FireBrick Model: FB6000 | FB2500 | FB2700 | FB2900 | FB9000 | SoHo/Plus | FB105

Model Variant: FB2900   Change to: (default is FB2900)

Software Versions: Older versions | Factory releases | Factory and Beta | Factory, Beta & Alpha

Released 2024-11-11
Built 2024-10-29
Current factory release
2.01.101 (Balcombe)
Config:XSD Doc

Release notes from Factory release 2.00.100 to Factory release 2.01.101

ARP

  • Better handling when sending many messages to non-existant locally connected targets

BGP

  • Shutdown more cleanly on profile disabling
  • Log which AS we are rejecting if it doesn't match
  • Fix incorrectly reported exports with multiple tables in play
  • Remove inaccurate/confusing status text
  • Fix potential crash with flappy routes and multiple peers
  • Avoid some potential crashes with repeated config updates

CLI

  • Add filtering by table to "show bgp peer/summary" and "show route nexthop"

Config

  • Disable legacy time server (port 37) by default
  • Make it easier to find banner background option
  • Some improvements to demo mode

CQM

  • Treat graph names consistently case sensitively
  • Allow automatic ping graphs to be configured for DHCP entries
  • Correct UDP checksum for shared shapers and add status page

DHCP

  • Improve handling of locked entries
  • Fix crash when serving certain requests
  • Add support for the "rebinding" state in client
  • Send server ID when in SELECTING state
  • Allow DHCP6 client to be configured directly (not via RA)

Diagnostics

  • Add config option to dump some of the stack on certain classes of crash
  • Improve mutex acquisition timeout diagnostic

DNS

  • Fix race that could (very rarely) result in mangled packets whilst relaying

Ethernet

  • Don't report spurious SFP diagnostic values

FB105

  • Improve speed of obfuscation
  • Fix rare crash

Firewall

  • Improve efficiency of firewall timeouts
  • Add obfuscation options
  • Fix race on one sided session reuse
  • Increase priority of firewall event processing task

HA

  • Fix for handling special packets and other tunnels within HA L2TP tunnels

Internal

  • Tweak scheduler to try and avoid rare thread starvation conditions on single core platforms
  • Use interrupts to change LED state

IPv6

  • Fix issue with duff broadcast address in some RAs

L2TP

  • Add speed settings to L2TP local authentication
  • Config option for L2TP IPv6 tunnels without a checksum
  • Avoid rare crash fetching status
  • Add option to send Operator-Name on a per <incoming> basis
  • Support specifying the source IP for payload traffic

LACP

  • Hot standby mode selection for wider switch compatibility

Logging

  • Log L2TP RADIUS errors to the RADIUS debug log (instead of the system one)
  • Add a log for a user's events (currently logins)
  • Report hardware watchdogs to support
  • Log slow config load functions to sys debug
  • Log bootloader upgrades
  • Improve detail in some logs
  • Shorten TCP connection timeout for email logs
  • Change VRRP not found to debug

Manual

  • Explain the 2 types of defaulting in the XSD
  • Improve layout slightly
  • Remove some out of date screenshots
  • Improve LACP standby explanation

MQTT

  • Fix retained message handling timeouts
  • Fix a couple of rare crashes
  • Drop oversize QOS0 messages
  • Correct sending retain to clients only for old retained messages not new ones after subscription established
  • Fix where subscriptions could get overwritten in some cases
  • Fix CPU spikes that can grow with uptime

NTP

  • Use MD5 hash for refid for IPv6 time sources

OS

  • Use cached memory in more situations
  • Handle devices that don't respond to unicast ARP (Starlink) more gracefully
  • Additional type of watchdog for catching rogue high priority threads

Ping

  • Don't crash when we cannot create ping from config (because too many have already been bulk loaded)

PPPoE

  • Add an additional profile to prevent responding to PADI messages
  • Allow omitting of automatic caller-id end
  • Show the acname correctly in status
  • Report PPPoE info more reliably on L2TP sessions page

Profiles

  • Allow control switches to be set from the menu (and allow them to be locked for sensitive ones)

RADIUS

  • Drop legacy AOR AVP number
  • Fix issue with RX shapers and CoA
  • Make status mechanism more in line with other services

Routing

  • Fix loop detection in source IP determination
  • Add debug user command for dumping internal state of routing
  • Fix bug that could cause routes to transiently appear as NULL in the forwarding table

Sampling

  • Fix rare crash when changing interface config as a sample is taken

SNMP

  • Fixes for L2TP SNMP

Software upgrade

  • Add button for downloading latest software without rebooting

Strack

  • Fix crash due to wraparound optimisation

TCP

  • Add option for TCP stealth mode for the FireBrick itself (without using the firewall)

Telnet

  • Fix rare crash when quickly creating multiple telnet sessions
  • Add task stat clear command

VOIP

  • Tweak wording of security-replies registration warning and add context to manual
  • Improve logging
  • Handle NAT RTP more cleanly when far end is silent and not sending RTP packets
  • Add additional ways to detect anonymous calls for telephony operators
  • Fix rare issue with RTP packets from 0.0.0.0

VRRP

  • Show time in a given state

Watchdog

  • Additional context for rare watchdog

Web UI

  • Add DNS cache state status (DEBUG only)
  • Make the status page clearer during reboots
  • Modify layout approach to avoid a couple of strange looking edge cases
  • Allow an additional level of submenus
  • Allow menus to be expanded and collapsed via JS
  • Scroll tables in x if they don't fit in the page
  • Reorganise the menu entries
  • Add button for clearing flash penalties (debug user)
  • CSS hinting tweaks
  • Add a page for unit info
  • Put intro text in page header
  • Ensure profile switches show up to date status over config change
  • Fix issue where test/save buttons could appear twice after repeated config test edits
  • Reword software upgrade page
  • Optionally group control switches in menu
  • Accept connections from "trusted" (but not "allowed") hosts during ACME renewal
  • Group profile buttons on home page
  • Fix issue that could cause live logging to use CPU excessively
  • UI tweaks
Released 2023-10-16
Built 2023-10-09
Older factory release
2.00.100 (Abbotscliffe)
Config:XSD Doc

Release notes from Factory release 1.61.010 to Factory release 2.00.100

  • Rework apps to run efficiently on the FB9000 platform - this is a major rework that may impact all platforms

ARP

  • Recover faster from certain subnet changes
  • Slightly improve ARP queue timeout handling for entries that do not resolve but are in constant use.

BGP

  • Shutdown timeout - be tolerant of negative NTP adjustments
  • Add profile to peer list in config editor
  • Check that peers define unique connections
  • Improvements to graceful restart
  • Improve connection handling
  • Fix issue with GET method for new SNMP OIDs
  • Additional states for shutdown and preshutdown in new OIDs
  • Add prefix limit info to SNMP
  • Include held routes in the count of imported prefixes
  • Improvements and bugfixes
  • Intersperse connection handling better

Config

  • Added auto-backup-url to config to POST changed config
  • Improve config patch mechanism
  • Fix "*" parsing for port ranges
  • Small improvements to the auto backup feature to make it nicer

CQM

  • Calculate times for XML output the same way as for images
  • Handle extremely low ping latencies better

DNS

  • Prevent forwarding of other types for overridden DNS entries

Ethernet

  • Allow assignment of specific MAC addresses to subnets and interfaces

Firewall

  • Only ARP targets in overlapping subnets if we would allow traffic to them
  • Improve source IP selection when NAT is targetting overlapping subnets
  • Add more detail to firewall diagnostic

Internal

  • Improve resource utilisation of streams

IPsec

  • Remove path by which eap-user restrictions could be evaded by some clients

IPv6

  • Advertise a /64 for PD SLAAC (even if the delegated prefix is larger)
  • Introduce a list of ra-subnet-template on interfaces to allow setting of options for RA generated subnets (replaces ra-client)
  • Prevent prefix delegation on linked interfaces (including by implicit defaults)
  • Fix issue with RA and ignore_dns that can cause subnets to be recreated

L2TP

  • Corrected handling of Framed-IPv6-Address as interface address in RADIUS
  • Add calling/called station IDs to L2TP session status
  • Fix crash with packets claiming different lengths in different ways
  • Allow IPv6 DNS to be overridden via RADIUS
  • Don't kill tunnels immediately when profiling off incoming
  • Report the correct number of packets for TX and RX

LACP

  • Advertise additional links as standby when it makes sense to do so
  • Put secondary links in hot standby when speed limited by hardware
  • Handle badly behaved link partner better

LEDs

  • Remove fast blink mode for efficiency
  • Avoid rare race updating activity LEDs
  • Fix rare stuck on LED when ports are disconnected/disabled

Logging

  • Increase internal logging capacity

Manual

  • Add more commands to the manual
  • Improve MIB appendix

MQTT

  • Reconnect faster on "external" config changes and improve status
  • Fix issue where tx is available late

OSPF

  • Fix crash when config changed repeatedly very rapidly

Pcap

  • Make labels on pcap form slightly better
  • Support multiple IPs and ranges in the filtering

PPPoE

  • Fix typo on PPP status page
  • Don't accept PPPoE inbound connections if the matching incoming is profiled off
  • Log sending the PADR

Profiles

  • Add uptime test to allow staggered starting of services
  • Evaluate conditions when adding (to avoid flapping without careful choice of initial)

Routing

  • Remove 6to4 (2002:) IP mapping
  • Add tunnel IDs to routing diagnostic summary
  • Avoid sending packets with potentially inappropriate source IPs (applies to overlapping subnets mainly)
  • Force immediate reconsideration routes when related gateways have expired

SNMP

  • Add system memory utilisation to SNMP
  • Make buffer statistics reflect new reality (that most buffers are in a global pool)

TCP

  • Improve preempting of TCP connections in the timewait state
  • Limit accept queues more consistently
  • Reduce resource usage when in TIME-WAIT

TLS

  • Add connection count to 1 second stats

VoIP

  • Improve how VOIP logging reads

VRRP

  • Take notice of the profile on the parent interface

Web UI

  • Improve profile switch behaviour when clicked fast repeatedly
  • Show dBm in addition to uW for SFPs when possible
  • Config option to change colours of user interface
  • Add buttons to config editor for reordering items in ordered lists
  • Darker background for select multiple selections
  • Avoid underflow when showing number of seconds remaining for config test (cosmetic)
  • Added warning that config save is recommended
  • Tidy up config edit page
  • Improve layout of BGP buttons
  • Show reboot now option when shutting down
  • Wrap lines in XML editor on first load
  • Buttons to delete flash blocks as a DEBUG user
  • Click on headings to sort status tables
  • Provide load indicator on Status page
  • Suppress iphone phone number autodetection (so it doesn't pick up the serial number)
  • Add arrows (ascending and descending) to sorting
  • Record txnodesc more like other ethernet stats
  • Add ability to view old configurations and boot alternative images to flash contents (as DEBUG)
  • Reorder ping form
  • Tweak upload styling
  • Show route diagnostic in prefix order
Released 2022-11-16
Built 2022-11-07
Older factory release
1.61.010 (Ogust)
Config:XSD Doc

Release notes from Factory release 1.60.010 to Factory release 1.61.010

Certificates

  • Avoid panic on reboot if FB private key gets deleted

Config

  • Enforce list max occurrences limits for all config items

CQM

  • Small change to SVG to make loss/latency squared off like png

DHCP

  • Treat a profile on a DHCP config entry with a restriction consistently with other config profile usage.

DHCPv6

  • Various improvements (especially in the client)
  • Make DHCPv6 work better with larger prefixes
  • Allow larger server DUIDs

Ethernet

  • Share MAC address on VLAN 0 between bootloader and app for each port

IKE

  • Send out of band error when INIT request negotiation fails

IPv6

  • Improved reliability of RA handling

MQTT

  • Bigger MQTT messages
  • Additional options on MQTT external
  • MQTT crash fix
  • Sending cleaner CONNACK for error cases

PPP

  • Bug fix for issues with PPP client corrupting subnets

PPPoE

  • Increase number of allowed PPP sessions (and fix crash loading configs with more than 20)

RADIUS

  • Juniper ERX ingress/egress policy name in RADIUS server
  • Correct defaulting of RADIUS server settings

VoIP

  • Subtle change to message handling in VoIP (getting actual 408 response to INVITE)
  • CLI settings not always passing through

Web UI

  • Improve layout on XML edit page
  • Improve button placement on system info pages
  • Explanation added regarding TCP stress test blob output
  • Further improve XML edit and reduce vertical height of top bar
  • Make XML download links look like links
  • Add line numbers to XML editor
  • Reject paths with extraneous middle segments
  • Various UI improvements
  • Add a config option to prevent refreshing the CQM image lists
  • Make graphs on the image list page clickable
  • Editor - fix colour picker with 3 digit hex colours
  • Force text colour in buttons to black (apparently ipads can default it to white)
  • Warn on most pages when config is no longer valid
Released 2022-07-20
Built 2022-07-11
Older factory release
1.60.010 (Nickell)
Config:XSD Doc

Release notes from Factory release 1.59.000 to Factory release 1.60.010

CLI

  • Show thread stats for longer sample period

DHCP

  • Improved controls over DHCP logging

DHCP/DNS

  • Additional "latest IP allocated" DNS name for DHCP - see auto-dhcp-new in DNS settings

DHCPv6

  • Simple DHCPv6 client mode (experimental)
  • Updated IPv6 SLAAC/RA logic to allow control of extra flags and simple ethernet side DHCPv6 server

Diagnostics

  • Provide info about HTTP connections for debug users on web and telnet

HA

  • Fix HA groups D-G
  • Improve handling of HA bonded tunnels with extremely mismatched latency (seconds)

HTTP

  • Be more tolerant of lack of Content-length in HTTP client

IP

  • Use the table's default source IP in more places

IPv6

  • Interface setting ra-client now default if wan set, else not default
  • Interface setting now define PD (prefix delegation), default if wan/ra-client/ra not set

L2TP

  • Respect table setting for MTU calculation for outgoing and relayed L2TP connections
  • Add mechanism for advising LAC of tx speed when needed
  • Put serial number in calling station ID if explicitly set to ''

Logging

  • Fix issue with emailed logs - were sending to last MX not first, and leaving TCP open causing issues if too many emails sent

MQTT

  • Added MQTT console

PPP

  • Handle missed PAP reply on PPP

RADIUS

  • Added allow list for RADIUS CoA requests as alternative to host IP match
  • Add logging on RADIUS match
  • Added top level IP allow check on RADIUS
  • Faster RADIUS failover (and updated documentation)

VoIP

  • Limit email addresses for recording to 2000 chars

Web UI

  • Add details of L2TP states session states on tunnel status pages
  • Show which tables session tracking is active on in UI
  • Fix looping causing loss of UI if TCP stress test fails
Released 2022-04-20
Built 2022-04-13
Older factory release
1.59.000 (Macleod)
Config:XSD Doc

Release notes from Factory release 1.58.111 to Factory release 1.59.000

ACME

  • ACME error reporting could get garbled message in some error cases

DHCP

  • Changed some DHCP server logging to be JSON format (same as used for MQTT)

FB105

  • Fix rare crash with FB105 tunnel bonding during configuration change

IPsec

  • Fixed a problem with validation of peer certificate
  • Fixed handling of out-of-order IKE fragments
  • There is a new attribute peer-eaplist available on an IKE connection config item which enables the allowed EAP usernames to be specified.
  • Improve EAP diagnostic logging and fix minor problem with message ID number checking
  • Further improvements to EAP processing and error logging

L2TP

  • Configured outgoing L2TP sessions now respect the bgp setting in the config

MQTT

  • Added listener for FireBricks/# topic
  • Changed MQTT mapping field names and fixed incorrect help text

OSPF

  • OSPF marked experimental as it has some minor issues.

RADIUS

  • Some additional RADIUS server settings, matching, added mqtt logging and changed log format to JSON, for working with some WiFi kit

TLS

  • Improved stream handling in TLS to avoid occasional race conditions causing crashes

VoIP

  • Improve logging when bulk carrier import fails

Web UI

  • Fix speed bars on status pages
  • Provide option for detailed ethernet stats on port status web page
Released 2022-01-05
Built 2021-12-21
Older factory release
1.58.111 (Landy)
Config:XSD Doc

Release notes from Factory release 1.57.010 to Factory release 1.58.111

Certificates

  • Removed expired DST Root CA X3 certificate

CLI

  • Added CLI command to view port status

Config

  • Allow numeric value with 0x prefix in config

DHCP

  • DHCP client will now attempt to renew leases when ports go down and come back up. This will automatically reconfigure the subnet if plugged into a different network.
  • Added mac-local test in DHCP pool
  • Improved DHCP allocation logging and MQTT logging

Diagnostics

  • Add diagnostic command and status page for buffer usage
  • Include uptime information in automatic crash reports
  • Log highest buffer users in case of exhaustion

Ethernet

  • Allow link forcing the SFP port
  • Improved SFP alarm/warning reporting
  • Bug fix for recovery from ethernet stalling conditions
  • Improve setting of default port config on startup (may be faster startup in some cases)

Firewall

  • Added option to set DSCP

IPsec

  • Increase max number of simultaneous IKE/IPsec connections
  • Fixed problem with IKE message fragmentation causing connection failures with some clients
  • Fixed occasional "Response not pending" panic.

L2TP

  • Added session-timeout to L2TP incoming

MQTT

  • Simple MQTT message mapping option
  • Improvements to MQTT broker (better error reports and sanity checks)
  • MQTT payload pattern match
  • Correct mapped MQTT messages erroneously setting retain
  • Made IP a link on mqtt status
  • MQTT mapping connection linking (e.g. for retained)
  • Fix outgoing mqtt bug
  • Started some MQTT v5 handling (a config option, experimental, not recommend yet)

OSPF

  • Correct OSPF checksum issue for certain auth types

Profiles

  • Added profile test for "DHCP allocated"
  • Nicer web socket based profile control switches.
  • MQTT profile control fixed
  • Minor change, only sending MQTT if corresponding payload set (even if empty)

TLS

  • Improve server authentication security and work around problems with some servers by using the signature algorithm extension.
  • Fix TLS connection failover
  • Added TLS stateless session resumption - without this newer versions of some browsers were very slow to load FB web pages
  • Issue with TLS resume keys used over a s/w upgrade fixed

VoIP

  • Double VOIP capacity limits
  • Double number of simultaneous call recordings
  • Tweak outgoing registrations for SIP servers that mash up the registered Contact rather than just using it as is.
  • Fixed issue with very long SIP registrations using IPv6 addresses
  • Added a simple BLF report state via MQTT

Web UI

  • Provide port status information on the web interface
Released 2021-09-29
Built 2021-09-15
Older factory release
1.57.010 (Kaplan)
Config:XSD Doc

Release notes from Factory release 1.56.010 to Factory release 1.57.010

ACME

  • Allow specifying of the source IP for ACME requests

BGP

  • BGP tags for static routes

Certificates

  • Fix problem with cross-signed certificates causing IPsec connection issues with Windows clients

Config

  • Allow delayed automatic upgrades

DHCP

  • DHCP option to force broadcast offer/ack to address edge case with some APs and devices

Ethernet

  • Fix over zealous ether damping
  • Show connector type of plugged in SFP

HTTP

  • Fixed issue where http client (e.g. ping graph download, etc) gets non 2XX response causing later problems

IPsec

  • Increase internal packet buffer size to help with IKE certificates
  • Fixed IP pool leakage
  • An IKE session was sometimes shown in waiting state as well as connected.
  • Further IPsec tweak to avoid losing connection in some circumstances
  • Add workaround to avoid repeated reauthentications when peer is StrongSwan and mode is immediate
  • Fix bad config status entry after deleting a live connection
  • Implemented IKE fragmentation to improve authentication with long certificate chains

L2TP

  • Slightly faster outgoing L2TP connect (proxy auth sent)
  • Handle incoming local match password check for PAP

MQTT

  • Experimental MQTT broker function added
  • Fix crash in configurations where will topic is set, but not will message

PPPoE

  • Issue with some PPPoE sessions restarting on config change

Routing

  • Default source IP per routing table

Shaping

  • Additional control on shapers (burst limit in ms)

TLS

  • Added support for simple TLS clients with limited storage
  • Minor memory leak in TLS client fixed

VoIP

  • Fix error handling unusual SIP packets
  • Allow IPv6 addresses in "recording-server" configuration

VRRP

  • Make VRRP clearer when used with profiles (status page and manuals)

Web control pages

  • Configurable intro text and links on login page
  • Web access security update

Web UI

  • Add ethernet counters to web
  • Show which type of app upgrade would be initiated
  • Show some context lines in live logging view
Released 2021-04-16
Built 2021-03-24
Older factory release
1.56.010 (Jacoby)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.54.101 to Factory release 1.56.010

  • Fix bug in ASN.1 length encoding
  • Fix for FB2900 flash driver, which could occasionally reboot when replaying the flash log

Config

  • Additional options for finer control of source filtering setting
  • Additional help text for L2TP

CQM

  • Graphs used to show a damping level even when damping not in use (i.e. l2tp damping not set), removed

DHCP

  • Added "circuit" to the matching rules for DHCP server IP pool (circuit being Agent Info option 82 circuit sub option 1)

Ethernet

  • Improve performance when ports have a mixture of speeds (eg 1G and 100M)

ETUN

  • Add tx/rx packet stats

FB105

  • Change internal IP config for FB105 to allow IPv6 internal IPv6 to be set

HA

  • Some issues with invalid tunnel packets logging when using L2TP HAL
  • HAL did not work well if one of the links was rate limited
  • Increased number of HA sets to 7
  • Added additional hal-log for debug logging of HAL

IPsec

  • Additional logging and status information for roaming pools
  • Add manually triggerable IKE clearing
  • Change internal IP config in IPSec to use single IP46Addr field

IPv6

  • Slight change to SLAAC RA client default localpref so global addresses preferred

L2TP

  • Fix performance issue in L2TP HAL, especially where wrapped packets coming out of order.
  • Improved logging for incoming L2TP sessions so more obvious which config used
  • Minor changes to some L2TP config attribute names, and updates to manual
  • Correct logic on L2TP point to point speed controls on outgoing tunnel
  • Don't override manual shaper speeds on point to point L2TP where no speed is received from calling end
  • OSPF issues with incoming L2TP config fixed
  • L2TP tx/rx speed of -1 recognised and ignored
  • Issue with DOS limit on outgoing L2TP fixed

Manual

  • Updated manual for details of L2TP usage
  • Clarifed that config access on web interface also needs user "admin" level

PPP

  • Tweaked PPP handling when far end wants to talk IPV6CP and we were not planning to. We now negotiate.

PPPoE

  • New option to pick up speed from connect message to set egress rate on PPP (ideal for bonding)
  • L2TP PPPoE BRAS mode now picks up payload-table from L2TP config.

Routing

  • Fix startup issue when using source-filter.

SNMP

  • Integer values were sometimes misreported

USB

  • Support USB dongles which don't have a mass bulk interface

VoIP

  • Change to source_ip and auth_source_ip so one field for the IPv4 and/or IPv6
  • VoIP caller directory with call screening controls
  • Added display name to call recording leg (because useful to have now we have directory)
  • Added config for how long before expiry we re-register to a carrier, and changed default to 30 seconds
  • Fix issue with incoming CLI not set correctly in some cases
  • Change incoming CLI processing to be transparent if not configured
  • Minor tweak to allow REFER to authenticate on from matching user target URI
  • Correct sending of P-Asserted-Id where configured to send to carrier and set explicitly (ie by RADIUS)
  • Allow carrier to have specified IP and port as target regardless of proxy name
  • Minor change to CLI logic on connecting calls
  • Change to withheld CLI passing to recording server
  • Additional debug

Web control pages

  • Setup wizard bug when IPv6 defined

Web UI

  • Minor changes, allowing some javascript to be embedded
  • Experimental feature added to allow js-url in config (for when logged in, trusted IP, non password entry pages)
  • Tweak XML edit so that a zero login timeout does not fail if XML config edit is longer than 5 minutes

XML

  • New IP46Addr field allowing one IPv4 and/or one IPv6
Built 2021-01-06
Older factory release
1.55.111 (Hamman)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.54.101 to Factory release 1.55.111

Config

  • Additional options for finer control of source filtering setting
  • Additional help text for L2TP

Ethernet

  • Improve performance when ports have a mixture of speeds (eg 1G and 100M)

FB105

  • Change internal IP config for FB105 to allow IPv6 internal IPv6 to be set

HA

  • Some issues with invalid tunnel packets logging when using L2TP HAL
  • HAL did not work well if one of the links was rate limited
  • Increased number of HA sets to 7
  • Added additional hal-log for debug logging of HAL

IPsec

  • Change internal IP config in IPSec to use single IP46Addr field

IPv6

  • Slight change to SLAAC RA client default localpref so global addresses preferred

L2TP

  • Fix performance issue in L2TP HAL, especially where wrapped packets coming out of order.
  • Improved logging for incoming L2TP sessions so more obvious which config used
  • Minor changes to some L2TP config attribute names, and updates to manual
  • Correct logic on L2TP point to point speed controls on outgoing tunnel
  • Don't override manual shaper speeds on point to point L2TP where no speed is received from calling end
  • OSPF issues with incoming L2TP config fixed
  • L2TP tx/rx speed of -1 recognised and ignored

Manual

  • Updated manual for details of L2TP usage
  • Clarifed that config access on web interface also needs user "admin" level

PPP

  • Tweaked PPP handling when far end wants to talk IPV6CP and we were not planning to. We now negotiate.

PPPoE

  • L2TP PPPoE BRAS mode now picks up payload-table from L2TP config.

Routing

  • Fix startup issue when using source-filter.

SNMP

  • Integer values were sometimes misreported

USB

  • Support USB dongles which don't have a mass bulk interface

VoIP

  • Change to source_ip and auth_source_ip so one field for the IPv4 and/or IPv6
  • VoIP caller directory with call screening controls
  • Added display name to call recording leg (because useful to have now we have directory)
  • Added config for how long before expiry we re-register to a carrier, and changed default to 30 seconds
  • Fix issue with incoming CLI not set correctly in some cases
  • Change incoming CLI processing to be transparent if not configured
  • Minor tweak to allow REFER to authenticate on from matching user target URI
  • Correct sending of P-Asserted-Id where configured to send to carrier and set explicitly (ie by RADIUS)
  • Allow carrier to have specified IP and port as target regardless of proxy name
  • Minor change to CLI logic on connecting calls
  • Change to withheld CLI passing to recording server

Web UI

  • Minor changes, allowing some javascript to be embedded
  • Experimental feature added to allow js-url in config (for when logged in, trusted IP, non password entry pages)
  • Tweak XML edit so that a zero login timeout does not fail if XML config edit is longer than 5 minutes

XML

  • New IP46Addr field allowing one IPv4 and/or one IPv6
Built 2020-05-26
Older factory release
1.54.101 (Garozzo)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.53.000 to Factory release 1.54.101

ACME

  • ACME status for certificates shows when last error happened.
  • Make ACME status clear at start up if clock not set yet
  • Fix ACME error status to show time of error

BGP

  • Add Refresh buttons to BGP UI status page

CLI

  • show configuration now allowed (redacted) at "view" level

Config

  • Improved syntax checking of numeric fields
  • Separate logging for http client accesses
  • Added new config access level (demo) allowing test but not commit/save config.

Config editor

  • Tweak to config edit to make default values more obvious

DHCP

  • Improve lease expiry when the FireBrick does not know the correct time

Ethernet

  • Improve DoS detection and logging of ethernet damping

Firewall

  • Minor change to handling of clashing UDP sessions for better VoIP NAT logic

HTTP

  • HTTP client requests now fall back to other IPs (e.g. for code updates, ACME, etc)

Internal

  • Scheduling changes to improve performance under heavy CPU load (eg crypto processing)
  • In some circumstances Watchdog panics may report incorrect thread - fixed.

IPsec

  • Hardware encryption option for testing [EXPERIMENTAL]
  • Show hardware acceleration status
  • Add hw crypto timeout detection

IPv6

  • Prefix Delegation IPv6 address was using a base address not interface specific auto IP, fixed

L2TP

  • High availability L2TP (HAL) for testing - still needs work - see 1.54.102 or later
  • Additional logging on config change
  • Fix payload table logic on local auth incoming L2TP sessions
  • Consistent NAS-Port attribute on RADIUS STOP records (previously was 0)

LACP

  • Prevent unnecessary continuous packet exchange

Manual

  • Additional documentation on IPv6 prefix delegation and SLAAC

Profiles

  • Profile ping of local gateway by ping 0.0.0.0

Session tracking

  • Change to default UDP timeout for UDP ports 80 and 443 to help QUIC

SNMP

  • Experimental addition of new-style vendor-specific structure to fit better with standard usage of OIDs/MIBs.

TLS

  • Use own server preferences when choosing crypto suite and EC curves; Do not send anchor certificate
  • Fix corner-case which may cause a TLS stream to go into limbo with TCP stuck in CLOSE_WAIT
  • Improve TLS session end - avoid occasional crashes/lockups.
  • Fix a couple of TLS issues causing problems with ACME and downloading large pages
  • Finally fixed TLS issue
  • Extra diagnostics added to help with occasional TLS crashes

USB

  • Send packet filter setting when opening 4G dongle.
  • Further 4G USB improvements - ensure DHCP-obtained IP address is refreshed on dongle insertion.
  • Fix problems with multiple 4G dongles (when using a hub)
  • Fix problem with dongle status not always showing correctly

VoIP

  • RADIUS setting to explicitly set P-Asserted-Id needed for VoIP carriers

VRRP

  • Incorrect error message for ID clash in VRRP, fixed

Web UI

  • Improve UI status reporting for bgp, including ability to filter routes list
Built 2019-08-29
Older factory release
1.53.000 (Flint)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.52.010 to Factory release 1.53.000

ACME

  • Control switch a CA name (e.g. "letsencrypt.org") profile during AMCE renewal validation phase
  • Added acme-profile, and made the renewal profile prefixed fb-, e.g. fb-letsencrypt.org
  • Tweak to ACME to allow for additional challenges for a few seconds

Certificates

  • Make certificate domain name checking case-insensitive

Config editor

  • Config edit of passwords did not work with & or similar escaped characters. Fixed, but passwords limited in length when editing config now (120 characters).

DHCP

  • Lease expiry times were incorrect when lease acquired before time had been set

DNS

  • DNS relay limit check

IPsec

  • Provide SNMP status info for IPsec
  • Fix crash when [id] is used in graph name of a waiting connection
  • Show EAP identity (username) in log messages and UI status, and allow it in graph names

IPv6

  • Avoid a problem seen with IPv6 fragmentation with some Linux stacks.

L2TP

  • Added pointless bearer capabilities to SCCRP as one carrier expects it for some reason!

PPP

  • New PPP debug log/dump format options

PPPoE

  • PPPoE did not install IPv4 DNS if explicit routes set, fixed
  • PPPoE Calling ID prefix appended with VLAN and/or MAC

TCP/UI

  • Fix TCP problem causing IPv6 fragmentation which was causing intermittent UI access problems.

TLS

  • Added capability for key exchange signing using SHA2 (needed for compatibility with latest versions of curl).

USB

  • Fix CLI "clear dongle" command
  • Fix dongle lockup on some config changes
Built 2019-06-01
Older factory release
1.52.010 (Eisenberg)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.51.010 to Factory release 1.52.010

DNS

  • Added option to allow logging of DNS queries based on interface requesting the DNS

Factory reset

  • Changed factory default to allow set up from WAN as per quick start guide

IPsec

  • Fix problem with IPsec tunnels using IPv6 outer addresses

IPv6

  • Changed source IP of ND to link local in all cases - RFC allows any assigned address but some devices get upset

L2TP

  • Added Framed-IP-Address to accounting

LACP

  • Improvements to increase stability and reduce trunk downtime during status changes

Logging

  • Add Replay tag to panic/replay log lines displayed at startup

UI/CLI

  • Power monitoring improvements

USB

  • Avoid buffer loss when USB 4G transfers fail
  • Avoid race conditions and crashes after obscure 4G device errors
  • 4G dongles were not starting up correctly
  • Cancelling of transfers after device detach/disable was not working correctly
  • Fixed a problem causing USB to not always start up properly

Web UI

  • Power monitoring shows min/max of 12v rail (since previous view)
Built 2019-05-17
Older factory release
1.52.000 (Eisenberg)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.51.010 to Factory release 1.52.000

DNS

  • Added option to allow logging of DNS queries based on interface requesting the DNS

Factory reset

  • Changed factory default to allow set up from WAN as per quick start guide

IPsec

  • Fix problem with IPsec tunnels using IPv6 outer addresses

IPv6

  • Changed source IP of ND to link local in all cases - RFC allows any assigned address but some devices get upset

L2TP

  • Added Framed-IP-Address to accounting

LACP

  • Improvements to increase stability and reduce trunk downtime during status changes

Logging

  • Add Replay tag to panic/replay log lines displayed at startup

UI/CLI

  • Power monitoring improvements

USB

  • Avoid buffer loss when USB 4G transfers fail
  • Avoid race conditions and crashes after obscure 4G device errors

Web UI

  • Power monitoring shows min/max of 12v rail (since previous view)
Built 2019-04-01
Older factory release
1.51.010 (Davies)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.50.000 to Factory release 1.51.010

BGP

  • BGP memory usage adjustments, means FB2900 can take full table now.
  • Added AS-Path checks to BGP route filtering

Config

  • Renamed log-panic to log-support, as we may log other unusual events to fb-support and not just stack trace / panics

Config editor

  • Profile page layout tweaked

DHCP

  • Revert minor change in DHCP/DNS which was causing problems

General

  • Some final tweaks before being ready for next release
  • Some minor optimisations

Internal

  • Minor changes to boot time calculation
  • Avoid boot time appearing negative when time is adjusted

L2TP

  • Adjustments to ICMP logic for trace route though L2TP
  • Various performance enhancements
  • Local config for L2TP relay now allows relay via another table (payload-table)
  • Fix missing TID in L2TP tunnel status page
  • L2TP session xml url checking number is only number

Logging

  • Additional direct log-panic logging to try and find specific issue in recent code.

NTP

  • Restructure client with minor improvements prior to introduction of full NTP server
  • NTP server introduced. Early release - may not be stable.
  • Support clients using older versions of NTP protocol
  • DHCP serves FireBrick IP for NTP now (unless otherwise set in DHCP config)
  • Minor fixes, and a change to maxpoll and minpoll to use duration in config.
  • Various minor updates on NTP
  • Further NTP bugfixes, including earlier setting of system time.
  • Further improvement to NTP system clock conditioning
  • Improve NTP status message on main status page
  • Added UI status page and CLI status; other minor improvements
  • Improved status output
  • Fix crash when adding/removing time service in config
  • Yet more UI status improvements
  • NTP time adjustments are now applied smoothly by OS time conditioning
  • Improved access checking
  • NTP control (ntpq) access now defaults to true. UI diagnostic access check page was not displaying correct details for NTP.
  • Fixed possible crash after peer drop
  • Fix problem with time quickstep (mainly showing on 2700)
  • Fix NTP status erroneously reported as Acquiring after config change. Improve NTP server stateup/shutdown.

Ping

  • Added ping size option to bulk ping logic (+size after IP and #table)

PPPoE

  • pd-interface default on PPPoE excludes interfaces marked wan

RADIUS

  • ERX-Tunnel-Switch-Profile untagged even in tagged responses (for Talk Talk working)

Session tracking

  • Change to logic for set-graph-dynamic which was not setting speeds based on set-graph but on set-reverse-graph.
  • Edge case in use of NAT-PMP/PCP causing crash, fixed

Shaping

  • Shared shaper changed to allow > 4Gb/s total (new version, so all sharing systems need update at same time)
  • Catch some edge cases in session tracking shaper set up that seem to cause a crash

USB

  • Fix problem with USB reuse

Web control pages

  • Live update of uptime, time, and RAM usage in status page
  • Minor change to way status web page shows

Web UI

  • Minor tweaks to UI colouring. Ping/Traceroute display is banded for better visibility.
  • Fix typo in UI on TCP stress test page.
  • Fixed NTP status submenu highlighting
  • Improve page layout when left-hand menu pane is tall
Built 2019-03-24
Older factory release
1.51.001 (Davies)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.50.000 to Factory release 1.51.001

BGP

  • BGP memory usage adjustments, means FB2900 can take full table now.
  • Added AS-Path checks to BGP route filtering

Config

  • Renamed log-panic to log-support, as we may log other unusual events to fb-support and not just stack trace / panics

Config editor

  • Profile page layout tweaked

General

  • Some final tweaks before being ready for next release
  • Some minor optimisations

Internal

  • Minor changes to boot time calculation
  • Avoid boot time appearing negative when time is adjusted

L2TP

  • Adjustments to ICMP logic for trace route though L2TP
  • Various performance enhancements
  • Local config for L2TP relay now allows relay via another table (payload-table)
  • Fix missing TID in L2TP tunnel status page
  • L2TP session xml url checking number is only number

Logging

  • Additional direct log-panic logging to try and find specific issue in recent code.

NTP

  • Restructure client with minor improvements prior to introduction of full NTP server
  • NTP server introduced. Early release - may not be stable.
  • Support clients using older versions of NTP protocol
  • DHCP serves FireBrick IP for NTP now (unless otherwise set in DHCP config)
  • Minor fixes, and a change to maxpoll and minpoll to use duration in config.
  • Various minor updates on NTP
  • Further NTP bugfixes, including earlier setting of system time.
  • Further improvement to NTP system clock conditioning
  • Improve NTP status message on main status page
  • Added UI status page and CLI status; other minor improvements
  • Improved status output
  • Fix crash when adding/removing time service in config
  • Yet more UI status improvements
  • NTP time adjustments are now applied smoothly by OS time conditioning
  • Improved access checking
  • NTP control (ntpq) access now defaults to true. UI diagnostic access check page was not displaying correct details for NTP.
  • Fixed possible crash after peer drop
  • Fix problem with time quickstep (mainly showing on 2700)
  • Fix NTP status erroneously reported as Acquiring after config change. Improve NTP server stateup/shutdown.

Ping

  • Added ping size option to bulk ping logic (+size after IP and #table)

PPPoE

  • pd-interface default on PPPoE excludes interfaces marked wan

Session tracking

  • Change to logic for set-graph-dynamic which was not setting speeds based on set-graph but on set-reverse-graph.
  • Edge case in use of NAT-PMP/PCP causing crash, fixed

Shaping

  • Shared shaper changed to allow > 4Gb/s total (new version, so all sharing systems need update at same time)

USB

  • Fix problem with USB reuse

Web control pages

  • Live update of uptime, time, and RAM usage in status page
  • Minor change to way status web page shows

Web UI

  • Minor tweaks to UI colouring. Ping/Traceroute display is banded for better visibility.
  • Fix typo in UI on TCP stress test page.
  • Fixed NTP status submenu highlighting
  • Improve page layout when left-hand menu pane is tall
Built 2018-11-21
Older factory release
1.50.000 (Culbertson)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.49.000 to Factory release 1.50.000

ACME

  • Minor improvements to ACME - handling some extra order status responses

BGP

  • Additional debug for ignored updates

CQM

  • Added more stats (total bytes/packet/drops) to CQM XML

Crypto

  • PKCS#8 formats now fully accepted and served for RSA and DSA keys

Diagnostics

  • Fix TCP download test (was always saying 0 bytes loaded)

DNS

  • Changed DNS logic so not simply fallback="true" but fallback-table defined. This means multiple table DNS will default not to fall back now.

General

  • Slight performance improvements

IPsec

  • Fix duplicate connection problem after roadwarrior client switches from wifi to 3G
  • Fix Roadwarrior problems - IPv4 NAT not working and IPv6 routing failing on Apple clients

IPv6

  • Changed ICMPv6 (ND/NA) source address in some cases to match scope

L2TP

  • Allow L2TP matched incoming sessions to set payload-table
  • Added colours to tunnel and session status

Logging

  • Fix possible syslog buffer overrun

Pcap

  • Improved pcap "self exclude" to only exclude the actual TCP session traffic of the dump, not all traffic to/from the IP of the browser as before

PPPoE

  • Minor change to PPPoE timeout logic - could be disrupted by frequent profile changes

RADIUS

  • Platform RADIUS server ERX parameters now tagged if part of tagged response

Routing

  • Impove some logic where table 0 has no routes and totally mapped via rule-sets (e.g s/w upgrades, etc)

Telnet

  • Option to configure custom telnet prompt

TLS

  • Fix lockup at end of stream on TLS connections

VoIP

  • Separate carrier controls for P-Asserted-Identity, Remote-Party-Id, and Privacy on VoIP carriers. Change of defaults to send PAID and Privacy not RPID
  • Added ACR (Anonymous Call reject) feature on telephone config
  • Included User-Name in RADIUS auth for VoIP (from From header before @) if not otherwise set (based on config user/carrier)

VRRP

  • VRRP low-priority mode (e.g. for profile off) caused flapping

Web control pages

  • User setting to hide "save" button in config edit (i.e. has to do "test" first).
  • Added Content-Language to avoid some browsers offering to translate control pages
  • CSS update
  • Adjust initial timeout to allow for slow TLS handshake
Built 2018-08-22
Older factory release
1.49.000 (Belladonna)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.48.101 to Factory release 1.49.000

BGP

  • Added startup delay for sending BGP announcements to make for cleaner reboots when used as part of a part

Config

  • Tweaked factory default LAN firewall rule to allow from FireBrick to LAN (needed for VoIP)
  • Removing Ethernet port config now sets port back to default settings

CQM

  • Tweak graph logic - was not working if only selecting ave or max latency to show on SVG

FB105

  • Fix internal-ip on fb105 tunnels routing

HTTP

  • Changed HTTP redirect logic to better handle cases where some port mapping is used in front of the web control pages

IPv6

  • Added DNSSL (search list) to RA settings on subnet

L2TP

  • Minor change to handle low buffer scenarios better

LEDs

  • Slight improvement to LED fault reporting

Logging

  • Fixed UTC timestamp on logs (was local time with Z suffix, sorry)

PPPoE

  • PPPoE can now be linked to physical port for direct connection to modem - resetting the port when PPPoE goes down (fixes bug in some modems)

SNMP

  • Various SNMP updates
  • bgp and l2tp now support SNMP treewalk
  • Vendor-specific SNMP for BGP and L2TP reorganized to follow standard table construction. ***NOTE*** this will affect customers using SNMP with BGP/L2TP
  • Add CPU buffer free counts to SNMP statistics

VoIP

  • Tweak for REFER logic, allow refer to match user details with no password (i.e. check IP)

VRRP

  • Corrected VRRP v3 checksum - UPGRADE BACKUP ROUTERS FIRST

Web control pages

  • New css for mobile use
  • Fix wizard when email specified as it caused save error
  • New control of whether logs on web/cli include system logs or not (default not, except for "default" log after factory reset)
  • Config edit not working when clock not set, fixed.
  • Recovery config edit now prompts to save even when no changes as it is not the "live" config
  • Minor improvements to web control pages (extra classes, etc)

Web UI

  • Add TCP throughput diagnostic
Built 2018-06-22
Older factory release
1.48.101 (Avarelli)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.47.100 to Factory release 1.48.101

ACME

  • Install root certificates for use with Let's Encrypt and ACME
  • Better error logging
  • Full ACME system to work with Let's Encrypt

BGP

  • Updates BGP refresh options including sending refresh request
  • Additional BGP shutdown subcodes added
  • Some additional debug for BGP

Config

  • Config top level attributes now include username and ip of last update
  • Config top level attributes now include serial number and version, but normal edit screen no longer has xmlns and xsi
  • IP groups can now reference subnets by name (including DHCP client subnets)

Crypto

  • New key generation logic in place for ACME and related functions
  • Avoid crash soon after startup following auto key generation

Ethernet

  • Fix crash on packet reception when collecting entropy

Firewall

  • Added a block/prefix mapping feature to firewall logic

https

  • Self signed certificates as fallback for initial set up via https

Internal

  • Fix occasional lockup/crash during stream processing
  • Additional stats for entropy collection

IP

  • Increase pending ARP cache and drop if overloaded rather than sending spurious ICMP errors

IPv6

  • Change some logic to reduce use of 2002:: 6over4 address usage as source addresses where possible

L2TP/RADIUS

  • Tweaks to expected timeouts on RADIUS (e.g. for L2TP or session steering) and change default to min timeout 2 seconds total
  • More control of RADIUS timeouts for ad-hoc RADIUS from RADIUS response for L2TP session steering
  • Improve outgoing L2TP handling where target is hostname

Logging

  • Change to outgoing email timeout (spam scans and the like can take a while) RFC5321 4.5.3.2
  • Colour on web log not always correct

Monitoring

  • LED faults (open/short-circuit) are now reported in UI/CLI monitoring section and logged to flash

PPP

  • Send NAK asking for MD5 on receipt of non MD5 CHAP request

RADIUS

  • RADIUS client allowing fixed source-ip, and for ad-hoc L2TP steering uses L2TP source IP if set
  • Fix L2TP relay steering RADIUS min/max timeouts (5/20 not 20/5)

VoIP

  • Fix nc to 1 as we don't store/re-use nonce values. Some systems don't just look for duplicates but actually expect a 1
  • Not picking up media started until something that is not perfect silence is sent as some systems do that!
  • Better handling of overlapping INVITE replies where server is very slow or over long latency links

VRRP

  • Config check for duplicate VRRP MAC in use on different interfaces

Web control pages

  • Change layout of rule-set
  • Changed logic for self signed certificates, and made more transient in certificate store
  • Limit number of self signed certificates to reduce clutter, and avoid possible "make millions of certificates" attacks

Web UI

  • Fix incorrect display of negative temperature
Built 2018-04-19
Older factory release
1.47.100 (Zander)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.47.010 to Factory release 1.47.100

L2TP

  • Edge case where radius relay of tunnel could cause crash when using BRAS mode

Web control pages

  • TLS: Added AEAD-GCM cipher suites - now get an "A" rating with Qualys SSL Labs test.
  • Can now specify a list of possible certificates to be used for https in http config
Built 2018-04-11
Older factory release
1.47.010 (Zander)
Config:XSD Doc
Manual:PDF HTML
This is the first release for this platform.

Older versions | Factory releases | Factory and Beta | Factory, Beta & Alpha