Release notes from version 2.03.017 to 2.04.017

BGP

• Fix buffer leak when very busy
• Don't crash on shutdown if already removing a peer

CLI

• Reject incorrect keywords

Config

• Add show diff functionality for checking changes are as expected
• Prevent spaces in IPNameAddr fields
• Fix crash loading configs with route-override entries
• Prevent empty strings and spaces in IpNameAddr fields

FB105

• Avoid unneeded routing table updates on profile changes
• Improve performance under load

IKE

• Silently drop unacceptable pre-auth IKE packets (configurable)

IPv6

• Fix potential RA crash when out of buffers

L2TP

• Show rx/tx statistics for relayed outgoing L2TP sessions
• Rename HA stats logging config item
• Ping tunnel peers to gather CQM info
• Allow setting of arbitrary L2TP AVPs during relaying via a vendor-specific RADIUS AVP

LACP

• Fix bug with clock drift that could cause port flapping

Logging

• Separate TLS log target

OS

• Recognise software builds with multiple signatures

PPPoE

• Don't override PPP DNS settings with incoming if unset
• Respect delegate-framed option

RADIUS

• Fix internal race that could stop FireBrick connecting to RADIUS
• Allow framed routes to override the preference of delegated
• Don't deduplicate framed-routes excessively
• Rotate IPs within a <server> entry
• Add per request type option to limit the total time for a request (thus avoiding retries if the pool is responding slowly)

SNMP

• Fix reporting of BGP shutdown state over SNMP

TCP

• More efficient use of internal memory

USB

• Fix crash if we can't get control endpoint for a device

VRRP

• Fix rare bug which could cause backups to become master in error

VoIP

• Fix ! behaviour in bulk carrier loading

Web UI

• Fix problem where websockets (eg live logging) could close unexpectedly
• Add molly guard to factory reset UI
• Add link for debug users to manage flash contents from Software Upload page

Release notes from version 2.02.009 to 2.03.017

Network

• Rework packet receive code to improve DoS resilience

BGP

• Send graceful shutdown community if clean-shutdown-wait is set

Config

• Fix issues with config auto-backup-url and pre-reboot-url
• Fix anomalies in reverting and testing config changes

DNS

• Attempt to use a relevant address when inserting self as DNS target

L2TP

• Allow prefix delegation to L2TP RAs
• Correct MTU when session has HDLC but tunnel doesn't
• Don't create new outgoing connections during shutdown
• Add config option for delegating framed routes (older versions would always delegate)
• Set default to always delegate framed routes (set for compatability, but this default will change in future)

Logging

• Fix crash when changing some log email targets

MQTT

• Fix bug with inverted profiles and home assistant switches
• Avoid crash with unusual TCP activity during connect processing

OS

• Update zlib

PPPoE

• Don't override PPP DNS settings with incoming if unset

Ping

• Fix possible crash when using ping diagnostic tool

RADIUS

• Fix internal race that could stop FireBrick connecting to RADIUS
• Fix deadlock between L2TP and RADIUS
• Fix crash on receiving disconnect message

Routing

• Allow an ICMP source IP to be configured
• Fix rare situations where subnet routing can break and/or use high CPU

VRRP

• Start VRRP after BGP and stop it before

Release notes from version 2.02.007 to 2.02.009

BGP

• Send correct end-of-RIB to IPv6 peers
• Change default so we don't advertise IPv4 capability to IPv6-only peers

CQM

• Make default graphs work when clock isn't set
• Correctly report latency of localhost ping graphs

Certificates

• Only verify ECDSA certificates on ingress

Config

• Fix issue causing rare config upload fails

Shutdown

• Fix occasional flash-save timeouts on shutdown

Software upgrade

• Fix issue where a failure in checking upgrades could cause a crash

Web UI

• Allow sorting of the Flash Contents page

Release notes from version 2.01.101 to 2.02.007

ACME

• Allow letsencrypt without specifying an email address (assuming agreed elsewhere)

ARP

• Make queued packets be more likely to be recent (and thus useful)
• Clear out stale entries more efficiently

BGP

• Don't wait for shutdown time if sessions are not established
• Fix rare crash on ignored BGP updates

CQM

• Slightly faster bulk ping loading
• Don't keep updating layout whilst loading many graphs

DHCP

• Fix crash when repeatedly exercising certain paths through DHCPv6

Ethernet

• Turn off ports that aren't in any port group

Firewall

• Add options for using TTL as part of firewalling decisions
• Fix errors around session timer rollover
• Bugfix for display of PCP sessions

HTTP

• Support chunked transfer encoding in client

IP

• Don't report incorrect source address when sending ICMP messages

IPsec

• Fix rare crash on disconnection

Internal

• Improved checking when freeing internal memory

LACP

• Disable LACP on ports not in a portgroup
• Improve layout of LACP diagnostic

Logging

• Prevent syslog-email holding up config changes under certain circumstances

MQTT

• Clean up after closures in a more timely manner
• Fix session counting issue when TCP fails to accept
• Support for large packets

NTP

• Respect table default source IP

OS

• Improve diagnostics for certain classes of deadlock
• Delay automatic upgrades until at least 10 mins after boot
• Don't clear image penalties on successful shutdown
• Fix rare watchdog
• Force hard reboot when booting block 0 (bootloader)

OSPF

• Try to remove some potential races

PPPoE

• Show MAC address for server and client
• Correctly remember our own PPPoE IP when configured from RADIUS

Ping

• Only accept correct ping replies as valid responses to a ping

Profile

• Initialise state when profile becomes (or ceases being) a control switch
• HomeAssistant auto config for switch and binary sensor
• Fix potential race when saving profile switch state
• Add option to allow any reply (not just ping response) to count for ping profiles

Routing

• Fix rare crash when changing routes for subnets
• Improve layout for routing diagnostic tool

SIP

• Improve response handling

Strack

• Fix total active sessions count

TCP

• Improvements
• Avoid rare deadlock in internal TCP code

TLS

• ECDSA support
• Fix incorrect object identifier for SHA224

Telnet

• Fix crash in telnet

VoIP

• Improve preauth opt out settings
• Improve handling of NATted signalling
• Improved diagnostics and potential fixes for watchdog

Web UI

• Add tab completion to XML editor
• Show larger traffic graphs on ports page
• More reliable HTTP POST handling in some error circumstances
• Report last port up/down time
• Fix IPv6 peer address in BGP compare
• Add filtering to firewall
• Fix possible crash looking at ethernet statistics
• Show free buffer count in buffer statistics report
• Improve display of bonded routes
• Fix display of bootloader upgrades
• Fix uploading of small images (e.g. 9000 AUX builds)
• Improve wording and display of reboot delay time and countdowns
• Improve error reporting when config upload fails in editor
• Fix QR display when creating OTP
• Add LACP status for debug users
• Filtering on L2TP sessions page
• Update FireBrick website link
• Avoid truncating long routing diagnostic output

Release notes from version 2.00.100 to 2.01.101

ARP

• Better handling when sending many messages to non-existant locally connected targets

BGP

• Shutdown more cleanly on profile disabling
• Log which AS we are rejecting if it doesn't match
• Fix incorrectly reported exports with multiple tables in play
• Remove inaccurate/confusing status text
• Fix potential crash with flappy routes and multiple peers
• Avoid some potential crashes with repeated config updates

CLI

• Add filtering by table to "show bgp peer/summary" and "show route nexthop"

CQM

• Treat graph names consistently case sensitively
• Allow automatic ping graphs to be configured for DHCP entries
• Correct UDP checksum for shared shapers and add status page

Config

• Disable legacy time server (port 37) by default
• Make it easier to find banner background option
• Some improvements to demo mode

DHCP

• Improve handling of locked entries
• Fix crash when serving certain requests
• Add support for the "rebinding" state in client
• Send server ID when in "selecting" state
• Allow DHCP6 client to be configured directly (not via RA)

DNS

• Fix race that could (very rarely) result in mangled packets whilst relaying

Diagnostics

• Add config option to dump some of the stack on certain classes of crash
• Improve mutex acquisition timeout diagnostic

Ethernet

• Don't report spurious SFP diagnostic values

FB105

• Improve speed of obfuscation
• Fix rare crash

Firewall

• Improve efficiency of firewall timeouts
• Add obfuscation options
• Fix crash due to code optimisation
• Fix race on one sided session reuse

HA

• Fix for handling special packets and other tunnels within HA L2TP tunnels

IPv6

• Fix issue with duff broadcast address in some RAs

Internal

• Tweak scheduler to try and avoid rare thread starvation conditions

L2TP

• Add speed settings to L2TP local authentication
• Config option for L2TP IPv6 tunnels without a checksum
• Avoid rare crash fetching status
• Add option to send Operator-Name on a per <incoming> basis
• Support specifying the source IP for payload traffic

LACP

• Hot standby mode selection for wider switch compatibility

Logging

• Log L2TP RADIUS errors to the RADIUS debug log (instead of the system one)
• Add a log for a user's events (currently logins)
• Report hardware watchdogs to support
• Log slow config load functions to sys debug
• Log bootloader upgrades
• Improve detail in some logs
• Shorten TCP connection timeout for email logs
• Change VRRP not found to debug

MQTT

• Fix retained message handling timeouts
• Fix a couple of rare crashes
• Drop oversize QOS0 messages
• Global option to send retain flag to clients (default on).
• Correct sending retain to clients only for old retained messages not new ones after subscription established
• Fix where subscriptions could get overwritten in some cases
• Fix CPU spikes that can grow with uptime

Manual

• Explain the 2 types of defaulting in the XSD
• Improve layout slightly
• Remove some out of date screenshots
• Improve LACP standby explanation

NTP

• Use MD5 hash for reference ID of IPv6 time sources

OS

• Use cached memory in more situations
• Handle devices that don't respond to unicast ARP (Starlink) more gracefully
• Additional type of watchdog for catching rogue high priority threads

PPPoE

• Add an additional profile to prevent responding to PADI messages
• Allow omitting of automatic caller-id end
• Show the acname correctly in status
• Report PPPoE info more reliably on L2TP sessions page

Ping

• Don't crash when we cannot create ping from config (because too many have already been bulk loaded)

Profiles

• Allow control switches to be set from the menu (and allow them to be locked for sensitive ones)

RADIUS

• Drop legacy AOR AVP number
• Fix issue with RX shapers and CoA
• Make status mechanism more in line with other services

Routing

• Fix loop detection in source IP determination
• Add debug user command for dumping internal state of routing
• Fix bug that could cause routes to transiently appear as NULL in the forwarding table

SNMP

• Fixes for L2TP SNMP
• Fix bug which can occur when encoding zero values

Sampling

• Fix rare crash when changing interface config as a sample is taken

Software upgrade

• Add button for downloading latest software without rebooting

TCP

• Add option for TCP stealth mode for the FireBrick itself (without using the firewall)

Telnet

• Fix rare crash when quickly creating multiple telnet sessions
• Add task stat clear command

VOIP

• Tweak wording of security-replies registration warning and add context to manual
• Improve logging

VRRP

• Show time in a given state

VoIP

• Handle NAT RTP more cleanly when far end is silent and not sending RTP packets
• Add additional ways to detect anonymous calls for telephony operators
• Fix rare issue with RTP packets from 0.0.0.0

Watchdog

• Additional context for rare watchdog

Web UI

• Add DNS cache state status (for debug users)
• Make the status page clearer during reboots
• Modify UI layout to avoid a couple of strange looking edge cases
• Allow an additional level of submenus
• Allow menus to be expanded and collapsed interactively
• Scroll tables horizontally if they don't fit in the page
• Reorganise the menu entries
• Add button for clearing flash penalties (debug user)
• CSS hinting tweaks
• Add a page for unit info
• Put intro text in page header
• Ensure profile switches show up to date status over config change
• Fix issue where test/save buttons could appear twice after repeated config test edits
• Reword software upgrade page
• Optionally group control switches in menu
• Accept connections from "trusted" (but not "allowed") hosts during ACME renewal
• Group profile buttons on home page
• Fix issue that could cause live logging to use CPU excessively
• UI tweaks

Firewall

• Increase priority of firewall event processing task

Internal

• Use interrupts to change LED state

Release notes from version 1.61.010 to 2.00.100

• Rework apps to run efficiently on the FB9000 platform - this is a major rework that may impact all platforms
• Internal code changes to slightly improve performance

ARP

• Recover faster from certain subnet changes
• Slightly improve ARP queue timeout handling for entries that do not resolve but are in constant use.

BGP

• Shutdown timeout - be tolerant of negative NTP adjustments
• Add profile to peer list in config editor
• Check that peers define unique connections
• Improvements to graceful restart
• Improve connection handling
• Fix issue with GET method for new SNMP OIDs
• Additional states for shutdown and preshutdown in new OIDs
• Add prefix limit info to SNMP
• Include held routes in the count of imported prefixes
• Improvements and bugfixes
• Intersperse connection handling better

CQM

• Calculate times for XML output the same way as for images
• Handle extremely low ping latencies better

Config

• Added auto-backup-url to config to POST changed config
• Improve config patch mechanism
• Fix "*" parsing for port ranges

DNS

• Prevent forwarding of other types for overridden DNS entries

Ethernet

• Allow assignment of specific MAC addresses to subnets and interfaces

Firewall

• Only ARP targets in overlapping subnets if we would allow traffic to them
• Improve source IP selection when NAT is targetting overlapping subnets
• Add more detail to firewall diagnostic

IPsec

• Remove path by which eap-user restrictions could be evaded by some clients

IPv6

• Advertise a /64 for PD SLAAC (even if the delegated prefix is larger)
• Introduce a list of ra-subnet-template on interfaces to allow setting of options for RA generated subnets (replaces ra-client)
• Prevent prefix delegation on linked interfaces (including by implicit defaults)
• Fix issue with RA and ignore_dns that can cause subnets to be recreated

Internal

• Improve resource utilisation of streams

L2TP

• Corrected handling of Framed-IPv6-Address as interface address in RADIUS
• Add calling/called station IDs to L2TP session status
• Fix crash with packets claiming different lengths in different ways
• Allow IPv6 DNS to be overridden via RADIUS
• Don't kill tunnels immediately when profiling off incoming
• Report the correct number of packets for TX and RX

LACP

• Advertise additional links as standby when it makes sense to do so
• Put secondary links in hot standby when speed limited by hardware
• Handle badly behaved link partner better

LEDs

• Remove fast blink mode for efficiency
• Avoid rare race updating activity LEDs
• Fix rare stuck on LED when ports are disconnected/disabled

Logging

• Increase internal logging capacity

MQTT

• Reconnect faster on "external" config changes and improve status
• Fix issue where tx is available late

Manual

• Add more commands to the manual
• Improve MIB appendix

OSPF

• Fix crash when config changed repeatedly very rapidly

PPPoE

• Fix typo on PPP status page
• Don't accept PPPoE inbound connections if the matching incoming is profiled off
• Log sending the PADR

Pcap

• Make labels on pcap form slightly better
• Support multiple IPs and ranges in the filtering

Profiles

• Add uptime test to allow staggered starting of services
• Evaluate conditions when adding (to avoid flapping without careful choice of initial)

Routing

• Remove 6to4 (2002:) IP mapping
• Add tunnel IDs to routing diagnostic summary
• Avoid sending packets with potentially inappropriate source IPs (applies to overlapping subnets mainly)
• Force immediate reconsideration routes when related gateways have expired

SNMP

• Add system memory utilisation to SNMP
• Make buffer statistics reflect new reality (that most buffers are in a global pool)

TCP

• Improve preempting of TCP connections in the timewait state
• Limit accept queues more consistently
• Reduce resource usage when in TIME-WAIT

TLS

• Add connection count to 1 second stats

VRRP

• Take notice of the profile on the parent interface

VoIP

• Improve how VOIP logging reads

Web UI

• Improve profile switch behaviour when clicked fast repeatedly
• Show dBm in addition to uW for SFPs when possible
• Config option to change colours of user interface
• Add buttons to config editor for reordering items in ordered lists
• Darker background for select multiple selections
• Avoid underflow when showing number of seconds remaining for config test (cosmetic)
• Added warning that config save is recommended
• Tidy up config edit page
• Improve layout of BGP buttons
• Show reboot now option when shutting down
• Wrap lines in XML editor on first load
• Buttons to delete flash blocks as a DEBUG user
• Click on headings to sort status tables
• Provide load indicator on Status page
• Suppress iphone phone number autodetection (so it doesn't pick up the serial number)
• Add arrows (ascending and descending) to sorting
• Record txnodesc more like other ethernet stats
• Add ability to view old configurations and boot alternative images to flash contents (as DEBUG)
• Reorder ping form
• Tweak upload styling
• Show route diagnostic in prefix order

Config

• Small improvements to the auto backup feature to make it nicer

Release notes from version 1.60.010 to 1.61.010

CQM

• Small change to SVG to make loss/latency squared off like png

Certificates

• Avoid panic on reboot if FB private key gets deleted

Config

• Enforce list max occurrences limits for all config items

DHCP

• Treat a profile on a DHCP config entry with a restriction consistently with other config profile usage.

DHCPv6

• Various improvements (especially in the client)
• Make DHCPv6 work better with larger prefixes
• Allow larger server DUIDs

Ethernet

• Share MAC address on VLAN 0 between bootloader and app for each port

IKE

• Send out of band error when INIT request negotiation fails

IPv6

• Improved reliability of RA handling

MQTT

• Bigger MQTT messages
• Additional options on MQTT external

PPP

• Bug fix for issues with PPP client corrupting subnets

PPPoE

• Increase number of allowed PPP sessions (and fix crash loading configs with more than 20)

RADIUS

• Juniper ERX ingress/egress policy name in RADIUS server
• Correct defaulting of RADIUS server settings

VoIP

• Subtle change to message handling in VoIP (getting actual 408 response to INVITE)
• CLI settings not always passing through

Web UI

• Improve layout on XML edit page
• Improve button placement on system info pages
• Explanation added regarding TCP stress test blob output
• Further improve XML edit and reduce vertical height of top bar
• Make XML download links look like links
• Add line numbers to XML editor
• Reject paths with extraneous middle segments
• Various UI improvements
• Add a config option to prevent refreshing the CQM image lists
• Make graphs on the image list page clickable
• Editor - fix colour picker with 3 digit hex colours
• Force text colour in buttons to black (apparently ipads can default it to white)
• Warn on most pages when config is no longer valid

MQTT

• MQTT crash fix
• Sending cleaner CONNACK for error cases

Release notes from version 1.59.000 to 1.60.010

CLI

• Show thread stats for longer sample period

DHCP

• Improved controls over DHCP logging

DHCP/DNS

• Additional "latest IP allocated" DNS name for DHCP - see auto-dhcp-new in DNS settings

DHCPv6

• Simple DHCPv6 client mode (experimental)

Diagnostics

• Provide info about HTTP connections for debug users on web and telnet

HA

• Fix HA groups D-G
• Improve handling of HA bonded tunnels with extremely mismatched latency (seconds)

HTTP

• Be more tolerant of lack of Content-length in HTTP client

IP

• Use the table's default source IP in more places

IPv6

• Interface setting ra-client now default if wan set, else not default
• Interface setting now define PD (prefix delegation), default if wan/ra-client/ra not set

L2TP

• Respect table setting for MTU calculation for outgoing and relayed L2TP connections
• Put serial number in calling station ID if unset (temporary change)
• Add mechanism for advising LAC of tx speed when needed
• Put serial number in calling station ID if explicitly set to ''

Logging

• Fix issue with emailed logs - were sending to last MX not first, and leaving TCP open causing issues if too many emails sent

MQTT

• Added MQTT console

RADIUS

• Added allow list for RADIUS CoA requests as alternative to host IP match
• Add logging on RADIUS match
• Added top level IP allow check on RADIUS
• Faster RADIUS failover (and updated documentation)

VoIP

• Limit email addresses for recording to 2000 chars

Web UI

• Add details of L2TP states session states on tunnel status pages
• Show which tables session tracking is active on in UI
• Fix looping causing loss of UI if TCP stress test fails

DHCPv6

• Updated IPv6 SLAAC/RA logic to allow control of extra flags and simple ethernet side DHCPv6 server

PPP

• Handle missed PAP reply on PPP

Release notes from version 1.58.111 to 1.59.000

ACME

• ACME error reporting could get garbled message in some error cases

FB105

• Fix rare crash with FB105 tunnel bonding during configuration change

IPsec

• Fixed a problem with validation of peer certificate
• Fixed handling of out-of-order IKE fragments
• There is a new attribute peer-eaplist available on an IKE connection config item which enables the allowed EAP usernames to be specified.
• Improve EAP diagnostic logging and fix minor problem with message ID number checking
• Further improvements to EAP processing and error logging

L2TP

• Configured outgoing L2TP sessions now respect the bgp setting in the config

MQTT

• Added listener for FireBricks/# topic

RADIUS

• Some additional RADIUS server settings, matching, added mqtt logging and changed log format to JSON, for working with some WiFi kit

TLS

• Improved stream handling in TLS to avoid occasional race conditions causing crashes

VoIP

• Improve logging when bulk carrier import fails

Web UI

• Fix speed bars on status pages
• Provide option for detailed ethernet stats on port status web page

DHCP

• Changed some DHCP server logging to be JSON format (same as used for MQTT)

MQTT

• Changed MQTT mapping field names and fixed incorrect help text

OSPF

• OSPF marked experimental as it has some minor issues.

Release notes from version 1.57.010 to 1.58.111

CLI

• Added CLI command to view port status

Certificates

• Removed expired DST Root CA X3 certificate

Config

• Allow numeric value with 0x prefix in config

DHCP

• DHCP client will now attempt to renew leases when ports go down and come back up. This will automatically reconfigure the subnet if plugged into a different network.
• Added mac-local test in DHCP pool

Diagnostics

• Add diagnostic command and status page for buffer usage
• Include uptime information in automatic crash reports
• Log highest buffer users in case of exhaustion

Ethernet

• Allow link forcing the SFP port
• Improved SFP alarm/warning reporting
• Bug fix for recovery from ethernet stalling conditions
• Improve setting of default port config on startup (may be faster startup in some cases)

Firewall

• Added option to set DSCP

IPsec

• Increase max number of simultaneous IKE/IPsec connections
• Fixed problem with IKE message fragmentation causing connection failures with some clients
• Fixed occasional "Response not pending" panic.

Logging

• Additional debug in this alpha, as some people have seen 409 errors on web interface

MQTT

• Simple MQTT message mapping option
• Improvements to MQTT broker (better error reports and sanity checks)
• MQTT payload pattern match
• Correct mapped MQTT messages erroneously setting retain
• Made IP a link on mqtt status
• MQTT mapping connection linking (e.g. for retained)
• Fix outgoing mqtt bug

OSPF

• Correct OSPF checksum issue for certain auth types

Profiles

• Added profile test for "DHCP allocated"
• Nicer web socket based profile control switches.

TLS

• Improve server authentication security and work around problems with some servers by using the signature algorithm extension.
• Fix TLS connection failover
• Added TLS stateless session resumption - without this newer versions of some browsers were very slow to load FB web pages

VoIP

• Double VOIP capacity limits
• Double number of simultaneous call recordings
• Tweak outgoing registrations for SIP servers that mash up the registered Contact rather than just using it as is.
• Fixed issue with very long SIP registrations using IPv6 addresses

Web UI

• Provide port status information on the web interface

DHCP

• Improved DHCP allocation logging and MQTT logging

L2TP

• Added session-timeout to L2TP incoming

MQTT

• Started some MQTT v5 handling (a config option, experimental, not recommend yet)

Profiles

• MQTT profile control fixed
• Minor change, only sending MQTT if corresponding payload set (even if empty)

TLS

• Issue with TLS resume keys used over a s/w upgrade fixed

VoIP

• Added a simple BLF report state via MQTT

Release notes from version 1.56.010 to 1.57.010

ACME

• Allow specifying of the source IP for ACME requests

BGP

• BGP tags for static routes

Certificates

• Fix problem with cross-signed certificates causing IPsec connection issues with Windows clients

Config

• Allow delayed automatic upgrades

Ethernet

• Fix over zealous ether damping
• Show connector type of plugged in SFP

HTTP

• Fixed issue where http client (e.g. ping graph download, etc) gets non 2XX response causing later problems

IPsec

• Increase internal packet buffer size to help with IKE certificates
• Fixed IP pool leakage
• An IKE session was sometimes shown in waiting state as well as connected.
• Further IPsec tweak to avoid losing connection in some circumstances
• Add workaround to avoid repeated reauthentications when peer is StrongSwan and mode is immediate
• Fix bad config status entry after deleting a live connection
• Implemented IKE fragmentation to improve authentication with long certificate chains

L2TP

• Slightly faster outgoing L2TP connect (proxy auth sent)

MQTT

• Experimental MQTT broker function added
• Added profile switch control over MQTT (config will change in next alpha)
• Fix crash in configurations where will topic is set, but not will message

PPPoE

• Issue with some PPPoE sessions restarting on config change

Routing

• Default source IP per routing table

Shaping

• Additional control on shapers (burst limit in ms)

TLS

• Added support for simple TLS clients with limited storage
• Minor memory leak in TLS client fixed

VoIP

• Fix error handling unusual SIP packets
• Allow IPv6 addresses in "recording-server" configuration

Web UI

• Add ethernet counters to web
• Show which type of app upgrade would be initiated
• Show some context lines in live logging view

DHCP

• DHCP option to force broadcast offer/ack to address edge case with some APs and devices

L2TP

• Handle incoming local match password check for PAP

VRRP

• Make VRRP clearer when used with profiles (status page and manuals)

Web control pages

• Configurable intro text and links on login page
• Web access security update

Release notes from version 1.55.111 to 1.56.010

• Fix a bug in the flash logging, which could cause logging to stop working after a while
• Fix bug in ASN.1 length encoding
• Fix for FB2900 flash driver, which could occasionally reboot when replaying the flash log

DHCP

• Added "circuit" to the matching rules for DHCP server IP pool (circuit being Agent Info option 82 circuit sub option 1)

ETUN

• Add tx/rx packet stats

IPsec

• Additional logging and status information for roaming pools
• Add manually triggerable IKE clearing

L2TP

• Issue with DOS limit on outgoing L2TP fixed

PPPoE

• New option to pick up speed from connect message to set egress rate on PPP (ideal for bonding)

Web control pages

• Setup wizard bug when IPv6 defined

CQM

• Graphs used to show a damping level even when damping not in use (i.e. l2tp damping not set), removed

VoIP

• Additional debug

Release notes from version 1.53.000 to 1.54.101

ACME

• Control switch a CA name (e.g. "letsencrypt.org") profile during AMCE renewal validation phase
• Added acme-profile, and made the renewal profile prefixed fb-, e.g. fb-letsencrypt.org
• Tweak to ACME to allow for additional challenges for a few seconds
• ACME status for certificates shows when last error happened.
• Make ACME status clear at start up if clock not set yet
• Fix ACME error status to show time of error

BGP

• Add Refresh buttons to BGP UI status page

Certificates

• Make certificate domain name checking case-insensitive

DHCP

• Lease expiry times were incorrect when lease acquired before time had been set
• Improve lease expiry when the FireBrick does not know the correct time

Ethernet

• Improve DoS detection and logging of ethernet damping

Firewall

• Minor change to handling of clashing UDP sessions for better VoIP NAT logic

HTTP

• HTTP client requests now fall back to other IPs (e.g. for code updates, ACME, etc)

IPsec

• Provide SNMP status info for IPsec
• Fix crash when [id] is used in graph name of a waiting connection
• Show EAP identity (username) in log messages and UI status, and allow it in graph names
• Hardware encryption option for testing [EXPERIMENTAL]
• Show hardware acceleration status
• Add hw crypto timeout detection

IPv6

• Avoid a problem seen with IPv6 fragmentation with some Linux stacks.

Internal

• Scheduling changes to improve performance under heavy CPU load (eg crypto processing)
• In some circumstances Watchdog panics may report incorrect thread - fixed.

L2TP

• High availability L2TP (HAL) for testing - still needs work - see 1.54.102 or later

LACP

• Prevent unnecessary continuous packet exchange

PPP

• New PPP debug log/dump format options

PPPoE

• PPPoE did not install IPv4 DNS if explicit routes set, fixed
• PPPoE Calling ID prefix appended with VLAN and/or MAC

SNMP

• Experimental addition of new-style vendor-specific structure to fit better with standard usage of OIDs/MIBs.

Session tracking

• Change to default UDP timeout for UDP ports 80 and 443 to help QUIC

TCP/UI

• Fix TCP problem causing IPv6 fragmentation which was causing intermittent UI access problems.

TLS

• Added capability for key exchange signing using SHA2 (needed for compatibility with latest versions of curl).
• Use own server preferences when choosing crypto suite and EC curves; Do not send anchor certificate
• Fix corner-case which may cause a TLS stream to go into limbo with TCP stuck in CLOSE_WAIT
• Improve TLS session end - avoid occasional crashes/lockups.
• Fix a couple of TLS issues causing problems with ACME and downloading large pages
• Finally fixed TLS issue

USB

• Fix CLI "clear dongle" command
• Fix dongle lockup on some config changes
• Send packet filter setting when opening 4G dongle.
• Further 4G USB improvements - ensure DHCP-obtained IP address is refreshed on dongle insertion.
• Fix problems with multiple 4G dongles (when using a hub)
• Fix problem with dongle status not always showing correctly

VoIP

• RADIUS setting to explicitly set P-Asserted-Id needed for VoIP carriers

Web UI

• Improve UI status reporting for bgp, including ability to filter routes list

CLI

• show configuration now allowed (redacted) at "view" level

Config

• Improved syntax checking of numeric fields
• Separate logging for http client accesses
• Added new config access level (demo) allowing test but not commit/save config.

Config editor

• Config edit of passwords did not work with & or similar escaped characters. Fixed, but passwords limited in length when editing config now (120 characters).
• Tweak to config edit to make default values more obvious

DNS

• DNS relay limit check

IPv6

• Prefix Delegation IPv6 address was using a base address not interface specific auto IP, fixed

Internal

• Internal changes that should not have any impact on operation

L2TP

• Added pointless bearer capabilities to SCCRP as one carrier expects it for some reason!
• Additional logging on config change
• Fix payload table logic on local auth incoming L2TP sessions
• Consistent NAS-Port attribute on RADIUS STOP records (previously was 0)

Manual

• Additional documentation on IPv6 prefix delegation and SLAAC

Profiles

• Profile ping of local gateway by ping 0.0.0.0

TLS

• Extra diagnostics added to help with occasional TLS crashes

VRRP

• Incorrect error message for ID clash in VRRP, fixed

Release notes for version 1.53.000

ACME

• Control switch a CA name (e.g. "letsencrypt.org") profile during AMCE renewal validation phase
• Added acme-profile, and made the renewal profile prefixed fb-, e.g. fb-letsencrypt.org
• Tweak to ACME to allow for additional challenges for a few seconds
• ACME status for certificates shows when last error happened.

Certificates

• Make certificate domain name checking case-insensitive

DHCP

• Lease expiry times were incorrect when lease acquired before time had been set
• Improve lease expiry when the FireBrick does not know the correct time

IPsec

• Provide SNMP status info for IPsec
• Fix crash when [id] is used in graph name of a waiting connection
• Show EAP identity (username) in log messages and UI status, and allow it in graph names
• Hardware encryption option for testing [EXPERIMENTAL]
• Show hardware acceleration status
• Add hw crypto timeout detection

IPv6

• Avoid a problem seen with IPv6 fragmentation with some Linux stacks.

Internal

• Scheduling changes to improve performance under heavy CPU load (eg crypto processing)

PPP

• New PPP debug log/dump format options

PPPoE

• PPPoE did not install IPv4 DNS if explicit routes set, fixed
• PPPoE Calling ID prefix appended with VLAN and/or MAC

TCP/UI

• Fix TCP problem causing IPv6 fragmentation which was causing intermittent UI access problems.

TLS

• Added capability for key exchange signing using SHA2 (needed for compatibility with latest versions of curl).
• Use own server preferences when choosing crypto suite and EC curves; Do not send anchor certificate

USB

• Fix CLI "clear dongle" command
• Fix dongle lockup on some config changes
• Send packet filter setting when opening 4G dongle.
• Further 4G USB improvements - ensure DHCP-obtained IP address is refreshed on dongle insertion.
• Fix problems with multiple 4G dongles (when using a hub)
• Fix problem with dongle status not always showing correctly

Web UI

• Improve UI status reporting for bgp, including ability to filter routes list

Config

• Improved syntax checking of numeric fields

Config editor

• Config edit of passwords did not work with & or similar escaped characters. Fixed, but passwords limited in length when editing config now (120 characters).
• Tweak to config edit to make default values more obvious

DNS

• DNS relay limit check

L2TP

• Added pointless bearer capabilities to SCCRP as one carrier expects it for some reason!
• Additional logging on config change
• Fix payload table logic on local auth incoming L2TP sessions
• Consistent NAS-Port attribute on RADIUS STOP records (previously was 0)

Profiles

• Profile ping of local gateway by ping 0.0.0.0