EdgeMax software release v1.5.0

by Previous Employee UBNT-ancheng ‎06-23-2014 11:36 PM - edited ‎07-02-2014 01:21 PM

New software version v1.5.0 has been released and is available from our downloads page! http://www.ubnt.com/download

Please select "EdgeMAX" platform and the correct model on the page to get the corresponding upgrade image.

We have added quite a few new features and enhancements in this release, including PPPoE offload, Web UI for IPsec VPN, bandwidth test tool in Web UI, support creating/modifying PPPoE interface from UI dashboard, and many others (see release notes below). Thanks everyone for your help in testing, reporting issues, discussing solutions, and even contributing patches!

[Release Notes v1.5.0]


Changes since v1.4.1

New features

  • [HW acceleration] Add support for PPPoE offload. Currently this is disabled by default and can be enabled using:
    set system offload ipv4 pppoe enable
    set system offload ipv6 pppoe enable
    Note one current limitation is that for IPv6, PPPoE and VLAN offload functions are mutually exclusive, i.e., only one can be enabled (this limitation does not apply to IPv4 PPPoE and VLAN).

    This has been discussed quite a few times on the forums, for example with @NVX @bjck hyphenatic @PLan @MailGuy @cremenescu @abu_cwarky SimmyD @ben_ adiatric @timberwolf @skidmata and others.

    Also, during the beta cycle, issues were resolved based on testing by community members including adiatric cremenescu MailGuy NVX abu_cwarky c0mm0n @spiderben25 (for example here). Thanks everyone for your feedback!

  • [Web UI] Reorganize UI tabs: "Security" tab now becomes two separate tabs, "Firewall/NAT" and "VPN".
  • [Web UI] Move port forwarding feature to the new Firewall/NAT tab and also add stats support. When "show stats" is clicked, the UI will show the packet/byte hit counters for each port forwarding rule, which can be useful for testing/troubleshooting/etc.



    This has been discussed on the forum before with @ajbtv2 @bonienl ixnu @ub40 @levicki @kai_h @bobcart @js abu_cwarky and others.

  • [Web UI] Add basic IPsec site-to-site configuration to the new VPN tab. Currently this supports multiple peers, multiple tunnels per peer, and pre-shared secrets.

    Also improvements were made during the beta cycle based on feedback by community members including branob @ryan3531 @Tim783 @psydafke @looney128 (for example 1, 2, and 3).

  • [Web UI] Add load balancing setup wizard, which can be used to set up a simple load balancing configuration with two Internet connections (each can be DHCP, static, or PPPoE). A reboot of the router is required to apply the configuration from the wizard.

  • [Web UI] Add bandwidth testing tool (Toolbox -> Bandwidth). To run the bandwidth test between two routers, run the tool as "receiver" on one side and as "sender" on the other side. Then on sender side, enter the receiver's IP address and click on "Run Test". More settings can be tweaked on the sender by clicking the "Show Advanced Setting".


  • [Web UI] Add support for creating/editing PPPoE connection. This allows the creation of PPPoE client interface for connecting to ISP, and username/passwords/etc. can also be edited in the UI.

    The interface will also show up in the dashboard (with IP etc.) as well as the graphs for monitoring. This has been suggested by and discussed with community members including @dragon2611 @dpFlipFlop kai_h @BranoB @dcui and others (for example here).

  • [Web UI] Add support for converting dynamic DHCP lease to static mapping. Now you can go to the DHCP server lease table and "convert" a currently dynamic lease into a static mapping in the configuration.
    This has been suggested by and discussed with community members including @clarknova @mhohman @Idea @Paetur @gveresex @sorvani and others (for example here).

    Also improved the implementation based on feedback from community members including gveresex bonienl @stan-qaz @jackpal levicki clarknova @dison4linux (for example here and here).

  • [Kernel] Merge codel/fq_codel backport contributed by Dave Taht (see here). Thanks very much Dave! Icon Smile Note that this is not yet configurable from the configuration settings, but the iproute2 tool has also been updated to support codel/fq_codel, so one can use "tc" directly to play with them. An example script has also been included to set up simple fq_codel policy. If you are interested in playing with it, try the following commands:
    sudo cp /usr/share/doc/ubnt-platform-e200/fqcodel-example /config/scripts/post-config.d/
    sudo chmod +x /config/scripts/post-config.d/fqcodel-example
    (Note: Change the "e200" to "e100" for ER Lite and ER PoE.) Then edit the script "/config/scripts/post-config.d/fqcodel-example" and change the basic settings (WAN interface and upload/download speeds) at the beginning of the file to match your setup. Then run the script to apply the policy:
    sudo /config/scripts/post-config.d/fqcodel-example
    To try different settings, modify the script, then clear the current policy and apply the new one:
    sudo /config/scripts/post-config.d/fqcodel-example clear
    sudo /config/scripts/post-config.d/fqcodel-example
    Note that since the script is in the post-config.d directory, it will be executed automatically on boot, and it will also be preserved across upgrades.

    Of course this script is just an example and if you play with it, please join us on the beta forum to discuss any questions and share your experience. Thanks very much!

  • [IPv6] Add 6rd tunnel support contributed by @brielle (originally from http://enog.jp/~masakazu/vyatta/vyatta-cfg-system-6rd.patch). Discussed in this thread.

  • [UPnP] Add miniupnpd support. This is a new UPnP implementation that uses miniupnpd instead of linux-igd. For now, this is configured under "service upnp2 ..." (the old implementation is still available under "service upnp ..."). Discussed previously for example in this thread with @Sugaroverdose @elgo @mlewisclark @ConnorM  and others.


Enhancements and bug fixes

  • [Web UI] Reduce memory usage and improve speed for the upgrade function. The new implementation no longer supports the "percentage progress display", but the upgrade speed should be faster, and this should also reduce the chance of upgrade failing due to memory exhaustion. Note: This new implementation will only take effect at the "next upgrade" after upgrading to 1.5.0 of course.
  • [Web UI] Add Dynamic DNS (DDNS) configuration to "Services -> DNS" tab. Based on DDNS feature wizard contributed by @Horfic here.
  • [Web UI] Improve usability for mobile devices (tablets). This include mostly layout changes, resizes, etc. Small devices such as phones are most likely still not usable for the Web UI.
  • [Web UI] Update lighttpd to 1.4.35 and update default config (Discussed with Marcel Schüller)
  • [Web UI] Add support for creating VLAN on a bridge interface. Suggested by @CiscoKid85 here.
  • [Web UI] Fix interface address configuration to allow reordering addresses. Reported by sorvani here.
  • [Web UI] Fix login error message for wrong username/password. Reported by @Matchstick stan-qaz sorvani @madou  and others here.
  • [Web UI] Fix timeout issue for loading feature wizard. Reported by @JanBal  here and Sugaroverdose here.
  • [Web UI] Fix WebSocket issue that was causing "double typing" in CLI window. Reported by @Eggplant  stan-qaz @jandafields  and others, for example here.
  • [Web UI] Relocate custom wizards to /config/wizard so that they are preserved on upgrades. Suggested by ajbtv2 here.
  • [Web UI] Add validations for TCP MSS clamping wizard
  • [Web UI] Make DHCP server start/stop range optional. Suggested by @mike99  here.
  • [Web UI] Make dashboard graphs resizable
  • [Web UI] Fix spinner for deleting VLAN interface
  • [Web UI] Fix config syncing from CLI in System tab
  • [Web UI] Move Save button for user settings to ensure it is visible
  • [Web UI] Change UI files packaging to resolve the issue where "clear browser cache" is needed on ugprade
  • [Web UI] Change upgrade implementation to potentially reduce memory usage. This may help in previously reported cases where upgrade fails due to memory exhaustion.
  • [Web UI] Add Delete button for PPTP remote access, DNS forwarding, and PPPoE server
  • [Web UI] Add mouseover stats in bandwidth test dialog
  • [Web UI] Fix firewall rule validation when changing to different tab
  • [Web UI] Improve loading speed for Port Forwarding tab. Reported by @Altheran abu_cwarky here.
  • [Web UI] Fix scrollbar and "Show advanced" checkbox for Port Forwarding tab. Reported by abu_cwarky ConnorM @pducharme here
  • [Web UI] Fix Port Forwarding stats for non-admin users
  • [Web UI] Fix issues with infotip icons (placements etc.). Reported by Matchstick @chaicka psydafke here and here.
  • [Web UI] Fix dialog menu overflow issue. Reported by Sugaroverdose here.
  • [Web UI] Fix DHCP server actions after deleting one server
  • [Web UI] Add arrow icon to toggle button for bottom tabs to be consistent with other products
  • [Web UI] Add enabling/disabling setting for UBNT discovery in System tab
  • [Web UI] Fix advanced options so their values are used even if the fields are hidden Reported by @joswell here
  • [Web UI] Change wizard infrastructure to allow overwriting an existing wizard when uploading a new one. Sugested by bonienl here
  • [Web UI] Fix notification dialog to show scrollbar when needed. Reported by @dcs-brock here
  • [Web UI] Add dynamic DNS service option for afraid.org. Suggested by @Keis here
  • [Web UI] Fix interface colors for dashboard graphs. Reported by and discussed with @sebastianmarkow @Jackalito chaicka @Blooze @WisTech @WALK3R @BHSAZ @dittman here and here
  • [Web UI] Fix refresh issue for discovery setting in System tab
  • [Web UI] Add Remove button for networks in OSPF area configuration
  • [Web UI] Modify WebSocket error message for Safari browser as suggested by and discussed with kai_h here.
  • [IPsec] Add "auto-firewall-nat-exclude" setting. When enabled, it will automatically set up firewall rules to allow IPsec traffic and add NAT exclusion for each configured tunnel. For example:
    set vpn ipsec auto-firewall-nat-exclude enable
  • [IPsec] Don't load the IPsec offload module (which depends on the IPv6 module) if IPv6 is disabled (i.e., module blacklisted)
  • [IPsec] Apply patch from ryan3531 (see here) to support additional DH groups (14, 15, 16, 19, 20, 21, 25, and 26)
  • [IPsec] Add support for IKE SHA2 hash algorithms. Patch contributed by community member ryan3531 here.
  • [IPsec] Fix warning message when updating pre-shared-secret. Reported by @wilhil ryan3531 here.
  • [IPsec] Apply patches from ryan3531 to install SPD entries before initiating IKE negotiation and also change the behavior for "respond" side when peer address is known. See discussion here.
  • [System] While system is booting, disallow login (Web UI, SSH, etc.) until the configuration loading is finished. This prevents some issues (both Web UI and CLI) reported before when user logs into the system while the configuration is still being loaded.
  • [System] Add "firstboot" mechanism to allow custom scripts that will be executed when the router is booted for the first time after an upgrade (and only the first time). Such scripts can be placed in the "/config/scripts/firstboot.d" directory. Discussed with NVX and others.
  • [System] Repeat sysctl loading after configuration in case some settings only become available after configuration (modules loaded etc.)
  • [System] Include ebtables in system to allow advanced usage outside the current configuration
  • [System] Allow login on boot after config loading finishes but before post-config scripts run. This prevents the scripts from accidentally blocking login. Discussed with NVX @Halino here.
  • [System] Increase rmem_max default to address netlink buffer space issue. Reported by @Domattps here.
  • [System] Fix typos in commit-confirm output. Reported by @ripat here.
  • [System] Add packages install mechanism for "first boot". Any Debian package (.deb) files placed in the "/config/data/firstboot/install-packages" directory will be automatically installed on the first boot after an upgrade. This can be used to preserve a set of extra packages that should be installed across upgrades.
  • [DHCP client] Clean up old name server info on boot to prevent adding outdated servers
  • [DHCP client] Add option to prevent DHCP client from updating the name servers. For example:
    set interfaces ethernet eth1 dhcp-options name-server no-update

     Discussed with @storrgie @faye  levicki onlyoneme skidmata TomS_ @bcdouglas @clickwir dragon2611 @ShockTech @ClaudeSS NVX stan-qaz here.

  • [DHCP client] Add "dhcp-options client-option" setting to allow entering free-form DHCP client options (e.g., "set interfaces ethernet eth0 dhcp-options client-option ..."). Discussed with @c0mm0n bjck here.
  • [DHCP server] Fix hosts file update when DNS forwarding is not enabled
  • [DHCP server] Improve hostsfile-update implementation to address issues reported by and discussed with community members including @itsmarcos NVX @mnabeel @Xand stan-qaz @GaryGapinski @chibby85 @final @ruudboon @chaos215bar2 (for example these threads: 1 2 3 4).
  • [DHCP server] Fix handling of incomplete leases for "show dhcpv6 server leases". Discussed with chaicka and NVX here.
  • [DHCP server] Fix cron jobs for housekeeping. Reported by @bl9 here.
  • [Interface] Fix PPTP interfaces handling for show commands
  • [Interface] Add per-interface source-validation setting for strict/loose reverse path forwarding support. For example:
    set interfaces ethernet eth2 ip source-validation strict

    Suggested by @rps , who also provided some implementation information here.

  • [Interface] Fix address validation for adding tunnel interface to a bridge. Reported by @whoknowz  here.
  • [Interface] (EdgeRouter PoE) Fix interface link status on switch ports when interface eth0 is disabled
  • [Interface] (EdgeRouter PoE) Make MTU configurable for switch0 interface. Discussed with @mcmpr @nayr and others, for example here.
  • [MSS clamp] Add IPv6 support for MSS clamping
  • [MSS clamp] Add "mss-clamp" support for "tun" interface type. This is enabled by default (if mss-clamp is enabled) or can be set explicitly with "set firewall options mss-clamp interface-type tun".
  • [Load balancing] Fix "show load-balance status" to prevent leftover zombie processes. Reported by @jinie  here.
  • [Load balancing] Improve robustness of mechanism for finding gateway and reduce CPU usage. Discussed with @syuexiehou @elp here
  • [Load balancing] Fix several issues reported by and discussed with community members including @kc6nkk @neotron @wiszmaster psydafke (for example here).
  • [Load balancing] Add support for transition script. Discussed with @thrca Blooze here.
  • [Load balancing] Fix potential issue with gateway discovery
  • [NAT] Fix "show nat statistics" for rules matching both TCP and UDP
  • [NAT] Fix "clear nat counters rule" command for rule with "tcp_udp". Reported by @kareem-ali here.
  • [NetFlow] Add aggregation settings for aggregating flows using specified fields. For example:
    set system flow-accounting aggregate ingress src-ip
  • [NetFlow] Add show commands for egress ("show flow-accounting egress" etc.)
  • [NetFlow] Add engine-id config setting for egress. Suggested by and discussed with NVX here.
  • [PPP] Add lcp-echo-adaptive option (from Debian) to pppd implementation. When enabled, this allows better link failure detection at high load. Discussed with @Stickygears  and skidmata here. This is now enabled by default for PPPoE client/server and PPTP server.
  • [PPPoE server] Fix RADIUS rate limits when PPPoE offload is enabled. Discussed with Paetur @ellisway for example here.
  • [PPPoE server] Fix potential interface renaming issue when many connection attempts happen simultaneously. Reported/tested by ajbtv2 Paetur @paszczus (for example here).
  • [PPPoE server] Change RADIUS upload rate limit to use TBF instead of ingress policing. This can improve the accuracy of the rate limiting in some cases. Discussed with Paetur here.
  • [PPPoE server] Reorder interface renaming mechanism to prevent potential issue Working with ajbtv2 and Paetur to continue troubleshoot remaining issues.
  • [PPPoE client] Fix password quoting issue reported by @Lighthalzen here.
  • [Web proxy] Add "proxy-bypass-source" configuration setting Patch from here and suggested by ajbtv2 here.
  • [Kernel] Include virtual Ethernet pair (veth) device driver. Suggested by NVX here and can be used for VRF for example.
  • [HW acceleration] Enhance the offload mechanism such that configuring "traffic-policy" (QoS) no longer disables offload completely. More specifically, now traffic that does not require QoS can still be offloaded (however, traffic requiring QoS will still not be offloaded). For example, if QoS policies are only applied to the WAN interface, LAN-to-LAN traffic between LAN interfaces can still be offloaded.
  • [HW acceleration] Fix jumbo packets handling. Reported by elgo here.
  • [HW acceleration] Fix minor issues with configuration settings for different offload features
  • [HW acceleration] Fix packet forwarding issue when multicast traffic is being offloaded. Reported by bjck Jackalito c0mm0n here.
  • [UPnP] Add ACL rules configuration for the new UPnP implementation based on miniupnpd ("service upnp2").
  • [UPnP] Enable PCP in miniupnpd build and include miniupnpdctl and upnpc
  • [Firewall] Fix ICMP type/code in firewall rules. Reported by @majestic21 here.
  • [Firewall] Fix disable setting of load balancing modify rule
  • [Firewall] Allow iptables' subnet mask syntax (e.g., ""). Suggested by NVX here.
  • [Firewall] Fix show commands output when ruleset name contains "/"
  • [RIP] Change passive-interface existence check to only a warning. Reported by @sufk  here.
  • [PPTP server] Apply patch from @elbuit (see here) to allow remote client IP address to be passed to PPP (such that it is available for RADIUS accounting for example).
  • [SNMP] Add SNMPv3 support ("set service snmp v3 ...") adopted from "upstream".
  • [SNMP] Change sysObjectID to Suggested by NVX here.
  • [Cron] Add "vyatta-cron" package contributed by @dmbaturin  here. This allows setting up scheduled tasks ("cron jobs") within the configuration.
  • [Cron] Fix several issues for task-scheduler feature (boot, validation, task deletion, etc.)
  • [Cron] Fix cron job specification of hourly/daily interval. Issue reported and patch contributed by @mjp here.


Updated software components

  • Port openssl 0.9.8o-4squeeze16 from Debian squeeze LTS: Fix CVE-2014-0076, CVE-2014-0195, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470, CVE-2012-4929
  • Port gnutls26 2.8.6-1+squeeze4 from Debian squeeze LTS: Fix CVE-2014-3466
  • Update PHP to 5.4.29: Fix CVE-2014-1943, CVE-2014-2270, CVE-2013-7345, CVE-2014-0185, CVE-2014-0237, CVE-2014-0238
  • Update strongSwan to fix CVE-2014-2338 and CVE-2014-2891
  • Update curl to 7.21.0-2.1+squeeze8: Fix CVE-2014-0138 and CVE-2014-0139
  • Update dpkg to 1.15.10: Fix CVE-2014-0471
  • Update openssh to 1:5.5p1-6+squeeze5: Fix CVE-2014-2532 and CVE-2014-2653
  • Update dpkg to 1.15.11: Fix CVE-2014-3864, CVE-2014-3865