us to use the same kernel base for all current products (ERLite/ERPoe/ERPro/ER). Previously the ERPro/ER needs the new kernel while the ERLite/ERPoe needs the old one. Using the same kernel can significantly reduce our maintenance efforts, for example.
    • Similarly, it unifies the offload modules as well and we won't need to maintain two separate trees for the two kernels.
    • Certain features are only available in newer kernels, for example, the new network namespace mechanism discussed with @NVX here.
  • [Web UI] New dashboard graphs in the Web UI:


    The new TX/RX graphs on the dashboard now allows you to select which interfaces to be graphed. Also, previously only the physical interfaces (ethX) are graphed, but now VLAN and other interface types are supported too.
  • [Web UI] Improve browsers compatibility, in particular WebSocket detection and related logic. With the latest changes, support for the major browsers is described below:
    • Firefox (any recent version), Chrome (any recent version), Safari version 6 and higher, IE version 10 and higher:
      • Native WebSocket supported
      • Both stats updates and CLI window available
    • Safari version 5.x and lower, IE version 9 and lower.
      • No native WebSocket support, use Flash-based implementation
      • Requires Flash, which also requires port 843 to be open
      • Only supports stats updates (CLI window not available)
    Note that for Safari version 6 and higher, it also seems to be necessary to select "Always trust the certificate" or similar (e.g., have system default to that etc.) when first accessing the router's Web UI. If not, the WebSocket connection may fail due to certificate verification issue. We have also added a warning message when such a case is suspected.


Enhancements and bug fixes

  • [Web UI] Re-establish WebSocket connections when user clicks "Try again" after losing connection so that stats updates etc. continue to work
  • [Web UI] Add automatic retry when Web UI loses connection to the router
  • [Web UI] Add "TCP" and "UDP" as options for "protocol" match in firewall/NAT rules
  • [Web UI] Fix OSPF network boundary check to allow /32 (reported by @wispr here)
  • [Web UI] Fix WebSocket issue for CLI window for Chrome version 31 and higher, reported by @Blooze @samyil @sxpert @esseph @UBNT-MikeD @bugu4787 @bartlanz @neomech 
  • [Web UI] Add warning messages for PoE output
  • [Web UI] Add support for filtering on VLAN interfaces in Discover tool
  • [Web UI] Fix display issue for NAT rules after making changes in wizard. Reported (e.g., here and here) by @abu_cwarky @ajbtv2 @bonienl @ub40 
  • [Web UI] Add the following enhancements for dashboard graphs during the beta cycle based on community feedback:
    • Add graph overlay (mouse hover) info for rates and total stats
    • Add auto-scaling (Kbps, Mbps, etc.) for units
    • Make interface selection "persistent"
    • Make interface color static when selecting/deselecting interfaces
    • Make interface ordering static when selecting/deselecting interfaces
    • Use interface names instead of description
    • Make colors more contrasty
    Most of these are based on discussions with community members including @wkweksl @js bonienl ajbtv2 NVX @chaicka @usrhome @skidmata @Paetur @levicki and others (for example in these threads: 1 2 3).

  • [Web UI] Allow switch0 to be selected for PPPoE server. Reported by ajbtv2 here.
  • [Web UI] Allow "other" interfaces (user input) for DNS forwarding
  • [Port forwarding] Add the following enhancements during the beta cycle based on community feedback:
    • Add "auto-firewall" setting for enabling/disabling automatic opening of firewall for specified port forwarding rules. If disabled (e.g., "set port-forward auto-firewall disable" in CLI), firewall rules must be defined separately using the existing firewall configuration mechanism (Web UI or CLI) to allow port-forwarded traffic.

      This allows advanced users to take advantage of the simplified port forwarding settings (including hairpin NAT function) but retain the flexibility/semantics of the existing firewall rules configuration.
    • Add "description" setting for per-rule text description.
    • Allow multiple ports to be specified for "original-port" in a single rule (for example, "ssh,12345,1000-2000").
    These improvements are based on discussions with community members (for example in these threads: 1 2 3 4), including ajbtv2 js @Milo_Masters @mvn bonienl @ixnu ub40 abu_cwarky and others.

  • [System] Include lighttpd mod_proxy module (suggested by @rdahlin )
  • [System] Allow both IPv4 and IPv6 addresses for a static host mapping entry (reported/suggested by @lukas2511 @barkas @jfunk and others), for example:
    ubnt@ubnt# set system static-host-mapping host-name foo inet
    ubnt@ubnt# set system static-host-mapping host-name foo inet 2001::1
    ubnt@ubnt# compare
    [edit system]
    +static-host-mapping {
    +    host-name foo {
    +        inet
    +        inet 2001::1
    +    }
    ubnt@ubnt# commit
    ubnt@ubnt# grep foo /etc/hosts  foo     #vyatta entry
    2001::1  foo     #vyatta entry
  • [IPv6] Change defaults on boot for "forwarding" and "autoconf" (to 1 and 0, respectively) to be consistent with the configuration (reported by @timberwolf barkas here and here)
  • [Switch] (ER PoE only) Fix creation of VLAN interfaces on switch interface (reported by ajbtv2)
  • [Switch] (ER PoE only) Set default MTU to 1500 for VIF on switch. Reported by Paetur here.
  • [Interface] (EdgeRouter PoE only) Fix configuring bridging for switch interface. Reported by NVX here.
  • [Interface] Fix MTU check for bond VIF. Reported by @malbertus here.
  • [Bridge] Add support for creating VLAN interfaces on a bridge interface, for example:
    set interfaces bridge br0 vif 100 address
  • [Firewall] Fix icmpv6 type match with protocol "icmpv6" in firewall rules (reported by @Grizzletooth @final here)
  • [Firewall] Add connmark/mark match and connmark modify action (suggested by @fgp  here)
  • [Firewall/NAT] Allow networks in network groups (now supported by new ipset), reported by @elgo  here
  • [Firewall/NAT] Allow network to be specified in "address group". Discussed with @dlopezc and others (for example here).
  • [DHCP relay] Fix "relay-options relay-agents-packets" config setting (discovered/reported by @Adik  here)
  • [PPPoE client] Add support for PPPoE client on a bridge interface or a VLAN interface on a bridge interface, for example:
    set interfaces bridge br0 pppoe 0 user-id ...

    set interfaces bridge br0 vif 100 pppoe 0 user-id ...

    Discussed on the forum before, for example with @csch  here.

  • [PPPoE client] Fix "access-concentrator" and "service-name" settings
  • [PPPoE client] Add workaround for issue of QoS policy not applied correctly on boot. Reported by for example @itsmarcos here.
  • [PPPoE client] Set MTU to configured value to work around MTU negotiation issue. Discussed with NVX @glipschitz @dhoulbrooke @bjck abu_cwarky @skidmata  and others (for example here).
  • [Kernel] Tweak root filesystem (ext3) mount options. This may improve reliability in certain rare scenarios involving unclean shutdown (e.g., power loss).
  • [Flow accounting] Add support for IPFIX export version 10 and "direction" setting
  • [PPPoE server] Fix typos in CLI help text reported by NVX here.
  • [PPPoE server] Fix potential PPPoE interface rename issue when router load is high (reported by ajbtv2 here)
  • [PPPoE server] Allow non-"ethX" interfaces to be used without warning. Discussed with ajbtv2 @marnog here.
  • [PPPoE server] Relax regex for interface names for show commands. Suggested by NVX here.
  • [PPPoE server] Add PPPoE disconnect daemon contributed by ajbtv2 and supporting RADIUS Disconnect message (RFC 3576) to terminate specific PPPoE session. Note that this is not enabled by default for now. To use this feature, issue the following command from the router CLI:
    sudo cp /opt/vyatta/etc/pppoe-server/start-pppoe-radius-disconnect /config/scripts/post-config.d/

     which will start the daemon when router boots up. Discussed with ajbtv2 Paetur and others, for example here.

  • [DHCP server] Add "hostfile-update" setting. When enabled, client leases (client name and IP) will be added automatically to /etc/hosts file, which, for example, can then be used by DNS forwarding to resolve DNS queries. Discussed with @BarryWard @torpesco and others. Implementation is based on the settings/scripts contributed by @bradd here.

    This defaults to disabled but can be enabled using the following:
    set service dhcp-server hostfile-update enable
  • [DHCP server] Add "unifi-controller" setting for UniFi inform (DHCP option 43). Discussed before with Blooze @Mtnmann and others (for example here and here). For example:
    set service dhcp-server shared-network-name test subnet unifi-controller

     This is also added to the Web UI and can be configured in the DHCP server configuration.

  • [DHCP server] Fix "clear dhcp lease" commands. Reported and tested by @Advocate99 here.
  • [DHCP server] Make address range optional for DHCP server configuration in CLI. Suggested by @mike99  here. (Note that Web UI configuration for this will be in the next release.)
  • [System] Add default rotate for "auth.log" file (reported/suggested by @askbjoernhansen @GaryGapinski  here)
  • [System] Add "system ip override-hostname-ip" setting that allows overriding the default IP address ( corresponding to the rotuer's hostname in "/etc/hosts". This could be useful in certain cases such as PPPoE server with RADIUS, etc. Reported/suggested by jfunk @faye @ellisway Paetur ajbtv2 and others
  • [System] Merge "system conntrack" CLI settings from upstream. This includes moving a number of conntrack options out of the "firewall" section and add new conntrack-related settings. These include timeouts, table sizes, module enable/disable and parameters, etc. For example:
    set system conntrack table-size 262144
    set system conntrack modules sip disable
  • [System] Signal dnsmasq (DNS forwarding) to reload /etc/hosts when host name or override IP is changed. Discussed with @mrjester here.
  • [IPsec] Fix ordering of peers in ipsec.secrets so that "wildcard" entry is at the end. Reported by @jwilling @relume here and here.
  • [IPsec] Fix script for (re-)starting VPN when PPPoE interface comes up. Reported and tested by @dragon2611  here.


Updated software components

  • Update iproute2 to version 3.4 to match new kernel. This allows access to some new features available in the new kernel (e.g., the new network namespace functions discussed with NVX here).
  • Update PHP to fix CVE-2013-4508, CVE-2013-4560, CVE-2013-4559, CVE-2013-6712, and CVE-2013-6420
  • Update curl to 7.21.0-2.1+squeeze6: Fix CVE-2013-4545
  • Update strongSwan to Fix CVE-2013-6075
  • Update to Debian 6.0.8
  • Update ddclient to 3.8.1-1.1
  • Update gnupg to 1.4.10-4+squeeze3: Fix CVE-2013-4402 and CVE-2013-4351
  • Update libxml2 to 2.7.8.dfsg-2+squeeze8: Fix CVE-2013-2877
  • Update openssh to 1:5.5p1-6+squeeze4: Fix CVE-2011-5000
  • Update pmacct (for NetFlow) to 1.5.0rc1
  • Update quagga to fix CVE-2013-2236