FireBrick Model: FB6000 | FB2500 | FB2700 | FB2900 | SoHo/Plus | FB105

Model Variant: FB2900   Change to: (default is FB2900)

Software Versions: Older versions | Factory releases | Factory and Beta | Factory, Beta & Alpha

Current factory release
1.50.000 (Culbertson)
Config:XSD Doc

Release notes from Factory release 1.49.000 to Factory release 1.50.000


  • Minor improvements to ACME - handling some extra order status responses


  • Additional debug for ignored updates


  • Added more stats (total bytes/packet/drops) to CQM XML


  • PKCS#8 formats now fully accepted and served for RSA and DSA keys


  • Fix TCP download test (was always saying 0 bytes loaded)


  • Changed DNS logic so not simply fallback="true" but fallback-table defined. This means multiple table DNS will default not to fall back now.


  • Slight performance improvements


  • Fix duplicate connection problem after roadwarrior client switches from wifi to 3G
  • Fix Roadwarrior problems - IPv4 NAT not working and IPv6 routing failing on Apple clients


  • Changed ICMPv6 (ND/NA) source address in some cases to match scope


  • Allow L2TP matched incoming sessions to set payload-table
  • Added colours to tunnel and session status


  • Improved pcap "self exclude" to only exclude the actual TCP session traffic of the dump, not all traffic to/from the IP of the browser as before


  • Minor change to PPPoE timeout logic - could be disrupted by frequent profile changes


  • Platform RADIUS server ERX parameters now tagged if part of tagged response


  • Impove some logic where table 0 has no routes and totally mapped via rule-sets (e.g s/w upgrades, etc)


  • Fix possible syslog buffer overrun


  • Option to configure custom telnet prompt


  • Fix lockup at end of stream on TLS connections


  • Separate carrier controls for P-Asserted-Identity, Remote-Party-Id, and Privacy on VoIP carriers. Change of defaults to send PAID and Privacy not RPID
  • Added ACR (Anonymous Call reject) feature on telephone config
  • Included User-Name in RADIUS auth for VoIP (from From header before @) if not otherwise set (based on config user/carrier)


  • VRRP low-priority mode (e.g. for profile off) caused flapping

Web control pages

  • User setting to hide "save" button in config edit (i.e. has to do "test" first).
  • Added Content-Language to avoid some browsers offering to translate control pages
  • CSS update
  • Adjust initial timeout to allow for slow TLS handshake
Older factory release
1.49.000 (Belladonna)
Config:XSD Doc

Release notes from Factory release 1.48.101 to Factory release 1.49.000


  • Added startup delay for sending BGP announcements to make for cleaner reboots when used as part of a part


  • Tweaked factory default LAN firewall rule to allow from FireBrick to LAN (needed for VoIP)
  • Removing Ethernet port config now sets port back to default settings


  • Tweak graph logic - was not working if only selecting ave or max latency to show on SVG


  • Fix internal-ip on fb105 tunnels routing


  • Changed HTTP redirect logic to better handle cases where some port mapping is used in front of the web control pages


  • Added DNSSL (search list) to RA settings on subnet


  • Minor change to handle low buffer scenarios better


  • Slight improvement to LED fault reporting


  • Fixed UTC timestamp on logs (was local time with Z suffix, sorry)


  • PPPoE can now be linked to physical port for direct connection to modem - resetting the port when PPPoE goes down (fixes bug in some modems)


  • Various SNMP updates
  • bgp and l2tp now support SNMP treewalk
  • Vendor-specific SNMP for BGP and L2TP reorganized to follow standard table construction. ***NOTE*** this will affect customers using SNMP with BGP/L2TP
  • Add CPU buffer free counts to SNMP statistics


  • Add TCP throughput diagnostic


  • Tweak for REFER logic, allow refer to match user details with no password (i.e. check IP)


  • Corrected VRRP v3 checksum - UPGRADE BACKUP ROUTERS FIRST

Web control pages

  • New css for mobile use
  • Fix wizard when email specified as it caused save error
  • New control of whether logs on web/cli include system logs or not (default not, except for "default" log after factory reset)
  • Config edit not working when clock not set, fixed.
  • Recovery config edit now prompts to save even when no changes as it is not the "live" config
  • Minor improvements to web control pages (extra classes, etc)
Older factory release
1.48.101 (Avarelli)
Config:XSD Doc

Release notes from Factory release 1.47.100 to Factory release 1.48.101


  • Install root certificates for use with Let's Encrypt and ACME
  • Better error logging
  • Full ACME system to work with Let's Encrypt


  • Updates BGP refresh options including sending refresh request
  • Additional BGP shutdown subcodes added
  • Some additional debug for BGP


  • Config top level attributes now include username and ip of last update
  • Config top level attributes now include serial number and version, but normal edit screen no longer has xmlns and xsi
  • IP groups can now reference subnets by name (including DHCP client subnets)


  • New key generation logic in place for ACME and related functions
  • Avoid crash soon after startup following auto key generation


  • Fix crash on packet reception when collecting entropy


  • Added a block/prefix mapping feature to firewall logic


  • Self signed certificates as fallback for initial set up via https


  • Increase pending ARP cache and drop if overloaded rather than sending spurious ICMP errors


  • Change some logic to reduce use of 2002:: 6over4 address usage as source addresses where possible


  • Tweaks to expected timeouts on RADIUS (e.g. for L2TP or session steering) and change default to min timeout 2 seconds total
  • More control of RADIUS timeouts for ad-hoc RADIUS from RADIUS response for L2TP session steering
  • Improve outgoing L2TP handling where target is hostname


  • Change to outgoing email timeout (spam scans and the like can take a while) RFC5321
  • Colour on web log not always correct


  • LED faults (open/short-circuit) are now reported in UI/CLI monitoring section and logged to flash


  • Fix occasional lockup/crash during stream processing


  • Send NAK asking for MD5 on receipt of non MD5 CHAP request


  • RADIUS client allowing fixed source-ip, and for ad-hoc L2TP steering uses L2TP source IP if set
  • Fix L2TP relay steering RADIUS min/max timeouts (5/20 not 20/5)


  • Additional stats for entropy collection

UI monitoring

  • Fix incorrect display of negative temperature


  • Fix nc to 1 as we don't store/re-use nonce values. Some systems don't just look for duplicates but actually expect a 1
  • Not picking up media started until something that is not perfect silence is sent as some systems do that!
  • Better handling of overlapping INVITE replies where server is very slow or over long latency links


  • Config check for duplicate VRRP MAC in use on different interfaces

Web control pages

  • Change layout of rule-set
  • Changed logic for self signed certificates, and made more transient in certificate store
  • Limit number of self signed certificates to reduce clutter, and avoid possible "make millions of certificates" attacks
Older factory release
1.47.100 (Zander)
Config:XSD Doc

Release notes from Factory release 1.47.010 to Factory release 1.47.100


  • Edge case where radius relay of tunnel could cause crash when using BRAS mode

Web control pages

  • TLS: Added AEAD-GCM cipher suites - now get an "A" rating with Qualys SSL Labs test.
  • Can now specify a list of possible certificates to be used for https in http config
Older factory release
1.47.010 (Zander)
Config:XSD Doc
  • Factory release
  • Increased memory buffer to allow larger code to be uploaded - breakpoint release needed to ensure existing units can load later code
  • Factory release needed for chipset variant at factory
  • Work around on new ND validation, another fix
  • Possible startup / crash issue fixed.
  • Issue for testing DHCP server.
  • DHCP server fixes
  • Possible crash on pcap dump of heavy traffic, fixed
  • Last issue has problems, do not load
  • DNS relay fixes in place now
  • Fixed nat attribute on subnet, and dhcp server crash
  • Test build - testing build system changes
  • ET was phoning home too often - daily s/w check was being done every 2 minutes, doh
  • Crash in last couple of issues, doh
  • Improved ARP/ND timing
  • DHCP server was not quite right in last few releases, fixed
  • ARP issue, could get stuck in some cases
  • Some quirks with recent ARP handling code fixed
  • Serious issue with ARP responses in recent builds
  • Bug fixes. Crash some times on config save, and an obscure ARP/ND race condition
  • Test build
  • First factory release candidate - core functionality completeBug found in DNS resolver, so withdrawn
  • DNS resolver issue causing crash
  • Issue with handling of some reply packets fixed, e.g. DNS resolver function
  • Changes to IPv6 ND handling for FE80::/10 LL addresses, was affecting windows machines
  • Factory release candidate - new web config
  • Factory release candidate
  • Canditate factory release
  • Candidate factory release
  • Fixed DHCP issue which stopped reuse of expired allocations
  • New logging system now handling email, more work to do but should be a safe build to try
  • Various improvements since last beta
  • Added memory usage to one second stats
  • Possible obscure issue with DHCP server code fixed - probably only when default dhcp server user (i.e. ip not set)
  • Added new show status command on telnet, and reformatted web status page
  • Does not auto update and reboot if in factory reset recovery state
  • Auto upgrade software not done if new software already in flash, stops a crash causing a loop.
  • Updated documentation
  • Draft documentation included in releases
  • Release candidate for testing
  • Release candidate
  • URLs fetched from the FireBrick for any reason now handle IP literals.
  • Better error message on ip group name syntax check
  • Added link to upload new config on factory reset screen
  • Added link to upload new config on soft factory recovery screen
  • Change to persistent data storage logic and timing
  • Changed [not] to [inverted] in Profile logging text.
  • Option for URL to GET before a controlled reboot - mainly to warn nagios


  • Minor tweaks to ARP timing
  • Proxy ARP/ND logic was causing proxy ARP even when routing is to a next hop on same LAN, and so hijacking all IPs
  • Improvements to ARP handling - reduce chances of unexpected no route to host on first packet
  • Change to respond to requests that are normally considered an invalid/broken configuration (seen from sharedband bonding kit)


  • Timing improvements to prevent corner case of IP not getting allocated if recently unused


  • OATH/OTP login feature added
  • OATH/OTP update - lockout after failed attempts, etc
  • Users can now be restricted to a routing table.


  • Delay up to 15 mins to give FB a chance to get the time before performing an auto upgrade; Correct logic for checking if image already present in flash.


  • Adjusted RR logic on BGP to avoid incorrect messing with next hop decision
  • Changed BGP to silently ignore routes where we are already the next hop
  • BGP change to still process withdraw in same packet as silently ignored routes (typically if using route reflectors)
  • Added peer level export-med to set MED on exported routes (unless explicitly set in export filter) as this is commonly the only export filter
  • Made local routes (apart from dead-end) take priority over equivilant BGP originated routes
  • Changed ttl-security option to be 1 to 127, and use -ve as meaning force TTL sending and no checking
  • Added import-localpref at peer level as a common global setting on EBGP links
  • Correct BGP route tie break where one route has MED set and one does not. No MED set is now treated as MED 0 correctly
  • Colours on BGP status on web page
  • Corrected AS list in show routes to handle multiple sequences (was showing with no separator)
  • New filter option to check for community present in a route
  • Showing BGP route details shows additional community tags as well
  • Fix for BGP config where local IP is DHCP, meaning BGP did not start up unless a local-id was set
  • Fix BGP import/export filtering which only considered first match rule
  • Allow use of pad on BGP peer if add-own-as set, even on ibgp
  • new use-vrrp-as-self (default true) means the next hop used in BGP will use an appropriate VRRP address if possible
  • Corrected BGP ingress filtering to allow detagging the standard community tags
  • Made BGP next hop logic consider routes to dead end and to network as non feasible (previously they were feasible but could not route)
  • Fix race condition allowing BGP peer to vanish in rare conditions
  • Change to use-vrrp-as-self now correctly re-announces the changed next hop
  • Added reduce-recursion option to BGP
  • No fib option on Blackhole routes (EBGP only and non FIB)
  • New "grey hole"community tag for IBGP to pass blackhole routes that have no-fib set, so routes get to EBGP for external blackhole announcements
  • Obscure race condition on BGP shutdown could cause a crash
  • Fixed config to only allow one list of import and one list of export rules under bgp peer, as only first in list was checked anyway
  • Fix debug log of accepted prefixes on BGP, was showing garbage extra bits
  • More info on BGP peers


  • Minor change to bonding to minimize packet reordering on arrival


  • Startup sequence updated


  • Changes to image timestamp processing to avoid occasionally seen wild timestamps way in the future.


  • This release includes a boot loader update which incorporates a number of minor changes


  • Minor change to low buffer checks for TCP management interfaces and L2TP


  • The show flash log command is now available to admin users
  • Added new command line to clear data pages in flash
  • New show routes command not BGP specific
  • Changed show [bgp] route command to list where each route is directed.
  • Allow abort by pressing a key on the show routes command.
  • Tidied show dhcp command
  • Fix telnet timout on users setting timeout 0 to not logout.
  • Implement several readline-style line-editing sequences
  • Add two more control sequences - Ctrl-T and Alt-T
  • Fix obscure race condition which may cause panic when logging to command line (console).
  • Fix double line spacing on some command line output
  • Added a "show run" and "import config" in telnet/command line allowing dump and upload of raw XML.
  • ping and traceroute commands no longer need =true when specifying dontfrag or xml
  • Spacing of columnated output improved
  • Add command output filtering capability to CLI (telnet and serial link)
  • Fix crash in CLI when default logging is set to console
  • The "show route" and "show routes" commands have been combined to avoid ambiguity; If '?' is used to output command details the command help info is displayed, unless all commands are listed
  • Command line completion could complete keyword arguments incorrectly
  • Increase CLI regexp buffer to support lines up to 300 characters
  • Fix lockup problem when doing command completion
  • Debug command for DNS cache
  • Eth/Switch stats display layout improved
  • Command completion was not working correctly
  • Show dhcp command layout fix
  • show tasks allows stack trace information for debug


  • Fixed factory default config for dns host name - this means a new factory release of code.
  • Subnet mtu states default based on interface.
  • Increase internal storage for config by 33%
  • Password now mandatory on user field, and error if blank and not using OTP
  • Added extra notes on localpref to explain highest value wins
  • Minor change to wording on web config
  • Added <blackhole.../> and <nowhere.../> as explicit routing objects rather than using <route.../> with no gateway.
  • as-path only on network object as was not in fact functional on route object
  • Changed default config - using LAN and WAN as interface and port group names and added more comments
  • Documented that a login timeout of 0 means no timeout but not in ip-group users
  • Mandatory port on interface. Missing port on interface picks first port else creates a fatal error
  • New option on subnet controls if DNS is accepted when acting as DHCP client (default true, obviously)
  • Corrected parsing of an IP using final :: in place of :0 (i.e. seemed to have too many colons)
  • Not generating initial or trailing :: on IPv6 addresses where only one block replaced
  • Removed redundant fast-reboot options
  • Correct detection of which features are enabled in UI config edit
  • Added field length restriction checks on graph names
  • Allow colon, dot or hyphen inter byte punctuation in HEX in config
  • Replaced shutdown with profile on ethernet control settings
  • Added "Test" option to config save to automatically revert if not properly saved within 5 minutes.
  • Fix profile "traffic lights" in config edit (did not change state on some browsers)
  • Check each interface has a unique port/vlan setting. Invalid configs will still load on bootup but must be corrected before resaving.
  • Storage and management of certificates and keys added (cannot be used effectively yet).
  • Default user password generation now salted SHA256
  • Minor change to factory reset config (WAN port name changes)
  • Port LED config option "Cycling" removed. [May be reinstated in the future.]
  • Profile control of LED colour
  • Config edit was reporting that someone else had changed config, on save...
  • Improved ethernet port LED config settings
  • Clarify profile test for dongle state is 3G PPP state
  • IPv6 addresses use lower case when output as a config view.
  • Change of attribute name in dns local records
  • Corrected cqm share-interface on web config to only list ethernet interfaces
  • Made local-only optional again and default true for http services
  • Minor change to way simultaneous config changes are reported on web pages

Config editor

  • Config editor did not show advanced selected option entries that are blank if without Show all


  • Bug if graphs trying to scale to just under 4Gb/s, showed scaled at bottom end in error. Fixed.
  • Not including old (off screen) rate changes in max scale on graphs
  • CQM graphs now in alphabetic order
  • Shaper sharing system
  • Hourly rate line on CQM graphs
  • Correct for rare race condition leading to multiple graphs of same name
  • Adjusted handling for mismatched speed shared shapers when all reaching limits to balance dropped packets in ratio to share of speed
  • Added Y scale fixing on CQM graphs (Y option)
  • Corrected URL processing for CQM where using x=value/x=value type syntax
  • Change to ping scan and cqm polling functions to be more aligned to real time seconds, ready for when we do NTP fully
  • Fix for long term shapers which only worked if sharing of shaper was set
  • Graphs show min and max rate limit per hour now
  • More corrections on long term shaper logic
  • Long term shapers were not actually applying the shaper limit, it seems, even if worked out correctly
  • Changed min line on graph to be dotted
  • Configurable latency Y axis
  • Ping only graphs (i.e. no throughput) now have standard deviation on ping timings
  • Minor change to default colours
  • Corrected showing of "off line" on graphs
  • Minor tweak on graphs
  • Setting Y axis latency in ms on graphs as part of URL
  • Removed standard deviation from CQM graphs
  • Added reject count on ping grpahs (ICMP error response) - new CQM xml definition
  • Changed fail on graph (dripping blood / red), and reject, to be percentage based
  • Off line detect on graphs with no timing (e.g. FB105 tunnels) was wrong, causing yellow traffic light
  • Added CQM logging of when graphs start and stop responding
  • Fixed use of = on numeric arguments for CQM graph URLs
  • Refinded when keys show on graphs
  • Added additional stats to CQM XML
  • Long graph names are now mapped to a hash to fit within size of graph name internally
  • Removed some debug log for pings/DNS
  • Changed to hash used for extra long graph names
  • Updated graph names to 40 characters max, and allow colon in graph name
  • Tweak URLs for images of graphs to allow for graphs that look like a URL and break some browsers
  • SVG for CQM graphs
  • More slight tweaks - edge case of SVG for unknown CQM graph (i.e. blank graph) with title text enabled caused a crash...
  • Slight changes to SVG (slightly bigger) to add id to some fields and include off image (cropped) data to allow some post processing (e.g. merging graphs)
  • CQM SVG now includes option for markers on the tx/rx lines like the old PNGs did - by popular demand, CSSable.
  • SVG CQM graphs did not show "damping"
  • Added additional checkings on CQM shaper sharing to allow for erroneous negative traffic counts
  • Change logic for adjusting shared shapers when hitting limits to favour unit dropping most packets more


  • Some additional logging for impossible packet headers requiring split for MTU


  • Additional options in DHCP client
  • Changed DHCP server to serve bricks IP as DNS server allowing it to relay, unless explicit servers set in config
  • DHCP client sets /32 routes for DNS servers provided
  • Clear DHCP command now allows range/prefix to clear multiple entries
  • Option to kill a DHCP allocation from web interface (DHCP status) now
  • Change handling of BOOTP to operate as a REQUEST not DISCOVER so causing allocation of lease
  • Added new lock and unlock feature on DHCP allocations
  • Added ability to manually set the name of DHCP allocations
  • Added interface name on DHCP server logging
  • Corrected tool tips on Kill/Unlock
  • Fix for possible lock up causing watchdogs in some cases
  • DHCP address allocation for new devices changed to be more reliable
  • Finally found issue with "no IP available" on DHCP serving.
  • Fix DHCP allocation error when using with multiple subnets available
  • Allow allocated IP on one interface to move to another valid interface for that IP for same device if no other IPs available
  • Simpler DHCP options for vendor specific (43) options
  • Subnet list shows pending DHCP client subnets
  • DHCP server now does not send default router, subnet, lease, renew, syslog, timed, ntpd, domain, domain-search, if there are manually configured response attributes for these
  • DHCP server no longer no longer sends "name" attribute as host-name (12). Configure as an extra string attribute if required
  • Improved DHCP clear command and added link to clear all old DHCP
  • Tweak DHCP server to use chaddr field not source MAC
  • Tweak to DHCP to allow renew of IP where ARP shows MAC as matching either chaddr or source MAC of request
  • Improved algorithm for selecting which restricted IP pools apply
  • Added a bit of sanity check on DHCP renew/expiry values received
  • Change DHCP retry to restart back off at expiry
  • DHCP relay/remote server logic
  • Tidy up DHCP logging messages
  • Additional DHCP logging, and (debug) logging if seems to be another DHCP server present
  • Improved logging when no IP is avaliable to help with diagnosis
  • Fix problem where wrong restricted dhcp entry could be used
  • DHCP client Class and Client-Identifier now configurable
  • Internal change to handling of DHCP server when searching for a suitable IP
  • Internal change to try and resolve issue where DHCP has been seen to cause a lock up and watchdog on some systems
  • Added domain-search attribute, as it is specially coded
  • Typo in DHCP logs
  • DHCP log of moving IPs between interfaces was crashing, fixed
  • Extra debug counters for DHCP client
  • Tweak for FireBrick as a DHCP client working via DHCP Relay Agents
  • Minor tweaks to DHCP server as per RFC6842 (correctly returning client ID)

DHCP Server

  • Minor tweaks to make NAK meet later RFCs


  • Rebind handling corrected (was being ignored)
  • Tested on Zen IPv6 PPPoE/DHCPv6 - addressed a number of issues, now working


  • Tidy up the traceroute command to allow more than one attempt per hop, and some bug fixes
  • Access list check (command and web UI)
  • Ping and Traceroute diagnostics now have a "Don't fragment" option (for IPv4)
  • Max ping payload adjusted to ensure reply from ethernet will be accepted
  • Temporary diagnostics added for tracking down odd problems
  • Ping and Traceroute no accessible using GET as well as POST. GET assumes XML output
  • Fixed crash when more than one ping or traceroute diagnostic was run concurrently
  • Showing routes was truncating if too many routes - buffer size increased


  • Bug in DNS caching that could have caused other side effects in other systems - fixed
  • Added new feature under services/dns to allow local DNS responses including based on DHCP
  • Local DNS not working for EDNS0 queries including internal lookups, fixed
  • DNS resolver negative caching handling and tweaks to handle VoIP DNS lookups where CNAME used
  • Corrected negative caching timings
  • DNS resolver no longer caching SOA as it was not expanding the MNAME/RNAME fields correctly
  • DNS server now ignores expired DHCP allocations
  • Malformed DNS packets could cause crash, fix
  • Added sanity check on TTL (1 sec to 3600) for internal caching
  • Change to DNS server load balancing and timeout logic
  • Status of DNS servers now on web config pages
  • Min nxdomain of 10 seconds now
  • DNS resolution and caching is now routing table specific
  • DNS fallback option - for incoming requests if no server in required routing table relay to any DNS available - default true
  • DNS fallback (default on) allows use of other tables for local lookups within the firebrick
  • Random DNS source port for additional security
  • Timeout of long-latency replies from DNS servers was flawed.
  • Custom DNS responses can now be restricted to specific interfaces
  • More aggressive DNS cache expiry where multiple entries have different TTL
  • Better cache handling when being flooded with requests to cache limit
  • Option to turn off local caching of relayed DNS lookups
  • DNS response times made a bit more adaptive to handle cruise ship levels of internet latency
  • DNS config allows resolvers table to be specified without restricting access to DNS caching function
  • Incorrect ARCOUNT in cached responses when EDNS0 request used
  • Possible race condition in DNS tracking
  • Slightly more aggressive clean up of domains with expired cache or caching limits reached
  • Possible rare quirk that could cause a DNS resolver to be ignored/blocked
  • Tweaks to DNS handling capacity for high load
  • Some aspects of local DNS were case sensitive, fixed
  • Fix for local IP (e.g. not returning A record when IPv6 DNS used, and other way around.


  • Alphabetic order for documentation of config.
  • Corrected description of interface object
  • Started work on addition information on config documenation


  • Colour on dongle status
  • Default if no route= set to also set /32s to DNS servers as well as default route
  • Dongle reporting negotiated DNS servers in status
  • Fixed buffer leak and resulting watchdog panic caused by dongle negotiation repeatedly failing.


  • Fixed a problem in TCP processing which could cause a hand-crafted poison TCP packet to crash the FB


  • Changed autoneg setting on ethernet ports to default to false if manually setting speed or duplex and not 1G
  • Added layer 2 interface mapping function (map port/VLAN to port/VLAN directly no session track or firewall)
  • Ethernet MTU/MRU max increased to 2000 bytes (default is still 1500).
  • Add new Ethernet DoS-detection parameters to config
  • Don't log transmit queue full errors (txqfull) caused by physical port being down
  • LACP send and receive/status
  • LLDP send and receive/status
  • Port trunking options (with or without LACP)
  • Improve ethernet receive processing and CPU load monitoring
  • Support 1500-byte VLAN-tagged packets
  • Increased MTU to around 4k

Factory default

  • Made factory default have local-only set true on http access
  • Changed factory reset to have as local DNS for the firebrick itself
  • Factory default no longer does RA for 2001:DB8:: subnet. Quickstart guide being changed to match

Factory Reset

  • Changed so factory reset is DHCP client on WAN and DHCP server on LAN

Factory reset

  • Default timeserver set to rather than

Factory Reset

  • Removed nonexistent LAN4 from factory reset config

Factory reset config

  • Added PPPoE client in factory reset config on LAN as well as WAN
  • Changed factory reset to be consistent with separate LAN ports

FB105 tunnel

  • Log (rather than crash) if a badly fragmented 105 tunnel packet is received


  • Timezone fixes on config convertor
  • Various corrections to config convertor for latest releases
  • Improved fb105 config conversion for VLAN handling
  • Convertor making more sensible names for things like "24-7"


  • Improved traceroute through mapped IPs
  • Tweak for firewall logic where target interface is a 6 to 4 tunnel to resolve final interface
  • Fix to NAT64 logic where target is nowhere/network
  • Session tracking timeouts for native IPsec (ESP/AH) increased (was 5 seconds)
  • NAT-PMP and PCP handling (experimental)


  • Avoid flash fragmentation by deleting old images if necessary before saving new image.
  • Image priority tagging removed. Flash contents display shows penalty but no longer priority.
  • Change to flash block allocation strategy to spread block usage.
  • Avoid watchdog during flash write when CPU is busy
  • Improve flash scheduling; should fix occasional "Bad end read" crashes.
  • Fix another flash scheduling problem causing occasional crashes


  • Various additional debugging code added
  • Better logging to flash of source of s/w load or reboot commands
  • Several minor internal changes that should improve stability


  • Added lightweight source filter option on interface: "blackhole" that checks source address is routeable to anything sensible, allowing blackhole routes to block source traffic


  • Increase stack sizes and make route loop counter an error counter
  • Adjust buffer pool sizes and thresholds to avoid buffer depletion
  • More buffer count stats added to TCP


  • Changed broadcast restriction on subnet to only effect externally sourced packets
  • Added ARP/ND link state test to work at subnet level
  • Made Wake on LAN a separate diagnostic and linked to DHCP
  • Better handling of UDP port allocation clashes
  • Internal change to avoid possibility of recursive tunnelling overrunning buffer space
  • UDP/TCP port binding counters added to one second stats
  • Allow UDP to VRRP address - used for DNS, and RADIUS, etc.


  • Peer IP added to log messages
  • Add debug logging of IP allocations
  • Fix crash when certificate named in connection is missing


  • Adjust handling of RA client to cope when more than one RA has same SLLA (e.g. VRRP) from different hosts
  • Fix default arp timeout on RA client and PD subnets
  • Fix for ND responses for FE80::/10 LL addresses matching our MAC prefix (we answered all requests even if specific MAC not in use)
  • Adjusted routing for FE80::/10 so all interfaces are equal metric to locate LL endpoints
  • When turning off RA we were sending an RA making prefixes valid for infinity rather than 0
  • Adjusted IPv6 neighbour announce to set O flag on link local addresses


  • Tidy the logic for CQM on slow LCP echo to show actual sent count.
  • Added require-radius-acct option to L2TP, clearing connection if RADIUS accounting fails
  • L2TP clearing of dead tunnels improved (some edge cases left tunnels never clearing)
  • New L2TP config option to allow both LAC and LNS as NAS IP and port in RADIUS
  • Added additional SNMP L2TP for session negotiation slots that are free: iso.
  • PPP LCP restart if not negotiated after 30 seconds and an LCP restart has not been tried already
  • Added RADIUS Framed-IPv6-Prefix
  • Option to mark an L2TP session as isolated, i.e. not allowed to pass directly from another L2TP session
  • Added relay-local-ip config for L2TP to control the IP used for relaying connections, and extra debug info
  • Odd case of tunnels/sessions clearing with negative timers, logic changed to avoid this
  • Change to way hashes are handled for session steering
  • Using web page to kill L2TP session bypassed normal RADIUS accounting for closing session
  • Tweak behaviour if all RADIUS servers not responding
  • Malformed L2TP packet could cause crash


  • Option to control the hashing used for trunking
  • Default LACP mode is passive for non trunked ports as some switches are strange


  • LED driver restructuring and timing improvemens.
  • Ensure LEDs start up in cycling (knightrider) mode


  • Adjusted email log sending to use CR+LF on all contents lines as per RFC2821, rather than just LF as is convention on linux system
  • Fix for rare case causing crash after emailing a log.
  • Email has boot date/time in text at top now
  • Emailed logs were re-sent on every config change, fixed
  • Changed syslog to use UDP non encrypted RFC5424 logging with microsecond precision. Affects all log lines as module name added
  • Added option to specify source IP for syslog messages
  • Documentation updated, and console log off/on commands now TROFF and TRON
  • log-starts logs start and stop of stats logging
  • Occasional crash in logging when lots of information is logged.
  • Possible fix to issue causing occasional unexplained crashes
  • Bug where viewing logs on web pages could cause crash, fixed
  • Removed hex dump debug log of DHCPv6 - as cluttred interface debug logs and better done using pcap
  • Log email sending retry logic changed
  • Added much more debug for log-debug for logging email sending
  • Improved formatting of replay from previous run flash log on boot up
  • Removed unused log types for SNMP trap (will move to profiles) and SMS (may be added later)
  • Minor changes to default settings for system log messages
  • Log target UI extended to enable setting of colour to be used in web log view. Critical system error counters are now logged to the system error log target every second, and by default displayed in red.
  • Additional one second stats and change to the way counters are shown on them
  • Improve flash log replay at system startup. Should fix problem with non-detection and emailing of panic logs.
  • New log-config setting in system to specifically log config changes
  • Avoid crash when displaying logging using CLI
  • Fix crash when displaying logs using colours
  • Fixed issue with logging causing occasional bad buffer address panics
  • Improve logging efficiency and avoid dropped log messages
  • Fixed http logging of graph URLs
  • Detect closed browser window, and close TCP session, when displaying log
  • Logging of panic message was not working correctly - fixed.


  • Logging of config changes was not working correctly if system log-config was set


  • Rework of web logging to use web sockets and better layout, and allow download
  • Better wording for missed log entries
  • Tweak to delayed logging (email) so it may send on controlled shutdown


  • Added the config field and data type descriptions as an appendix to the manual
  • Updated command line reference in manuals
  • Added some more IPsec doc and corrected some other minor typos in manual
  • Corrected explanation of trusted, local-only, and allow controls in manual
  • Document LED config settings
  • Updates to manual covering scripted access and special URLs


  • Some updates to manuals - reworking CLI references
  • Additional work on manual - note several sections removed from FireBrick web site as they are now in the manuals with each s/w release


  • Fix leak in TCP port allocation when sending log emails or downloading URLs
  • Improve error message if auto s/w or capability upload fails


  • Changed NAT logic to have longer session timeout after TCP closes to avoid accidental re-use of ports in FIN WAIT


  • NTP server field name now changed name and set to default which is Please configure any preferred ntp servers
  • Added option to set ntp poll rate, will be removed/changed when we do NTP fully.
  • Better error logs for NTP / clock setting
  • Better NTP back off logic
  • Option for fast-retry for NTP until clock first set


  • Change to improve shutdown / reboot sequencing and timing


  • Fix to ethernet drivers port up/down handling
  • More details in thread statistics report
  • Improved watchdog error reporting
  • Further improvement to watchdog panic diagnostic
  • Some thread priorities adjusted.
  • Minor performance enhancements.
  • Introduce new flash driver - currently for alpha builds only
  • OS Stream and TCP restructure
  • Improve scheduling control when CPU is busy
  • Improve OS interrupt scheduling to reduce possibility of panic under heavy load
  • Change of default value in new ethernet interrupt code config to address possible latency issue under load
  • Another modification to interrupt management to help with overload
  • Fix incorrect flash log replay output at system startup


  • Area ID was not set from config
  • Started work on OSPF


  • Allow more than one OTP with same key if different serial number
  • Made web & telnet login prompt for OTP authenticator code so can be entered separately from password
  • Added advice on printing and storing QR code in case phone fails


  • Not upgrading passwords to SHA256+15, but to SHA1+3 so backwards compatible if code revertse


  • Added more useful error messages for malformed pcap requests
  • PCAP giving better error messages
  • pcap web interface allowing multiple select interfaces to match underlying capabilities


  • Ping setting on interface was not always starting the pings, and not stopped when config removed. Fixed
  • Ping graphs can now use a host name
  • Allow payload size to be specified in ping config and when setting up a ping graph dynamically
  • Allow routing table to be specified in UI graph ping setup
  • Prevent dynamic ping start/stop affecting a configured ping
  • Not trying to print reverse DNS on ping command while waiting DNS response
  • Allow configuration of larger ping packets
  • Slow setting on ping now defaults to auto, i.e. when no proper replies for 2 minutes, but can be set true or false
  • Logging for ping graphs (e.g. DNS lookups, etc) now to CQM logging target
  • Added ping stats on ping command line and web (was already in XML)
  • Ping diagnostics "loss" stats were including ICMP errors as well as correct responses
  • Show ping/traceroute response coming back on wrong table
  • Added ping stats to XML for ping/traceroute
  • Web/command line ping stats showed wrong average


  • Knightrider pattern (displayed when no ports connected) was running too slowly


  • Avoid spurious port down messages at startup.


  • IP over LCP rx handling added. I.e. LCP with code 4X or 6X assumed to be IP.
  • PPP LCP restart on unexpected IPCP, IPV6CP, CHAP or PAP
  • Improvements to checking and timing in PPP processes
  • Slight change in PPP sequence numbering
  • Minor tweaks, including new accept-dns in dongle config
  • Improved debug / logging for PPP connections
  • Support PAP as client login on PPP
  • Adjusted retry timeouts on PAP/CHAP requests
  • Corrected PPP client PAP continuing to IPCP
  • PPP challenge response resend on no accept/reject response
  • Better timing of PPP LCP when using dummy auth (no authentication)
  • Ignoring unknown PPP/LCP protocol reject now
  • Closing PPP if IPv4 and IPv6 terminated or rejected
  • Fix minor discrepancy in NAK and REJ logic on PPP
  • Tweak to avoid resend of CHAP response to challenge if LCP restarted
  • Checking proxy LCP now accepts stupid LACs that claim to neg longer PAP/CHAP LCP messages if they otherwise look OK


  • Did not do multiple PPP sessions on different ports if same session ID was being used, fixed
  • LCP negotiation now logged as log-debug
  • Default if no route= set to also set /32s to DNS servers as well as default route
  • Added return of Relay-Session-Id received in PADO to PADR sent
  • Adjusted PPPoE logging so as not to fill logs with requests that are not for us
  • ip-over-lcp on PPPoE now defaults to "auto" which means it is set if it receives IP over LCP
  • Fixed BRAS L2TP/PPPoE mode to correctly cope with ip-over-lcp setting
  • Added MAC address to PPPoE logging
  • Fixed debug logging of PPP negotiation in PPPoE BRAS mode
  • Faster PPP negotiation PPPoE
  • Better error reporting on PADT messages
  • Cleaner PPPoE shutdown in BRAS mode on reboot (not accepting PADI after shutdown starts)
  • Fixed bug in L2TP/PPPoE/BRAS mode when session ID exceeded 255
  • Added first stages of PPPoE prefix delegation for IPv6 for testing (not yet doing IA or DNS, just PD)
  • Changed pd-interface on PPPoE to default to "auto" meaning interfaces without existing RA serving prefixes
  • Fixed PPPoE/DHCPv6 to handle more than one prefix delegation correctly
  • Handling local IPv6 by DHCPv6 on PPPoE
  • Handling IPv6 DNS by DHCPv6 on PPPoE
  • IPv6 DNS by DHCPv6 on PPPoE now addig /128 route consistent with IPv4 DNS
  • PPPoE/DHCPv6 PD times requested now more sensible, not infinite
  • Further PPPoE timing improvements
  • Corrected lifetime on router announcement from prefix delegation - was sending infinite
  • Better handling where no IA returned in DHCPv6 but PD is returned
  • Corrected log and log debug operation for PPPoE
  • Additional security checking on DHCPv6 client used in PPPoE
  • PPPoE not working if no IPv6, doh, fixed
  • Config change losing external PPPoE IPv6 address from routing
  • Fixed IPv6 prefix delegation timeout issue
  • Issue with IPv6 DNS servers not working on a second PPPoE client connection if same as previous
  • Tweak to handle multiple service responses in PADO
  • Was incorrectly adding far end IP as a DNS server
  • Added some level of backoff on PADI, longer if never seen PADS
  • Fast-retry option on PPPoE
  • Tweak to PPPoE startup sequence
  • Tweak PPPoE client to change Host-Uniq as some systems misbehave if always the same
  • PPPoE was not authenticating, Fixed
  • Added explicit control of RFC4638 PPPoE tagging (default for >1492 MTU)
  • PPPoE was not handling priority tagged VLAN packets well
  • Tweak to PPPoE client back-off when connections start but don't complete
  • IPv4 local end would "stick" if changed from having IPv4 to not (i.e. IPv6 only)
  • Tweak PPPoE Host-Uniq


  • Improved logging after non state change profile
  • Date/time profile tests when not clock set assume initial state
  • Date/time profile tests now have comment field in config
  • Change to profiles use of and/or/not so these are tested on the "interval" rather than being immediate in some cases


  • Tidy wording on profile changes for new invert feature
  • Did not work checking vrrp state
  • Ping via explicit gateway now bypasses session tracking
  • Selecting fb105, ppp, route, and, or, vrrp, that have no entries now gives an error
  • Changed logic so "or" profile with no other settings and none of the "or" profiles match will fail not pass.
  • Corrected timeout/recovery logic
  • Added initial-state option on profiles
  • Profiles tracking ppp did not spot if a PPP went off because it was itself turned off by profile config
  • Changed logging for profiles so "still active" and "still inactive" logs are log-debug now
  • Changed wording on logs for inverted profiles
  • initial state of profile with set="..." now uses that setting not initial="..." value
  • Fixed bug - a ping profile with no routing to send the ping was causing buffer loss
  • Possible problem in ping profiles could result in a watchdog failure
  • Clarified wording for and, or, and not, tests in profiles
  • Clarified meaning of timeout and recover as times not number of tests
  • Option for profiles based on a simple switch on home page
  • Converting a profile to a control-switch now sets control-switch to previous profile state when config loaded
  • Profiles can now test an ethernet port status
  • Slight change to control switch graphic
  • A new control switch profile will now start with the initial value.
  • Control switches can now use and/or/not logic to enable them to be set or reset by other profile changes.
  • Added setting for expected (good) state of a profile, showing as green in status if expected, and listed unexpected on home page
  • Added profile to fixed ping graph config, and made ping on interface subject to interface profile
  • Control switches no long show by default on NOBODY level users or those without full config access unless specifically listed in the control switch users
  • Forcing a config load which has a reference to non existent profile could cause a crash
  • Profiles now allow checking of outgoing L2TP tunnel state
  • A profile with "expect" set now shows the LED (if set) when not in expected state. If "expect" is not set it shows when profile is active.
  • Changed control-switches to use comment on screen not name


  • Fix buffer leakage if RADIUS servers time out
  • Platform RADIUS allows configurable secret based on matching rules
  • Platform RADIUS has option to require authenticator in request
  • Platform RADIUS supports RADIUS-Status-Server message
  • Platform RADIUS now logs the requesting IP and target IP
  • Sanity check on timing stats on RADIUS server
  • Added RADIUS timeout scaling factor
  • Fix race condition
  • Platform RADIUS nas-ip match was not right


  • Factory reset using ports 1 and 4 was not working


  • Diagnostics for routes shows reason for ordering


  • Correctly sending ICMP errors for dead end routes
  • Routing loop detection improvements
  • Possible issue with watchdog failure being addressed
  • Network statement was not using profile, fixed
  • Added gateway feasibility testing to static routes in the same way as BGP routes,
  • Changed logic for next hop checks where gateway is on multiple subnets, where at least one of which does not answer ARPs causing route to be suppressed
  • Source filter option on interface to help with BCP38
  • New source-filter-table setting on interfaces to allow separate source filtering lists to be managed using routing tables
  • Path/community fixed settings in routing config with multiple IPs listed caused error on memory allocation
  • Improved checking for route loops
  • Avoid route updates hogging all CPU
  • Next hop feasibility checking failed to spot when an Ethernet next hop stopped answering ARPs
  • Next hop logging is now separate system log target
  • Improve route caching update on deep recursive routes changing
  • L2TP source routing check could, in some cases, cause a crash if routing for IP is primarily via different route (e.g. BGP) with L2TP as fallback
  • Changed linked routes display, e.g. for L2TP sessions, to be more logical
  • Minor change to internal routing/ARP cache functions to test a specific bug report.
  • Better next hop change detect logic (less trigger happy on config changes)
  • Adjust hash logic slightly
  • Changed internal routing logic for "next hop" based routes to be more efficient

s/w upgrade

  • Longer backoff on s/w upgrade checks where no DNS available


  • Introduce packet sampling (IPFIX/sFlow) [not yet documented]


  • Added manual section on OTP
  • Interface can be marked "wan" to consider it not local for "local-only" access controls


  • Added new access check for local-only on services. IMPORTANT - defaults to true for telnet, dns, timed, so you will need to set to false if you want remote access to these

Session Tracking

  • Possible very rare case of lock up at start-up fixed now


  • Fix incorrect handling of (legacy) tx-interval on shaper


  • snmp was not access locked to routing table, fixed
  • SNMP now has extra logical interfaces which are all named shapers in order, including relevant stats for a shaper.
  • Fix BGP and L2TP SNMP stats where values 128 to 255 and 32768 to 65535 reported as negative
  • Added some IfXEntry SNMP values
  • Added iso. sysObjectID
  • Updated manual to include FireBrick specific SNMP in appendix
  • iso. (ifName) corrected as was a Counter64 not a String
  • Corrected counters for broadcast and multicast packets to 32 bit
  • Fix return ordering in bulk get requests; inprove encoding of integer values
  • Added some missing stats; Implemented Admin/Oper status reporting for ports; Improved port and interface naming.
  • Named shapers were not returning actual stats
  • SNMP was not working
  • Correct SNMP port stats
  • SNMP was not respecting profile setting


  • One-second CPU stats output is now synchronized to UTC time


  • When changing a subnet, a new MAC is allocated - it now picks from subnets in same port/vlan first
  • Subnet test can report one second false positive every 3 minutes, fixed
  • Config load causes a subpressed subnet (test failed) to have false positive for one second
  • Subnets with a test would start assumed active, now changed to start assumed inactive


  • Minor SVG tweaks to save space
  • Extra info in SVG to aid post processing


  • Added additional information to emailed logs
  • Fixed buffer overrun issue when very long syslog messages
  • Detect failure to connect to mailserver
  • External syslog now only includes general system log messages if specifically configured to do so
  • Added email address to config - used as Reply-To on email logs


  • Syslog missing NILVALUE for structured data


  • Improved route check for syslog targets to allow for NOWHERE and other silly targets to be skipped, also improved logging


  • Add settings for port and mirror LED brightness
  • Stop LACP/LLDP packets crossing between ports in a group


  • TCP test port (4242) removed
  • Reset TCP connection on seeing badly formatted options
  • TCP timeout improvements. Now less aggressive when recovering from packet drops, and in particular when faced with spoofed source TCP SYNs
  • Fixed problem with generating reset packets
  • Add debug logging for aborted TCP sessions; avoid tcp timeout control upsetting TIMED_WAIT state.
  • Ongoing TCP improvements. Minor functional changes - mod to initial MSS calculation; TIME-WAIT time reduced.
  • TCP restructuring to prepare for enhancements. Includes fix for failure to resend lost SYN introduced recently.
  • Fix failure to send MSS option with SYN
  • Tidy TCP MSS handling. Allow minimum MSS to be as low as 200.
  • Further TCP stack enhancements
  • Fix windowing problem - possibly causing slow transfers
  • Send window updates more often - improves BGP performance
  • Improved congestion control and loss recovery
  • Fix problem with TCP window calculation causing buffer overload
  • Add status display for TCP sessions (debug level users)
  • Correct connection timeout detection for rare corner cases. Improve TCP status display.
  • Add buffered data counts to TCP status display
  • Add window sizes to TCP status display
  • Fix TCP session hangs caused by packet drops in uncommon situations
  • Add TCP SYN cookie handling to mitigate SYN flooding
  • Fix TCP session stalling on large fast transfers
  • Do not perform TCP MSS fixups on MD5-authenticated sessions


  • Avoid BGP sessions being aborted by TCP if buffers run out


  • Fix instructions on telnet config import. It is end with ^D or line with just a dot on it.


  • Added very simple sanity check to SNTP clock setting, and logging to right place
  • Logging IP from which clock was set


  • Added warning on home page when a reboot is necessary to activate new features
  • Fix broken XML links in system status pages
  • Add memory block usage to system status memory page (alpha releases only)
  • Show current stack usage as well as HWM in thread stats
  • Ticking the check box for an optional multiple select input (set) with one member pre-sets the only member as selected
  • Improve diagnostic if s/w upgrade fails
  • Kill link on web view of L2TP sessions/tunnels
  • Subnets status page now shows portgroup name in Port column

UI config

  • Fix UI config edit layout of a normally hidden item when it has been set.


  • USB working for directly-connected devices.
  • Fix problem with modeswitch
  • Fix hub operation
  • USB shutdown bug fixed
  • Remove unnecessary logging


  • Ignoring silly almost empty SIP packets from gigaset (some NAT thing)
  • Fix leak in UDP port allocation used, causing VoIP to eventually stop working after around 31000 calls
  • Minor tweak to NAT keep alive on VoIP to reduce logging
  • Tweak to VoIP (Via/branch tag) to improve compatibility
  • Even though RFC 3261 requires UACs to handle 100 responses, some get upset, so as per we only send for INVITE now
  • Changed port numbers to be prefixed : not # in logs.


  • New VRRP3 (IPv4/IPv6) and some bug fixes
  • Some more bug fixes, new web UI in place now, and VRRP3 working.
  • VRRP now has a default ID (42)
  • Now accepts DNS requests to VRRP address
  • DHCP now giving VRRP address as default DNS server not specified and not resolvers defined and VRRP is in use.
  • VRRP now has default VRID and the field is now optional
  • VRRP use-vmac default changed to true
  • Deleting an interface which VRRP master caused a crash
  • Fix issue if two separate VRRP configs used with same VRID one for IPv4 and one for IPv6
  • Changed default startup delay to 60 seconds as usually more sensible and should not cause any harm
  • VRRP status shows the MAC in use
  • Delay VRRP startup while route updates pending
  • Longer startup (uses configured delay when routes are updating)
  • Correct issue with VRRP ARP replies in some cases
  • Fix bug in vrrp shutdown that was slowing down other shutdown processes

Web and CLI control

  • Added hard reboot option

Web config

  • Tweak class for cqm images in css
  • Moved css-url to http services config, will need editing as not automatically moved
  • Adjusted some of the help text on config edit
  • Traffic lights for profiles in config edit (on profile list and lists which reference profiles)
  • Tidy some help text on web config
  • Better handling of messages when test saving config with errors
  • Turn off autocomplete on config editor as causing issues
  • Adjust timing on config edit as firefox keeps saying edited by someone else
  • Added "(b/s)" on description for rates in config
  • Minor typos in config edit

Web control

  • New power monitoring

Web control pages

  • Changed "Subnet" icon to "Interface"
  • Using web interface diagnostics/routing could cause a crash
  • Changed http access controls so that trusted IPs are allowed even when not on local subnet
  • https support introduced. Should now support most modern browsers. Limited certificate management.
  • Major UI edit changes and re-styling
  • Major improvements to web based config edit, and various minor enhancements
  • Timeout while editing config on web pages now fixed
  • Updated the link/message for s/w upgrades on status pages
  • Minor typos/changes on upgrade web page
  • Explains that routes with no gateway are blackhole routes.
  • Layout of share on rules tidied and comment field added.
  • route-override layout tidied.
  • List headings tidied.
  • Layout of DHCP server settings improved.
  • Platform RADIUS config tidied.
  • Subnet ttl now a hidden field.
  • Added some colour to lists of things in UI to make columns clearer.
  • Some help text improved.
  • Help link on config edit.
  • Tool tip on protocol says 1=ICMP, 6=TCP, 17=UDP
  • Add and Edit only on lists where order matters, else just Add at end.
  • Confirmed help link working in Web config edit
  • Profile link was not showing on status
  • Removed column headings when lists empty.
  • Web config: Save and Cancel buttons.
  • Lots of tweaks, mosting UI web config improvements and IE9 support
  • Fix profile layout - was not showing all fields
  • Fix profile layout - was not showing all fields.
  • Static route tidy
  • Not showing bgp attribute by default as not usually relevant
  • Moved PPPoE settings under "Interface" and titled "PPPoE settings"
  • Move Ethernet and Port groups under "Interface"
  • Tidy up of config fields and web config edit
  • Changed headings on config edit boxes
  • Changed the sequence when downloading new code
  • Automatically redirects to status page after a short delay when new s/w loaded
  • Less margins on web pages
  • Heading on web logs saying which log report shown
  • Subnets listed in order
  • Icons redrawn
  • Changed page title to list name before serial
  • Manual s/w upgrade looks nicer now
  • Graph names as text on graphs list to allow searching in browser
  • Corrected icons for rule-set
  • Tweak factory reset menu
  • Removed WebSite link as caused confusion, and made footer have link to FB website
  • Added configurable links on home page and fb105 conversion
  • Added optional CSS URL allowing customisation of control pages
  • Added ping/traceroute on web interface
  • Ping and traceroute now separate diagnostics
  • Show route now on web diagnostics menu
  • Web config edit has more information shown now, and change to some spacing.
  • Missing titles on lists of blackhole and nowhere routes
  • Improved lists of objects with sub objects present in config editor
  • General change to css, layout and menus, and new options for menu/banner controls
  • Extra information on DHCP client status page (subnets)
  • Change to allow you to stay logged in when clock first sets
  • Showing associated routes on subnets, dongles, PPPoE, etc.
  • Added reboot link to web pages, in "status" section for ADMIN level or higher
  • Added VRRP masters count to pre-shutdown message for reboot and s/w updates
  • Added new form for pcap dumping to file from browser (/pcap/)
  • Fix issue with some links on Chrome viewing BGP peers
  • Typos fixed in config
  • Incorrect HTML typo fixed in some tables
  • Tidy layout of platform radius controls
  • Tidy help on rule log settings
  • Correct various typos
  • Changed filenames for XML save to be more sensible
  • Clearer warning of active sessions on reboot and s/w upgrade pages
  • Fixed case where showing tables of information not right if a list of routes also shown
  • "Up to date" may have been erroneously displayed on Software Upgrade page - fixed.
  • First config save from factory reset was not working, fixed
  • Some more colours on tables
  • Fix links for ND entries that upset some browsers
  • Added payload size to ping command
  • Corrected copyright date now we are in 2012
  • Added Wake-on-LAN option to Ping and link from DHCP web pages
  • Much more description and instructions on OTP/OATH settings page
  • Added kill and refresh to PPPoE status page
  • Changed to allow an interface to be defined with no subnets (now that PD could be the source of a subnet)
  • Improve error message on null image file upload
  • Improve layout of Graph PNG page
  • Changed graphics for rule lists in firewall - more flowchart like
  • Fixed incorrect showing of "New" when a list of objects is full
  • Session list copes better if you stop the browser while displaying
  • Typo in web config for dns-host/block
  • Format of manual image upload UI page changed in line with auto update.
  • Avoid unnecessary invocation of bootloader when system reboot is requested
  • New CSS - especially on config edit pages
  • autocomplete off on entry for OTP data
  • Moved Log to separate main menu entry
  • New layout for ping and traceroute allowing XML export
  • traceroute and ping no reporting a "firewalled" response if seen, rather than just unreachable
  • Web interface showing system name on title if trusted IP
  • Username on web footer
  • Added port/VLAN to subnet list
  • Added option to set Access-Control-Allow-Origin response to allow cross site javascript access to FireBrick. USE WITH CARE as could compromise your brick by remote hosted javascript re-using a login session.
  • Some menu items only shown if debug level user or if menu has some contents, specifically aimed at Status menu items for unused features
  • Changed web status pages to not show unused menus even in debug level user
  • Web diagnostics such as ping and traceroute would block access to graphs and some other functions, fixed
  • Fix possible lock up under constant TCP port 80 attack, now recovers quickly
  • Fix firewall check web interface when long strings of IPv6 addresses used
  • Changed URLs for .js and .css to be version specific to avoid cached old files showing wrongly
  • Added handling of a user set at "nobody" level, to allow access to profile switches
  • Added uptime to login screen when viewed from a trusted Ip
  • Colour coded state on web list for PPPoE and RADIUS
  • Config edit better handling cases where option in pull down is no longer valid (e.g. deleted profile still referenced)
  • Fixed DHCP status name setting feature
  • Latest safari adds xmlns attributes on every element for no apparent reason, was breaking web config edit. Worked around
  • New live port status page
  • Change of monospace font
  • Show port status on home page (option to turn that off in config)
  • Live port LEDs on status (can be configured off)
  • Added a tx/rx speed bar to status (based on percent of port speed)
  • Started work on initial config wizard
  • Status page for DC options
  • Warning for config edited by someone else now advises IP and name of other user(s)
  • Tidy layout of config edit for system settings
  • Option to skip the setup wizard
  • DHCP clear all unused now operates per interface
  • Colour picker was not working for named colours (also, added "orange")
  • Additional security related http headers added with sensible defaults
  • Change ajax sync logic on config edit to be neater
  • Typo in PPPoE status corrected
  • Changed breadcrumbs in UI to use :: not : as spacing, consistent with website
  • Slight changes to layout of software upgrade pages
  • Made breadcrumbs larger and easier to read
  • Additional per second stats for http access counts
  • Adjust timing on status check to try and ensure we see new s/w first time
  • Home page shows if system name is not set is this really should always be set, but is not actually a mandatory field
  • Improved help text on dhcp server settings
  • Login page shows your IP
  • Diagnostics access check default to using your IP that is accessing the web pages
  • Set larger input box size on web diagnostic tools
  • No longer shows Wholesaler on status page (unless enabled for alpha builds)
  • Improve error message on s/w upload page
  • Minor layout improvements on login, home and status pages
  • Link to see DNS server details on IPv6 was broken URL on some browsers
  • Minor change to control switch profile images to help colour blind users
  • Added "add" to home page links list as order matters
  • Changed list of radius steering settings to show "ip" in list as important field
  • Save button appearing on key press in a field, and not just when leaving field - so more obvious
  • Slight re-order of the config to be a little easier to follow

Web interface

  • Factory reset state not working due to new security measures means factory reset bricks cannot be configured via web interface, only telnet
  • Did not show new bootloader as available on status upgrades page
  • New password change menu to simplify password change and to allow users without config save access to update their password
  • Added QR code and suggested key to OTP set up
  • New simpler OTP set up
  • Removed OTP check on config recovery mode - given physical access needed and likely clock not set
  • Cross site scripting checks on web forms
  • Fix individual DHCP kill button which was not allowing unexpired or locked entries to be killed, and correct typo!
  • Packet dump was blocking other forms on web interface whilst running (error 409), fixed
  • Allow certificate download if read access to config, and only show cert actions if available to user
  • Removing 2FA could result in a crash, fixed
  • Logging for http does not log every web page access on normal logging now, that is on debug logging
  • Sometimes the login page could show a corrupt hostname for connecting host (reverse DNS)
  • Changed to use svg for images because of higher res screens and scalable mobile screens
  • More compact SVG for CQM and QR codes
  • Status shows currently ntp status, i.e. reports if no time server set, DNS not working, etc.
  • DHCP status now lists interfaces and shows per interface rather than all in one table
  • Port group names shown on port status
  • Change form entry timeout to match login timeout (if set, else 5 minutes as now)

Web pages

  • Hovering on a link now underlines it
  • Improved and simplified use of html and css in basic page layout
  • UI min page size changes with size of side menu
  • Improve system thread stats page
  • The logs page was not working when you only had one log target. Given system defaults to two to start, this is rare!

Web status

  • Minor tweaks to status pages
  • Status/Subnets now shows the interface headings

Web status pages

  • Added new System submenu
  • Web status pages can now be seen by users with access level >= USER
  • Button to clear thread tick counts added to thread statistics page (for users with ADMIN access)


  • XML checking recognises that an empty list is not valid on a mandatory attribute
  • XML checking no longer reports issues with schemaLocation - they are now ignored

XML Config

  • Changed services/platform-radius service to be services/radius as plans to expand config for other types of RADIUS

XML config

  • Changed some names to be xsd type NMTOKEN not string, so removing spaces - it is possible some configs with names only differentiated by spaces may not load correctly

XML Config

  • Final XSD validation tidy
  • Fix factory reset config

XML config

  • Changed XSD duration to an FB type that uses saner syntax [[HH:]MM:]SS

XML Config

  • Changed error messages on config load to provide more context - shows XML around the error point
  • Corrected syntax check on XML duration with spurious letters
  • Added new restrict-mac field to interface definition - NOTE: USING THIS MAY CHANGE MAC OF SUBNETS IN USE
  • Typo in help text

Older versions | Factory releases | Factory and Beta | Factory, Beta & Alpha