New Member
Posts: 17
Registered: ‎03-09-2018
Kudos: 1

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

My password is now invalid after the update. To be fair, it was a several hundred character password with high ANSI characters.

Emerging Member
Posts: 88
Registered: ‎12-21-2018
Kudos: 49

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

My cron scheduler job is gone from config after an upgrade. Not a big deal, but something to watch out for.

New Member
Posts: 45
Registered: ‎11-22-2017
Kudos: 37
Solutions: 1

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

I have an ER-X SFP running merrily on 1.10.8. I normally wait a couple of weeks whenever an upgrade comes through before doing the update, just in case a glitch or two shows up. I think I'll avoid the 2.0 upgrade altogether until I see a good reason to do the upgrade.

Established Member
Posts: 781
Registered: ‎01-29-2014
Kudos: 315
Solutions: 35

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

I have an ERPoE  - just upgraded to 2.0.0.  I have been running beta-3 for about a week prior.  No problems with my setup with either the beta-3 or the 2.0.0 release.

 

My setup includes two IPSec VPNs, one of which is configured with VTI and OSPF.  Both came up without any problems.

 

I am using dnsMasq - all good.  

IPv6 using SIT - all good.  

 

I am using offloading, including IPSec offload, without any issues (**NB Offloading on the ERX models is different and broken). 

show ubnt offload

IP offload module   : loaded
IPv4
  forwarding: enabled
  vlan      : disabled
  pppoe     : disabled
  gre       : disabled
  bonding   : disabled
IPv6
  forwarding: enabled
  vlan      : disabled
  pppoe     : disabled
  bonding   : disabled

IPSec offload module: loaded

Traffic Analysis    :
  export    : enabled
  dpi       : enabled
    version       : 1.422

 

No errors in logs - everything working well so far. 

 

Emerging Member
Posts: 53
Registered: ‎10-10-2017
Kudos: 19

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

Looks like they pulled the 2.0.0 firmware for the ER-X. Thank you UBNT.

Emerging Member
Posts: 55
Registered: ‎11-17-2017
Kudos: 4

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

Unfortunately this seems to have broken the router. ER-X-SFP went from 1.10.8 to 2.0.0 and after the upgrade it doesn't seem to route packets on switch0. Additionally, when connected to a non-switch0 port (say eth0 is non-switch0 and eth1 is internet), eth0 has full access to internet resources for about 2 minutes. Then the router seems to stop routing. After 3-4 minutes from that point, the router resets and reboots itself. I rolled back to 1.10.8 for now. If UBNT wants my config file for testing let me know.

Member
Posts: 183
Registered: ‎06-13-2018
Kudos: 26
Solutions: 4

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!


@Hypnosis4U2NV wrote:

Looks like they pulled the 2.0.0 firmware for the ER-X. Thank you UBNT.


I still see a working link to a v2.0 build for the ER-X. It is a different build number than the rest and I can't say if this has changed. It is newer than the beta3 build.


 

Is it worth noting what build the ER-X folk were able to successfully/unsuccessfully update?

Veteran Member
Posts: 5,861
Registered: ‎07-03-2008
Kudos: 1852
Solutions: 138

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

The build number has not changed since the original announcement.  We have it running on a number of non-critical e50 routers without incident (doing basic routing, firewall, and VLANs).

Emerging Member
Posts: 53
Registered: ‎10-10-2017
Kudos: 19

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!


@andybgrant

 

I'm not seeing it on their downloads under the ER-X specifically.

 

Also can't pull it up on UNMS.


Ubiquiti Employee
Posts: 1,228
Registered: ‎07-20-2015
Kudos: 1444
Solutions: 81

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

@ildicoeu
> Lighttpd will not come up when upgrading to 2.0
> 2019-01-08 01:01:34: (plugin.c.229) dlopen() failed for: /usr/lib/lighttpd/mod_websocket.so /usr/lib/lighttpd/mod_websocket.so: cannot open shared object file: No such file or directory
The mod_websocket.so was substituted with mod_wstunnel.so in lighttpd v1.4.46 as described here.
There should be no reference to "mod_websocket" in /etc/lighttpd/lighttpd.conf. Please show the output of the following shell command:

 

sudo cat /etc/lighttpd/lighttpd.conf

 

 

@jasonfeig
> ER-X ... Dashboard tab of the GUI it now shows 0bps constantly for eth1, eth2, eth3 and eth4
> Correct, they do belong to switch0, however this issue didn't exist with prior firmwares.
In v2.0.1 we shall restore old functionality where counters of `ethX` are incremented together with `switch0`


@tomharristech
> I'm using an ER4 and my GUI isn't working after the upgrade
Please show output of "sudo cat /etc/lighttpd/lighttpd.conf"

 

@drixter
> IPv6 directly works via ethernet but SIT tunnels doesn't.
SIT tests pass successfully on my test environment. Please post your SIT configuration.

 

@prewestnl
> broke my IPSEC VPN.

  1. Please post your IPSec configuration
  2. Please post output of `sudo swanctl --log` when IPSec fails

@krl
> My ER-X in switch mode with Vlans was no longer accessible via GUI or SSH after the update to Edge OS 2.0.
Please post your interface configuration so I can reproduce it on my lab router.

 

@quielb
> Was https://community.ubnt.com/t5/EdgeRouter/BUG-BFD-not-signaling-RIBd/m-p/2414586 addressed in this update?
No, we have a ticket describing similar symptoms, but this issue has not been fixed yet. I rescheduled this issue to v2.0.2.

 

@bgh
> startup still took a hideous amount of time (5+ minutes),
@Hank
> I have reported the same startup slowness after upgrade
We are aware of this issue. For instance, one of my ER-Lite test environments (Firewall, DHCP client, L2TP VPN) boots in 123 seconds in v2.0.0, but in v1.10.8 it boots in 91 seconds. We shall improve startup time in future v2.0.x releases.

 

@sas_119
> I did notice that the ping and bandwidth tests under the toolbox tab are not working in 2.0.0.
I acknowledge that ping test reports "Invalid ping data" and we shall fix it. But bandwidth test works fine on my test environment. Please make a screenshot that shows bandwidth test failure.

 

@fontaaaaaa
> On a ER-Lite3 here ... Also the PPPoE adapter disconnected.
Please clarify this:

a) Do you mean that PPPoE connected, work for some time and then disconnected forever?

b) Or do you mean that PPPoE never connected?

 

@jdrom
> ERX-SFP ... woke up this morning to have one of my G3 cameras showing as disconnected, it's plugged into eth2 with PoE enabled
> Decided to reboot the ERX just now and that fixed it

  1. Was the LED light on the camera blinking?
  2. If it ever happens again, please show the output of "show interfaces ethernet poe" and "dmesg|grep link".

@DeviceLocksmith

> 2.0 post-config.d starts after radvd has started through systemd, which is a bit too late
> The solution was backporting Debian Buster wpa_supplicant to Stretch
Thank you for investigating this radvd issue and providing a workaround.

 

@Harman20
> My password is now invalid after the update. To be fair, it was a several hundred character password with high ANSI characters.
I created a user with a 400-char-long password and was still able to log in successfully.

Which password are you referring to? Is it the system login password? Or maybe the PPPoE password? Or maybe the IPSec password?

 

@DeviceLocksmith
> My cron scheduler job is gone from config after an upgrade.
I'm not able to reproduce it - I configured cron via "set system task-scheduler" and it survived upgrade. Please post your "task-scheduler" configuration

Emerging Member
Posts: 88
Registered: ‎12-21-2018
Kudos: 49

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!


@UBNT-afomins wrote:

@DeviceLocksmith
> My cron scheduler job is gone from config after an upgrade.
I'm not able to reproduce it - I configured cron via "set system task-scheduler" and it survived upgrade. Please post your "task-scheduler" configuration


    task-scheduler {
        task eap-tls {
            crontab-spec "* * * * *"
            executable {
                path /config/scripts/restart-eap-tls
            }
        }
    }

With workaround for radvd start time, I no longer need this task, but it was present before upgrade to 2.0 and is no longer in config after upgrade.

Regular Member
Posts: 484
Registered: ‎10-16-2016
Kudos: 60
Solutions: 13

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

The files in the image are changed at 03.01.2019, so this isn't a "newer" version ...
Emerging Member
Posts: 88
Registered: ‎12-21-2018
Kudos: 49

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!


EDIT: Executive summary. It appears that the current kernel in 2.0, at least in Cavium builds, is vulnerable to the FragmentSmack DoS vulnerability. Please fix. Original text below.

 

 

Around the 4.9.134 kernel timeframe, a fix for FragmentSmack (CVE-2018-5390/CVE-2018-5391) was introduced into the kernel: ip: discard IPv4 datagrams with overlapping segments
There is a patch in the upstream kernel for the Cavium 2.x kernel train that may be beneficial to include in EdgeRouter kernel builds, if they do include fixes for FragmentSmack.

Given the fact that a lot of UBNT hardware is used in wireless environments with a lot of potential for duplicate fragments, if UBNT kernel builds include the fix for FragmentSmack (and without looking at sources, it is difficult to tell if they do), this specific patch may be worth looking into.

 

commit 122aeb4a1990e9d15641cf54db4f812aeaa52ed0
Author: Michal Kubecek <mkubecek@suse.cz>
Date:   Thu Dec 13 17:23:32 2018 +0100

    net: ipv4: do not handle duplicate fragments as overlapping
    
    [ Upstream commit ade446403bfb79d3528d56071a84b15351a139ad ]
    
    Since commit 7969e5c40dfd ("ip: discard IPv4 datagrams with overlapping
    segments.") IPv4 reassembly code drops the whole queue whenever an
    overlapping fragment is received. However, the test is written in a way
    which detects duplicate fragments as overlapping so that in environments
    with many duplicate packets, fragmented packets may be undeliverable.
    
    Add an extra test and for (potentially) duplicate fragment, only drop the
    new fragment rather than the whole queue. Only starting offset and length
    are checked, not the contents of the fragments as that would be too
    expensive. For similar reason, linear list ("run") of a rbtree node is not
    iterated, we only check if the new fragment is a subset of the interval
    covered by existing consecutive fragments.
    
    v2: instead of an exact check iterating through linear list of an rbtree
    node, only check if the new fragment is subset of the "run" (suggested
    by Eric Dumazet)
    
    Fixes: 7969e5c40dfd ("ip: discard IPv4 datagrams with overlapping segments.")
    Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 

The same patch is also upstream for the Mediatek kernel train.

 

Upstream patch is here.

 

 

There is a kernel test that tests for both the CVE-2018-5390 vulnerability and a bug in the original vulnerability fix.

 

I've compiled the test for Cavium and it currently fails, which, as far as I understand, means that 2.0 on Cavium is vulnerable to CVE-2018-5390/CVE-2018-5391. I've attached the compiled test.

 

root@router:/home/ubnt/bug# chmod +x ./*
root@router:/home/ubnt/bug# ./ip_defrag.sh
ipv4 defrag
seed = 1547058807
./ip_defrag: recv: payload_len = 3899 max_frag_len = 8: Resource temporarily unavailable
root@router:/home/ubnt/bug# echo $?
1

 

 

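The two reassembly policies in the commit message quoted above, modelled as an added example that is not Ubiquiti's code and not the kernel's: the first fix (drop the whole queue when any arriving fragment intersects what is already queued) beside the follow-up (drop only a fragment that lies entirely inside a run of consecutive fragments already received). The queue is a list of coalesced [start, end) byte intervals standing in for the kernel's rbtree-plus-"run" structure, only offset and length are compared (never payload, exactly as the commit says), and the three fragment streams, including the datagram size and fragment sizes, are constructed for the demo to show why a link that delivers duplicate fragments made datagrams undeliverable under the first fix.

```python
"""Fragment-reassembly policy simulation (added example, not kernel or Ubiquiti code).

Models a single datagram's IPv4 reassembly queue as sorted, coalesced runs of
[start, end) byte intervals and applies one of two policies to each arriving
fragment: the first fix (drop the whole queue on any intersecting fragment) or
the follow-up (drop only a fragment lying entirely inside an existing run).
Only offset and length are examined, never payload, exactly as the commit says.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Fragment = Tuple[int, int]  # (offset, length); real IPv4 offsets are multiples of 8


@dataclass
class ReassemblyQueue:
    duplicates_only: bool   # False: drop queue on any intersection; True: follow-up behaviour
    runs: List[List[int]] = field(default_factory=list)  # sorted, coalesced [start, end) runs
    dropped_fragments: int = 0
    queue_dropped: bool = False

    def add(self, frag: Fragment) -> bool:
        """Offer one fragment; return True if it was stored."""
        if self.queue_dropped:
            return False                      # queue already discarded; later fragments are lost
        start, length = frag
        end = start + length
        for r0, r1 in self.runs:
            if end <= r0 or start >= r1:
                continue                      # disjoint from this run
            if self.duplicates_only and r0 <= start and end <= r1:
                self.dropped_fragments += 1   # subset of a run: treat as duplicate, keep queue
                return False
            self.queue_dropped = True         # genuine overlap (or first-fix policy): drop all
            self.runs.clear()
            return False
        self._insert(start, end)
        return True

    def _insert(self, start: int, end: int) -> None:
        """Store [start, end) and coalesce it with any run it touches."""
        self.runs.append([start, end])
        self.runs.sort()
        merged = [self.runs[0]]
        for s, e in self.runs[1:]:
            if s <= merged[-1][1]:            # touching (overlap was already excluded by add)
                merged[-1][1] = max(merged[-1][1], e)
            else:
                merged.append([s, e])
        self.runs = merged

    def complete(self, total_len: int) -> bool:
        """True once a single run covers the whole datagram."""
        return self.runs == [[0, total_len]]


def simulate(fragments, total_len, duplicates_only):
    """Feed a fragment stream through one policy.
    Returns (datagram_delivered, fragments_dropped_as_duplicates, queue_dropped)."""
    q = ReassemblyQueue(duplicates_only)
    for frag in fragments:
        q.add(frag)
    return q.complete(total_len), q.dropped_fragments, q.queue_dropped


# Constructed streams for a 3000-byte datagram split into 1480/1480/40-byte fragments.
TOTAL_LEN = 3000
CLEAN_STREAM = [(0, 1480), (1480, 1480), (2960, 40)]
# Every fragment seen twice, as a retransmitting wireless link can deliver them.
DUPLICATED_STREAM = [f for f in CLEAN_STREAM for _ in range(2)]
# Second fragment shifted back 8 bytes so it partially covers the first: a real overlap.
OVERLAPPING_STREAM = [(0, 1480), (1472, 1480)]

if __name__ == "__main__":
    for name, stream in (("clean", CLEAN_STREAM), ("duplicated", DUPLICATED_STREAM),
                         ("overlapping", OVERLAPPING_STREAM)):
        for policy in (False, True):
            delivered, dups, killed = simulate(stream, TOTAL_LEN, policy)
            print(f"{name:11s} duplicates_only={policy!s:5s} delivered={delivered} "
                  f"dropped_dups={dups} queue_dropped={killed}")
```

Under the first policy the duplicated stream never completes because the second copy of the first fragment discards the queue; under the follow-up policy the three copies are dropped individually and the datagram is delivered, while the genuinely overlapping stream is still discarded by both. Because only offsets are checked, a second fragment at the same offset with different bytes is also treated as a duplicate; that is the trade-off the commit message states, and the simulation reproduces it rather than hiding it.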
New Member
Posts: 17
Registered: ‎03-09-2018
Kudos: 1

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

@UBNT-afomins It's the WebGUI login password. The password for my admin account gave me invalid login errors after I ran the update. I have since downgraded to the previous version.

 

Maybe I could have done a reset/wipe and uploaded a modified backup of a config with a cleartext password and then changed the password to something complicated again.

New Member
Posts: 27
Registered: ‎02-18-2016
Kudos: 12

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!


@Harman20 wrote:

My password is now invalid after the update. To be fair, it was a several hundred character password with high ANSI characters.


To be honest, it would make me somewhat happy if your router got bricked from doing that...

New Member
Posts: 32
Registered: ‎03-29-2016
Kudos: 2

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

@krl
> My ER-X in switch mode with Vlans was no longer accessible via GUI or SSH after the update to Edge OS 2.0.
Please post your interface configuration so I will reproduce it on my lab router
interfaces {
    ethernet eth0 {
        description "Switch Port"
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description "Switch Port"
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description "Switch Port"
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description "Switch Port"
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description "Switch Port"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    switch switch0 {
        address dhcp
        mtu 1500
        switch-port {
            interface eth0 {
                vlan {
                    vid 10
                    vid 20
                }
            }
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
                vlan {
                    pvid 10
                }
            }
            interface eth4 {
                vlan {
                    vid 10
                    vid 20
                }
            }
            vlan-aware enable
        }
    }
}
service {
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        connection wss://192.168.1.4:443*********************
+allowUntrustedCertificate
        disable
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt
    login {
        user ****** {
            authentication {
                encrypted-password ************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.8.5142457.181120.1809 */
New Member
Posts: 27
Registered: ‎02-18-2016
Kudos: 12

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!


@krl

Where are the IP addresses for vlans?  That could be a problem...

New Member
Posts: 9
Registered: ‎08-31-2017

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!


@UBNT-afomins

Here are the contents of my lighttpd.conf file:

server.modules = (
        "mod_access",
        "mod_alias",
        "mod_redirect",
        "mod_fastcgi",
        "mod_rewrite",
        "mod_openssl",
        "mod_wstunnel",
)

server.document-root        = "/var/www/htdocs"
server.upload-dirs          = ( "/tmp" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.tag                  = "Server"

index-file.names            = ( "index.php", "index.html",
                                "index.htm", "default.htm",
                               " index.lighttpd.html" )

url.access-deny             = ( "~", ".inc" )

static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".py" )

server.dir-listing          = "disable"

include "mime.conf"
include "conf-enabled/10-ssl.conf"
include "conf-enabled/15-fastcgi-python.conf"

wstunnel.ping-interval = 30

$HTTP["url"] =~ "^/ws/stats" {
        wstunnel.server = ( "" => ( ( "socket" => "/tmp/ubnt.socket.statsd" ) ) )
        wstunnel.frame-type = "text"
        server.max-read-idle = 600
        server.stream-request-body  = 2
        server.stream-response-body = 2
}

$HTTP["url"] =~ "^/ws/cli" {
        wstunnel.server = ( "" => ( ( "socket" => "/tmp/ubnt.socket.cli") ) )
        wstunnel.frame-type = "binary"
        server.max-read-idle = 600
        server.stream-request-body  = 2
        server.stream-response-body = 2
}

I noticed there was what looked like an additional trailing comma after "mod_wstunnel" at the top, so I removed it, which changed nothing at all. I've reverted it since.

 

I ran sudo service lighttpd status, to see if it would yield anything useful:

* lighttpd.service - Lighttpd Daemon
   Loaded: loaded (/lib/systemd/system/lighttpd.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-01-09 19:40:51 UTC; 2min 7s ago
  Process: 3682 ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf (code=exited, stat
  Process: 3679 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exited, s
 Main PID: 3682 (code=exited, status=255)

Jan 09 19:40:50 myroutername systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Jan 09 19:40:51 myroutername systemd[1]: lighttpd.service: Service hold-off time over, scheduling re
Jan 09 19:40:51 myroutername systemd[1]: Stopped Lighttpd Daemon.
Jan 09 19:40:51 myroutername systemd[1]: lighttpd.service: Start request repeated too quickly.
Jan 09 19:40:51 myroutername systemd[1]: Failed to start Lighttpd Daemon.
Jan 09 19:40:51 myroutername systemd[1]: lighttpd.service: Unit entered failed state.
Jan 09 19:40:51 myroutername systemd[1]: lighttpd.service: Failed with result 'exit-code'.
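A small lint for the module list, as an added example that is neither Ubiquiti's nor lighttpd's code: it collects the names in server.modules, follows the include lines, and reports any module whose shared object is absent from the module directory, which is the dlopen() failure quoted earlier in the thread for mod_websocket. The rename table is the mod_websocket to mod_wstunnel change the Ubiquiti reply mentions; the two sample configs, the temporary directory standing in for /usr/lib/lighttpd and the empty stub .so files are all constructed for the demo, and includes are followed one level only.

```python
"""Lint a lighttpd.conf for server.modules entries whose .so is missing.

Added example, not Ubiquiti's or lighttpd's code. The sample configs, the
temporary module directory and the empty stub .so files are constructed here.
"""
import os
import re
import tempfile

# Rename noted in the thread: mod_websocket became mod_wstunnel in lighttpd 1.4.46.
RENAMED_MODULES = {"mod_websocket": "mod_wstunnel"}

COMMENT_RE = re.compile(r"#.*$", re.M)
SERVER_MODULES_RE = re.compile(r"server\.modules\s*\+?=\s*\((.*?)\)", re.S)
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"', re.M)
STRING_RE = re.compile(r'"([^"]+)"')


def read_config(conf_path):
    """Return (text, missing_includes): the main file plus each include it names
    (one level deep), comments stripped, relative paths resolved against the
    main file's directory."""
    with open(conf_path) as fh:
        text = COMMENT_RE.sub("", fh.read())
    base = os.path.dirname(os.path.abspath(conf_path))
    missing_includes = []
    for rel in INCLUDE_RE.findall(text):
        path = rel if os.path.isabs(rel) else os.path.join(base, rel)
        if not os.path.isfile(path):
            missing_includes.append(rel)
            continue
        with open(path) as fh:
            text += "\n" + COMMENT_RE.sub("", fh.read())
    return text, missing_includes


def lint_modules(conf_path, module_dir):
    """Report listed modules with no <name>.so under module_dir, plus any name
    known to have been renamed. Only quoted names are collected, so the trailing
    comma the poster noticed after "mod_wstunnel" is harmless here too."""
    text, missing_includes = read_config(conf_path)
    modules = []
    for body in SERVER_MODULES_RE.findall(text):
        modules.extend(STRING_RE.findall(body))
    missing = [m for m in modules
               if not os.path.isfile(os.path.join(module_dir, m + ".so"))]
    renamed = {m: RENAMED_MODULES[m] for m in modules if m in RENAMED_MODULES}
    return {"modules": modules, "missing": missing,
            "renamed": renamed, "missing_includes": missing_includes}


# Constructed samples: a v1.x-era module list beside the v2.0-style one.
OLD_CONF = '''server.modules = (
        "mod_access",
        "mod_websocket",
)
include "conf-enabled/10-ssl.conf"
'''
NEW_CONF = '''server.modules = (
        "mod_access",
        "mod_wstunnel",
)
'''


def demo():
    """Build a throwaway module dir with empty stub .so files and lint both configs."""
    with tempfile.TemporaryDirectory() as tmp:
        moddir = os.path.join(tmp, "usr", "lib", "lighttpd")  # stands in for /usr/lib/lighttpd
        os.makedirs(moddir)
        for name in ("mod_access", "mod_wstunnel"):
            open(os.path.join(moddir, name + ".so"), "w").close()  # stub, never dlopen()ed
        results = {}
        for label, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
            path = os.path.join(tmp, label + ".conf")
            with open(path, "w") as fh:
                fh.write(conf)
            results[label] = lint_modules(path, moddir)
        return results


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Run against the config posted above, the lint finds nothing to flag, which matches what the status output shows: the ExecStartPre syntax test (lighttpd -t -f /etc/lighttpd/lighttpd.conf) is run by the unit, and the service still exits with status 255 without naming a module, so the next place to look is the log the config itself sets, /var/log/lighttpd/error.log.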

 

New Member
Posts: 4
Registered: ‎04-26-2017
Kudos: 2

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!


Hi,

@drixter
> IPv6 directly works via ethernet but SIT tunnels doesn't.
SIT tests successfully pass on my test environment. Please post your SIT configiration

It was due to the VPN issue; now it seems to be OK after debugging.

For those who have SIT or GRE over VPN tunnels, this hint may help: the configuration works on the old EdgeMAX v1.x software, but v2.0 has a newer version of strongSwan, which may generate problems and require defining the prefix for both sides.

What was needed on my side was to strictly define the local and remote prefix, even if this is a PtP connection. This helps to match the SA and seems to be important in this version of the software.

set vpn ipsec site-to-site peer REMOTE_IP authentication mode pre-shared-secret
set vpn ipsec site-to-site peer REMOTE_IP authentication pre-shared-secret ...
set vpn ipsec site-to-site peer REMOTE_IP connection-type initiate
set vpn ipsec site-to-site peer REMOTE_IP default-esp-group ...
set vpn ipsec site-to-site peer REMOTE_IP description '...'
set vpn ipsec site-to-site peer REMOTE_IP ike-group ...
set vpn ipsec site-to-site peer REMOTE_IP ikev2-reauth inherit
set vpn ipsec site-to-site peer REMOTE_IP local-address LOCAL_IP
set vpn ipsec site-to-site peer REMOTE_IP tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer REMOTE_IP tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer REMOTE_IP tunnel 1 protocol 41


This needs to be added:

set vpn ipsec site-to-site peer REMOTE_IP tunnel 1 local prefix LOCAL_IP/32
set vpn ipsec site-to-site peer REMOTE_IP tunnel 1 remote prefix REMOTE_IP/32

 

Thanks,
