Release notes from version 2.05.018 to 2.05.019

ARP

• Fix bug that could sometimes cause the first packet to a new ARP target to be dropped

L2TP

• Allow different source IPs for the RADIUS server and L2TP relayed session host (unless using "S" or "R")

Pcap

• Log if packets are dropped during packet capture

Web UI

• Strip whitespace around arguments in forms on the "Tools" pages
• Add remote-host to L2TP sessions table view

Release notes from version 2.04.016 to 2.04.017

RADIUS

• Add per request type option to limit the total time for a request (thus avoiding retries if the pool is responding slowly)

Release notes from version 2.03.013 to 2.03.017

BGP

• Send graceful shutdown community if clean-shutdown-wait is set

RADIUS

• Fix deadlock between L2TP and RADIUS
• Fix crash on receiving disconnect message

Release notes from version 2.02.007 to 2.02.009

BGP

• Send correct end-of-RIB to IPv6 peers
• Change default so we don't advertise IPv4 capability to IPv6-only peers

CQM

• Make default graphs work when clock isn't set
• Correctly report latency of localhost ping graphs

Certificates

• Only verify ECDSA certificates on ingress

Config

• Fix issue causing rare config upload fails

Shutdown

• Fix occasional flash-save timeouts on shutdown

Software upgrade

• Fix issue where a failure in checking upgrades could cause a crash

Web UI

• Allow sorting of the Flash Contents page

Release notes from version 2.02.006 to 2.02.007

Web UI

• Avoid truncating long routing diagnostic output

Release notes from version 2.01.100 to 2.01.101

Web UI

• Fix crash when loading certain pages

Release notes from version 2.00.010 to 2.00.100

Web UI

• Show route diagnostic in prefix order

Release notes from version 1.61.000 to 1.61.010

DHCPv6

• Fix race between system intialisation and DHCP client sending

Release notes from version 1.60.000 to 1.60.010

Web UI

• Show which tables session tracking is active on in UI
• Fix looping causing loss of UI if TCP stress test fails

Release notes from version 1.58.111 to 1.59.000

ACME

• ACME error reporting could get garbled message in some error cases

FB105

• Fix rare crash with FB105 tunnel bonding during configuration change

IPsec

• Fixed a problem with validation of peer certificate
• Fixed handling of out-of-order IKE fragments
• There is a new attribute peer-eaplist available on an IKE connection config item which enables the allowed EAP usernames to be specified.
• Improve EAP diagnostic logging and fix minor problem with message ID number checking
• Further improvements to EAP processing and error logging

L2TP

• Configured outgoing L2TP sessions now respect the bgp setting in the config

MQTT

• Added listener for FireBricks/# topic

RADIUS

• Some additional RADIUS server settings, matching, added mqtt logging and changed log format to JSON, for working with some WiFi kit

TLS

• Improved stream handling in TLS to avoid occasional race conditions causing crashes

VoIP

• Improve logging when bulk carrier import fails

DHCP

• Changed some DHCP server logging to be JSON format (same as used for MQTT)

MQTT

• Changed MQTT mapping field names and fixed incorrect help text

OSPF

• OSPF marked experimental as it has some minor issues.

Release notes from version 1.58.100 to 1.58.111

TLS

• Issue with TLS resume keys used over a s/w upgrade fixed

Release notes from version 1.57.000 to 1.57.010

BGP

• BGP tags for static routes

MQTT

• Fix crash in configurations where will topic is set, but not will message

Routing

• Default source IP per routing table

TLS

• Minor memory leak in TLS client fixed

VoIP

• Allow IPv6 addresses in "recording-server" configuration

Web UI

• Show which type of app upgrade would be initiated
• Show some context lines in live logging view

Release notes from version 1.56.000 to 1.56.010

• Fix bug in ASN.1 length encoding

Release notes from version 1.54.100 to 1.54.101

TLS

• Finally fixed TLS issue

Release notes from version 1.52.010 to 1.53.000

ACME

• Control switch a CA name (e.g. "letsencrypt.org") profile during AMCE renewal validation phase
• Added acme-profile, and made the renewal profile prefixed fb-, e.g. fb-letsencrypt.org
• Tweak to ACME to allow for additional challenges for a few seconds
• ACME status for certificates shows when last error happened.

Certificates

• Make certificate domain name checking case-insensitive

DHCP

• Lease expiry times were incorrect when lease acquired before time had been set
• Improve lease expiry when the FireBrick does not know the correct time

IPsec

• Provide SNMP status info for IPsec
• Fix crash when [id] is used in graph name of a waiting connection
• Show EAP identity (username) in log messages and UI status, and allow it in graph names

IPv6

• Avoid a problem seen with IPv6 fragmentation with some Linux stacks.

Internal

• Scheduling changes to improve performance under heavy CPU load (eg crypto processing)

PPP

• New PPP debug log/dump format options
• Tweak LCP restart timing for very slow latency links

PPPoE

• PPPoE did not install IPv4 DNS if explicit routes set, fixed
• PPPoE Calling ID prefix appended with VLAN and/or MAC

TCP/UI

• Fix TCP problem causing IPv6 fragmentation which was causing intermittent UI access problems.

TLS

• Added capability for key exchange signing using SHA2 (needed for compatibility with latest versions of curl).
• Use own server preferences when choosing crypto suite and EC curves; Do not send anchor certificate

Web UI

• Improve UI status reporting for bgp, including ability to filter routes list

Config

• Improved syntax checking of numeric fields

Config editor

• Config edit of passwords did not work with & or similar escaped characters. Fixed, but passwords limited in length when editing config now (120 characters).
• Tweak to config edit to make default values more obvious

DNS

• DNS relay limit check

L2TP

• Added pointless bearer capabilities to SCCRP as one carrier expects it for some reason!
• Additional logging on config change
• Fix payload table logic on local auth incoming L2TP sessions
• Consistent NAS-Port attribute on RADIUS STOP records (previously was 0)

Profiles

• Profile ping of local gateway by ping 0.0.0.0

Release notes from version 1.52.000 to 1.52.010

No user-facing changes

Release notes from version 1.51.001 to 1.51.010

DHCP

• Revert minor change in DHCP/DNS which was causing problems

RADIUS

• ERX-Tunnel-Switch-Profile untagged even in tagged responses (for Talk Talk working)

Shaping

• Catch some edge cases in session tracking shaper set up that seem to cause a crash

Release notes from version 1.49.000 to 1.50.000

• Test build

BGP

• Additional debug for ignored updates

CQM

• Added more stats (total bytes/packet/drops) to CQM XML

Crypto

• PKCS#8 formats now fully accepted and served for RSA and DSA keys

DNS

• Changed DNS logic so not simply fallback="true" but fallback-table defined. This means multiple table DNS will default not to fall back now.

IPsec

• Fix duplicate connection problem after roadwarrior client switches from wifi to 3G
• Fix Roadwarrior problems - IPv4 NAT not working and IPv6 routing failing on Apple clients

IPv6

• Changed ICMPv6 (ND/NA) source address in some cases to match scope

L2TP

• Allow L2TP matched incoming sessions to set payload-table
• Added colours to tunnel and session status

PPPoE

• Minor change to PPPoE timeout logic - could be disrupted by frequent profile changes

Pcap

• Improved pcap "self exclude" to only exclude the actual TCP session traffic of the dump, not all traffic to/from the IP of the browser as before

RADIUS

• Platform RADIUS server ERX parameters now tagged if part of tagged response

Routing

• Impove some logic where table 0 has no routes and totally mapped via rule-sets (e.g s/w upgrades, etc)

TLS

• Fix lockup at end of stream on TLS connections

VRRP

• VRRP low-priority mode (e.g. for profile off) caused flapping

VoIP

• Separate carrier controls for P-Asserted-Identity, Remote-Party-Id, and Privacy on VoIP carriers. Change of defaults to send PAID and Privacy not RPID
• Added ACR (Anonymous Call reject) feature on telephone config
• Included User-Name in RADIUS auth for VoIP (from From header before @) if not otherwise set (based on config user/carrier)
• Interim release with correct AVP for SIP_AOR (122) as well as accepting incorrect one (121)

Web control pages

• User setting to hide "save" button in config edit (i.e. has to do "test" first).
• Added Content-Language to avoid some browsers offering to translate control pages
• CSS update
• Added kill on block/reject type sessions in session table

ACME

• Minor improvements to ACME - handling some extra order status responses

Diagnostics

• Fix TCP download test (was always saying 0 bytes loaded)

General

• Slight performance improvements

Logging

• Fix possible syslog buffer overrun

Telnet

• Option to configure custom telnet prompt

Web control pages

• Adjust initial timeout to allow for slow TLS handshake
• Added Content-Language to error page (meant to be all pages, fixed later)

Release notes from version 1.48.101 to 1.49.000

VRRP

• Corrected VRRP v3 checksum - UPGRADE BACKUP ROUTERS FIRST

BGP

• Added startup delay for sending BGP announcements to make for cleaner reboots when used as part of a part

HTTP

• Changed HTTP redirect logic to better handle cases where some port mapping is used in front of the web control pages

IPv6

• Added DNSSL (search list) to RA settings on subnet

PPPoE

• PPPoE can now be linked to physical port for direct connection to modem - resetting the port when PPPoE goes down (fixes bug in some modems)

SNMP

• Various SNMP updates
• bgp and l2tp now support SNMP treewalk
• Vendor-specific SNMP for BGP and L2TP reorganized to follow standard table construction. ***NOTE*** this will affect customers using SNMP with BGP/L2TP
• Add CPU buffer free counts to SNMP statistics

VoIP

• Tweak for REFER logic, allow refer to match user details with no password (i.e. check IP)

Web UI

• Add TCP throughput diagnostic

Web control pages

• New css for mobile use
• Fix wizard when email specified as it caused save error
• New control of whether logs on web/cli include system logs or not (default not, except for "default" log after factory reset)
• Config edit not working when clock not set, fixed.
• Recovery config edit now prompts to save even when no changes as it is not the "live" config

CQM

• Tweak graph logic - was not working if only selecting ave or max latency to show on SVG

Config

• Tweaked factory default LAN firewall rule to allow from FireBrick to LAN (needed for VoIP)
• Removing Ethernet port config now sets port back to default settings

FB105

• Fix internal-ip on fb105 tunnels routing

L2TP

• Minor change to handle low buffer scenarios better

Logging

• Fixed UTC timestamp on logs (was local time with Z suffix, sorry)

VoIP

• Tweak for REFER logic, allow refer to match carrier details as well as user credentials (reverted in next release)

Web control pages

• Minor improvements to web control pages (extra classes, etc)

Release notes from version 1.48.100 to 1.48.101

RADIUS

• Fix L2TP relay session steering default target port

IP

• Increase pending ARP cache and drop if overloaded rather than sending spurious ICMP errors

L2TP/RADIUS

• Improve outgoing L2TP handling where target is hostname

Release notes from version 1.47.010 to 1.47.100

Web control pages

• TLS: Added AEAD-GCM cipher suites - now get an "A" rating with Qualys SSL Labs test.
• Can now specify a list of possible certificates to be used for https in http config

L2TP

• Edge case where radius relay of tunnel could cause crash when using BRAS mode

Release notes from version 1.47.000 to 1.47.010

L2TP

• Added relay-local-ip config for L2TP to control the IP used for relaying connections, and extra debug info

L2TP

• Malformed L2TP packet could cause crash

Release notes from version 1.46.000 to 1.46.100

CQM

• SVG for CQM graphs

L2TP

• Added additional SNMP L2TP for session negotiation slots that are free: iso.3.6.1.4.1.24693.1701.2.10

Web UI

• Changed to use svg for images because of higher res screens and scalable mobile screens

Release notes from version 1.45.000 to 1.45.001

Internal

• Change of default value in new ethernet interrupt code config to address possible latency issue under load

Release notes from version 1.43.100 to 1.44.000

PPPoE

• Further tweaks for CPE that fail to send a Service Name in PADI
• Rework of service name matching and PADO/PADS response logic for PPPoE

Web UI

• Further testing on factory reset modes and extra security measures

Release notes from version 1.43.000 to 1.43.001

Firewall

• Load balancing issue for firewalling when not using hashing

Release notes from version 1.42.010 to 1.42.100

• Build on old toolchain

Release notes from version 1.40.000 to 1.41.000

BGP

• New dead-end-community used to propagate routes within IBGP that are dead ends (e.g. nowhere or network)

Firewall

• Fix to NAT64 logic where target is nowhere/network

IPsec

• Decision on whether to send INITIAL_CONTACT notification was inverted
• Allow traffic selectors to be specified in config
• Fix scheduling problem which could cause IKE to lock up after prolonged use

IPsec/IKE

• Add option to enable traffic selector sent to peer to be constructed from specified routing

L2TP

• If RADIUS overwrites the proxy auth logic to change auth type then change proxy last LCP tx
• Change logic for dummy auth on L2TP to wait for LCP negotiation to complete before RADIUS allowing proxy LCP details to pass to relayed connection

Routing

• Changed internal routing logic for "next hop" based routes to be more efficient

Release notes from version 1.39.000 to 1.40.000

ARP

• Minor tweaks to ARP timing

BGP

• Tweak next hop in some cases - review against RFC
• Show BGP sessions that are down by profile as shutdown in peers list
• Manual shutdown, albeit deprecated, was not working to close existing BGP sessions
• Simplified the XML for BGP status, all peers list as <peer.../> now.
• When originating routes from a 32 bit AS number via a 16 bit AS BGP session was not sending AS4_PATH

CLI

• Command line completion could complete keyword arguments incorrectly

IPsec

• Fix crash when certificate named in connection is missing

L2TP

• Incoming L2TP config allow any table if table attribute not set
• Allow outgoing source IP setting on outgoing L2TP tunnels
• RADIUS directed session steering for L2TP needs to use the specified table
• Speed sanity check - do not believe L2TP speeds at or below 10kb/s as valid
• Don't close tunnel on an out of order control packet showing backwards Nr sequence
• Some more options for RADIUS to overwrite password on L2TP relay

Routing

• Improve route caching update on deep recursive routes changing

SNMP

• iso.3.6.1.2.1.31.1.1.1.1. (ifName) corrected as was a Counter64 not a String
• Corrected counters for broadcast and multicast packets to 32 bit
• Fix return ordering in bulk get requests; improve encoding of integer values

TCP

• Do not perform TCP MSS fixups on MD5-authenticated sessions

Web control pages

• Minor tweaks to status pages

BGP

• BGP tweak, allow incoming BGP in IDLE state

IP

• Allow UDP to VRRP address - used for DNS, and RADIUS, etc.

L2TP

• Tunnels make use of wrapper and payload clearer on status pages

Release notes from version 1.38.001 to 1.39.000

CLI

• Add command output filtering capability to CLI (telnet and serial link)
• Fix crash in CLI when default logging is set to console
• The "show route" and "show routes" commands have been combined to avoid ambiguity; If '?' is used to output command details the command help info is displayed, unless all commands are listed

DHCP

• DHCP relay/remote server logic
• Tidy up DHCP logging messages

DNS

• Timeout of long-latency replies from DNS servers was flawed.

Ethernet

• LACP send and receive/status
• LLDP send and receive/status
• Port trunking options (with or without LACP)

IPsec

• Minor change to help with diagnosis of occasional IKE crash
• Avoid crash when clearing a NATed connection
• Fix IKE crash when moving incoming connection to a config with no peer_id set
• Fix occasional crash after prolonged use.

L2TP

• Uplink speed control per connection

LACP

• Option to control the hashing used for trunking
• Default LACP mode is passive for non trunked ports as some switches are strange

PPP

• Adjust PPP resend timing which was too aggressive to be sensible in some cases
• Better timing of PPP LCP when using dummy auth (no authentication)

Profiles

• Change to profiles use of and/or/not so these are tested on the "interval" rather than being immediate in some cases

Routing

• ECMP added
• Adjust ECMP slightly

Web UI

• Kill link on web view of L2TP sessions/tunnels

DHCP

• Tweak for FireBrick as a DHCP client working via DHCP Relay Agents

L2TP

• Change to way hashes are handled for session steering

NTP

• Better error logs for NTP / clock setting
• Better NTP back off logic
• Option for fast-retry for NTP until clock first set

PPPoE

• Tweak PPPoE Host-Uniq

Routing

• Adjust hash logic slightly

Release notes from version 1.38.000 to 1.38.001

IPsec

• Fix crashes caused by one-way packet drop when both peers have mode Immedaiate

Release notes from version 1.37.001 to 1.37.002

PPPoE

• PPPoE was not authenticating, Fixed

Release notes from version 1.36.001 to 1.36.002

IPsec

• Manually keyed IPsec config migrated to new config format on upgrade - logs upgrade has taken place to fb-support which normally emails FireBrick team as use of manual keying is not recommended

XML

• New passwords in SHA1 not SHA256 for easier roll back

Release notes from version 1.35.000 to 1.35.001

DHCP

• Showing DHCP status on web pages could, in rare cases, cause a crash. Fixed

Release notes from version 1.32.000 to 1.33.000

BGP

• Delay BGP announce until FIB update started for route in question to minimise black holes
• Further work deferring BGP announce until routes in FIB
• Faster BGP withdrawal
• BGP export stats to count "default" when send-default is set
• Change of send-default restarts BGP session
• Change of send-no-routes correctly withdraws routes, no session restart
• Change to use-vrrp-as-self now correctly re-announces the changed next hop
• Possibly trigger happy BGP keep alive check when lots of peers, fixed
• Balance load better on rx traffic between peers

DHCP

• DHCP server now does not send default router, subnet, lease, renew, syslog, timed, ntpd, domain, domain-search, if there are manually configured response attributes for these
• DHCP server no longer no longer sends "name" attribute as host-name (12). Configure as an extra string attribute if required

Diagnostics

• Showing routes was truncating if too many routes - buffer size increased

Firewall

• Longer default start-delay on firewall rules (1 min)

General

• Better logging to flash of source of s/w load or reboot commands

Internal

• Adjust buffer pool sizes and thresholds to avoid buffer depletion
• More buffer count stats added to TCP

Routing

• Avoid route updates hogging all CPU

TCP

• Improved congestion control and loss recovery
• Fix problem with TCP window calculation causing buffer overload
• TCP debug diagnostic added for window size. NOTE it is not advisable to enable TCP debug logging with this release unless advised by support.

TCP/BGP

• Avoid BGP sessions being aborted by TCP if buffers run out

VRRP

• Delay VRRP startup while route updates pending
• Longer startup (uses configured delay when routes are updating)

VoIP

• Handling inbound RFC based DTMF mixed with audio (non DTMF) at the same time (e.g. gigaset)

PPP

• Tweak to avoid resend of CHAP response to challenge if LCP restarted

Release notes from version 1.31.000 to 1.32.000

BGP

• Making BGP keep-alives higher priority, in case of really heavy BGP load
• Fix race condition allowing BGP peer to vanish in rare conditions
• Improved BGP shutdown sequence announces lower priority before withdrawing routes on shutdown
• Shortened the BGP shutdown so it does not send the clears after the low-priority
• Added configuration of BGP shutdown logic

Ethernet

• Add new Ethernet DoS-detection parameters to config

General

• 1.31.012 is built with additioned debug/checking
• 1.31.042/043 built without extra internal checking code (so more like a factory release)

IPsec

• Peer IP added to log messages

Internal

• OS Stream and TCP restructure

L2TP

• Fix for NAT via outgoing L2TP connection
• Crash if too many graphs created with L2TP
• RADIUS L2TP Relay for steering was sending zero length Proxy-State with is not value

Logging

• External syslog now only includes general system log messages if specifically configured to do so
• Fixed issue with logging causing occasional bad buffer address panics
• Improve logging efficiency and avoid dropped log messages
• Fixed http logging of graph URLs

Main

• Extended max shutdown for systems with large numbers of BGP peers doing clean shutdown

PPP

• PPP challenge response resend on no accept/reject response

Routing

• Path/community fixed settings in routing config with multiple IPs listed caused error on memory allocation
• Improved checking for route loops

TCP

• Tidy TCP MSS handling. Allow minimum MSS to be as low as 200.
• Further TCP stack enhancements
• Further TCP stack enhancements
• Fix windowing problem - possibly causing slow transfers
• Send window updates more often - improves BGP performance

VoIP

• Fix use of backup carrier which may have been calling in parallel
• Added routing table on Tx/Rx log lines
• Fix for working on routing tables other than zero
• Changed contact style in outbound registrations, uses IP literal now and no extra attributes on end

Web UI

• Show current stack usage as well as HWM in thread stats

General

• Several minor internal changes that should improve stability

L2TP

• Outgoing tunnel did not come up / go down on profile change
• Added experimental no-pre-empt option to L2TP - leaving pre-empted session live with no LCP

VRRP

• Fix bug in vrrp shutdown that was slowing down other shutdown processes

VoIP

• Add profile to list of carriers in config

Release notes from version 1.30.001 to 1.31.000

L2TP

• Fix for steering RADIUS response - was causing RADIUS to lock up totally

• URLs fetched from the FireBrick for any reason now handle IP literals.

DHCP

• Minor tweaks to make NAK meet later RFCs

DNS

• DNS fallback (default on) allows use of other tables for local lookups within the firebrick

Firewall

• Interface option to map IPv6 source address to one based on EUI64 from MAC

IPsec

• IPsec status display now shows algorithms in use

Internal

• Increase stack sizes and make route loop counter an error counter

L2TP

• RADIUS options to control long term shapers for L2TP sessions

Logging

• Avoid crash when displaying logging using CLI
• Fix crash when displaying logs using colours

TCP

• Ongoing TCP improvements. Minor functional changes - mod to initial MSS calculation; TIME-WAIT time reduced.
• TCP restructuring to prepare for enhancements. Includes fix for failure to resend lost SYN introduced recently.
• Fix failure to send MSS option with SYN

VoIP

• Tweak to handle possible overrun on SIP messages
• Audio recording has DTMF in audio even if it arrives and is relayed as telephone events.
• Allow wildcard contact in deregistration
• Now sending periodic invite responses when trying/ringing/progress.
• Send call progress 183 once we have started connecting a call and 3 seconds have passed even if far side still at trying stage
• Accept privacy=no as well as the standard privacy=off in Remote-Party-ID to interwork with splicecom
• Not sending ACK to contact found in 4xx response
• Logging for VoIP messages relating to "calls" now includes REFER
• Fix response to REFER (was 404 not 200) when non RADIUS working
• Early call progress (at 3 seconds) now a configurable setting (default on)
• Option to send SIP headers in long version rather than compact version

Web control pages

• Latest safari adds xmlns attributes on every element for no apparent reason, was breaking web config edit. Worked around

• Option for URL to GET before a controlled reboot - mainly to warn nagios

Ethernet

• Increased MTU to around 4k

VoIP

• Tweak to ACK sending when response via proxy with Record-Route
• Additional nonce checking for replay attacks
• Nonce check on response even when using RADIUS (unless RADIUS did challenge)
• Tweak to handling of expiry on registrations
• Tweak nonce check - if no nonce, allow RADIUS auth to decide if to allow. Still checks nonce valid if present.
• Tweak initial 100 Trying response when waiting for RADIUS
• Avoid resend of INVITE after cancelled at 100 Trying, and not received 487 (i.e. ignore lack of 487) to avoid phantom calls
• Internal change to handling of incomplete responses to VoIP requests
• Initial 100 Trying waiting on RADIUS no longer tries to tag To: line as not establishing a dialogue (so, as per RFC).
• Addition log to log-sip-call to record linkage of call-ids

Release notes from version 1.30.000 to 1.30.001

DNS

• DNS fallback option - for incoming requests if no server in required routing table relay to any DNS available - default true

PPPoE

• IPv4 local end would "stick" if changed from having IPv4 to not (i.e. IPv6 only)

Web control pages

• Link to see DNS server details on IPv6 was broken URL on some browsers
• Minor change to control switch profile images to help colour blind users

Release notes from version 1.28.000 to 1.29.000

• Release candidate for testing

Authentication

• Added manual section on OTP

DHCP

• Subnet list shows pending DHCP client subnets

DNS

• Min nxdomain of 10 seconds now

FB105

• Log (rather than crash) if a badly fragmented 105 tunnel packet is received

IPsec

• Support all crypto key lengths when using manual keying. Avoid crash when IPsec is under heavy load.

Internal

• Increase ethernet transmit max queue size to avoid packet drops during bursty transmissions.

L2TP

• Added Proxy-State on session steering RADIUS requests
• Added control of reply hostname on incoming L2TP connection
• Added default hostname (system name) on outgoing L2TP connections

NAT

• New chapter/section covering Network Address Translation

PPPoE

• PPPoE server (BRAS) handling of standard GEA Agent Remote ID and Circuit ID as called/calling and downstream speed setting
• PPPoE handling gerenal VLAN tagging
• Added text NAS-Port to RADIUS when using PPPoE "port{:vlan}/MAC"
• PPPoE did not handle VLAN priority tagging on inbound packets

Profiles

• Profiles can now test an ethernet port status

RADIUS

• New section of manual explaining RADIUS client settings and timeouts

Routing

• New source-filter-table setting on interfaces to allow separate source filtering lists to be managed using routing tables

SNMP

• Updated manual to include FireBrick specific SNMP in appendix

TCP

• Add debug logging for aborted TCP sessions; avoid tcp timeout control upsetting TIMED_WAIT state.

VoIP

• Additional beep option for where "Record" button is used on snom phones
• Extra debug on call states
• Dynamic carriers existing would lose some non dynamic carriers on config load, fixed
• Fix shutdown delay
• Added option for controlling CLI format to telephones
• Added distrust-ring to carrier settings to send progress not ring for a 180 status with no media (replaced by tone-ring setting)
• Added config for tones when no media for calls to a carrier
• Was sending invalid Via header for IPv6
• Picking up correct expiry when less than requested on outbound registrations but not sent Expires header (e.g. sipgate)
• Fixed possible crash on malformed SIP message
• Tweak to allow call steal from your own number, i.e. when multiple registered devices
• Adde option to re-map 404 error to a carrier
• Faster, and more concurrent outbound registrations - better handling of registration changes
• Fix for mixed sample size call recording (e.g. when 10ms one way and 20ms other)
• 415 unsuppported media response to reinvite with unknown media
• Possible stuck outgoing registrations fix
• Tweak to allow radius based SIP target to control domain on From header
• Tweak to allow radius based SIP target to control domain on From header

Web UI

• Fix broken XML links in system status pages
• Add memory block usage to system status memory page (alpha releases only)

Config

• Minor tweak to IP address parsing in configs

DHCP

• Typo in DHCP logs

Firewall

• Some cases of setting multiple aspects of a session in one go did not force a re-evaluation of target route for new IP so could affect other tests and NAt checks

PPPoE

• Some extra debug of unexpected PPPoE messages or fields

VoIP

• Changed retries on ACK wait
• Added available buffer check on call set up
• Added additional named tones to defaults
• Changed auto registrations to use same realm in From as in To
• Sending RADIUS response for CLI of "Allowed" was not unsetting withheld flag
• CLI handling tweak
• Loading new register URL list clears proxy (from redirect) on change of config

Release notes from version 1.27.001 to 1.28.000

Bonding

• Minor change to bonding to minimize packet reordering on arrival

Config

• Removed profile from port groups as not used
• Replaced shutdown with profile on ethernet control settings
• Added "Test" option to config save to automatically revert if not properly saved within 5 minutes.

Diagnostics

• Temporary diagnostics added for tracking down odd problems

Firewall

• Load sharing (on route override and session tracking rules) now allows sharing to be based on hash of IPs rather than random

IPsec

• Fix problem with local-ip not always taking effect.
• Fix crashes associated with NAT keepalives when sessions close
• Fix IPsec crash during session init when repeat message received
• Fix another IPsec corner case causing panic when IKE packets are dropped/repeated

Internal

• Introduce new flash driver - currently for alpha builds only

L2TP

• Added option to allow relay RADIUS auth reply to specify relay to another RADIUS server for auth or session steering.
• Further minor tweak to bonding to improve re-order issues
• Adjusted L2TP to drop routes before sending accounting RADIUS

LEDs

• Knightrider pattern (displayed when no ports connected) was running too slowly

Logging

• Improve flash log replay at system startup. Should fix problem with non-detection and emailing of panic logs.
• Fix problem causing non-detection of panic message at system startup

VoIP

• Changed aggregate call status handling to just be highest status, and removed group values
• Adjust to pick first priority on SRV even when DNS not cached (was falling back in such cases)
• Added de-registration on removal of carrier and on reboot
• Adjusted max-calls handling to a telephone to limit on connected calls not ringing, to allow ringing multiple registrations
• Adjusted max-calls to a telephone to test before calling all registered devices, so they all get calls rather than only some when limited
• Edge case could mean incorrect count of dynamic VoIP registrations

DHCP

• Added domain-search attribute, as it is specially coded

Pcap

• pcap web interface allowing multiple select interfaces to match underlying capabilities

VoIP

• Minor tweak for RADIUS call leg log accounting - seemed to miss some STOP records.
• Imrpoved log for ICMP error

Release notes from version 1.27.000 to 1.27.001

PPPoE

• PPPoE shows uptime

VoIP

• Added max time limit on call establishing (e.g. ringing forever not allowed), 5 min default

VoIP

• Edge case where VoIP would not send if fixed source address specified in some cases, typically IPv6

Release notes from version 1.26.010 to 1.27.000

XML config

• Changed some names to be xsd type NMTOKEN not string, so removing spaces - it is possible some configs with names only differentiated by spaces may not load correctly

Authentication

• Allow more than one OTP with same key if different serial number

BGP

• Corrected BGP OPEN message handling to ignore unrecognised capability advertisements
• Additional peer level import-tag to add communities to all imported routes
• Additional test for community not present in BGP rules
• Additional community tagging on network statement
• Fixed display of NETWORK route to show BGP attributes
• Fixed as-path in NETWORK routes, was not being set
• Added as-path and tag to loopback
• Updated BGP decision process to handle differenciation of route reflectors
• Added addition info in show route for RR
• Fix show bgp routes command (was crashing)
• Added command to refresh outgoing routes on a BGP session
• Correct odd cross IPv4/6 withdraws in some rare cases
• Stopped sending additional withdraw for routes during BGP session startup
• Fix locally generated community tags on network and loopback (was dropping last tag)
• Added tag and as-path to blackhole and nowhere
• BGP status shows count of exported routes as well as imported
• Re-sends announced routes on some BGP config changes, rather than restarting BGP session
• The send-default option sets no-export community on the default route that is sent

Config editor

• Tidy some help text on web config

DHCP

• Allow allocated IP on one interface to move to another valid interface for that IP for same device if no other IPs available
• Simpler DHCP options for vendor specific (43) options

DNS

• Change to DNS server load balancing and timeout logic
• Status of DNS servers now on web config pages

Firewall

• Special startup delay on generating bad sessions and rejects from incoming traffic to allow outgoing sessions to re-establish (when not using NAT)

IP

• Better handling of UDP port allocation clashes

IPsec

• IKEv2 support for IPsec added. Not yet fully implemented
• Added UI status page; fixed problem with rekeying
• Fixed IPsec i/f not always showing in firewall UI i/f lists. Fixed crash when turning profile off.
• Added support for SHA256; further stability improvements.
• Fixed routing problem
• Improve IPsec UI status page and other minor changes. Note for manually-configured connections the config item "ipsec" has been changed to "ipsec-manual".
• Further improvements and tidying up.
• Correct problems with UI status and graph display
• Fixed NAT problem
• Fixed dropping of initial packets on on-demand connections.

Logging

• Detect failure to connect to mailserver

PPPoE

• Edge case where removing PPPoE from config could cause a crash
• Fast-retry option on PPPoE

Product

• Introduce ETUN tunnelling on fully-loaded 2x00 models

RADIUS

• Adjusted RADIUS timeout handling

SNMP

• Fix very slow SNMP responses when collecting switch stats

TCP

• Fix leak in TCP port allocation when sending log emails or downloading URLs

VRRP

• VRRP status shows the MAC in use

VoIP

• Fix for routing SIP to IPV6 on 2002::/16 address space
• Additional steps to avoid looped RTP causing a crash
• Tweak for handling of bad ACK responses on incoming reinvites on outgoing calls
• Fix leak in UDP port allocation used, causing VoIP to eventually stop working after around 31000 calls
• Better logging for RTP port allocation errors
• Tweak for case where VoIP runs out of ports or too many calls
• Better handling of ring group progress when some phones are busy or not registered.
• Possible crash when viewing dynamic registrations
• Edge case where call ID can be re-used
• Added a ringall_time to VoIP groups to force ringing all phones after a certain time
• Added separate initial progress time for cascading calls in ring groups
• Adjust call progress on group to be quicker where a called target fails, rather than waiting progress time anyway
• Added option not to zap the display name when anonymous calls sent to phones, sends the withhold prefix as number instead. Per phone setting

Web control pages

• Colour coded state on web list for PPPoE and RADIUS
• Config edit better handling cases where option in pull down is no longer valid (e.g. deleted profile still referenced)
• Fixed DHCP status name setting feature

IP

• UDP/TCP port binding counters added to one second stats

L2TP

• Adjust matching L2TP incoming config on config load based on name attribute

Logging

• Improved route check for syslog targets to allow for NOWHERE and other silly targets to be skipped, also improved logging

Profiles

• Changed control-switches to use comment on screen not name

RADIUS

• Fixed show radius [ip] command

VoIP

• Possible crash if configured with black proxy
• Added "age" column to VoIP status for phones showing reference for order="oldest"
• Changed call-id

Web control pages

• Improve error message on s/w upload page
• Minor layout improvements on login, home and status pages
• Minor improvement to status page and UI config edit tunnels page

s/w upgrade

• Improve error message if auto s/w or capability upload fails

Release notes from version 1.26.000 to 1.26.010

FB105

• FB105 tunnels with non-default port setting were not working.

Profiles

• Converting a profile to a control-switch now sets control-switch to previous profile state when config loaded

VoIP

• Better handling of sip:user:pass@host syntax if pass contains unescaped @ symbol

Config

• Made local-only optional again and default true for http services

Release notes from version 1.25.101 to 1.26.000

VoIP

• Changes to CDR layout, see manual.

CLI

• ping and traceroute commands no longer need =true when specifying dontfrag or xml
• Spacing of columnated output improved

CQM

• Changed to hash used for extra long graph names

Config

• Allow colon, dot or hyphen inter byte punctuation in HEX in config

DHCP

• Fix DHCP allocation error when using 0.0.0.0/0 with multiple subnets available

Diagnostics

• Ping and Traceroute diagnostics now have a "Don't fragment" option (for IPv4)
• Max ping payload adjusted to ensure reply from ethernet will be accepted

Ethernet

• Ethernet MTU/MRU max increased to 2000 bytes (default is still 1500).

FB105

• Minor improvement to config change mechanism
• Added experimental split latency bonding feature to FB105 tunnels for satellite link testing

Firewall

• MAC based shaper/graphs as option in firewall rules, aimed at WiFi management
• Added check on source MAC in rules

Internal

• Minor performance enhancements.

L2TP

• Added logging in L2TP for DHCPv6 allocation
• Updated manual pages for L2TP operation as an ISP
• Fix missing session closing stats in some cases

Logging

• Fixed buffer overrun issue when very long syslog messages

Manual

• Additional work on manual - note several sections removed from FireBrick web site as they are now in the manuals with each s/w release

Profiles

• Option for profiles based on a simple switch on home page

RADIUS

• Added RADIUS timeout scaling factor

Sessions

• Fixed problem causing crashes or garbled output when session table display timed out or was interrupted

TCP

• Fixed problem with generating reset packets

VoIP

• Slight change to SDP to keep CISCO handsets happy.
• Early media sometimes passing multiple call's media to caller on ringing multiple targets
• Adjust target IP of ACK to match responded invite if no contact in response being ACKed
• RADIUS delayed calls were moved forward if there were any delayed calls even if existing calls were still trying
• Not always passing ringing media.
• Adjusted RADIUS registration so that not sending back a called number causes a sensible reply but not recording the actual registration state
• Added User-Agent sent as Class on RADIUS
• Added addition fields to RADIUS authentication (Call-ID)
• Corrected SIP_AOR RADIUS to full contact URI not just local part in auth request
• RADIUS call to sip: target default inheriting display name from caller
• Change to DTMF and tone generation where an underlying tone is also being generated
• Adjusted "Called number" on RADIUS auth to be the request URI not "To" field
• Wrap up time not considered if not actually set (edge case of multiple registered phones tripping it)
• Added control of domain used on outbound SIP calls
• Made "To" setting on carrier in to a list
• Local phones with no configured DDI were not registering correctly.
• Avoiding radical RTP sequence steps after calls placed on hold.
• Carrier setting to pass on hold state
• Tweak re-invites where additional Record-Route headers are causing problems
• Added contact in re-invite response
• Adjusted re-invite handling slightly
• Adjusted handling of Refer-To to be more correct and now work with CISCOs
• Bug in RTP sequence/timestamp adjustment when out of order and duplicate packets
• Call clearing race condition if cleared before ACK received
• Corrected audio sequence/ts sync adjustment, especially where DTMF events processed
• Allow longer CDR user field (up to 255 characters)
• Looped RTP (i.e. giving our details as RTP endpoint back to us) could cause a crash
• Edge case if set up via RADIUS only to make delayed calls then advance to first of those calls at start
• Decrement Max-Forwards when relaying on an outgoing call to stop loops, even though we are not actually a proxy
• Changed User-Agent to report version number and added configuration option
• Option to disable the recording start beep
• Clarified use of RADIUS fields for URI, To: and From: on authentication requests
• Faster clearing of call recording to avoid 3 seconds of silence one the end
• Small memory leak in multiple recorded call legs
• Call status was not always showing the recording leg
• Changed logging options to specifically control SIP traces
• Adjusted retry timing on DNS and related VoIP operations
• Allow 'X' in extn for incoming calls via carrier, for SIP -trunk use
• Fix sip:user:pass@host syntax
• Added support for asterisk style sip:user:pass@host/number
• Allowed list of extn and ddi on group config
• Added emergency-uri to allow for emergency calls via configured URI
• Added default carrier setting
• Added carrier setting for ring groups for external numbers connected to the group
• Change layout on web config for VoIP users, groups, carriers, etc.
• Corrected logging to use sip-other for OPTIONS, etc. Was going to sip-register
• Made OPTIONS not respond, or challenge of external user matches, when in PABX mode so sipvicious does not find PABXs
• Added option for backup carrier

Web control pages

• Fix firewall check web interface when long strings of IPv6 addresses used
• Improved and simplified use of html and css in basic page layout
• UI min page size changes with size of side menu
• Improve system thread stats page
• Changed URLs for .js and .css to be version specific to avoid cached old files showing wrongly
• Added handling of a user set at "nobody" level, to allow access to profile switches
• Added uptime to login screen when viewed from a trusted Ip
• Improved layout of FB105 config

ARP

• Change to respond to requests that are normally considered an invalid/broken configuration (seen from sharedband bonding kit)

FB105

• Fixed excessive debug logging of bogus FB105 packets

VoIP

• Minor adjustments to pass through of calling/called number on calls including withheld status
• Race condition on tone generation that could cause a crash
• Changed port numbers to be prefixed : not # in logs.
• Corrected logging of NAT subscriptions records over reboot
• Tweak to challenges on VoIP, and added option for RADIUS to return stale status
• Possible call recording race condition fix

Release notes from version 1.25.100 to 1.25.101

TCP

• Further minor tweak to TCP response timing

VoIP

• Fixed crash caused with local VoIP registrations expiring

Release notes from version 1.25.003 to 1.25.010

L2TP

• Fixed session inconsistency on relayed connections where relay fails
• Was constantly trying accounting RADIUS on all sessions every second if no RADIUS configured or responding

Logging

• Additional one second stats and change to the way counters are shown on them

TCP

• Reset TCP connection on seeing badly formatted options

VoIP

• Some cases of registrations getting duplicated/stuck, fixed

Web control pages

• Fix possible lock up under constant TCP port 80 attack, now recovers quickly

L2TP

• relay-pick feature not quite right
• Odd case of tunnels/sessions clearing with negative timers, logic changed to avoid this

Release notes from version 1.23.001 to 1.24.001

L2TP

• Changed default lockout timeout on relayed tunnels to 3 minutes
• Use graph setting on local termination L2TP/PPPoE using match

Logging

• Minor change to handling of some system log messages
• Minor changes to default settings for system log messages

Routing

• Changed logic for next hop checks where gateway is on multiple subnets, where at least one of which does not answer ARPs causing route to be suppressed

Web control pages

• Changed web status pages to not show unused menus even in debug level user

Release notes from version 1.22.001 to 1.23.001

CQM

• Off line detect on graphs with no timing (e.g. FB105 tunnels) was wrong, causing yellow traffic light
• Added CQM logging of when graphs start and stop responding
• Fixed use of = on numeric arguments for CQM graph URLs
• CQM graphs corrected to show damping data
• Redefined when keys show on graphs
• Added additional stats to CQM XML
• Fixed aggregate L2TP CQM graphs not showing damping, work around for older code is to add ?fud to URL
• Percent loss not scaling properly, so wrong when under 100 pings/LCPs

Config

• The factory config has been changed to set separate port groups and interfaces for each LAN port. Note that this means the FB does not, by default, act like a layer 2 switch over the LAN ports.

Config editor

• Moved VoIP config to separate icon
• Improved layout in config editor for radius service

Dongle

• Fixed buffer leak and resulting watchdog panic caused by dongle negotiation repeatedly failing.

Factory reset

• Changed factory reset to be consistent with separate LAN ports

L2TP

• Tidy the logic for CQM on slow LCP echo to show actual sent count.
• Changed default localpref for L2TP/RADIUS Framed-IP-Address to 0 instead of MAX. Being a /32 it is normally best route anyway, but this change allows a Framed-IP-Route /32 to set a metric where required.
• Increased calling and called length on L2TP as well as truncating if too long rather than discarding
• Increase to calling and called circuit ID in negotiation of L2TP to 64 characters consistent with platform RADIUS.
• Changed PPP negotiation to close if repeated unexpected PPP negotiation after PPP completed

PPPoE

• Fixed crash if pppod configured with no name field

Ping

• Ping file load now allows host names not just IPs
• Logging for ping graphs (e.g. DNS lookups, etc) now to CQM logging target

RADIUS

• RADIUS server config changed to single object type <server...> in services/radius with a type saying if authentication or accounting, etc.
• Changed port to auth-port in services radius, and added separate control-port for dynamic RADIUS
• Additional matching for (platform) RADIUS service (source and target IP of RADIUS request)
• Added support to handle NAS-IP-Address in RADIUS response for L2TP to specify the local end IPv4 negotiated on IPCP - does not add routing or loopback for this
• Platform RADIUS allows configurable secret based on matching rules
• Platform RADIUS has option to require authenticator in request
• Platform RADIUS supports RADIUS-Status-Server message
• Platform RADIUS now logs the requesting IP and target IP

Routing

• Network statement was not using profile, fixed
• Added gateway feasibility testing to static routes in the same way as BGP routes,

Subnet

• Subnet test can report one second false positive every 3 minutes, fixed
• Config load causes a suppressed subnet (test failed) to have false positive for one second
• Subnets with a test would start assumed active, now changed to start assumed inactive

VoIP

• Change to handle SIP from Gradwell VoIP
• Minor tweaks, better use of uri in auth reply, only sending auth reply once, etc.
• Made repeat 401 or 407 treated as a 403 on INVITES
• BYE was not sending to Contact from 200 header, changed.
• Correct handling of Record-Route and Route headers for proxied servers such as sipgate
• Fixed multiple Max-Forwards on REGISTER
• Added extra debug after reports of unexpected DNS lookups
• Fixed direct incoming SIP to a target using to="@..."
• Added I/O (in/out) to CDR log
• Tweak incorrect picking up contact from 1xx responses
• Change to retry for 401/407 response - tries a few times in case stale response
• Change to ensure CANCEL follows same route as original INVITE even when target has multiple IPs in DNS
• Change to correctly delay resend of INVITE once correctly matched 100 trying received
• Change in From heading not to include a blank display name if no display name set
• Prefix CLI with ? where not trusted from a carrier
• Added UK format CLI as text option
• Made UK CLI formatting default if not set and no display and country is 44
• Crash on lots of calls fixed
• Crashing calling IPv6 phones
• Clarify in config help that ddi is international format number
• Added area-code to telephone config to override default for calls from that phone
• Added CLI format option on carriers, default national

Web UI

• Added warning on home page when a reboot is necessary to activate new features

Web control pages

• Added option to set Access-Control-Allow-Origin response to allow cross site javascript access to FireBrick. USE WITH CARE as could compromise your brick by remote hosted javascript re-using a login session.
• Some menu items only shown if debug level user or if menu has some contents, specifically aimed at Status menu items for unused features

XML config

• Typo in help text

L2TP

• Some additional route looping protection

Release notes from version 1.21.001 to 1.22.001

Internal

• Fixed problem with allocation of multiple flash blocks when saving images or large configs or data. Please ensure you have a copy of the config before a manual upgrade. Save config several times on FireBrick to minimise risk of issues.

CQM

• Removed standard deviation from CQM graphs
• Added reject count on ping graphs (ICMP error response) - new CQM xml definition
• Changed fail on graph (dripping blood / red), and reject, to be percentage based

L2TP

• Changed platform radius matching code for L2TP to handle longer challenges than 16 (now 64)

Ping

• Slow setting on ping now defaults to auto, i.e. when no proper replies for 2 minutes, but can be set true or false

Web control pages

• No longer shows Wholesaler on status page (unless enabled for alpha builds)

Release notes from version 1.20.001 to 1.21.001

NTP

• NTP server field name now changed name and set to default which is ntp.firebrick.ltd.uk. Please configure any preferred ntp servers

XML config

• Changed services/platform-radius service to be services/radius as plans to expand config for other types of RADIUS
• Moved RADIUS authentication and accounting lists from l2tp to services/radius

BGP

• Reversed a previous change which affected network statements. Default localpref set to max as before. Could cause issues if BGP announcing and accepting own as on external transit.
• Fix BGP export community checking for built in community values

Config editor

• Adjusted some of the help text on config edit
• Traffic lights added to profile list for current state of profiles
• Traffic lights for profiles in config edit (on profile list and lists which reference profiles)
• Added recommendation in config recommending separate VRRP ID on separate VLANs

Factory reset

• Added PPPoE client in factory reset config on LAN as well as WAN

Firewall

• Tweak for firewall logic where target interface is a 6 to 4 tunnel to resolve final interface
• Adjusted session track handling on memory exhaustion
• Added more fields to session table
• Fixed bug in checking rules for interface="" where logic was not correct
• Not setting NAT for dongle/PPPoE if traffic from the FireBrick

Internal

• Change to improve shutdown / reboot sequencing and timing

L2TP

• Extra option in L2TP relay controls allowing picking one of the relay IPs at random first
• Slightly better debug for RADIUS count issue, use of volatile on state ocntrol, and adjust polling task

PPPoE

• Was incorrectly adding far end IP as a DNS server
• Added some level of backoff on PADI, longer if never seen PADS

Ping

• Changed ping graphs to follow firewall/mapping rules on outgoing packets

SNMP

• Added iso.3.6.1.2.1.1.2.0 sysObjectID

Subnet

• When changing a subnet, a new MAC is allocated - it now picks from subnets in same port/vlan first

Web control pages

• Username on web footer
• Added port/VLAN to subnet list

XML config

• Changed error messages on config load to provide more context - shows XML around the error point
• Corrected syntax check on XML duration with spurious letters
• Added new restrict-mac field to interface definition - NOTE: USING THIS MAY CHANGE MAC OF SUBNETS IN USE

s/w upgrade

• Longer backoff on s/w upgrade checks where no DNS available

Config editor

• Added "(b/s)" on description for rates in config

PPP

• Fix minor discrepancy in NAK and REJ logic on PPP

VoIP

• Fix potential crash on voip config change

Release notes from version 1.19.001 to 1.20.001

BGP

• Note that the localpref default is 0 for network statements on this factory release.

BGP

• Adjust next hop logic in presence of VRRP to avoid incorrect use of VRRP address in some route passing

CLI

• Fix double line spacing on some command line output
• Added a "show run" and "import config" in telnet/command line allowing dump and upload of raw XML.

CQM

• Configurable latency Y axis
• Ping only graphs (i.e. no throughput) now have standard deviation on ping timings
• Minor change to default colours
• Corrected showing of "off line" on graphs
• Minor tweak on graphs
• Setting Y axis latency in ms on graphs as part of URL

Config editor

• Moved css-url to http services config, will need editing as not automatically moved

DNS

• Malformed DNS packets could cause crash, fix

Factory reset

• Change to "recovery" factory default to have separate LAN ports
• Default timeserver set to ntp.firebrick.ltd.uk rather than pool.ntp.org

L2TP

• Additional control over timeouts on L2TP
• Changed default timeouts on outgoing L2TP client sessions - faster recovery and retry
• Possible lockup and watchdog in cases of unresponsive RADIUS servers
• Removed idle timeout from RADIUS as never implemented
• Added quota (tx) to L2TP (as RAIDUS filter code Q)
• Added quota (tx, or tx+rx) and terminate action to allow radius accounting on exceeding quota or session timeout
• Added Filter-Id and Session-Timeout to all RADIUS updates, was just Start record, as some data can change dynamically
• L2TP should now accept RADIUS CoA sooner - was not accepted until PPP negotiation had finished

PPP

• Improvements to checking and timing in PPP processes
• Slight change in PPP sequence numbering
• Minor tweaks, including new accept-dns in dongle config
• Improved debug / logging for PPP connections
• Support PAP as client login on PPP
• Adjusted retry timeouts on PAP/CHAP requests
• Corrected PPP client PAP continuing to IPCP

PPPoE

• Tweak to handle multiple service responses in PADO

Ping

• Allow configuration of larger ping packets

Profiles

• Profiles using date or time no longer register any state change if clock is not yet set
• Improved logging after non state change profile
• Date/time profile tests when not clock set assume initial state
• Date/time profile tests now have comment field in config

Web control pages

• New layout for ping and traceroute allowing XML export
• traceroute and ping no reporting a "firewalled" response if seen, rather than just unreachable
• Web interface showing system name on title if trusted IP

XML config

• Fix factory reset config
• Changed XSD duration to an FB type that uses saner syntax [[HH:]MM:]SS

• Changed [not] to [inverted] in Profile logging text.

BGP

• Fix debug log of accepted prefixes on BGP, was showing garbage extra bits

Release notes from version 1.18.001 to 1.19.001

• Factory release needed for chipset variant at factory

• Allowing larger config files

Internal

• Support alternative ether controller

L2TP

• Incorrect fragmentaion of locally generated IPv6 packets sent via L2TP, fixed

RADIUS

• RADIUS auth request sending NUl CUI as per RFC4372

VoIP

• In some cases, e.g. no configured password, voip could crash. Fixed

Web control pages

• autocomplete off on entry for OTP data
• Moved Log to separate main menu entry

XML config

• Tidy of XSD for schema validation
• Final XSD validation tidy

OSPF

• Started work on OSPF

XML config

• Added new types in preparation for new interface config structure

Release notes from version 1.17.001 to 1.18.001

• Pre beta/factory release build
• Pre beta/factory release build (again)
• Draft documentation included in releases

BGP

• New filter option to check for community present in a route
• Showing BGP route details shows additional community tags as well
• Fix for BGP config where local IP is DHCP, meaning BGP did not start up unless a local-id was set
• Fix BGP import/export filtering which only considered first match rule
• Allow use of pad on BGP peer if add-own-as set, even on ibgp
• New BGP option for next-hop-self="vrrp" to quote a VRRP address as next-hop if we have one on same subnet
• new use-vrrp-as-self (default true) means the next hop used in BGP will use an appropriate VRRP address if possible
• Ignored received announcments treated correctly as a withdrawal
• Corrected BGP ingress filtering to allow detagging the standard community tags
• Made BGP next hop logic consider routes to dead end and to network as non feasible (previously they were feasible but could not route)

CQM

• Fix for long term shapers which only worked if sharing of shaper was set
• Graphs show min and max rate limit per hour now
• More corrections on long term shaper logic
• Long term shapers were not actually applying the shaper limit, it seems, even if worked out correctly
• Changed min line on graph to be dotted

Config editor

• Tweak class for cqm images in css

DHCP

• Fix for possible lock up causing watchdogs in some cases

DNS

• DNS resolver no longer caching SOA as it was not expanding the MNAME/RNAME fields correctly
• DNS server now ignores expired DHCP allocations

Ethernet

• Added layer 2 interface mapping function (map port/VLAN to port/VLAN directly no session track or firewall)

FB105

• Updating the FB105 tunnel config did not always have immediate effect

Firewall

• Crash in some cases where traceroute via mapped address, fixed

IP

• Added ARP/ND based link state test on interfaces (changed to subnet level later)
• Added ARP/ND link state test to work at subnet level
• Made Wake on LAN a separate diagnostic and linked to DHCP

IPv6

• Fix for ND responses for FE80::/10 LL addresses matching our MAC prefix (we answered all requests even if specific MAC not in use)
• Adjusted routing for FE80::/10 so all interfaces are equal metric to locate LL endpoints

Internal

• Improved watchdog error reporting
• Further improvement to watchdog panic diagnostic

L2TP

• Change relayed L2TP session stats to be consistent with non relayed by counting only IP and not LCP, etc.
• L2TP status showing an accounting session ID even when not using RADIUS accounting, useful for pcap
• Better status report for back to back sessions

PPP

• Adjusted LCP restart logic to restart LCP if far end persists in restarting
• Allow far end to refuse magic number negotiation

PPPoE

• Linked status page from PPPoE to L2TP

SNMP

• Added some IfXEntry SNMP values

VRRP

• Changed default startup delay to 60 seconds as usually more sensible and should not cause any harm

VoIP

• Added contact header in REGISTER response
• Possible fix on some issues with ring group logic

BGP

• Fixed config to only allow one list of import and one list of export rules under bgp peer, as only first in list was checked anyway

DHCP

• Internal change to try and resolve issue where DHCP has been seen to cause a lock up and watchdog on some systems

IP

• Internal change to avoid possibility of recursive tunnelling overrunning buffer space

L2TP

• Correct NSN RADIUS parameters in platform RADIUS

Web control pages

• Set larger input box size on web diagnostic tools

Release notes from version 1.16.001 to 1.17.001

• Updated documentation

BGP

• Changed BGP to leaf node (i.e. not passing on BGP routes via BGP or recording ASpath)
• Corrected AS list in show routes to handle multiple sequences (was showing with no separator)

CLI

• Fix obscure race condition which may cause panic when logging to command line (console).

CQM

• Corrected URL processing for CQM where using x=value/x=value type syntax
• Change to ping scan and cqm polling functions to be more aligned to real time seconds, ready for when we do NTP fully

Config

• Removed redundant fast-reboot options

DHCP

• Corrected tool tips on Kill/Unlock

Internal

• More details in thread statistics report
• Improve reporting of hardware errors

L2TP

• RFC4818 Delegated-IPv6-Prefix support added - see RADIUS documentation for how this is used.
• Complex bug with IPv6 routed via IPv6 gateway that is routed via an L2TP over IPv4 and generating an ICMP error causing a crash - fixed

Logging

• Removed unused log types for SNMP trap (will move to profiles) and SMS (may be added later)

NTP

• Added option to set ntp poll rate, will be removed/changed when we do NTP fully.

Profiles

• Clarified wording for and, or, and not, tests in profiles
• Clarified meaning of timeout and recover as times not number of tests

RADIUS

• Reinstated platform RADIUS accounting handling and relay (missing since 1.13.111)

VoIP

• Second call in a queue is not getting ringing to caller - fixed

Web control pages

• Added layout for config edit for l2tp incoming and outgoing
• New CSS - especially on config edit pages

Release notes from version 1.15.001 to 1.16.001

BGP

• Colours on BGP status on web page

DNS

• DNS resolver negative caching handling and tweaks to handle VoIP DNS lookups where CNAME used
• Corrected negative caching timings

L2TP

• Added RADIUS option to avoid LCP restart on mismatched MRU
• Corrected sending MTU in RADIUS auth (could be sent twice in some cases)
• Allowing up to 64 byte CHAP challenge size in proxy auth

PPPoE

• Issue with IPv6 DNS servers not working on a second PPPoE client connection if same as previous

Ping

• Not trying to print reverse DNS on ping command while waiting DNS response

RADIUS

• RADIUS accounting refernce could change some time after reboot depending on clock setting, fixed
• Fix buffer leakage if RADIUS servers time out

Time

• Added very simple sanity check to SNTP clock setting, and logging to right place
• Logging IP from which clock was set

UI/CLI

• Added hard reboot option

VoIP

• Possible issue with hunt groups messing up after call transfer fixed
• Reduced some of the debug
• Some very basic SRV handling (picks lowest priority SRV record only)
• SRV handling for VoIP

Web control pages

• Avoid unnecessary invocation of bootloader when system reboot is requested

Logging

• Better wording for missed log entries

Release notes from version 1.14.001 to 1.15.001

Config

• Fixed factory default config for dns host name my.firebrick.co.uk - this means a new factory release of code.

BGP

• Route refresh capability announced and refresh request handled
• Minor adjustment in graceful restart logic (not yet advertised)
• Fixed long delay rebooting when BGP active

Config

• Corrected parsing of an IP using final :: in place of :0 (i.e. seemed to have too many colons)
• Not generating initial or trailing :: on IPv6 addresses where only one block replaced

Ethernet

• Avoid spurious port down messages at startup.

Firewall

• Routes to VRRP addresses now treated as to "self" not to "unknown" as previously
• Session table display indicates if incomplete as output was interrupted.

Flash

• Image priority tagging removed. Flash contents display shows penalty but no longer priority.
• Change to flash block allocation strategy to spread block usage.

L2TP

• Changed DHCPv6 served timing for L2TP

VRRP

• Fix issue if two separate VRRP configs used with same VRID one for IPv4 and one for IPv6

VoIP

• Mute on a snom caused a call drop due to loss of media, changed to send reinvite same as if on hold
• Validation of allow lists in config save for VoIP
• Tweak to send record route back correctly on dialogue responses

Web control pages

• Format of manual image upload UI page changed in line with auto update.

Release notes from version 1.13.090 to 1.14.001

Profiles

• Possible problem in ping profiles could result in a watchdog failure

RADIUS

• Corrected RADIUS tagging on NSN parameters in platform radius.
• Changed RADIUS accounting for where no start time is known for some reason not to send 1970

VoIP

• ACK generation on delayed response to closed call
• Fix crash case - looks related to hunt groups calling numbers for which users are not yet registered
• Fix for call transfer problems
• Increased number of carriers as often back to back with telephone users
• Outgoing carrier picking for external calls from hunt group using calling carrier
• Pickup was not working for a ringing call
• Transfer to ringing hunt group not working
• Added reason on CANCEL and BYE in some cases
• Race condition on call transfer can cause call to get stuck, fixed
• Corrected handling of Replaces header in REFER where escaping some characters
• Corrected handling of 100 Trying response on outgoing registration so we can register against asterisk
• Updated to handle OPTIONS from a carrier (e.g. asterisk)
• Added tag= on From for calls out via carrier, oops
• Changed for registration reply that does not contain explicit Expires header (e.g. sipgate)
• Changed domain on From and Call-ID
• Added handling of a 407 proxy auth request as well as 401
• Tweak for seq advance on INVITEs after 401/407 (asterisk was unhappy with reuse)
• Added more detail as a CDR log entry
• More CDR log tweaks
• Media detect logic added
• Made call related logs more consistent, always starting with call ID
• Corrected start time ms on CDR log
• Media loss detection improved
• Incorrect call time on status page
• Additional debug for NAT

Web control pages

• Typo in web config for dns-host/block

Release notes from version 1.12.002 to 1.13.001

• Increased memory buffer to allow larger code to be uploaded - breakpoint release needed to ensure existing units can load later code

Web control pages

• Changed graphics for rule lists in firewall - more flowchart like
• Fixed incorrect showing of "New" when a list of objects is full

CQM

• Added additional checkings on CQM shaper sharing to allow for erroneous negative traffic counts

Release notes from version 1.12.001 to 1.12.002

PPPoE

• PPPoE not working if no IPv6, doh, fixed

Release notes from version 1.11.001 to 1.11.004

General

• Various additional debugging code added

Release notes from version 1.09.001 to 1.10.001

L2TP

• Since 1.08.007 RADIUS timeouts could cause RADIUS servers to "clog up" and stop doing any RADIUS, fixed

CQM

• Correct for rare race condition leading to multiple graphs of same name

Flash

• Avoid flash fragmentation by deleting old images if necessary before saving new image.

L2TP

• Added min-retry as a minimum session time before retrying an outgoing L2TP connection (default 10 seconds)
• New platform RADIUS logic

CQM

• Change to correct issue with duplicate CQM graphs in some case

Shaping

• Fix incorrect handling of (legacy) tx-interval on shaper

Release notes from version 1.08.001 to 1.09.001

BGP

• Vendor specific SNMP for BGP status

DHCP

• Clear DHCP command now allows range/prefix to clear multiple entries
• Option to kill a DHCP allocation from web interface (DHCP status) now
• Change handling of BOOTP to operate as a REQUEST not DISCOVER so causing allocation of lease

L2TP

• Better "clear l2tp all", depending on speed of RADIUS accounting
• Vendor specific SNMP for L2TP status

PPP

• Added IP over LCP sending option to PPPoE code

SNMP

• SNMP now has extra logical interfaces which are all named shapers in order, including relevant stats for a shaper.

Release notes from version 1.07.001 to 1.08.001

• Auto upgrade software not done if new software already in flash, stops a crash causing a loop.

CLI

• Changed show [bgp] route command to list where each route is directed.
• Allow abort by pressing a key on the show routes command.
• Tidied show dhcp command

CQM

• CQM graphs now in alphabetic order
• Shaper sharing system
• Session based graphs should not persist if not used for a bit more than a day
• Increased number of historical rate changes shown on graphs to 5
• Increase number of historical rate changes show on graphs to 10 and not shoing before first rate
• CQM graphs no longer in alphabetic order, now most recent first. Alphabetic order broke polling when new graphs added
• Hourly rate line on CQM graphs
• Extended CQM line to end of graph

FB105

• Made payload-table consistent - now defaults to 0 not to "same as table"
• Convertor making more sensible names for things like "24-7"
• Not picking FB105 endpoint as our IP if cross table tunnel - picks any IP from a subnet on same table
• FB105 cross table tunnel source IP correction when internal IP defined

Firewall

• Change to logic where packet could go to multiple subnets on different interfaces. New interface "multiple" can check this, but default action in such cases now is to ignore the packet and send ARPs. New action "ignore" available.
• Changed logic more so all timed out ARPs on multiple interfaces is now "unknown", and default action for "unknown" is "drop"
• Improved traceroute through mapped IPs
• Additional logging on re-routing during session tracking
• Explicit action accept in rule was not overriding a default action of DROP for originally NOWHERE routes
• Further change so default action not allow only if no rule matches.

L2TP

• Made payload-table consistent - now defaults to 0 not (in some cases) "same as table"
• Faster session clearing when using clear all
• IP over LCP sending as RADIUS controlled flag (filter C)
• Increased L2TP sessions to 250
• Not picking L2TP endpoint as our IP if cross table tunnel - picks any IP from a subnet on same table
• Added return of Proxy-State in platform RADIUS response
• Added Tunnel-Medium-Type (IPv4/6) in platform RADIUS response
• Added optional Juniper Context-Name response in platform RADIUS response (for BT 20CN session steering)
• Added username hash based Tunnel-Preference in platform RADIUS response
• Recognise BT specific "Subscriber provisioning failed" error and send clear cause 15 on RADIUS
• More options for ordering the response on platform RADIUS
• Faster LCP conf req on l2tp connect with no LCP

PPP

• IP over LCP rx handling added. I.e. LCP with code 4X or 6X assumed to be IP.
• Buffer exhaustion handling in ppp fix crash risk

Profiles

• initial state of profile with set="..." now uses that setting not initial="..." value

RADIUS

• Fix platform radius proxy state return issue affecting relayed platform radius

Web control pages

• Added reboot link to web pages, in "status" section for ADMIN level or higher
• Added VRRP masters count to pre-shutdown message for reboot and s/w updates
• Fix bug showing FB105 tunnels up when not, in pre-shutdown message for reboot and s/w updates
• Added new form for pcap dumping to file from browser (/pcap/)

• Better error message on ip group name syntax check
• Added link to upload new config on factory reset screen
• Added link to upload new config on soft factory recovery screen

DHCP

• Internal change to handling of DHCP server when searching for a suitable IP

L2TP

• Additional debug added in L2TP/RADIUS code

XML

• XML checking recognises that an empty list is not valid on a mandatory attribute
• XML checking no longer reports issues with schemaLocation - they are now ignored

Release notes from version 1.06.001 to 1.07.001

Web control pages

• Using web interface diagnostics/routing could cause a crash

• Test release with additional debug - use as directed by tech suppport
• Does not auto update and reboot if in factory reset recovery state

CLI

• New show routes command not BGP specific

DHCP

• DHCP client sets /32 routes for DNS servers provided

FB105

• Shows associated routes on FB105 tunnel status
• Added graph on web view of fb105 tunnel status if a graph set

Factory reset

• Made factory default have NAT set on the 10.0.0.X subnet

L2TP

• Change of field name (username) not preserving old field (user-name) in l2tp-relay, fixed
• Pressing a key on telnet command "clear l2tp all" stops clearing lines.
• Support for RADIUS Framed-IP-Netmask mapped to L2TP PPP IPCP NETMASK (144)
• L2TP client mode asks for DNS on PPP
• Config change was unnecessarily restarting some L2TP sessions
• L2TP failed tunnel timeout reduced from 5 minutes to 1 minute
• L2TP error response on duplicate tunnel ID to try and manage restart case better
• Better logging of unexpected L2TP SCCRQ

Web control pages

• Showing associated routes on subnets, dongles, PPPoE, etc.

CLI

• Show dhcp command layout fix

Firewall

• Some better checking for warning about blank firewall rules

L2TP

• Issue with L2TP clients when no hostname and no local system name configured

Release notes from version 1.05.001 to 1.06.001

• Test release with additional debug - use as directed by tech suppport
• Additional stats for sessions per second started
• Added memory usage to one second stats
• Allow multicast packets to be passed through switch
• Possible obscure issue with DHCP server code fixed - probably only when default dhcp server user (i.e. ip not set)
• Added new show status command on telnet, and reformatted web status page

CQM

• Bug if graphs trying to scale to just under 4Gb/s, showed scaled at bottom end in error. Fixed.
• Not including old (off screen) rate changes in max scale on graphs

DHCP

• Additional options in DHCP client
• Changed DHCP server to serve bricks IP as DNS server allowing it to relay, unless explicit servers set in config

Dongle

• Colour on dongle status
• Default if no route= set to also set /32s to DNS servers as well as default route
• Dongle reporting negotiated DNS servers in status

Ethernet

• Changed autoneg setting on ethernet ports to default to false if manually setting speed or duplex and not 1G

FB105

• FB105 tunnel status reporting half-up status correctly
• Changed logging to only log fatal errors (such as no source Ip or no route) once until next works
• Added additional recursion detection for FB105 tunnels
• Config of ports used in FB105 tunnels, and update to config convertor to match
• Reduced repetition of receive related warnings on identifyable tunnels

Firewall

• Internal adjustment to session tracking hashing functions
• Additional sanity check to pick up if someone tries adding a blank rule to a rule-set (typically by mistake)
• Rule set logic for checking tables when previously having table changes in another rule-set may not have been correct
• Diagnostic for firewalling not correctly handling non table 0 rule checks

L2TP

• Changed L2TP logging so relay sessions have same logging as incoming session at the time
• L2TP config change was clearing tunnels if not using a hostname setting
• Changed logic for logging L2TP to try and ensure relayed sessions log correctly
• L2TP relay was dropping first packets exchanged
• Periodic RADIUS accounting was incorrectly showing timestamp less any current dropped packets which could cause a slight discrepancy
• Outgoing L2TP option ready for initial testing

Logging

• Session track counter in log-stats
• Log email sending retry logic changed
• Added much more debug for log-debug for logging email sending
• Added additional information to emailed logs

PPPoE

• Default if no route= set to also set /32s to DNS servers as well as default route

Ping

• Ping graphs can now use a host name

RADIUS

• L2TP RADIUS for PAP was using cleartext password as message auth (16 byte), changed to random.

VRRP

• Deleting an interface which VRRP master caused a crash

Web control pages

• Improved lists of objects with sub objects present in config editor
• General change to css, layout and menus, and new options for menu/banner controls
• Extra information on DHCP client status page (subnets)
• Change to allow you to stay logged in when clock first sets
• Added ethernet port status to web status page

Firewall

• Checking for blank rules refined to allow rules just settting nat or tables

L2TP

• Final LCP TERM sent not logged correct field length in PPP dump, though sent correctly.

Web control pages

• Home page shows if system name is not set is this really should always be set, but is not actually a mandatory field

Release notes from version 1.04.002 to 1.05.001

• Test release with additional debug - use as directed by tech suppport

BGP

• Stopped announce of FE80::/10 when subnet has bgp="true"
• No longer logging full BGP packet when discarded due to !allow-own-as or allow-only-their-as
• Added additional per peer counters for ignored and filtered incoming updates

Logging

• Possible fix to issue causing occasional unexplained crashes
• Bug where viewing logs on web pages could cause crash, fixed
• Removed hex dump debug log of DHCPv6 - as cluttred interface debug logs and better done using pcap

Ping

• Fixing interface based pings on startup not always working

Web control pages

• Missing titles on lists of blackhole and nowhere routes
• Config edit was not able to add / change shaper-override (profile based shaping logic)

Release notes from version 1.02.001 to 1.03.001

• Special release with extra testing, use as directed.

Config

• Changed default config - using LAN and WAN as interface and port group names and added more comments

Web control pages

• Manual s/w upgrade looks nicer now
• Graph names as text on graphs list to allow searching in browser
• Corrected icons for rule-set
• Tweak factory reset menu

Web control pages

• Adjust timing on status check to try and ensure we see new s/w first time