FireBrick Model: FB6000 | FB2500 | FB2700 | FB2900 | FB9000 | SoHo/Plus | FB105

Model Variant: FB2500   Change to: (default is FB2500)

Software Versions: Recent versions only | Factory releases | Factory and Beta | Factory, Beta & Alpha

Built 2024-10-29
Latest Beta release
2.01.101 (Balcombe)
Config:XSD Doc

Release notes from Beta release 2.01.010 to Beta release 2.01.101

BGP

  • Avoid some potential crashes with repeated config updates

CQM

  • Correct UDP checksum for shared shapers and add status page

DHCP

  • Add support for the "rebinding" state in client
  • Send server ID when in SELECTING state
  • Allow DHCP6 client to be configured directly (not via RA)

MQTT

  • Fix where subscriptions could get overwritten in some cases
  • Fix CPU spikes that can grow with uptime

OS

  • Handle devices that don't respond to unicast ARP (Starlink) more gracefully
  • Additional type of watchdog for catching rogue high priority threads

Routing

  • Fix bug that could cause routes to transiently appear as NULL in the forwarding table

VoIP

  • Add additional ways to detect anonymous calls for telephony operators
  • Fix rare issue with RTP packets from 0.0.0.0

Web UI

  • Accept connections from "trusted" (but not "allowed") hosts during ACME renewal
  • Group profile buttons on home page
  • Fix issue that could cause live logging to use CPU excessively
  • UI tweaks
Built 2024-10-28
Older Beta release
2.01.100 (Balcombe)
[Withdrawn]
Config:XSD Doc
This release has been withdrawn.

Release notes from Beta release 2.01.010 to Beta release 2.01.100

BGP

  • Avoid some potential crashes with repeated config updates

CQM

  • Correct UDP checksum for shared shapers and add status page

DHCP

  • Add support for the "rebinding" state in client
  • Send server ID when in SELECTING state
  • Allow DHCP6 client to be configured directly (not via RA)

MQTT

  • Fix where subscriptions could get overwritten in some cases
  • Fix CPU spikes that can grow with uptime

OS

  • Handle devices that don't respond to unicast ARP (Starlink) more gracefully
  • Additional type of watchdog for catching rogue high priority threads

Routing

  • Fix bug that could cause routes to transiently appear as NULL in the forwarding table

VoIP

  • Add additional ways to detect anonymous calls for telephony operators
  • Fix rare issue with RTP packets from 0.0.0.0

Web UI

  • Accept connections from "trusted" (but not "allowed") hosts during ACME renewal
  • Group profile buttons on home page
  • Fix issue that could cause live logging to use CPU excessively
  • UI tweaks
Built 2024-07-01
Older Beta release
2.01.010 (Balcombe)
Config:XSD Doc

Release notes from Beta release 2.01.001 to Beta release 2.01.010

FB105

  • Fix rare crash
Built 2024-06-24
Older Beta release
2.01.001 (Balcombe)
Config:XSD Doc

Release notes from Beta release 2.01.000 to Beta release 2.01.001

BGP

  • Fix potential crash with flappy routes and multiple peers

DNS

  • Fix race that could (very rarely) result in mangled packets whilst relaying
Built 2024-06-19
Older Beta release
2.01.000 (Balcombe)
Config:XSD Doc

Release notes from Factory release 2.00.100 to Beta release 2.01.000

ARP

  • Better handling when sending many messages to non-existant locally connected targets

BGP

  • Shutdown more cleanly on profile disabling
  • Log which AS we are rejecting if it doesn't match
  • Fix incorrectly reported exports with multiple tables in play
  • Remove inaccurate/confusing status text

CLI

  • Add filtering by table to "show bgp peer/summary" and "show route nexthop"

Config

  • Disable legacy time server (port 37) by default
  • Make it easier to find banner background option
  • Some improvements to demo mode

CQM

  • Treat graph names consistently case sensitively
  • Allow automatic ping graphs to be configured for DHCP entries

DHCP

  • Improve handling of locked entries
  • Fix crash when serving certain requests

Diagnostics

  • Add config option to dump some of the stack on certain classes of crash
  • Improve mutex acquisition timeout diagnostic

FB105

  • Improve speed of obfuscation

Firewall

  • Improve efficiency of firewall timeouts
  • Add obfuscation options
  • Fix race on one sided session reuse
  • Increase priority of firewall event processing task

HA

  • Fix for handling special packets and other tunnels within HA L2TP tunnels

Internal

  • Tweak scheduler to try and avoid rare thread starvation conditions on single core platforms
  • Use interrupts to change LED state

IPv6

  • Fix issue with duff broadcast address in some RAs

L2TP

  • Add speed settings to L2TP local authentication
  • Config option for L2TP IPv6 tunnels without a checksum
  • Avoid rare crash fetching status
  • Add option to send Operator-Name on a per <incoming> basis
  • Support specifying the source IP for payload traffic

LACP

  • Hot standby mode selection for wider switch compatibility

Logging

  • Log L2TP RADIUS errors to the RADIUS debug log (instead of the system one)
  • Add a log for a user's events (currently logins)
  • Report hardware watchdogs to support
  • Log slow config load functions to sys debug
  • Log bootloader upgrades
  • Improve detail in some logs
  • Shorten TCP connection timeout for email logs
  • Change VRRP not found to debug

Manual

  • Explain the 2 types of defaulting in the XSD
  • Improve layout slightly
  • Remove some out of date screenshots
  • Improve LACP standby explanation

MQTT

  • Fix retained message handling timeouts
  • Fix a couple of rare crashes
  • Drop oversize QOS0 messages
  • Correct sending retain to clients only for old retained messages not new ones after subscription established

NTP

  • Use MD5 hash for refid for IPv6 time sources

Ping

  • Don't crash when we cannot create ping from config (because too many have already been bulk loaded)

PPPoE

  • Add an additional profile to prevent responding to PADI messages
  • Allow omitting of automatic caller-id end
  • Show the acname correctly in status
  • Report PPPoE info more reliably on L2TP sessions page

Profiles

  • Allow control switches to be set from the menu (and allow them to be locked for sensitive ones)

RADIUS

  • Drop legacy AOR AVP number
  • Fix issue with RX shapers and CoA
  • Make status mechanism more in line with other services

Routing

  • Fix loop detection in source IP determination
  • Add debug user command for dumping internal state of routing

Sampling

  • Fix rare crash when changing interface config as a sample is taken

SNMP

  • Fixes for L2TP SNMP

Software upgrade

  • Add button for downloading latest software without rebooting

Strack

  • Fix crash due to wraparound optimisation

TCP

  • Add option for TCP stealth mode for the FireBrick itself (without using the firewall)

Telnet

  • Fix rare crash when quickly creating multiple telnet sessions
  • Add task stat clear command

VOIP

  • Tweak wording of security-replies registration warning and add context to manual
  • Improve logging
  • Handle NAT RTP more cleanly when far end is silent and not sending RTP packets

VRRP

  • Show time in a given state

Watchdog

  • Additional context for rare watchdog

Web UI

  • Add DNS cache state status (DEBUG only)
  • Make the status page clearer during reboots
  • Modify layout approach to avoid a couple of strange looking edge cases
  • Allow an additional level of submenus
  • Allow menus to be expanded and collapsed via JS
  • Scroll tables in x if they don't fit in the page
  • Reorganise the menu entries
  • Add button for clearing flash penalties (debug user)
  • CSS hinting tweaks
  • Add a page for unit info
  • Put intro text in page header
  • Ensure profile switches show up to date status over config change
  • Fix issue where test/save buttons could appear twice after repeated config test edits
  • Reword software upgrade page
  • Optionally group control switches in menu
Released 2023-10-16
Built 2023-10-09
Current factory release
2.00.100 (Abbotscliffe)
Config:XSD Doc

Release notes from Factory release 1.61.010 to Factory release 2.00.100

  • Rework apps to run efficiently on the FB9000 platform - this is a major rework that may impact all platforms

ARP

  • Recover faster from certain subnet changes
  • Slightly improve ARP queue timeout handling for entries that do not resolve but are in constant use.

BGP

  • Shutdown timeout - be tolerant of negative NTP adjustments
  • Add profile to peer list in config editor
  • Check that peers define unique connections
  • Improvements to graceful restart
  • Improve connection handling
  • Fix issue with GET method for new SNMP OIDs
  • Additional states for shutdown and preshutdown in new OIDs
  • Add prefix limit info to SNMP
  • Include held routes in the count of imported prefixes
  • Improvements and bugfixes
  • Intersperse connection handling better

Config

  • Added auto-backup-url to config to POST changed config
  • Improve config patch mechanism
  • Fix "*" parsing for port ranges
  • Small improvements to the auto backup feature to make it nicer

CQM

  • Calculate times for XML output the same way as for images
  • Handle extremely low ping latencies better

DNS

  • Prevent forwarding of other types for overridden DNS entries

Ethernet

  • Allow assignment of specific MAC addresses to subnets and interfaces

Firewall

  • Only ARP targets in overlapping subnets if we would allow traffic to them
  • Improve source IP selection when NAT is targetting overlapping subnets
  • Add more detail to firewall diagnostic

Internal

  • Improve resource utilisation of streams

IPsec

  • Remove path by which eap-user restrictions could be evaded by some clients

IPv6

  • Advertise a /64 for PD SLAAC (even if the delegated prefix is larger)
  • Introduce a list of ra-subnet-template on interfaces to allow setting of options for RA generated subnets (replaces ra-client)
  • Prevent prefix delegation on linked interfaces (including by implicit defaults)
  • Fix issue with RA and ignore_dns that can cause subnets to be recreated

L2TP

  • Corrected handling of Framed-IPv6-Address as interface address in RADIUS
  • Add calling/called station IDs to L2TP session status
  • Fix crash with packets claiming different lengths in different ways
  • Allow IPv6 DNS to be overridden via RADIUS
  • Don't kill tunnels immediately when profiling off incoming
  • Report the correct number of packets for TX and RX

LACP

  • Advertise additional links as standby when it makes sense to do so
  • Put secondary links in hot standby when speed limited by hardware
  • Handle badly behaved link partner better

Logging

  • Increase internal logging capacity

Manual

  • Add more commands to the manual
  • Improve MIB appendix

MQTT

  • Reconnect faster on "external" config changes and improve status
  • Fix issue where tx is available late

OSPF

  • Fix crash when config changed repeatedly very rapidly

Pcap

  • Make labels on pcap form slightly better
  • Support multiple IPs and ranges in the filtering

PPPoE

  • Fix typo on PPP status page
  • Don't accept PPPoE inbound connections if the matching incoming is profiled off
  • Log sending the PADR

Profiles

  • Add uptime test to allow staggered starting of services
  • Evaluate conditions when adding (to avoid flapping without careful choice of initial)

Routing

  • Remove 6to4 (2002:) IP mapping
  • Add tunnel IDs to routing diagnostic summary
  • Avoid sending packets with potentially inappropriate source IPs (applies to overlapping subnets mainly)
  • Force immediate reconsideration routes when related gateways have expired

SNMP

  • Add system memory utilisation to SNMP
  • Make buffer statistics reflect new reality (that most buffers are in a global pool)

TCP

  • Improve preempting of TCP connections in the timewait state
  • Limit accept queues more consistently
  • Reduce resource usage when in TIME-WAIT

TLS

  • Add connection count to 1 second stats

VoIP

  • Improve how VOIP logging reads

VRRP

  • Take notice of the profile on the parent interface

Web UI

  • Improve profile switch behaviour when clicked fast repeatedly
  • Config option to change colours of user interface
  • Add buttons to config editor for reordering items in ordered lists
  • Darker background for select multiple selections
  • Avoid underflow when showing number of seconds remaining for config test (cosmetic)
  • Added warning that config save is recommended
  • Tidy up config edit page
  • Improve layout of BGP buttons
  • Show reboot now option when shutting down
  • Wrap lines in XML editor on first load
  • Buttons to delete flash blocks as a DEBUG user
  • Click on headings to sort status tables
  • Provide load indicator on Status page
  • Suppress iphone phone number autodetection (so it doesn't pick up the serial number)
  • Add arrows (ascending and descending) to sorting
  • Record txnodesc more like other ethernet stats
  • Add ability to view old configurations and boot alternative images to flash contents (as DEBUG)
  • Reorder ping form
  • Tweak upload styling
  • Show route diagnostic in prefix order
Built 2023-09-18
Older Beta release
2.00.010 (Abbotscliffe)
Config:XSD Doc

Release notes from Beta release 2.00.001 to Beta release 2.00.010

Config

  • Fix "*" parsing for port ranges

IPv6

  • Fix issue with RA and ignore_dns that can cause subnets to be recreated

L2TP

  • Report the correct number of packets for TX and RX
  • Fix issue where damping could get stuck on

LACP

  • Handle badly behaved link partner better

MQTT

  • Fix issue where tx is available late

Web UI

  • Reorder ping form
  • Tweak upload styling
Built 2023-08-21
Older Beta release
2.00.001 (Priday)
Config:XSD Doc

Release notes from Beta release 2.00.000 to Beta release 2.00.001

  • Internal code changes to slightly improve performance
Built 2023-08-14
Older Beta release
2.00.000 (Priday)
Config:XSD Doc

Release notes from Factory release 1.61.010 to Beta release 2.00.000

  • Rework apps to run efficiently on the FB9000 platform - this is a major rework that may impact all platforms

ARP

  • Recover faster from certain subnet changes
  • Slightly improve ARP queue timeout handling for entries that do not resolve but are in constant use.

BGP

  • Shutdown timeout - be tolerant of negative NTP adjustments
  • Add profile to peer list in config editor
  • Check that peers define unique connections
  • Improvements to graceful restart
  • Improve connection handling
  • Fix issue with GET method for new SNMP OIDs
  • Additional states for shutdown and preshutdown in new OIDs
  • Add prefix limit info to SNMP
  • Include held routes in the count of imported prefixes
  • Improvements and bugfixes
  • Intersperse connection handling better

Config

  • Added auto-backup-url to config to POST changed config
  • Improve config patch mechanism
  • Small improvements to the auto backup feature to make it nicer

CQM

  • Calculate times for XML output the same way as for images
  • Handle extremely low ping latencies better

DNS

  • Prevent forwarding of other types for overridden DNS entries

Ethernet

  • Allow assignment of specific MAC addresses to subnets and interfaces

Firewall

  • Only ARP targets in overlapping subnets if we would allow traffic to them
  • Improve source IP selection when NAT is targetting overlapping subnets
  • Add more detail to firewall diagnostic

Internal

  • Improve resource utilisation of streams

IPsec

  • Remove path by which eap-user restrictions could be evaded by some clients

IPv6

  • Advertise a /64 for PD SLAAC (even if the delegated prefix is larger)
  • Introduce a list of ra-subnet-template on interfaces to allow setting of options for RA generated subnets (replaces ra-client)
  • Prevent prefix delegation on linked interfaces (including by implicit defaults)

L2TP

  • Corrected handling of Framed-IPv6-Address as interface address in RADIUS
  • Add calling/called station IDs to L2TP session status
  • Fix crash with packets claiming different lengths in different ways
  • Allow IPv6 DNS to be overridden via RADIUS
  • Don't kill tunnels immediately when profiling off incoming

LACP

  • Advertise additional links as standby when it makes sense to do so
  • Put secondary links in hot standby when speed limited by hardware

Logging

  • Increase internal logging capacity

Manual

  • Add more commands to the manual
  • Improve MIB appendix

MQTT

  • Reconnect faster on "external" config changes and improve status

OSPF

  • Fix crash when config changed repeatedly very rapidly

Pcap

  • Make labels on pcap form slightly better
  • Support multiple IPs and ranges in the filtering

PPPoE

  • Fix typo on PPP status page
  • Don't accept PPPoE inbound connections if the matching incoming is profiled off
  • Log sending the PADR

Profiles

  • Add uptime test to allow staggered starting of services
  • Evaluate conditions when adding (to avoid flapping without careful choice of initial)

Routing

  • Remove 6to4 (2002:) IP mapping
  • Add tunnel IDs to routing diagnostic summary
  • Avoid sending packets with potentially inappropriate source IPs (applies to overlapping subnets mainly)
  • Force immediate reconsideration routes when related gateways have expired

SNMP

  • Add system memory utilisation to SNMP
  • Make buffer statistics reflect new reality (that most buffers are in a global pool)

TCP

  • Improve preempting of TCP connections in the timewait state
  • Limit accept queues more consistently
  • Reduce resource usage when in TIME-WAIT

TLS

  • Add connection count to 1 second stats

VoIP

  • Improve how VOIP logging reads

VRRP

  • Take notice of the profile on the parent interface

Web UI

  • Improve profile switch behaviour when clicked fast repeatedly
  • Config option to change colours of user interface
  • Add buttons to config editor for reordering items in ordered lists
  • Darker background for select multiple selections
  • Avoid underflow when showing number of seconds remaining for config test (cosmetic)
  • Added warning that config save is recommended
  • Tidy up config edit page
  • Improve layout of BGP buttons
  • Show reboot now option when shutting down
  • Wrap lines in XML editor on first load
  • Buttons to delete flash blocks as a DEBUG user
  • Click on headings to sort status tables
  • Provide load indicator on Status page
  • Suppress iphone phone number autodetection (so it doesn't pick up the serial number)
  • Add arrows (ascending and descending) to sorting
  • Record txnodesc more like other ethernet stats
  • Add ability to view old configurations and boot alternative images to flash contents (as DEBUG)
Released 2022-11-16
Built 2022-11-07
Older factory release
1.61.010 (Ogust)
Config:XSD Doc

Release notes from Factory release 1.60.010 to Factory release 1.61.010

Certificates

  • Avoid panic on reboot if FB private key gets deleted

Config

  • Enforce list max occurrences limits for all config items

CQM

  • Small change to SVG to make loss/latency squared off like png

DHCP

  • Treat a profile on a DHCP config entry with a restriction consistently with other config profile usage.

DHCPv6

  • Various improvements (especially in the client)
  • Make DHCPv6 work better with larger prefixes
  • Allow larger server DUIDs

Ethernet

  • Share MAC address on VLAN 0 between bootloader and app for each port

IKE

  • Send out of band error when INIT request negotiation fails

IPv6

  • Improved reliability of RA handling

MQTT

  • Bigger MQTT messages
  • Additional options on MQTT external
  • MQTT crash fix
  • Sending cleaner CONNACK for error cases

PPP

  • Bug fix for issues with PPP client corrupting subnets

PPPoE

  • Increase number of allowed PPP sessions (and fix crash loading configs with more than 20)

RADIUS

  • Juniper ERX ingress/egress policy name in RADIUS server
  • Correct defaulting of RADIUS server settings

VoIP

  • Subtle change to message handling in VoIP (getting actual 408 response to INVITE)
  • CLI settings not always passing through
  • Allow addition Privacy header options

Web UI

  • Improve layout on XML edit page
  • Improve button placement on system info pages
  • Explanation added regarding TCP stress test blob output
  • Further improve XML edit and reduce vertical height of top bar
  • Make XML download links look like links
  • Add line numbers to XML editor
  • Reject paths with extraneous middle segments
  • Various UI improvements
  • Add a config option to prevent refreshing the CQM image lists
  • Make graphs on the image list page clickable
  • Editor - fix colour picker with 3 digit hex colours
  • Force text colour in buttons to black (apparently ipads can default it to white)
  • Warn on most pages when config is no longer valid
Built 2022-11-07
Older Beta release
1.61.000 (Ogust)
Config:XSD Doc

Release notes from Beta release 1.60.057 to Beta release 1.61.000

No changes reported for this platform.

Built 2022-11-07
Older Beta release
1.60.057 (Ogust)
Config:XSD Doc

Release notes from Factory release 1.60.010 to Beta release 1.60.057

Certificates

  • Avoid panic on reboot if FB private key gets deleted

Config

  • Enforce list max occurrences limits for all config items

CQM

  • Small change to SVG to make loss/latency squared off like png

DHCP

  • Treat a profile on a DHCP config entry with a restriction consistently with other config profile usage.

DHCPv6

  • Various improvements (especially in the client)
  • Make DHCPv6 work better with larger prefixes
  • Allow larger server DUIDs

Ethernet

  • Share MAC address on VLAN 0 between bootloader and app for each port

IKE

  • Send out of band error when INIT request negotiation fails

IPv6

  • Improved reliability of RA handling

MQTT

  • Bigger MQTT messages
  • Additional options on MQTT external
  • MQTT crash fix
  • Sending cleaner CONNACK for error cases

PPP

  • Bug fix for issues with PPP client corrupting subnets

PPPoE

  • Increase number of allowed PPP sessions (and fix crash loading configs with more than 20)

RADIUS

  • Juniper ERX ingress/egress policy name in RADIUS server
  • Correct defaulting of RADIUS server settings

VoIP

  • Subtle change to message handling in VoIP (getting actual 408 response to INVITE)
  • CLI settings not always passing through
  • Allow addition Privacy header options

Web UI

  • Improve layout on XML edit page
  • Improve button placement on system info pages
  • Explanation added regarding TCP stress test blob output
  • Further improve XML edit and reduce vertical height of top bar
  • Make XML download links look like links
  • Add line numbers to XML editor
  • Reject paths with extraneous middle segments
  • Various UI improvements
  • Add a config option to prevent refreshing the CQM image lists
  • Make graphs on the image list page clickable
  • Editor - fix colour picker with 3 digit hex colours
  • Force text colour in buttons to black (apparently ipads can default it to white)
  • Warn on most pages when config is no longer valid
Released 2022-07-20
Built 2022-07-11
Older factory release
1.60.010 (Nickell)
Config:XSD Doc

Release notes from Factory release 1.59.000 to Factory release 1.60.010

CLI

  • Show thread stats for longer sample period

DHCP

  • Improved controls over DHCP logging

DHCP/DNS

  • Additional "latest IP allocated" DNS name for DHCP - see auto-dhcp-new in DNS settings

DHCPv6

  • Simple DHCPv6 client mode (experimental)
  • Updated IPv6 SLAAC/RA logic to allow control of extra flags and simple ethernet side DHCPv6 server

Diagnostics

  • Provide info about HTTP connections for debug users on web and telnet

HA

  • Fix HA groups D-G
  • Improve handling of HA bonded tunnels with extremely mismatched latency (seconds)

HTTP

  • Be more tolerant of lack of Content-length in HTTP client

IP

  • Use the table's default source IP in more places

IPv6

  • Interface setting ra-client now default if wan set, else not default
  • Interface setting now define PD (prefix delegation), default if wan/ra-client/ra not set

L2TP

  • Respect table setting for MTU calculation for outgoing and relayed L2TP connections
  • Add mechanism for advising LAC of tx speed when needed
  • Put serial number in calling station ID if explicitly set to ''

Logging

  • Fix issue with emailed logs - were sending to last MX not first, and leaving TCP open causing issues if too many emails sent

MQTT

  • Added MQTT console

PPP

  • Handle missed PAP reply on PPP

RADIUS

  • Added allow list for RADIUS CoA requests as alternative to host IP match
  • Add logging on RADIUS match
  • Added top level IP allow check on RADIUS
  • Faster RADIUS failover (and updated documentation)

VoIP

  • Limit email addresses for recording to 2000 chars

Web UI

  • Add details of L2TP states session states on tunnel status pages
  • Show which tables session tracking is active on in UI
  • Fix looping causing loss of UI if TCP stress test fails
Built 2022-07-06
Older Beta release
1.60.000 (Nickell)
Config:XSD Doc

Release notes from Beta release 1.59.030 to Beta release 1.60.000

No changes reported for this platform.

Built 2022-06-27
Older Beta release
1.59.030 (Nickell)
Config:XSD Doc

Release notes from Factory release 1.59.000 to Beta release 1.59.030

CLI

  • Show thread stats for longer sample period

DHCP

  • Improved controls over DHCP logging

DHCP/DNS

  • Additional "latest IP allocated" DNS name for DHCP - see auto-dhcp-new in DNS settings

DHCPv6

  • Simple DHCPv6 client mode (experimental)
  • Updated IPv6 SLAAC/RA logic to allow control of extra flags and simple ethernet side DHCPv6 server

Diagnostics

  • Provide info about HTTP connections for debug users on web and telnet

HA

  • Fix HA groups D-G
  • Improve handling of HA bonded tunnels with extremely mismatched latency (seconds)

HTTP

  • Be more tolerant of lack of Content-length in HTTP client

IP

  • Use the table's default source IP in more places

IPv6

  • Interface setting ra-client now default if wan set, else not default
  • Interface setting now define PD (prefix delegation), default if wan/ra-client/ra not set

L2TP

  • Respect table setting for MTU calculation for outgoing and relayed L2TP connections
  • Add mechanism for advising LAC of tx speed when needed
  • Put serial number in calling station ID if explicitly set to ''

Logging

  • Fix issue with emailed logs - were sending to last MX not first, and leaving TCP open causing issues if too many emails sent

MQTT

  • Added MQTT console

PPP

  • Handle missed PAP reply on PPP

RADIUS

  • Added allow list for RADIUS CoA requests as alternative to host IP match
  • Add logging on RADIUS match
  • Added top level IP allow check on RADIUS
  • Faster RADIUS failover (and updated documentation)

VoIP

  • Limit email addresses for recording to 2000 chars

Web UI

  • Add details of L2TP states session states on tunnel status pages
Released 2022-04-20
Built 2022-04-13
Older factory release
1.59.000 (Macleod)
Config:XSD Doc

Release notes from Factory release 1.58.111 to Factory release 1.59.000

ACME

  • ACME error reporting could get garbled message in some error cases

DHCP

  • Changed some DHCP server logging to be JSON format (same as used for MQTT)

FB105

  • Fix rare crash with FB105 tunnel bonding during configuration change

IPsec

  • Fixed a problem with validation of peer certificate
  • Fixed handling of out-of-order IKE fragments
  • There is a new attribute peer-eaplist available on an IKE connection config item which enables the allowed EAP usernames to be specified.
  • Improve EAP diagnostic logging and fix minor problem with message ID number checking
  • Further improvements to EAP processing and error logging

L2TP

  • Configured outgoing L2TP sessions now respect the bgp setting in the config

MQTT

  • Added listener for FireBricks/# topic
  • Changed MQTT mapping field names and fixed incorrect help text

OSPF

  • OSPF marked experimental as it has some minor issues.

RADIUS

  • Some additional RADIUS server settings, matching, added mqtt logging and changed log format to JSON, for working with some WiFi kit

TLS

  • Improved stream handling in TLS to avoid occasional race conditions causing crashes

VoIP

  • Improve logging when bulk carrier import fails
Released 2022-01-05
Built 2021-12-21
Older factory release
1.58.111 (Landy)
Config:XSD Doc

Release notes from Factory release 1.57.010 to Factory release 1.58.111

Certificates

  • Removed expired DST Root CA X3 certificate

CLI

  • Added CLI command to view port status

Config

  • Allow numeric value with 0x prefix in config

DHCP

  • DHCP client will now attempt to renew leases when ports go down and come back up. This will automatically reconfigure the subnet if plugged into a different network.
  • Added mac-local test in DHCP pool
  • Improved DHCP allocation logging and MQTT logging

Diagnostics

  • Add diagnostic command and status page for buffer usage
  • Include uptime information in automatic crash reports
  • Log highest buffer users in case of exhaustion

Ethernet

  • Improve setting of default port config on startup (may be faster startup in some cases)

Firewall

  • Added option to set DSCP

IPsec

  • Increase max number of simultaneous IKE/IPsec connections
  • Fixed problem with IKE message fragmentation causing connection failures with some clients
  • Fixed occasional "Response not pending" panic.

L2TP

  • Added session-timeout to L2TP incoming

MQTT

  • Simple MQTT message mapping option
  • Improvements to MQTT broker (better error reports and sanity checks)
  • MQTT payload pattern match
  • Correct mapped MQTT messages erroneously setting retain
  • Made IP a link on mqtt status
  • MQTT mapping connection linking (e.g. for retained)
  • Fix outgoing mqtt bug
  • Started some MQTT v5 handling (a config option, experimental, not recommend yet)

OSPF

  • Correct OSPF checksum issue for certain auth types

Profiles

  • Added profile test for "DHCP allocated"
  • Nicer web socket based profile control switches.
  • MQTT profile control fixed
  • Minor change, only sending MQTT if corresponding payload set (even if empty)

TLS

  • Improve server authentication security and work around problems with some servers by using the signature algorithm extension.
  • Fix TLS connection failover
  • Added TLS stateless session resumption - without this newer versions of some browsers were very slow to load FB web pages
  • Issue with TLS resume keys used over a s/w upgrade fixed

VoIP

  • Double VOIP capacity limits
  • Double number of simultaneous call recordings
  • Tweak outgoing registrations for SIP servers that mash up the registered Contact rather than just using it as is.
  • Fixed issue with very long SIP registrations using IPv6 addresses
  • Added a simple BLF report state via MQTT
Built 2021-12-20
Older Beta release
1.58.100 (Landy)
Config:XSD Doc

Release notes from Beta release 1.58.000 to Beta release 1.58.100

MQTT

  • Correct mapped MQTT messages erroneously setting retain
  • Made IP a link on mqtt status
  • MQTT mapping connection linking (e.g. for retained)
  • Fix outgoing mqtt bug

OSPF

  • Correct OSPF checksum issue for certain auth types

TLS

  • Added TLS stateless session resumption - without this newer versions of some browsers were very slow to load FB web pages
Built 2021-12-09
Older Beta release
1.58.000 (Landy)
Config:XSD Doc

Release notes from Factory release 1.57.010 to Beta release 1.58.000

Certificates

  • Removed expired DST Root CA X3 certificate

CLI

  • Added CLI command to view port status

Config

  • Allow numeric value with 0x prefix in config

DHCP

  • DHCP client will now attempt to renew leases when ports go down and come back up. This will automatically reconfigure the subnet if plugged into a different network.
  • Added mac-local test in DHCP pool
  • Improved DHCP allocation logging and MQTT logging

Diagnostics

  • Add diagnostic command and status page for buffer usage
  • Include uptime information in automatic crash reports
  • Log highest buffer users in case of exhaustion

Ethernet

  • Improve setting of default port config on startup (may be faster startup in some cases)

Firewall

  • Added option to set DSCP

IPsec

  • Increase max number of simultaneous IKE/IPsec connections
  • Fixed problem with IKE message fragmentation causing connection failures with some clients
  • Fixed occasional "Response not pending" panic.

L2TP

  • Added session-timeout to L2TP incoming

MQTT

  • Simple MQTT message mapping option
  • Improvements to MQTT broker (better error reports and sanity checks)
  • MQTT payload pattern match
  • Started some MQTT v5 handling (a config option, experimental, not recommend yet)

Profiles

  • Added profile test for "DHCP allocated"
  • Nicer web socket based profile control switches.
  • MQTT profile control fixed
  • Minor change, only sending MQTT if corresponding payload set (even if empty)

TLS

  • Improve server authentication security and work around problems with some servers by using the signature algorithm extension.
  • Fix TLS connection failover

VoIP

  • Double VOIP capacity limits
  • Double number of simultaneous call recordings
  • Tweak outgoing registrations for SIP servers that mash up the registered Contact rather than just using it as is.
  • Fixed issue with very long SIP registrations using IPv6 addresses
  • Added a simple BLF report state via MQTT
Released 2021-09-29
Built 2021-09-15
Older factory release
1.57.010 (Kaplan)
Config:XSD Doc

Release notes from Factory release 1.56.010 to Factory release 1.57.010

ACME

  • Allow specifying of the source IP for ACME requests

BGP

  • BGP tags for static routes

Certificates

  • Fix problem with cross-signed certificates causing IPsec connection issues with Windows clients

Config

  • Allow delayed automatic upgrades

DHCP

  • DHCP option to force broadcast offer/ack to address edge case with some APs and devices

Ethernet

  • Fix over zealous ether damping

HTTP

  • Fixed issue where http client (e.g. ping graph download, etc) gets non 2XX response causing later problems

IPsec

  • Increase internal packet buffer size to help with IKE certificates
  • Fixed IP pool leakage
  • An IKE session was sometimes shown in waiting state as well as connected.
  • Further IPsec tweak to avoid losing connection in some circumstances
  • Add workaround to avoid repeated reauthentications when peer is StrongSwan and mode is immediate
  • Fix bad config status entry after deleting a live connection
  • Implemented IKE fragmentation to improve authentication with long certificate chains

L2TP

  • Slightly faster outgoing L2TP connect (proxy auth sent)
  • Handle incoming local match password check for PAP

MQTT

  • Experimental MQTT broker function added
  • Fix crash in configurations where will topic is set, but not will message

PPPoE

  • Issue with some PPPoE sessions restarting on config change

Routing

  • Default source IP per routing table

Shaping

  • Additional control on shapers (burst limit in ms)

TLS

  • Added support for simple TLS clients with limited storage
  • Minor memory leak in TLS client fixed

VoIP

  • Fix error handling unusual SIP packets
  • Allow IPv6 addresses in "recording-server" configuration

VRRP

  • Make VRRP clearer when used with profiles (status page and manuals)

Web control pages

  • Configurable intro text and links on login page
  • Web access security update

Web UI

  • Add ethernet counters to web
  • Show which type of app upgrade would be initiated
  • Show some context lines in live logging view
Built 2021-09-01
Older Beta release
1.57.000 (Kaplan)
Config:XSD Doc

Release notes from Factory release 1.56.010 to Beta release 1.57.000

ACME

  • Allow specifying of the source IP for ACME requests

Certificates

  • Fix problem with cross-signed certificates causing IPsec connection issues with Windows clients

Config

  • Allow delayed automatic upgrades

DHCP

  • DHCP option to force broadcast offer/ack to address edge case with some APs and devices

Ethernet

  • Fix over zealous ether damping

HTTP

  • Fixed issue where http client (e.g. ping graph download, etc) gets non 2XX response causing later problems

IPsec

  • Increase internal packet buffer size to help with IKE certificates
  • Fixed IP pool leakage
  • An IKE session was sometimes shown in waiting state as well as connected.
  • Further IPsec tweak to avoid losing connection in some circumstances
  • Add workaround to avoid repeated reauthentications when peer is StrongSwan and mode is immediate
  • Fix bad config status entry after deleting a live connection
  • Implemented IKE fragmentation to improve authentication with long certificate chains

L2TP

  • Slightly faster outgoing L2TP connect (proxy auth sent)
  • Handle incoming local match password check for PAP

MQTT

  • Experimental MQTT broker function added

PPPoE

  • Issue with some PPPoE sessions restarting on config change

Shaping

  • Additional control on shapers (burst limit in ms)

TLS

  • Added support for simple TLS clients with limited storage

VoIP

  • Fix error handling unusual SIP packets

VRRP

  • Make VRRP clearer when used with profiles (status page and manuals)

Web control pages

  • Configurable intro text and links on login page
  • Web access security update

Web UI

  • Add ethernet counters to web
Released 2021-04-16
Built 2021-03-24
Older factory release
1.56.010 (Jacoby)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.54.101 to Factory release 1.56.010

  • Fix bug in ASN.1 length encoding

Config

  • Additional options for finer control of source filtering setting
  • Additional help text for L2TP

CQM

  • Graphs used to show a damping level even when damping not in use (i.e. l2tp damping not set), removed

DHCP

  • Added "circuit" to the matching rules for DHCP server IP pool (circuit being Agent Info option 82 circuit sub option 1)

Ethernet

  • Improve performance when ports have a mixture of speeds (eg 1G and 100M)

ETUN

  • Add tx/rx packet stats

FB105

  • Change internal IP config for FB105 to allow IPv6 internal IPv6 to be set

HA

  • Some issues with invalid tunnel packets logging when using L2TP HAL
  • HAL did not work well if one of the links was rate limited
  • Increased number of HA sets to 7
  • Added additional hal-log for debug logging of HAL

IPsec

  • Additional logging and status information for roaming pools
  • Add manually triggerable IKE clearing
  • Change internal IP config in IPSec to use single IP46Addr field

IPv6

  • Slight change to SLAAC RA client default localpref so global addresses preferred

L2TP

  • Improved logging for incoming L2TP sessions so more obvious which config used
  • Minor changes to some L2TP config attribute names, and updates to manual
  • Correct logic on L2TP point to point speed controls on outgoing tunnel
  • Don't override manual shaper speeds on point to point L2TP where no speed is received from calling end
  • OSPF issues with incoming L2TP config fixed
  • L2TP tx/rx speed of -1 recognised and ignored
  • Issue with DOS limit on outgoing L2TP fixed

Manual

  • Updated manual for details of L2TP usage
  • Clarifed that config access on web interface also needs user "admin" level

PPP

  • Tweaked PPP handling when far end wants to talk IPV6CP and we were not planning to. We now negotiate.

PPPoE

  • New option to pick up speed from connect message to set egress rate on PPP (ideal for bonding)
  • L2TP PPPoE BRAS mode now picks up payload-table from L2TP config.

Routing

  • Fix startup issue when using source-filter.

SNMP

  • Integer values were sometimes misreported

VoIP

  • Change to source_ip and auth_source_ip so one field for the IPv4 and/or IPv6
  • VoIP caller directory with call screening controls
  • Added display name to call recording leg (because useful to have now we have directory)
  • Added config for how long before expiry we re-register to a carrier, and changed default to 30 seconds
  • Fix issue with incoming CLI not set correctly in some cases
  • Change incoming CLI processing to be transparent if not configured
  • Minor tweak to allow REFER to authenticate on from matching user target URI
  • Correct sending of P-Asserted-Id where configured to send to carrier and set explicitly (ie by RADIUS)
  • Allow carrier to have specified IP and port as target regardless of proxy name
  • Minor change to CLI logic on connecting calls
  • Change to withheld CLI passing to recording server
  • Additional debug

Web control pages

  • Setup wizard bug when IPv6 defined

Web UI

  • Minor changes, allowing some javascript to be embedded
  • Experimental feature added to allow js-url in config (for when logged in, trusted IP, non password entry pages)
  • Tweak XML edit so that a zero login timeout does not fail if XML config edit is longer than 5 minutes

XML

  • New IP46Addr field allowing one IPv4 and/or one IPv6
Built 2021-03-11
Older Beta release
1.56.000 (Jacoby)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Beta release 1.55.101 to Beta release 1.56.000

  • Fix a bug in the flash logging, which could cause logging to stop working after a while

CQM

  • Graphs used to show a damping level even when damping not in use (i.e. l2tp damping not set), removed

DHCP

  • Added "circuit" to the matching rules for DHCP server IP pool (circuit being Agent Info option 82 circuit sub option 1)

ETUN

  • Add tx/rx packet stats

IP

  • Fix ICMP handling regression

IPsec

  • Additional logging and status information for roaming pools
  • Add manually triggerable IKE clearing

L2TP

  • Issue with DOS limit on outgoing L2TP fixed

PPPoE

  • New option to pick up speed from connect message to set egress rate on PPP (ideal for bonding)

VoIP

  • Additional debug

Web control pages

  • Setup wizard bug when IPv6 defined
Built 2021-01-06
Older factory release
1.55.111 (Hamman)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.54.101 to Factory release 1.55.111

Config

  • Additional options for finer control of source filtering setting
  • Additional help text for L2TP

Ethernet

  • Improve performance when ports have a mixture of speeds (eg 1G and 100M)

FB105

  • Change internal IP config for FB105 to allow IPv6 internal IPv6 to be set

HA

  • Some issues with invalid tunnel packets logging when using L2TP HAL
  • HAL did not work well if one of the links was rate limited
  • Increased number of HA sets to 7
  • Added additional hal-log for debug logging of HAL

IPsec

  • Change internal IP config in IPSec to use single IP46Addr field

IPv6

  • Slight change to SLAAC RA client default localpref so global addresses preferred

L2TP

  • Improved logging for incoming L2TP sessions so more obvious which config used
  • Minor changes to some L2TP config attribute names, and updates to manual
  • Correct logic on L2TP point to point speed controls on outgoing tunnel
  • Don't override manual shaper speeds on point to point L2TP where no speed is received from calling end
  • OSPF issues with incoming L2TP config fixed
  • L2TP tx/rx speed of -1 recognised and ignored

Manual

  • Updated manual for details of L2TP usage
  • Clarifed that config access on web interface also needs user "admin" level

PPP

  • Tweaked PPP handling when far end wants to talk IPV6CP and we were not planning to. We now negotiate.

PPPoE

  • L2TP PPPoE BRAS mode now picks up payload-table from L2TP config.

Routing

  • Fix startup issue when using source-filter.

SNMP

  • Integer values were sometimes misreported

VoIP

  • Change to source_ip and auth_source_ip so one field for the IPv4 and/or IPv6
  • VoIP caller directory with call screening controls
  • Added display name to call recording leg (because useful to have now we have directory)
  • Added config for how long before expiry we re-register to a carrier, and changed default to 30 seconds
  • Fix issue with incoming CLI not set correctly in some cases
  • Change incoming CLI processing to be transparent if not configured
  • Minor tweak to allow REFER to authenticate on from matching user target URI
  • Correct sending of P-Asserted-Id where configured to send to carrier and set explicitly (ie by RADIUS)
  • Allow carrier to have specified IP and port as target regardless of proxy name
  • Minor change to CLI logic on connecting calls
  • Change to withheld CLI passing to recording server

Web UI

  • Minor changes, allowing some javascript to be embedded
  • Experimental feature added to allow js-url in config (for when logged in, trusted IP, non password entry pages)
  • Tweak XML edit so that a zero login timeout does not fail if XML config edit is longer than 5 minutes

XML

  • New IP46Addr field allowing one IPv4 and/or one IPv6
Built 2020-12-17
Older Beta release
1.55.101 (Hamman)
Config:XSD Doc
Manual:PDF HTML

Release notes from Beta release 1.55.100 to Beta release 1.55.101

Release

  • Corrected release name
Built 2020-12-17
Older Beta release
1.55.100 (Garozzo)
Config:XSD Doc
Manual:PDF HTML

Release notes from Beta release 1.55.001 to Beta release 1.55.100

Ethernet

  • Improve performance when ports have a mixture of speeds (eg 1G and 100M)

VoIP

  • Minor tweak to allow REFER to authenticate on from matching user target URI
  • Correct sending of P-Asserted-Id where configured to send to carrier and set explicitly (ie by RADIUS)
Built 2020-11-11
Older Beta release
1.55.001 (Hamman)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.54.101 to Beta release 1.55.001

Config

  • Additional options for finer control of source filtering setting
  • Additional help text for L2TP

FB105

  • Change internal IP config for FB105 to allow IPv6 internal IPv6 to be set

HA

  • Some issues with invalid tunnel packets logging when using L2TP HAL
  • HAL did not work well if one of the links was rate limited
  • Increased number of HA sets to 7
  • Added additional hal-log for debug logging of HAL

IPsec

  • Change internal IP config in IPSec to use single IP46Addr field

IPv6

  • Slight change to SLAAC RA client default localpref so global addresses preferred

L2TP

  • Improved logging for incoming L2TP sessions so more obvious which config used
  • Minor changes to some L2TP config attribute names, and updates to manual
  • Correct logic on L2TP point to point speed controls on outgoing tunnel
  • Don't override manual shaper speeds on point to point L2TP where no speed is received from calling end
  • OSPF issues with incoming L2TP config fixed
  • L2TP tx/rx speed of -1 recognised and ignored

Manual

  • Updated manual for details of L2TP usage
  • Clarifed that config access on web interface also needs user "admin" level

PPP

  • Tweaked PPP handling when far end wants to talk IPV6CP and we were not planning to. We now negotiate.

PPPoE

  • L2TP PPPoE BRAS mode now picks up payload-table from L2TP config.

Routing

  • Fix startup issue when using source-filter.

SNMP

  • Integer values were sometimes misreported

VoIP

  • Change to source_ip and auth_source_ip so one field for the IPv4 and/or IPv6
  • VoIP caller directory with call screening controls
  • Added display name to call recording leg (because useful to have now we have directory)
  • Added config for how long before expiry we re-register to a carrier, and changed default to 30 seconds
  • Fix issue with incoming CLI not set correctly in some cases
  • Change incoming CLI processing to be transparent if not configured
  • Allow carrier to have specified IP and port as target regardless of proxy name
  • Minor change to CLI logic on connecting calls
  • Change to withheld CLI passing to recording server

Web UI

  • Minor changes, allowing some javascript to be embedded
  • Experimental feature added to allow js-url in config (for when logged in, trusted IP, non password entry pages)
  • Tweak XML edit so that a zero login timeout does not fail if XML config edit is longer than 5 minutes

XML

  • New IP46Addr field allowing one IPv4 and/or one IPv6
Built 2020-11-10
Older Beta release
1.55.000 (Hamman)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.54.101 to Beta release 1.55.000

Config

  • Additional options for finer control of source filtering setting
  • Additional help text for L2TP

FB105

  • Change internal IP config for FB105 to allow IPv6 internal IPv6 to be set

HA

  • Some issues with invalid tunnel packets logging when using L2TP HAL
  • HAL did not work well if one of the links was rate limited
  • Increased number of HA sets to 7
  • Added additional hal-log for debug logging of HAL

IPsec

  • Change internal IP config in IPSec to use single IP46Addr field

IPv6

  • Slight change to SLAAC RA client default localpref so global addresses preferred

L2TP

  • Improved logging for incoming L2TP sessions so more obvious which config used
  • Minor changes to some L2TP config attribute names, and updates to manual
  • Correct logic on L2TP point to point speed controls on outgoing tunnel
  • Don't override manual shaper speeds on point to point L2TP where no speed is received from calling end
  • OSPF issues with incoming L2TP config fixed
  • L2TP tx/rx speed of -1 recognised and ignored

Manual

  • Updated manual for details of L2TP usage
  • Clarifed that config access on web interface also needs user "admin" level

PPP

  • Tweaked PPP handling when far end wants to talk IPV6CP and we were not planning to. We now negotiate.

PPPoE

  • L2TP PPPoE BRAS mode now picks up payload-table from L2TP config.

Routing

  • Fix startup issue when using source-filter.

SNMP

  • Integer values were sometimes misreported

VoIP

  • Change to source_ip and auth_source_ip so one field for the IPv4 and/or IPv6
  • VoIP caller directory with call screening controls
  • Added display name to call recording leg (because useful to have now we have directory)
  • Added config for how long before expiry we re-register to a carrier, and changed default to 30 seconds
  • Fix issue with incoming CLI not set correctly in some cases
  • Change incoming CLI processing to be transparent if not configured
  • Allow carrier to have specified IP and port as target regardless of proxy name
  • Minor change to CLI logic on connecting calls
  • Change to withheld CLI passing to recording server

Web UI

  • Minor changes, allowing some javascript to be embedded
  • Experimental feature added to allow js-url in config (for when logged in, trusted IP, non password entry pages)
  • Tweak XML edit so that a zero login timeout does not fail if XML config edit is longer than 5 minutes

XML

  • New IP46Addr field allowing one IPv4 and/or one IPv6
Built 2020-05-26
Older factory release
1.54.101 (Garozzo)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.53.000 to Factory release 1.54.101

ACME

  • ACME status for certificates shows when last error happened.
  • Make ACME status clear at start up if clock not set yet
  • Fix ACME error status to show time of error

BGP

  • Add Refresh buttons to BGP UI status page

CLI

  • show configuration now allowed (redacted) at "view" level

Config

  • Improved syntax checking of numeric fields
  • Separate logging for http client accesses
  • Added new config access level (demo) allowing test but not commit/save config.

Config editor

  • Tweak to config edit to make default values more obvious

DHCP

  • Improve lease expiry when the FireBrick does not know the correct time

Ethernet

  • Improve DoS detection and logging of ethernet damping

Firewall

  • Minor change to handling of clashing UDP sessions for better VoIP NAT logic

HTTP

  • HTTP client requests now fall back to other IPs (e.g. for code updates, ACME, etc)

Internal

  • Scheduling changes to improve performance under heavy CPU load (eg crypto processing)
  • In some circumstances Watchdog panics may report incorrect thread - fixed.

IPv6

  • Prefix Delegation IPv6 address was using a base address not interface specific auto IP, fixed

L2TP

  • Configurable PPP timeout values per tunnel
  • Additional logging on config change
  • Fix payload table logic on local auth incoming L2TP sessions
  • Consistent NAS-Port attribute on RADIUS STOP records (previously was 0)

LACP

  • Prevent unnecessary continuous packet exchange

Manual

  • Additional documentation on IPv6 prefix delegation and SLAAC

PPP

  • Tweak LCP restart timing for very slow latency links

Profiles

  • Profile ping of local gateway by ping 0.0.0.0

Session tracking

  • Change to default UDP timeout for UDP ports 80 and 443 to help QUIC

SNMP

  • Experimental addition of new-style vendor-specific structure to fit better with standard usage of OIDs/MIBs.

TLS

  • Use own server preferences when choosing crypto suite and EC curves; Do not send anchor certificate
  • Fix corner-case which may cause a TLS stream to go into limbo with TCP stuck in CLOSE_WAIT
  • Improve TLS session end - avoid occasional crashes/lockups.
  • Fix a couple of TLS issues causing problems with ACME and downloading large pages
  • Finally fixed TLS issue
  • Extra diagnostics added to help with occasional TLS crashes

VoIP

  • RADIUS setting to explicitly set P-Asserted-Id needed for VoIP carriers

VRRP

  • Incorrect error message for ID clash in VRRP, fixed

Web UI

  • Improve UI status reporting for bgp, including ability to filter routes list
Built 2020-05-25
Older Beta release
1.54.100 (Garozzo)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.53.000 to Beta release 1.54.100

ACME

  • ACME status for certificates shows when last error happened.
  • Make ACME status clear at start up if clock not set yet
  • Fix ACME error status to show time of error

BGP

  • Add Refresh buttons to BGP UI status page

CLI

  • show configuration now allowed (redacted) at "view" level

Config

  • Improved syntax checking of numeric fields
  • Separate logging for http client accesses
  • Added new config access level (demo) allowing test but not commit/save config.

Config editor

  • Tweak to config edit to make default values more obvious

DHCP

  • Improve lease expiry when the FireBrick does not know the correct time

Ethernet

  • Improve DoS detection and logging of ethernet damping

Firewall

  • Minor change to handling of clashing UDP sessions for better VoIP NAT logic

HTTP

  • HTTP client requests now fall back to other IPs (e.g. for code updates, ACME, etc)

Internal

  • Scheduling changes to improve performance under heavy CPU load (eg crypto processing)
  • In some circumstances Watchdog panics may report incorrect thread - fixed.

IPv6

  • Prefix Delegation IPv6 address was using a base address not interface specific auto IP, fixed

L2TP

  • Configurable PPP timeout values per tunnel
  • Additional logging on config change
  • Fix payload table logic on local auth incoming L2TP sessions
  • Consistent NAS-Port attribute on RADIUS STOP records (previously was 0)

LACP

  • Prevent unnecessary continuous packet exchange

Manual

  • Additional documentation on IPv6 prefix delegation and SLAAC

PPP

  • Tweak LCP restart timing for very slow latency links

Profiles

  • Profile ping of local gateway by ping 0.0.0.0

Session tracking

  • Change to default UDP timeout for UDP ports 80 and 443 to help QUIC

SNMP

  • Experimental addition of new-style vendor-specific structure to fit better with standard usage of OIDs/MIBs.

TLS

  • Use own server preferences when choosing crypto suite and EC curves; Do not send anchor certificate
  • Fix corner-case which may cause a TLS stream to go into limbo with TCP stuck in CLOSE_WAIT
  • Improve TLS session end - avoid occasional crashes/lockups.
  • Fix a couple of TLS issues causing problems with ACME and downloading large pages
  • Extra diagnostics added to help with occasional TLS crashes

VoIP

  • RADIUS setting to explicitly set P-Asserted-Id needed for VoIP carriers

VRRP

  • Incorrect error message for ID clash in VRRP, fixed

Web UI

  • Improve UI status reporting for bgp, including ability to filter routes list
Built 2020-05-25
Older Beta release
1.54.010 (Garozzo)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.53.000 to Beta release 1.54.010

ACME

  • ACME status for certificates shows when last error happened.
  • Make ACME status clear at start up if clock not set yet

BGP

  • Add Refresh buttons to BGP UI status page

CLI

  • show configuration now allowed (redacted) at "view" level

Config

  • Improved syntax checking of numeric fields
  • Separate logging for http client accesses
  • Added new config access level (demo) allowing test but not commit/save config.

Config editor

  • Tweak to config edit to make default values more obvious

DHCP

  • Improve lease expiry when the FireBrick does not know the correct time

Ethernet

  • Improve DoS detection and logging of ethernet damping

Firewall

  • Minor change to handling of clashing UDP sessions for better VoIP NAT logic

HTTP

  • HTTP client requests now fall back to other IPs (e.g. for code updates, ACME, etc)

Internal

  • Scheduling changes to improve performance under heavy CPU load (eg crypto processing)
  • In some circumstances Watchdog panics may report incorrect thread - fixed.

IPv6

  • Prefix Delegation IPv6 address was using a base address not interface specific auto IP, fixed

L2TP

  • Configurable PPP timeout values per tunnel
  • Additional logging on config change
  • Fix payload table logic on local auth incoming L2TP sessions
  • Consistent NAS-Port attribute on RADIUS STOP records (previously was 0)

LACP

  • Prevent unnecessary continuous packet exchange

Manual

  • Additional documentation on IPv6 prefix delegation and SLAAC

PPP

  • Tweak LCP restart timing for very slow latency links

Profiles

  • Profile ping of local gateway by ping 0.0.0.0

Session tracking

  • Change to default UDP timeout for UDP ports 80 and 443 to help QUIC

SNMP

  • Experimental addition of new-style vendor-specific structure to fit better with standard usage of OIDs/MIBs.

TLS

  • Use own server preferences when choosing crypto suite and EC curves; Do not send anchor certificate
  • Fix corner-case which may cause a TLS stream to go into limbo with TCP stuck in CLOSE_WAIT
  • Improve TLS session end - avoid occasional crashes/lockups.
  • Fix a couple of TLS issues causing problems with ACME and downloading large pages
  • Extra diagnostics added to help with occasional TLS crashes

VoIP

  • RADIUS setting to explicitly set P-Asserted-Id needed for VoIP carriers

VRRP

  • Incorrect error message for ID clash in VRRP, fixed

Web UI

  • Improve UI status reporting for bgp, including ability to filter routes list
Built 2020-05-20
Older Beta release
1.54.000 (Garozzo)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.53.000 to Beta release 1.54.000

ACME

  • ACME status for certificates shows when last error happened.

BGP

  • Add Refresh buttons to BGP UI status page

CLI

  • show configuration now allowed (redacted) at "view" level

Config

  • Improved syntax checking of numeric fields
  • Separate logging for http client accesses
  • Added new config access level (demo) allowing test but not commit/save config.

Config editor

  • Tweak to config edit to make default values more obvious

DHCP

  • Improve lease expiry when the FireBrick does not know the correct time

Ethernet

  • Improve DoS detection and logging of ethernet damping

Firewall

  • Minor change to handling of clashing UDP sessions for better VoIP NAT logic

HTTP

  • HTTP client requests now fall back to other IPs (e.g. for code updates, ACME, etc)

Internal

  • Scheduling changes to improve performance under heavy CPU load (eg crypto processing)
  • In some circumstances Watchdog panics may report incorrect thread - fixed.

IPv6

  • Prefix Delegation IPv6 address was using a base address not interface specific auto IP, fixed

L2TP

  • Configurable PPP timeout values per tunnel
  • Additional logging on config change
  • Fix payload table logic on local auth incoming L2TP sessions
  • Consistent NAS-Port attribute on RADIUS STOP records (previously was 0)

LACP

  • Prevent unnecessary continuous packet exchange

PPP

  • Tweak LCP restart timing for very slow latency links

Profiles

  • Profile ping of local gateway by ping 0.0.0.0

Session tracking

  • Change to default UDP timeout for UDP ports 80 and 443 to help QUIC

SNMP

  • Experimental addition of new-style vendor-specific structure to fit better with standard usage of OIDs/MIBs.

TLS

  • Use own server preferences when choosing crypto suite and EC curves; Do not send anchor certificate
  • Fix corner-case which may cause a TLS stream to go into limbo with TCP stuck in CLOSE_WAIT
  • Improve TLS session end - avoid occasional crashes/lockups.
  • Extra diagnostics added to help with occasional TLS crashes

VoIP

  • RADIUS setting to explicitly set P-Asserted-Id needed for VoIP carriers

Web UI

  • Improve UI status reporting for bgp, including ability to filter routes list
Built 2019-08-29
Older factory release
1.53.000 (Flint)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.52.010 to Factory release 1.53.000

ACME

  • Control switch a CA name (e.g. "letsencrypt.org") profile during AMCE renewal validation phase
  • Added acme-profile, and made the renewal profile prefixed fb-, e.g. fb-letsencrypt.org
  • Tweak to ACME to allow for additional challenges for a few seconds

Certificates

  • Make certificate domain name checking case-insensitive

Config editor

  • Config edit of passwords did not work with & or similar escaped characters. Fixed, but passwords limited in length when editing config now (120 characters).

DHCP

  • Lease expiry times were incorrect when lease acquired before time had been set

DNS

  • DNS relay limit check

IPsec

  • Provide SNMP status info for IPsec
  • Fix crash when [id] is used in graph name of a waiting connection
  • Show EAP identity (username) in log messages and UI status, and allow it in graph names

IPv6

  • Avoid a problem seen with IPv6 fragmentation with some Linux stacks.

L2TP

  • Added pointless bearer capabilities to SCCRP as one carrier expects it for some reason!

PPP

  • New PPP debug log/dump format options

PPPoE

  • PPPoE did not install IPv4 DNS if explicit routes set, fixed
  • PPPoE Calling ID prefix appended with VLAN and/or MAC

TCP/UI

  • Fix TCP problem causing IPv6 fragmentation which was causing intermittent UI access problems.

TLS

  • Added capability for key exchange signing using SHA2 (needed for compatibility with latest versions of curl).
Built 2019-06-01
Older factory release
1.52.010 (Eisenberg)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.51.010 to Factory release 1.52.010

DNS

  • Added option to allow logging of DNS queries based on interface requesting the DNS

Factory reset

  • Changed factory default to allow set up from WAN as per quick start guide

IPsec

  • Fix problem with IPsec tunnels using IPv6 outer addresses

IPv6

  • Changed source IP of ND to link local in all cases - RFC allows any assigned address but some devices get upset

L2TP

  • Added Framed-IP-Address to accounting

LACP

  • Improvements to increase stability and reduce trunk downtime during status changes

Logging

  • Add Replay tag to panic/replay log lines displayed at startup

UI/CLI

  • Power monitoring improvements
Built 2019-05-17
Older factory release
1.52.000 (Eisenberg)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.51.010 to Factory release 1.52.000

DNS

  • Added option to allow logging of DNS queries based on interface requesting the DNS

Factory reset

  • Changed factory default to allow set up from WAN as per quick start guide

IPsec

  • Fix problem with IPsec tunnels using IPv6 outer addresses

IPv6

  • Changed source IP of ND to link local in all cases - RFC allows any assigned address but some devices get upset

L2TP

  • Added Framed-IP-Address to accounting

LACP

  • Improvements to increase stability and reduce trunk downtime during status changes

Logging

  • Add Replay tag to panic/replay log lines displayed at startup

UI/CLI

  • Power monitoring improvements
Built 2019-04-01
Older factory release
1.51.010 (Davies)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.50.000 to Factory release 1.51.010

BGP

  • Added AS-Path checks to BGP route filtering

Config

  • Renamed log-panic to log-support, as we may log other unusual events to fb-support and not just stack trace / panics

Config editor

  • Profile page layout tweaked

DHCP

  • Revert minor change in DHCP/DNS which was causing problems

General

  • Some final tweaks before being ready for next release
  • Some minor optimisations

Internal

  • Minor changes to boot time calculation
  • Avoid boot time appearing negative when time is adjusted

L2TP

  • Adjustments to ICMP logic for trace route though L2TP
  • Various performance enhancements
  • Local config for L2TP relay now allows relay via another table (payload-table)
  • Fix missing TID in L2TP tunnel status page
  • L2TP session xml url checking number is only number

Logging

  • Additional direct log-panic logging to try and find specific issue in recent code.

NTP

  • Restructure client with minor improvements prior to introduction of full NTP server
  • NTP server introduced. Early release - may not be stable.
  • Support clients using older versions of NTP protocol
  • DHCP serves FireBrick IP for NTP now (unless otherwise set in DHCP config)
  • Minor fixes, and a change to maxpoll and minpoll to use duration in config.
  • Various minor updates on NTP
  • Further NTP bugfixes, including earlier setting of system time.
  • Further improvement to NTP system clock conditioning
  • Improve NTP status message on main status page
  • Added UI status page and CLI status; other minor improvements
  • Improved status output
  • Fix crash when adding/removing time service in config
  • Yet more UI status improvements
  • NTP time adjustments are now applied smoothly by OS time conditioning
  • Improved access checking
  • NTP control (ntpq) access now defaults to true. UI diagnostic access check page was not displaying correct details for NTP.
  • Fixed possible crash after peer drop
  • Fix problem with time quickstep (mainly showing on 2700)
  • Fix NTP status erroneously reported as Acquiring after config change. Improve NTP server stateup/shutdown.

Ping

  • Added ping size option to bulk ping logic (+size after IP and #table)

PPPoE

  • pd-interface default on PPPoE excludes interfaces marked wan

RADIUS

  • ERX-Tunnel-Switch-Profile untagged even in tagged responses (for Talk Talk working)

Session tracking

  • Change to logic for set-graph-dynamic which was not setting speeds based on set-graph but on set-reverse-graph.
  • Edge case in use of NAT-PMP/PCP causing crash, fixed

Shaping

  • Shared shaper changed to allow > 4Gb/s total (new version, so all sharing systems need update at same time)
  • Catch some edge cases in session tracking shaper set up that seem to cause a crash

Web control pages

  • Live update of uptime, time, and RAM usage in status page
  • Minor change to way status web page shows

Web UI

  • Minor tweaks to UI colouring. Ping/Traceroute display is banded for better visibility.
  • Fix typo in UI on TCP stress test page.
  • Fixed NTP status submenu highlighting
  • Improve page layout when left-hand menu pane is tall
Built 2019-03-24
Older factory release
1.51.001 (Davies)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.50.000 to Factory release 1.51.001

BGP

  • Added AS-Path checks to BGP route filtering

Config

  • Renamed log-panic to log-support, as we may log other unusual events to fb-support and not just stack trace / panics

Config editor

  • Profile page layout tweaked

General

  • Some final tweaks before being ready for next release
  • Some minor optimisations

Internal

  • Minor changes to boot time calculation
  • Avoid boot time appearing negative when time is adjusted

L2TP

  • Adjustments to ICMP logic for trace route though L2TP
  • Various performance enhancements
  • Local config for L2TP relay now allows relay via another table (payload-table)
  • Fix missing TID in L2TP tunnel status page
  • L2TP session xml url checking number is only number

Logging

  • Additional direct log-panic logging to try and find specific issue in recent code.

NTP

  • Restructure client with minor improvements prior to introduction of full NTP server
  • NTP server introduced. Early release - may not be stable.
  • Support clients using older versions of NTP protocol
  • DHCP serves FireBrick IP for NTP now (unless otherwise set in DHCP config)
  • Minor fixes, and a change to maxpoll and minpoll to use duration in config.
  • Various minor updates on NTP
  • Further NTP bugfixes, including earlier setting of system time.
  • Further improvement to NTP system clock conditioning
  • Improve NTP status message on main status page
  • Added UI status page and CLI status; other minor improvements
  • Improved status output
  • Fix crash when adding/removing time service in config
  • Yet more UI status improvements
  • NTP time adjustments are now applied smoothly by OS time conditioning
  • Improved access checking
  • NTP control (ntpq) access now defaults to true. UI diagnostic access check page was not displaying correct details for NTP.
  • Fixed possible crash after peer drop
  • Fix problem with time quickstep (mainly showing on 2700)
  • Fix NTP status erroneously reported as Acquiring after config change. Improve NTP server stateup/shutdown.

Ping

  • Added ping size option to bulk ping logic (+size after IP and #table)

PPPoE

  • pd-interface default on PPPoE excludes interfaces marked wan

Session tracking

  • Change to logic for set-graph-dynamic which was not setting speeds based on set-graph but on set-reverse-graph.
  • Edge case in use of NAT-PMP/PCP causing crash, fixed

Shaping

  • Shared shaper changed to allow > 4Gb/s total (new version, so all sharing systems need update at same time)

Web control pages

  • Live update of uptime, time, and RAM usage in status page
  • Minor change to way status web page shows

Web UI

  • Minor tweaks to UI colouring. Ping/Traceroute display is banded for better visibility.
  • Fix typo in UI on TCP stress test page.
  • Fixed NTP status submenu highlighting
  • Improve page layout when left-hand menu pane is tall
Built 2019-03-23
Older Beta release
1.51.000 (Davies)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.50.000 to Beta release 1.51.000

BGP

  • Added AS-Path checks to BGP route filtering

Config

  • Renamed log-panic to log-support, as we may log other unusual events to fb-support and not just stack trace / panics

Config editor

  • Profile page layout tweaked

General

  • Some final tweaks before being ready for next release
  • Some minor optimisations

Internal

  • Minor changes to boot time calculation
  • Avoid boot time appearing negative when time is adjusted

L2TP

  • Adjustments to ICMP logic for trace route though L2TP
  • Various performance enhancements
  • Local config for L2TP relay now allows relay via another table (payload-table)
  • Fix missing TID in L2TP tunnel status page
  • L2TP session xml url checking number is only number

Logging

  • Additional direct log-panic logging to try and find specific issue in recent code.

NTP

  • Restructure client with minor improvements prior to introduction of full NTP server
  • NTP server introduced. Early release - may not be stable.
  • Support clients using older versions of NTP protocol
  • DHCP serves FireBrick IP for NTP now (unless otherwise set in DHCP config)
  • Minor fixes, and a change to maxpoll and minpoll to use duration in config.
  • Various minor updates on NTP
  • Further NTP bugfixes, including earlier setting of system time.
  • Further improvement to NTP system clock conditioning
  • Improve NTP status message on main status page
  • Added UI status page and CLI status; other minor improvements
  • Improved status output
  • Fix crash when adding/removing time service in config
  • Yet more UI status improvements
  • NTP time adjustments are now applied smoothly by OS time conditioning
  • Improved access checking
  • NTP control (ntpq) access now defaults to true. UI diagnostic access check page was not displaying correct details for NTP.
  • Fixed possible crash after peer drop
  • Fix problem with time quickstep (mainly showing on 2700)
  • Fix NTP status erroneously reported as Acquiring after config change. Improve NTP server stateup/shutdown.

Ping

  • Added ping size option to bulk ping logic (+size after IP and #table)

PPPoE

  • pd-interface default on PPPoE excludes interfaces marked wan

Session tracking

  • Change to logic for set-graph-dynamic which was not setting speeds based on set-graph but on set-reverse-graph.

Shaping

  • Shared shaper changed to allow > 4Gb/s total (new version, so all sharing systems need update at same time)

Web control pages

  • Live update of uptime, time, and RAM usage in status page
  • Minor change to way status web page shows

Web UI

  • Minor tweaks to UI colouring. Ping/Traceroute display is banded for better visibility.
  • Fix typo in UI on TCP stress test page.
  • Fixed NTP status submenu highlighting
  • Improve page layout when left-hand menu pane is tall
Built 2018-11-21
Older factory release
1.50.000 (Culbertson)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.49.000 to Factory release 1.50.000

ACME

  • Minor improvements to ACME - handling some extra order status responses

BGP

  • Additional debug for ignored updates

CQM

  • Added more stats (total bytes/packet/drops) to CQM XML

Crypto

  • PKCS#8 formats now fully accepted and served for RSA and DSA keys

Diagnostics

  • Fix TCP download test (was always saying 0 bytes loaded)

DNS

  • Changed DNS logic so not simply fallback="true" but fallback-table defined. This means multiple table DNS will default not to fall back now.

General

  • Slight performance improvements

IPsec

  • Fix duplicate connection problem after roadwarrior client switches from wifi to 3G
  • Fix Roadwarrior problems - IPv4 NAT not working and IPv6 routing failing on Apple clients

IPv6

  • Changed ICMPv6 (ND/NA) source address in some cases to match scope

L2TP

  • Allow L2TP matched incoming sessions to set payload-table
  • Added colours to tunnel and session status

Logging

  • Fix possible syslog buffer overrun

Pcap

  • Improved pcap "self exclude" to only exclude the actual TCP session traffic of the dump, not all traffic to/from the IP of the browser as before

PPPoE

  • Minor change to PPPoE timeout logic - could be disrupted by frequent profile changes

RADIUS

  • Platform RADIUS server ERX parameters now tagged if part of tagged response

Routing

  • Impove some logic where table 0 has no routes and totally mapped via rule-sets (e.g s/w upgrades, etc)

Telnet

  • Option to configure custom telnet prompt

TLS

  • Fix lockup at end of stream on TLS connections

VoIP

  • Separate carrier controls for P-Asserted-Identity, Remote-Party-Id, and Privacy on VoIP carriers. Change of defaults to send PAID and Privacy not RPID
  • Added ACR (Anonymous Call reject) feature on telephone config
  • Included User-Name in RADIUS auth for VoIP (from From header before @) if not otherwise set (based on config user/carrier)
  • Interim release with correct AVP for SIP_AOR (122) as well as accepting incorrect one (121)

VRRP

  • VRRP low-priority mode (e.g. for profile off) caused flapping

Web control pages

  • User setting to hide "save" button in config edit (i.e. has to do "test" first).
  • Added Content-Language to avoid some browsers offering to translate control pages
  • CSS update
  • Added kill on block/reject type sessions in session table
  • Adjust initial timeout to allow for slow TLS handshake
Built 2018-08-22
Older factory release
1.49.000 (Belladonna)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.48.101 to Factory release 1.49.000

BGP

  • Added startup delay for sending BGP announcements to make for cleaner reboots when used as part of a part

Config

  • Tweaked factory default LAN firewall rule to allow from FireBrick to LAN (needed for VoIP)
  • Removing Ethernet port config now sets port back to default settings

CQM

  • Tweak graph logic - was not working if only selecting ave or max latency to show on SVG

FB105

  • Fix internal-ip on fb105 tunnels routing

HTTP

  • Changed HTTP redirect logic to better handle cases where some port mapping is used in front of the web control pages

IPv6

  • Added DNSSL (search list) to RA settings on subnet

L2TP

  • Minor change to handle low buffer scenarios better

Logging

  • Fixed UTC timestamp on logs (was local time with Z suffix, sorry)

PPPoE

  • PPPoE can now be linked to physical port for direct connection to modem - resetting the port when PPPoE goes down (fixes bug in some modems)

SNMP

  • Various SNMP updates
  • bgp and l2tp now support SNMP treewalk
  • Vendor-specific SNMP for BGP and L2TP reorganized to follow standard table construction. ***NOTE*** this will affect customers using SNMP with BGP/L2TP
  • Add CPU buffer free counts to SNMP statistics

VoIP

  • Tweak for REFER logic, allow refer to match user details with no password (i.e. check IP)

VRRP

  • Corrected VRRP v3 checksum - UPGRADE BACKUP ROUTERS FIRST

Web control pages

  • New css for mobile use
  • Fix wizard when email specified as it caused save error
  • New control of whether logs on web/cli include system logs or not (default not, except for "default" log after factory reset)
  • Config edit not working when clock not set, fixed.
  • Recovery config edit now prompts to save even when no changes as it is not the "live" config
  • Minor improvements to web control pages (extra classes, etc)

Web UI

  • Add TCP throughput diagnostic
Built 2018-06-22
Older factory release
1.48.101 (Avarelli)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.47.100 to Factory release 1.48.101

ACME

  • Install root certificates for use with Let's Encrypt and ACME
  • Better error logging
  • Full ACME system to work with Let's Encrypt

BGP

  • Updates BGP refresh options including sending refresh request
  • Additional BGP shutdown subcodes added
  • Some additional debug for BGP

Config

  • Config top level attributes now include username and ip of last update
  • Config top level attributes now include serial number and version, but normal edit screen no longer has xmlns and xsi
  • IP groups can now reference subnets by name (including DHCP client subnets)

Crypto

  • New key generation logic in place for ACME and related functions
  • Avoid crash soon after startup following auto key generation

Firewall

  • Added a block/prefix mapping feature to firewall logic

Flash

  • Fix incorrect detection of flash timeout on heavily-loaded system

https

  • Self signed certificates as fallback for initial set up via https

Internal

  • Fix occasional lockup/crash during stream processing
  • Additional stats for entropy collection

IP

  • Increase pending ARP cache and drop if overloaded rather than sending spurious ICMP errors

IPv6

  • Change some logic to reduce use of 2002:: 6over4 address usage as source addresses where possible

L2TP/RADIUS

  • Tweaks to expected timeouts on RADIUS (e.g. for L2TP or session steering) and change default to min timeout 2 seconds total
  • More control of RADIUS timeouts for ad-hoc RADIUS from RADIUS response for L2TP session steering
  • Improve outgoing L2TP handling where target is hostname

Logging

  • Change to outgoing email timeout (spam scans and the like can take a while) RFC5321 4.5.3.2
  • Colour on web log not always correct

PPP

  • Send NAK asking for MD5 on receipt of non MD5 CHAP request

RADIUS

  • RADIUS client allowing fixed source-ip, and for ad-hoc L2TP steering uses L2TP source IP if set
  • Fix L2TP relay steering RADIUS min/max timeouts (5/20 not 20/5)

VoIP

  • Fix nc to 1 as we don't store/re-use nonce values. Some systems don't just look for duplicates but actually expect a 1
  • Not picking up media started until something that is not perfect silence is sent as some systems do that!
  • Better handling of overlapping INVITE replies where server is very slow or over long latency links

VRRP

  • Config check for duplicate VRRP MAC in use on different interfaces

Web control pages

  • Change layout of rule-set
  • Changed logic for self signed certificates, and made more transient in certificate store
  • Limit number of self signed certificates to reduce clutter, and avoid possible "make millions of certificates" attacks
Built 2018-06-18
Older Beta release
1.48.100 (Avarelli)
Config:XSD Doc
Manual:PDF HTML

Release notes from Beta release 1.48.000 to Beta release 1.48.100

Firewall

  • Added a block/prefix mapping feature to firewall logic

Flash

  • Fix incorrect detection of flash timeout on heavily-loaded system

Internal

  • Fix occasional lockup/crash during stream processing

L2TP/RADIUS

  • Tweaks to expected timeouts on RADIUS (e.g. for L2TP or session steering) and change default to min timeout 2 seconds total
  • More control of RADIUS timeouts for ad-hoc RADIUS from RADIUS response for L2TP session steering

PPP

  • Send NAK asking for MD5 on receipt of non MD5 CHAP request

RADIUS

  • Fix L2TP relay steering RADIUS min/max timeouts (5/20 not 20/5)

VoIP

  • Fix nc to 1 as we don't store/re-use nonce values. Some systems don't just look for duplicates but actually expect a 1
  • Not picking up media started until something that is not perfect silence is sent as some systems do that!
  • Better handling of overlapping INVITE replies where server is very slow or over long latency links
Built 2018-06-03
Older Beta release
1.48.000 (Avarelli)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.47.100 to Beta release 1.48.000

ACME

  • Install root certificates for use with Let's Encrypt and ACME
  • Better error logging
  • Full ACME system to work with Let's Encrypt

BGP

  • Updates BGP refresh options including sending refresh request
  • Additional BGP shutdown subcodes added
  • Some additional debug for BGP

Config

  • Config top level attributes now include username and ip of last update
  • Config top level attributes now include serial number and version, but normal edit screen no longer has xmlns and xsi
  • IP groups can now reference subnets by name (including DHCP client subnets)

Crypto

  • New key generation logic in place for ACME and related functions
  • Avoid crash soon after startup following auto key generation

https

  • Self signed certificates as fallback for initial set up via https

Internal

  • Additional stats for entropy collection

IPv6

  • Change some logic to reduce use of 2002:: 6over4 address usage as source addresses where possible

Logging

  • Change to outgoing email timeout (spam scans and the like can take a while) RFC5321 4.5.3.2
  • Colour on web log not always correct

RADIUS

  • RADIUS client allowing fixed source-ip, and for ad-hoc L2TP steering uses L2TP source IP if set

VRRP

  • Config check for duplicate VRRP MAC in use on different interfaces

Web control pages

  • Change layout of rule-set
  • Changed logic for self signed certificates, and made more transient in certificate store
  • Limit number of self signed certificates to reduce clutter, and avoid possible "make millions of certificates" attacks
Built 2018-04-19
Older factory release
1.47.100 (Zander)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.47.010 to Factory release 1.47.100

L2TP

  • Edge case where radius relay of tunnel could cause crash when using BRAS mode

Web control pages

  • TLS: Added AEAD-GCM cipher suites - now get an "A" rating with Qualys SSL Labs test.
  • Can now specify a list of possible certificates to be used for https in http config
Built 2018-04-11
Older factory release
1.47.010 (Zander)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.46.100 to Factory release 1.47.010

Authentication

  • Interface can be marked "wan" to consider it not local for "local-only" access controls
  • Added advice on printing and storing QR code in case phone fails

BGP

  • New "grey hole"community tag for IBGP to pass blackhole routes that have no-fib set, so routes get to EBGP for external blackhole announcements
  • More info on BGP peers

Config

  • Config editor did not show advanced selected option entries that are blank if without Show all

Config editor

  • Adjust timing on config edit as firefox keeps saying edited by someone else

CQM

  • More slight tweaks - edge case of SVG for unknown CQM graph (i.e. blank graph) with title text enabled caused a crash...
  • Slight changes to SVG (slightly bigger) to add id to some fields and include off image (cropped) data to allow some post processing (e.g. merging graphs)
  • CQM SVG now includes option for markers on the tx/rx lines like the old PNGs did - by popular demand, CSSable.
  • SVG CQM graphs did not show "damping"

DHCP

  • DHCP client Class and Client-Identifier now configurable
  • Minor tweaks to DHCP server as per RFC6842 (correctly returning client ID)

Internal

  • Fix incorrect flash log replay output at system startup
  • Minor change to low buffer checks for TCP management interfaces and L2TP

L2TP

  • PPP LCP restart if not negotiated after 30 seconds and an LCP restart has not been tried already
  • Added RADIUS Framed-IPv6-Prefix
  • Option to mark an L2TP session as isolated, i.e. not allowed to pass directly from another L2TP session
  • Added relay-local-ip config for L2TP to control the IP used for relaying connections, and extra debug info
  • Tweak behaviour if all RADIUS servers not responding
  • Malformed L2TP packet could cause crash

LEDs

  • Ensure LEDs start up in cycling (knightrider) mode
  • Fix LED issue - not showing power LED

Logging

  • Syslog missing NILVALUE for structured data
  • Some additional logging for impossible packet headers requiring split for MTU
  • Tweak to delayed logging (email) so it may send on controlled shutdown

Manual

  • Corrected explanation of trusted, local-only, and allow controls in manual
  • Updates to manual covering scripted access and special URLs

OSPF

  • Area ID was not set from config

Ping

  • Show ping/traceroute response coming back on wrong table

PPPoE

  • PPPoE was not handling priority tagged VLAN packets well
  • Tweak to PPPoE client back-off when connections start but don't complete

Profiles

  • Profiles now allow checking of outgoing L2TP tunnel state

Routing

  • Changed linked routes display, e.g. for L2TP sessions, to be more logical

Session Tracking

  • Possible very rare case of lock up at start-up fixed now

SNMP

  • SNMP was not respecting profile setting

SVG

  • Minor SVG tweaks to save space
  • Extra info in SVG to aid post processing

Telnet

  • Fix instructions on telnet config import. It ends with ^D or a line with just a dot on it

USB

  • Remove unnecessary logging

VoIP

  • Tweak to VoIP (Via/branch tag) to improve compatibility
  • Even though RFC 3261 8.1.3.2 requires UACs to handle 100 responses, some get upset, so as per 8.2.6.1 we only send for INVITE now

Web control pages

  • https support introduced. Should now support most modern browsers. Limited certificate management.
  • Change of monospace font
  • Dynamic status of ports
  • Started work on initial config wizard
  • Warning for config edited by someone else now advises IP and name of other user(s)
  • Tidy layout of config edit for system settings
  • Option to skip the setup wizard
  • DHCP clear all unused now operates per interface
  • Colour picker was not working for named colours (also, added "orange")
  • Additional security related http headers added with sensible defaults
  • Change ajax sync logic on config edit to be neater
  • The logs page was not working when you only had one log target. Given system defaults to two to start, this is rare!
  • Save button appearing on key press in a field, and not just when leaving field - so more obvious
  • Slight re-order of the config to be a little easier to follow

Web UI

  • More compact SVG for CQM and QR codes
  • Status shows currently ntp status, i.e. reports if no time server set, DNS not working, etc.
  • DHCP status now lists interfaces and shows per interface rather than all in one table
Built 2018-04-10
Older Beta release
1.47.000 (Zander)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.46.100 to Beta release 1.47.000

Authentication

  • Interface can be marked "wan" to consider it not local for "local-only" access controls
  • Added advice on printing and storing QR code in case phone fails

BGP

  • New "grey hole"community tag for IBGP to pass blackhole routes that have no-fib set, so routes get to EBGP for external blackhole announcements
  • More info on BGP peers

Config

  • Config editor did not show advanced selected option entries that are blank if without Show all

Config editor

  • Adjust timing on config edit as firefox keeps saying edited by someone else

CQM

  • More slight tweaks - edge case of SVG for unknown CQM graph (i.e. blank graph) with title text enabled caused a crash...
  • Slight changes to SVG (slightly bigger) to add id to some fields and include off image (cropped) data to allow some post processing (e.g. merging graphs)
  • CQM SVG now includes option for markers on the tx/rx lines like the old PNGs did - by popular demand, CSSable.
  • SVG CQM graphs did not show "damping"

DHCP

  • DHCP client Class and Client-Identifier now configurable
  • Minor tweaks to DHCP server as per RFC6842 (correctly returning client ID)

Internal

  • Fix incorrect flash log replay output at system startup
  • Minor change to low buffer checks for TCP management interfaces and L2TP

L2TP

  • PPP LCP restart if not negotiated after 30 seconds and an LCP restart has not been tried already
  • Added RADIUS Framed-IPv6-Prefix
  • Option to mark an L2TP session as isolated, i.e. not allowed to pass directly from another L2TP session
  • Tweak behaviour if all RADIUS servers not responding

LEDs

  • Ensure LEDs start up in cycling (knightrider) mode
  • Fix LED issue - not showing power LED

Logging

  • Syslog missing NILVALUE for structured data
  • Some additional logging for impossible packet headers requiring split for MTU
  • Tweak to delayed logging (email) so it may send on controlled shutdown

Manual

  • Corrected explanation of trusted, local-only, and allow controls in manual
  • Updates to manual covering scripted access and special URLs

OSPF

  • Area ID was not set from config

Ping

  • Show ping/traceroute response coming back on wrong table

PPPoE

  • PPPoE was not handling priority tagged VLAN packets well
  • Tweak to PPPoE client back-off when connections start but don't complete

Profiles

  • Profiles now allow checking of outgoing L2TP tunnel state

Routing

  • Changed linked routes display, e.g. for L2TP sessions, to be more logical

Session Tracking

  • Possible very rare case of lock up at start-up fixed now

SNMP

  • SNMP was not respecting profile setting

SVG

  • Minor SVG tweaks to save space
  • Extra info in SVG to aid post processing

Telnet

  • Fix instructions on telnet config import. It ends with ^D or a line with just a dot on it

USB

  • Remove unnecessary logging

VoIP

  • Tweak to VoIP (Via/branch tag) to improve compatibility
  • Even though RFC 3261 8.1.3.2 requires UACs to handle 100 responses, some get upset, so as per 8.2.6.1 we only send for INVITE now

Web control pages

  • https support introduced. Should now support most modern browsers. Limited certificate management.
  • Change of monospace font
  • Dynamic status of ports
  • Started work on initial config wizard
  • Warning for config edited by someone else now advises IP and name of other user(s)
  • Tidy layout of config edit for system settings
  • Option to skip the setup wizard
  • DHCP clear all unused now operates per interface
  • Colour picker was not working for named colours (also, added "orange")
  • Additional security related http headers added with sensible defaults
  • Change ajax sync logic on config edit to be neater
  • The logs page was not working when you only had one log target. Given system defaults to two to start, this is rare!
  • Save button appearing on key press in a field, and not just when leaving field - so more obvious
  • Slight re-order of the config to be a little easier to follow

Web UI

  • More compact SVG for CQM and QR codes
  • Status shows currently ntp status, i.e. reports if no time server set, DNS not working, etc.
  • DHCP status now lists interfaces and shows per interface rather than all in one table
Built 2017-11-26
Older factory release
1.46.100 (Yorick)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.45.001 to Factory release 1.46.100

ARP

  • Proxy ARP/ND logic was causing proxy ARP even when routing is to a next hop on same LAN, and so hijacking all IPs
  • Improvements to ARP handling - reduce chances of unexpected no route to host on first packet

ARP/DHCP

  • Timing improvements to prevent corner case of IP not getting allocated if recently unused

BGP

  • Export filters were not checking community fields on non BGP originated routes (e.g. locally generated with community tags)
  • Show more clearly when BGP has hit prefix limit (we don't drop BGP on that)
  • Added reduce-recursion option to BGP
  • No fib option on Blackhole routes (EBGP only and non FIB)

CLI

  • Eth/Switch stats display layout improved
  • Command completion was not working correctly
  • show tasks allows stack trace information for debug

Config

  • Minor change to factory reset config (WAN port name changes)
  • Port LED config option "Cycling" removed. [May be reinstated in the future.]
  • Config edit was reporting that someone else had changed config, on save...
  • Minor change to way simultaneous config changes are reported on web pages

CQM

  • SVG for CQM graphs

DHCP

  • Additional DHCP logging, and (debug) logging if seems to be another DHCP server present
  • Improved logging when no IP is available to help with diagnosis
  • Fix problem where wrong restricted dhcp entry could be used

DNS

  • Option to turn off local caching of relayed DNS lookups
  • DNS response times made a bit more adaptive to handle cruise ship levels of internet latency
  • DNS config allows resolvers table to be specified without restricting access to DNS caching function
  • Tweaks to DNS handling capacity for high load
  • Some aspects of local DNS were case sensitive, fixed
  • Fix for local IP (e.g. my.firebrick.uk) not returning A record when IPv6 DNS used, and other way around.

FB105

  • Fix routing to self when internal-ip set on fb105 tunnel
  • Simple FB105 obfuscation feature (for countries that ban encryption)

Firewall

  • Session tracking timeouts for native IPsec (ESP/AH) increased (was 5 seconds)
  • NAT-PMP and PCP handling (experimental)

Internal

  • Another modification to interrupt management to help with overload
  • Changes to image timestamp processing to avoid occasionally seen wild timestamps way in the future.
  • Improved error detection and recovery in legacy flash driver

L2TP

  • Changed L2TP tunnels to have two separate "LIVE" states on web page and on SNMP, one for incoming and one for outgoing tunnels
  • New L2TP config option to allow both LAC and LNS as NAS IP and port in RADIUS
  • Outgoing L2TP has NAT option (default true)
  • Outgoing L2TP with cross tunnel payload now handles local IP for local traffic and NAT correctly
  • Outgoing L2TP fixed DNS server setting with option to not accept DNS if required
  • Outgoing L2TP now allows server to be a host name, not just an IP
  • Outgoing L2TP hostname now defaults to "FireBrick" if no system name set
  • Allow RADIUS relay response to have #port on end of IP/hostname for non standard RADIUS auth port
  • Added additional SNMP L2TP for session negotiation slots that are free: iso.3.6.1.4.1.24693.1701.2.10
  • Using web page to kill L2TP session bypassed normal RADIUS accounting for closing session

LACP/LLDP

  • Prevent LACP/LLDP packets crossing between ports in same portgroup

LEDs

  • LED driver restructuring and timing improvements

Logging

  • Added email address to config - used as Reply-To on email logs
  • Rework of web logging to use web sockets and better layout, and allow download

NAT

  • Changed NAT logic to have longer session timeout after TCP closes to avoid accidental re-use of ports in FIN WAIT

Ping

  • Loading ping graphs was not handling host names properly if using multipart/formdata

PPP

  • Buffer leak in edge case where PPP negotiation is closing IPCP and failing the session

PPPoE

  • DHCPv6 over PPPoE server was broken, fixed
  • PPPoE server (BRAS mode) now allows calling station ID prefix for sending to RADIUS
  • Added explicit control of RFC4638 PPPoE tagging (default for >1492 MTU)

RADIUS

  • RADIUS server matching rules can be set to continue on match, allowing multiple stages of settings if needed
  • Added additional Juniper parameter to steering RADIUS for L2TP via TalkTalk newer platform
  • Added additional check on NAS-IP in steering RADIUS for L2TP via Talk Talk newer platform
  • Platform RADIUS nas-ip match was not right

s/w upgrade

  • Delay up to 15 mins to give FB a chance to get the time before performing an auto upgrade; Correct logic for checking if image already present in flash.

SIP

  • Fixed issue where re-try of SIP messages would go to port 0 if no SRV saying otherwise

SNMP

  • Extended SNMP for VoIP to include stats per carrier/telephone
  • SNMP 1.3.6.1.2.1.2.1.0 was not working

VoIP

  • Improved IPv6/IPv4 fallback logic
  • Split up some long SIP lines
  • Minor tweak to NAT keep alive on VoIP to reduce logging
  • Minor tweak to authorization header to be a bit more pedantic
  • Silly bug, RADIUS based SIP error codes scrambled slightly so middle digit added as unit not tens

Web UI

  • Sometimes the login page could show a corrupt hostname for connecting host (reverse DNS)
  • Changed to use svg for images because of higher res screens and scalable mobile screens
  • Change form entry timeout to match login timeout (if set, else 5 minutes as now)
Built 2017-11-23
Older Beta release
1.46.000 (Yorick)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.45.001 to Beta release 1.46.000

ARP

  • Proxy ARP/ND logic was causing proxy ARP even when routing is to a next hop on same LAN, and so hijacking all IPs
  • Improvements to ARP handling - reduce chances of unexpected no route to host on first packet

ARP/DHCP

  • Timing improvements to prevent corner case of IP not getting allocated if recently unused

BGP

  • Export filters were not checking community fields on non BGP originated routes (e.g. locally generated with community tags)
  • Show more clearly when BGP has hit prefix limit (we don't drop BGP on that)
  • Added reduce-recursion option to BGP
  • No fib option on Blackhole routes (EBGP only and non FIB)

CLI

  • Eth/Switch stats display layout improved
  • Command completion was not working correctly
  • show tasks allows stack trace information for debug

Config

  • Minor change to factory reset config (WAN port name changes)
  • Port LED config option "Cycling" removed. [May be reinstated in the future.]
  • Config edit was reporting that someone else had changed config, on save...
  • Minor change to way simultaneous config changes are reported on web pages

DHCP

  • Additional DHCP logging, and (debug) logging if seems to be another DHCP server present
  • Improved logging when no IP is available to help with diagnosis
  • Fix problem where wrong restricted dhcp entry could be used

DNS

  • Option to turn off local caching of relayed DNS lookups
  • DNS response times made a bit more adaptive to handle cruise ship levels of internet latency
  • DNS config allows resolvers table to be specified without restricting access to DNS caching function
  • Tweaks to DNS handling capacity for high load
  • Some aspects of local DNS were case sensitive, fixed
  • Fix for local IP (e.g. my.firebrick.uk) not returning A record when IPv6 DNS used, and other way around.

FB105

  • Fix routing to self when internal-ip set on fb105 tunnel
  • Simple FB105 obfuscation feature (for countries that ban encryption)

Firewall

  • Session tracking timeouts for native IPsec (ESP/AH) increased (was 5 seconds)
  • NAT-PMP and PCP handling (experimental)

Internal

  • Another modification to interrupt management to help with overload
  • Changes to image timestamp processing to avoid occasionally seen wild timestamps way in the future.
  • Improved error detection and recovery in legacy flash driver

L2TP

  • Changed L2TP tunnels to have two separate "LIVE" states on web page and on SNMP, one for incoming and one for outgoing tunnels
  • New L2TP config option to allow both LAC and LNS as NAS IP and port in RADIUS
  • Outgoing L2TP has NAT option (default true)
  • Outgoing L2TP with cross tunnel payload now handles local IP for local traffic and NAT correctly
  • Outgoing L2TP fixed DNS server setting with option to not accept DNS if required
  • Outgoing L2TP now allows server to be a host name, not just an IP
  • Outgoing L2TP hostname now defaults to "FireBrick" if no system name set
  • Allow RADIUS relay response to have #port on end of IP/hostname for non standard RADIUS auth port
  • Using web page to kill L2TP session bypassed normal RADIUS accounting for closing session

LACP/LLDP

  • Prevent LACP/LLDP packets crossing between ports in same portgroup

LEDs

  • LED driver restructuring and timing improvements

Logging

  • Added email address to config - used as Reply-To on email logs
  • Rework of web logging to use web sockets and better layout, and allow download

NAT

  • Changed NAT logic to have longer session timeout after TCP closes to avoid accidental re-use of ports in FIN WAIT

Ping

  • Loading ping graphs was not handling host names properly if using multipart/formdata

PPP

  • Buffer leak in edge case where PPP negotiation is closing IPCP and failing the session

PPPoE

  • DHCPv6 over PPPoE server was broken, fixed
  • PPPoE server (BRAS mode) now allows calling station ID prefix for sending to RADIUS
  • Added explicit control of RFC4638 PPPoE tagging (default for >1492 MTU)

RADIUS

  • RADIUS server matching rules can be set to continue on match, allowing multiple stages of settings if needed
  • Added additional Juniper parameter to steering RADIUS for L2TP via TalkTalk newer platform
  • Added additional check on NAS-IP in steering RADIUS for L2TP via Talk Talk newer platform
  • Platform RADIUS nas-ip match was not right

s/w upgrade

  • Delay up to 15 mins to give FB a chance to get the time before performing an auto upgrade; Correct logic for checking if image already present in flash.

SIP

  • Fixed issue where re-try of SIP messages would go to port 0 if no SRV saying otherwise

SNMP

  • Extended SNMP for VoIP to include stats per carrier/telephone
  • SNMP 1.3.6.1.2.1.2.1.0 was not working

VoIP

  • Improved IPv6/IPv4 fallback logic
  • Split up some long SIP lines
  • Minor tweak to NAT keep alive on VoIP to reduce logging
  • Minor tweak to authorization header to be a bit more pedantic
  • Silly bug, RADIUS based SIP error codes scrambled slightly so middle digit added as unit not tens

Web UI

  • Sometimes the login page could show a corrupt hostname for connecting host (reverse DNS)
  • Change form entry timeout to match login timeout (if set, else 5 minutes as now)
Built 2017-02-16
Older factory release
1.45.001 (Ximenes)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.44.000 to Factory release 1.45.001

DNS

  • Possible rare quirk that could cause a DNS resolver to be ignored/blocked

Internal

  • Improve OS interrupt scheduling to reduce possibility of panic under heavy load
  • Change of default value in new ethernet interrupt code config to address possible latency issue under load

IPv6

  • When turning off RA we were sending an RA making prefixes valid for infinity rather than 0

Profiles

  • Forcing a config load which has a reference to non existent profile could cause a crash

Routing

  • L2TP source routing check could, in some cases, cause a crash if routing for IP is primarily via different route (e.g. BGP) with L2TP as fallback

Web UI

  • Packet dump was blocking other forms on web interface whilst running (error 409), fixed
  • Allow certificate download if read access to config, and only show cert actions if available to user
  • Removing 2FA could result in a crash, fixed
  • Logging for http does not log every web page access on normal logging now, that is on debug logging
Built 2017-02-13
Older factory release
1.45.000 (Ximenes)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.44.000 to Factory release 1.45.000

DNS

  • Possible rare quirk that could cause a DNS resolver to be ignored/blocked

Internal

  • Improve OS interrupt scheduling to reduce possibility of panic under heavy load

IPv6

  • When turning off RA we were sending an RA making prefixes valid for infinity rather than 0

Profiles

  • Forcing a config load which has a reference to non existent profile could cause a crash

Routing

  • L2TP source routing check could, in some cases, cause a crash if routing for IP is primarily via different route (e.g. BGP) with L2TP as fallback

Web UI

  • Packet dump was blocking other forms on web interface whilst running (error 409), fixed
  • Allow certificate download if read access to config, and only show cert actions if available to user
  • Removing 2FA could result in a crash, fixed
  • Logging for http does not log every web page access on normal logging now, that is on debug logging
Built 2017-01-11
Older factory release
1.44.000 (Warbler)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.43.001 to Factory release 1.44.000

PPP

  • Ignoring unknown PPP/LCP protocol reject now
  • Closing PPP if IPv4 and IPv6 terminated or rejected

PPPoE

  • Rework of service name matching and PADO/PADS response logic for PPPoE

Web UI

  • Factory reset state not working due to new security measures means factory reset bricks cannot be configured via web interface, only telnet
  • Fix individual DHCP kill button which was not allowing unexpired or locked entries to be killed, and correct typo!
Built 2017-01-11
Older Beta release
1.43.100 (Vixen)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.43.001 to Beta release 1.43.100

PPP

  • Ignoring unknown PPP/LCP protocol reject now
  • Closing PPP if IPv4 and IPv6 terminated or rejected

PPPoE

  • Check for matching service name when selecting PPPoE config on PADI/PADR processing (BRAS mode)

Web UI

  • Factory reset state not working due to new security measures means factory reset bricks cannot be configured via web interface, only telnet
  • Fix individual DHCP kill button which was not allowing unexpired or locked entries to be killed, and correct typo!
Built 2017-01-05
Older factory release
1.43.001 (Vixen)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.42.100 to Factory release 1.43.001

Authentication

  • Made web & telnet login prompt for OTP authenticator code so can be entered separately from password

DHCPv6

  • Tested on Zen IPv6 PPPoE/DHCPv6 - addressed a number of issues, now working

Ethernet

  • Improve ethernet receive processing and CPU load monitoring

Firewall

  • Fix bug with session mapping using hash function, which sometimes did not pick any mapping
  • Load balancing issue for firewalling when not using hashing

L2TP

  • Additional RADIUS logging for RADIUS based steering

Sampling

  • Introduce packet sampling (IPFIX/sFlow) [not yet documented]

SNMP

  • Named shapers were not returning actual stats

VoIP

  • Added config name to outgoing registrations as display name on contact
  • Issue with outgoing registrations locking up indefinitely if ICMP errors received

Web UI

  • Did not show new bootloader as available on status upgrades page
  • New password change menu to simplify password change and to allow users without config save access to update their password
  • Added QR code and suggested key to OTP set up
  • New simpler OTP set up
  • Removed OTP check on config recovery mode - given physical access needed and likely clock not set
  • Cross site scripting checks on web forms
Built 2017-01-03
Older Beta release
1.43.000 (Vixen)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.42.100 to Beta release 1.43.000

Authentication

  • Made web & telnet login prompt for OTP authenticator code so can be entered separately from password

DHCPv6

  • Tested on Zen IPv6 PPPoE/DHCPv6 - addressed a number of issues, now working

Ethernet

  • Improve ethernet receive processing and CPU load monitoring

Firewall

  • Fix bug with session mapping using hash function, which sometimes did not pick any mapping

L2TP

  • Additional RADIUS logging for RADIUS based steering

Sampling

  • Introduce packet sampling (IPFIX/sFlow) [not yet documented]

SNMP

  • Named shapers were not returning actual stats

VoIP

  • Added config name to outgoing registrations as display name on contact
  • Issue with outgoing registrations locking up indefinitely if ICMP errors received

Web UI

  • Did not show new bootloader as available on status upgrades page
  • New password change menu to simplify password change and to allow users without config save access to update their password
  • Added QR code and suggested key to OTP set up
  • New simpler OTP set up
  • Removed OTP check on config recovery mode - given physical access needed and likely clock not set
  • Cross site scripting checks on web forms
Built 2016-11-01
Older factory release
1.42.100 (UncleYap)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.41.000 to Factory release 1.42.100

BGP

  • Subtle recursive next hop check logic error where DeadEnd community tagged routes used

CLI

  • Increase CLI regexp buffer to support lines up to 300 characters
  • Fix lockup problem when doing command completion
  • Debug command for DNS cache

config

  • Removed top-level profile setting from route-override (it was non-operational)

DNS

  • Bug in DNS caching that could have caused other side effects in other systems - fixed
  • Custom DNS responses can now be restricted to specific interfaces
  • More aggressive DNS cache expiry where multiple entries have different TTL
  • Better cache handling when being flooded with requests to cache limit
  • Slightly more aggressive clean up of domains with expired cache or caching limits reached

L2TP

  • Allow config of advertised receive window
  • Avoid sending CDN or other session related messages once a CDN is received
  • Better handling of zero length username and zero length passwords in proxied authentication
  • Graph names not showing on L2TP sessions immediately after connect
  • Option for local LCP echo handling in middle of L2TP relayed connection
  • Edge case of L2TP with PAP and auth-name but no auth-resp (assumed no/null password) which was not doing RADIUS
  • Change when relaying L2TP with null password and PAP to send null password in an auth-resp
  • L2TP relay to send auth even for zero length login
  • Fix bug with showing L2TP routing

Logging

  • Logging of config changes was not working correctly if system log-config was set

SNMP

  • Added some missing stats; Implemented Admin/Oper status reporting for ports; Improved port and interface naming.

VoIP

  • SIP DNS resolution where explicit :port suffix used was not working
  • Add force-dtmf option for telephone config, in PABX mode
  • Change of RTP sequence/timestamp logic to address some issues on DTMF event pass through
  • Fix SIP INFO DTMF from Snom
  • Change DTMF in-band generation to handle less frequent RTF/telephone-event messages
  • Better handling of SRV fallback
  • REGISTER now uses host name in URI and not name of proxy when proxy used
  • Finer control of when sending a pre-auth header (carrier setting)
  • http list of registrations now allows user to be of form localpart@domain with host being the proxy

Web UI

  • Subnets status page now shows portgroup name in Port column
  • Port group names shown on port status
Built 2016-10-28
Older Beta release
1.42.010 (UncleYap)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Beta release 1.41.004 to Beta release 1.42.010

BGP

  • Subtle recursive next hop check logic error where DeadEnd community tagged routes used

CLI

  • Increase CLI regexp buffer to support lines up to 300 characters
  • Fix lockup problem when doing command completion
  • Debug command for DNS cache

DNS

  • Bug in DNS caching that could have caused other side effects in other systems - fixed
  • Custom DNS responses can now be restricted to specific interfaces
  • More aggressive DNS cache expiry where multiple entries have different TTL
  • Better cache handling when being flooded with requests to cache limit
  • Slightly more aggressive clean up of domains with expired cache or caching limits reached

L2TP

  • Avoid sending CDN or other session related messages once a CDN is received
  • Better handling of zero length username and zero length passwords in proxied authentication
  • Graph names not showing on L2TP sessions immediately after connect
  • Option for local LCP echo handling in middle of L2TP relayed connection
  • Edge case of L2TP with PAP and auth-name but no auth-resp (assumed no/null password) which was not doing RADIUS
  • Change when relaying L2TP with null password and PAP to send null password in an auth-resp
  • L2TP relay to send auth even for zero length login
  • Fix bug with showing L2TP routing

Logging

  • Logging of config changes was not working correctly if system log-config was set

VoIP

  • SIP DNS resolution where explicit :port suffix used was not working
  • Add force-dtmf option for telephone config, in PABX mode
  • Change of RTP sequence/timestamp logic to address some issues on DTMF event pass through
  • Fix SIP INFO DTMF from Snom
  • Change DTMF in-band generation to handle less frequent RTF/telephone-event messages
  • Better handling of SRV fallback
  • REGISTER now uses host name in URI and not name of proxy when proxy used
  • Finer control of when sending a pre-auth header (carrier setting)
  • http list of registrations now allows user to be of form localpart@domain with host being the proxy

Web UI

  • Port group names shown on port status
Built 2016-10-28
Older Beta release
1.42.000 (UncleYap)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Beta release 1.41.004 to Beta release 1.42.000

BGP

  • Subtle recursive next hop check logic error where DeadEnd community tagged routes used

CLI

  • Increase CLI regexp buffer to support lines up to 300 characters
  • Fix lockup problem when doing command completion
  • Debug command for DNS cache

DNS

  • Bug in DNS caching that could have caused other side effects in other systems - fixed
  • Custom DNS responses can now be restricted to specific interfaces
  • More aggressive DNS cache expiry where multiple entries have different TTL
  • Better cache handling when being flooded with requests to cache limit
  • Slightly more aggressive clean up of domains with expired cache or caching limits reached

L2TP

  • Avoid sending CDN or other session related messages once a CDN is received
  • Better handling of zero length username and zero length passwords in proxied authentication
  • Graph names not showing on L2TP sessions immediately after connect
  • Option for local LCP echo handling in middle of L2TP relayed connection
  • Edge case of L2TP with PAP and auth-name but no auth-resp (assumed no/null password) which was not doing RADIUS
  • Change when relaying L2TP with null password and PAP to send null password in an auth-resp
  • L2TP relay to send auth even for zero length login

Logging

  • Logging of config changes was not working correctly if system log-config was set

VoIP

  • SIP DNS resolution where explicit :port suffix used was not working
  • Add force-dtmf option for telephone config, in PABX mode
  • Change of RTP sequence/timestamp logic to address some issues on DTMF event pass through
  • Fix SIP INFO DTMF from Snom
  • Change DTMF in-band generation to handle less frequent RTF/telephone-event messages
  • Better handling of SRV fallback
  • REGISTER now uses host name in URI and not name of proxy when proxy used
  • Finer control of when sending a pre-auth header (carrier setting)
  • http list of registrations now allows user to be of form localpart@domain with host being the proxy

Web UI

  • Port group names shown on port status
Built 2016-05-27
Older Beta release
1.41.004 (Taupi)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.41.000 to Beta release 1.41.004

config

  • Removed top-level profile setting from route-override (it was non-operational)

L2TP

  • Allow config of advertised receive window

SNMP

  • Added some missing stats; Implemented Admin/Oper status reporting for ports; Improved port and interface naming.

Web UI

  • Subnets status page now shows portgroup name in Port column
Built 2016-05-08
Older factory release
1.41.000 (Taupi)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.40.000 to Factory release 1.41.000

BGP

  • New dead-end-community used to propagate routes within IBGP that are dead ends (e.g. nowhere or network)

Firewall

  • Fix to NAT64 logic where target is nowhere/network

IPsec

  • Decision on whether to send INITIAL_CONTACT notification was inverted
  • Allow traffic selectors to be specified in config
  • Fix scheduling problem which could cause IKE to lock up after prolonged use

IPsec/IKE

  • Add option to enable traffic selector sent to peer to be constructed from specified routing

L2TP

  • If RADIUS overwrites the proxy auth logic to change auth type then change proxy last LCP tx
  • Change logic for dummy auth on L2TP to wait for LCP negotiation to complete before RADIUS allowing proxy LCP details to pass to relayed connection

Routing

  • Changed internal routing logic for "next hop" based routes to be more efficient
Built 2016-04-26
Older factory release
1.40.000 (Shed)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.39.000 to Factory release 1.40.000

ARP

  • Minor tweaks to ARP timing

BGP

  • Tweak next hop in some cases - review against RFC
  • Show BGP sessions that are down by profile as shutdown in peers list
  • Manual shutdown, albeit deprecated, was not working to close existing BGP sessions
  • Simplified the XML for BGP status, all peers list as <peer.../> now.
  • When originating routes from a 32 bit AS number via a 16 bit AS BGP session was not sending AS4_PATH
  • BGP tweak, allow incoming BGP in IDLE state

CLI

  • Command line completion could complete keyword arguments incorrectly

IP

  • Allow UDP to VRRP address - used for DNS, and RADIUS, etc.

IPsec

  • Fix crash when certificate named in connection is missing

L2TP

  • Incoming L2TP config allow any table if table attribute not set
  • Allow outgoing source IP setting on outgoing L2TP tunnels
  • RADIUS directed session steering for L2TP needs to use the specified table
  • Speed sanity check - do not believe L2TP speeds at or below 10kb/s as valid
  • Don't close tunnel on an out of order control packet showing backwards Nr sequence
  • Some more options for RADIUS to overwrite password on L2TP relay

Routing

  • Improve route caching update on deep recursive routes changing

SNMP

  • iso.3.6.1.2.1.31.1.1.1.1. (ifName) corrected as was a Counter64 not a String
  • Corrected counters for broadcast and multicast packets to 32 bit
  • Fix return ordering in bulk get requests; improve encoding of integer values

TCP

  • Do not perform TCP MSS fixups on MD5-authenticated sessions

Web control pages

  • Minor tweaks to status pages
Built 2016-03-20
Older factory release
1.39.000 (Rufus)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.38.001 to Factory release 1.39.000

CLI

  • Add command output filtering capability to CLI (telnet and serial link)
  • Fix crash in CLI when default logging is set to console
  • The "show route" and "show routes" commands have been combined to avoid ambiguity; If '?' is used to output command details the command help info is displayed, unless all commands are listed

DHCP

  • DHCP relay/remote server logic
  • Tidy up DHCP logging messages
  • Tweak for FireBrick as a DHCP client working via DHCP Relay Agents

DNS

  • Timeout of long-latency replies from DNS servers was flawed.

Ethernet

  • LACP send and receive/status
  • LLDP send and receive/status
  • Port trunking options (with or without LACP)

IPsec

  • Minor change to help with diagnosis of occasional IKE crash
  • Avoid crash when clearing a NATed connection
  • Fix IKE crash when moving incoming connection to a config with no peer_id set
  • Fix occasional crash after prolonged use.

L2TP

  • Uplink speed control per connection
  • Change to way hashes are handled for session steering

LACP

  • Option to control the hashing used for trunking
  • Default LACP mode is passive for non trunked ports as some switches are strange

NTP

  • Better error logs for NTP / clock setting
  • Better NTP back off logic
  • Option for fast-retry for NTP until clock first set

PPP

  • Better timing of PPP LCP when using dummy auth (no authentication)

PPPoE

  • Tweak PPPoE Host-Uniq

Profiles

  • Change to profiles use of and/or/not so these are tested on the "interval" rather than being immediate in some cases

Routing

  • Adjust hash logic slightly

Web UI

  • Kill link on web view of L2TP sessions/tunnels
Built 2016-02-14
Older factory release
1.38.001 (Quantum)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.37.002 to Factory release 1.38.001

Ethernet

  • Don't log transmit queue full errors (txqfull) caused by physical port being down

IPsec

  • IPSec upgrades and restructure
  • Minor change to logging of IKE messages; fix crash on shutdown; suppress errors relating to multicast messages
  • Fix crash during rekeying when heavily loaded; fix possible crash during setup if routing changes; check ESP padding more thoroughly
  • Fix crashes caused by one-way packet drop when both peers have mode Immedaiate

VoIP

  • Fix cases where tones not generated correctly such as ring tones, etc.
  • Audio pass through correctly when ringing a group and one leg is providing early audio
  • Allow RTP to quote IP6 and ::ffff:x.x.x.x format and treat as IP4

VRRP

  • Correct issue with VRRP ARP replies in some cases
Built 2016-02-10
Older Beta release
1.38.000 (Quantum)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.37.002 to Beta release 1.38.000

Ethernet

  • Don't log transmit queue full errors (txqfull) caused by physical port being down

IPsec

  • IPSec upgrades and restructure
  • Minor change to logging of IKE messages; fix crash on shutdown; suppress errors relating to multicast messages
  • Fix crash during rekeying when heavily loaded; fix possible crash during setup if routing changes; check ESP padding more thoroughly

VoIP

  • Fix cases where tones not generated correctly such as ring tones, etc.
  • Audio pass through correctly when ringing a group and one leg is providing early audio
  • Allow RTP to quote IP6 and ::ffff:x.x.x.x format and treat as IP4

VRRP

  • Correct issue with VRRP ARP replies in some cases
Built 2016-01-14
Older factory release
1.37.002 (Paul)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.36.002 to Factory release 1.37.002

BGP

  • Handle blackhole routes better - having an ingress and egress tag for blackhole routes
  • BGP rule override of pad was not working
  • Extra debug

Config

  • Default user password generation now salted SHA256

Config editor

  • Better handling of messages when test saving config with errors
  • Turn off autocomplete on config editor as causing issues

DHCP

  • Tweak DHCP server to use chaddr field not source MAC
  • Tweak to DHCP to allow renew of IP where ARP shows MAC as matching either chaddr or source MAC of request
  • Improved algorithm for selecting which restricted IP pools apply
  • Added a bit of sanity check on DHCP renew/expiry values received
  • Change DHCP retry to restart back off at expiry
  • DHCP log of moving IPs between interfaces was crashing, fixed
  • Extra debug counters for DHCP client

DNS

  • Random DNS source port for additional security
  • Incorrect ARCOUNT in cached responses when EDNS0 request used
  • Possible race condition in DNS tracking

etun

  • ETUN was ignoring profile settings - fixed

Firewall

  • Allow match of "same network" by target-ip in 0.0.0.0/8-31, e.g. use 0.0.0.0/24 to match "same /24 as source IP". Same logic in reverse for source-ip check. Same logic for ::/32-127
  • Layout change on firewall check

Flash

  • Improve flash scheduling; should fix occasional "Bad end read" crashes.
  • Fix another flash scheduling problem causing occasional crashes

IPsec

  • Recognize repeated INIT requests
  • Modify MSCHAPv2 to be compatible with MS Windows
  • EAP MSCHAPv2 - return a new challenge after password failure, allowing interactive password reentry on Windows clients
  • Add workarounds to allow interworking with OpenIKED
  • Minor improvement to error response when there is no suitable proposal for the IKE SA
  • Fix possible panic on shutdown
  • Fix crash when certificate trust chain is incomplete
  • Improvements to certificate storage, including fix for possible crashes after updating certificates.

L2TP

  • Changed overload logic for unresponsive LNS to better handle when LNS is relayed/outgoing connections
  • RADIUS auth sends original tx speed, not adjusted, which fixes issues when multiple authentication done on same connection
  • Allow overwrite of existing User-Password in RADIUS auth response (for PAP and CHAP use on relayed tunnel connection)
  • Relayed tx speed in connect info now reflects speed as updated by RADIUS, not original.
  • Fatal tunnel sequence errors now close tunnel
  • Tweak not to send ZLB in reply to message if the message causes a reply to be sent anyway
  • Allow session to be marked blackhole routed ('D' filter)
  • Added debug logging for DOS detection to show pps
  • L2TP clearing of dead tunnels improved (some edge cases left tunnels never clearing)
  • Internal stats cache clear on L2TP session start
  • RADUIS Accounting to show Connect based on actual speed, not original L2TP speed
  • Show when routes suppressed in L2TP session status
  • Additional LCP control (data len) for screwy Samsung LACs that don't cope with zero len
  • Send LCP TERM ACK reply when closing

L2TP/PPP

  • Change to allow non auth incoming L2TP to send RADIUS to validate as a "dummy authentication"
  • Stall (no reply) IPCP / IPV6CP if waiting on RADIUS, as can happen for dummy auth
  • Better handling of proxied LCP negotiating no authentication

OSPF

  • Initial testing for new OSPF code

Ping

  • Ping diagnostics "loss" stats were including ICMP errors as well as correct responses

PPP

  • Allow PPP LCP to negotiate unauthenticated (LCP rejecting AUTH)
  • Don't do IPCP whilst waiting on RADIUS (relevant for null auth)
  • PAP Ack/Nak with zero message now sends zero message len not zero data
  • Checking proxy LCP now accepts stupid LACs that claim to neg longer PAP/CHAP LCP messages if they otherwise look OK

PPPoE

  • Tweak PPPoE client to change Host-Uniq as some systems misbehave if always the same
  • PPPoE was not authenticating, Fixed

Routing

  • Next hop feasibility checking failed to spot when an Ethernet next hop stopped answering ARPs
  • Next hop logging is now separate system log target

Stats

  • One-second CPU stats output is now synchronized to UTC time

Tunnels

  • Allow more than one etun tunnel to be defined, and allow etun over a usb ethernet port

VLAN

  • Fix VLAN tagging problem

VoIP

  • Fix missing resend of invite response if no ACK received, fixed
  • Changed handling of retries to sequence through SRV records
  • Tweak default nonce response on RADIUS auth challenged request to match automatic auth request

Web control pages

  • Status/Subnets now shows the interface headings

Web UI

  • Improve diagnostic if s/w upgrade fails
Built 2016-01-12
Older Beta release
1.37.001 (Paul)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Beta release 1.37.000 to Beta release 1.37.001

Config editor

  • Turn off autocomplete on config editor as causing issues
Built 2015-12-28
Older Beta release
1.37.000 (Paul)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.36.002 to Beta release 1.37.000

BGP

  • Handle blackhole routes better - having an ingress and egress tag for blackhole routes
  • BGP rule override of pad was not working
  • Extra debug

Config

  • Default user password generation now salted SHA256

Config editor

  • Better handling of messages when test saving config with errors

DHCP

  • Tweak DHCP server to use chaddr field not source MAC
  • Tweak to DHCP to allow renew of IP where ARP shows MAC as matching either chaddr or source MAC of request
  • Improved algorithm for selecting which restricted IP pools apply
  • Added a bit of sanity check on DHCP renew/expiry values received
  • Change DHCP retry to restart back off at expiry
  • DHCP log of moving IPs between interfaces was crashing, fixed
  • Extra debug counters for DHCP client

DNS

  • Random DNS source port for additional security
  • Incorrect ARCOUNT in cached responses when EDNS0 request used
  • Possible race condition in DNS tracking

etun

  • ETUN was ignoring profile settings - fixed

Firewall

  • Allow match of "same network" by target-ip in 0.0.0.0/8-31, e.g. use 0.0.0.0/24 to match "same /24 as source IP". Same logic in reverse for source-ip check. Same logic for ::/32-127
  • Layout change on firewall check

Flash

  • Improve flash scheduling; should fix occasional "Bad end read" crashes.
  • Fix another flash scheduling problem causing occasional crashes

IPsec

  • Recognize repeated INIT requests
  • Modify MSCHAPv2 to be compatible with MS Windows
  • EAP MSCHAPv2 - return a new challenge after password failure, allowing interactive password reentry on Windows clients
  • Add workarounds to allow interworking with OpenIKED
  • Minor improvement to error response when there is no suitable proposal for the IKE SA
  • Fix possible panic on shutdown
  • Fix crash when certificate trust chain is incomplete
  • Improvements to certificate storage, including fix for possible crashes after updating certificates.

L2TP

  • Changed overload logic for unresponsive LNS to better handle when LNS is relayed/outgoing connections
  • RADIUS auth sends original tx speed, not adjusted, which fixes issues when multiple authentication done on same connection
  • Allow overwrite of existing User-Password in RADIUS auth response (for PAP and CHAP use on relayed tunnel connection)
  • Relayed tx speed in connect info now reflects speed as updated by RADIUS, not original.
  • Fatal tunnel sequence errors now close tunnel
  • Tweak not to send ZLB in reply to message if the message causes a reply to be sent anyway
  • Allow session to be marked blackhole routed ('D' filter)
  • Added debug logging for DOS detection to show pps
  • L2TP clearing of dead tunnels improved (some edge cases left tunnels never clearing)
  • Internal stats cache clear on L2TP session start
  • RADUIS Accounting to show Connect based on actual speed, not original L2TP speed
  • Show when routes suppressed in L2TP session status
  • Additional LCP control (data len) for screwy Samsung LACs that don't cope with zero len
  • Send LCP TERM ACK reply when closing

L2TP/PPP

  • Change to allow non auth incoming L2TP to send RADIUS to validate as a "dummy authentication"
  • Stall (no reply) IPCP / IPV6CP if waiting on RADIUS, as can happen for dummy auth
  • Better handling of proxied LCP negotiating no authentication

OSPF

  • Initial testing for new OSPF code

Ping

  • Ping diagnostics "loss" stats were including ICMP errors as well as correct responses

PPP

  • Allow PPP LCP to negotiate unauthenticated (LCP rejecting AUTH)
  • Don't do IPCP whilst waiting on RADIUS (relevant for null auth)
  • PAP Ack/Nak with zero message now sends zero message len not zero data
  • Checking proxy LCP now accepts stupid LACs that claim to neg longer PAP/CHAP LCP messages if they otherwise look OK

PPPoE

  • Tweak PPPoE client to change Host-Uniq as some systems misbehave if always the same

Routing

  • Next hop feasibility checking failed to spot when an Ethernet next hop stopped answering ARPs
  • Next hop logging is now separate system log target

Stats

  • One-second CPU stats output is now synchronized to UTC time

Tunnels

  • Allow more than one etun tunnel to be defined, and allow etun over a usb ethernet port

VLAN

  • Fix VLAN tagging problem

VoIP

  • Fix missing resend of invite response if no ACK received, fixed
  • Changed handling of retries to sequence through SRV records
  • Tweak default nonce response on RADIUS auth challenged request to match automatic auth request

Web control pages

  • Status/Subnets now shows the interface headings

Web UI

  • Improve diagnostic if s/w upgrade fails
Built 2015-04-29
Older factory release
1.36.002 (Orlando)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.35.001 to Factory release 1.36.002

Authentication

  • Not upgrading passwords to SHA256+15, but to SHA1+3 so backwards compatible if code revertse

BGP

  • Replacement routes with different flags were treated as no change
  • Fix mis handling of ORIGINATOR ID when not sent
  • Tweak to remove non standard tie break logic in BGP code
  • Cluster ID, Custer List and Originator ID now only sent where source is IBGP

Config

  • Certificate management extended

CQM

  • Tweak URLs for images of graphs to allow for graphs that look like a URL and break some browsers
  • Change logic for adjusting shared shapers when hitting limits to favour unit dropping most packets more

Ethernet

  • Fix packet padding which leaked internal ethernet checksum in last 4 bytes (not harmful but confusing)

IPsec

  • Please change from manual keyed IPsec to IKE shared key as manual keying between bricks is deprecated
  • Manually keyed IPsec config migrated to new config format on upgrade - logs upgrade has taken place to fb-support which normally emails FireBrick team as use of manual keying is not recommended
  • Authentication using certificates added
  • EAP authentication introduced.
  • Logging messages improved. Minor bugfixes.
  • Roaming IP pool implementation complete. RoadWarrior access now possible.
  • Add MSChapV2 to EAP methods. Some minor bugfixes.
  • Improvements in ID processing; session lifetime now configurable; bugfixes
  • Allow dead peer detection period to be configurable
  • Allow EAP to work with iPhone (iOS8.1.3+); more logging; minor bugfixes.
  • Fix crash during system shutdown
  • Internal restructure of IKE to better support multiple sessions and clean reauthentication. Should also fix problems with graphing.
  • Fix crash following unexpected SPI detection
  • UI status shows allocated IP for roaming connections; algorithms now only displayed in detailed view
  • Fix possible crash when a profile state change occurs
  • Connections controlled by profile were occasionally starting when profile inactive
  • Unnecessary diagnostic causing crash in some circumstances removed
  • Add ability to respond to rekey requests; minor bug fixes.
  • Avoid unnecessary duplicate session startup
  • Move manually-keyed config element. WARNING: If you use manually-keyed IPsec connections this update will delete them. Save your config before update so you can re-enter the connection data.
  • Allow graph names to include peer's ID or IP address
  • Fix crash when establishing new session
  • Fix routing table problem on immediate mode IKE connections
  • Avoid child SPI reuse
  • Fix packet drops following reauthentication on immediate mode IKE connections
  • Fix occasional crash in connection setup when initiated remotely
  • Fix problem with NATing incoming roaming sessions when using non-default routing table
  • Fix crash when using IPv6 roaming pool
  • Allow (and prefer) prefixes DNS and EMAIL rather than DOMAIN, FQDN, MAILADDR or MAIL for IKE identities
  • Fix possible crash when closing a NATed connection
  • Add debug logging of IP allocations
  • Problems with reassigning pool IPs after abrupt device disconnect fixed; Treatment of ID prefixes improved (FQDN: now preferred to DNS:); Multiple DNS servers accepted in pool config; cert/profile script improvements

Logging

  • Logging of panic message was not working correctly - fixed.

Manual

  • Added some more IPsec doc and corrected some other minor typos in manual

Ping

  • Added ping stats on ping command line and web (was already in XML)
  • Web/command line ping stats showed wrong average

PPP

  • Tweak to try and handle case of CHAP final reply having been missed, and reprocess duplicate CHAP response

PPPoE

  • Fix source MTU for sending down PPPoE link

Routing

  • Diagnostics for routes shows reason for ordering

VoIP

  • Edge case causing outgoing registrations to fail if unexpected contact expiry sent back
  • Tweak handling of RADIUS based 302 response handling from telephones
  • More ring groups and users
  • Sending Authorization header with just username set where we have a username and no challenge yet
  • Handle receipt of Authorisation with username and no response to match against carriers for incoming invites
  • Improved screen=yes/no handling where incoming has screen set, or is from untrusted cli source
  • No longer expecting SIP replies from same IP as some forwarding/NAT sends from different IP
  • New cascading group logic for out of hours
  • ACCESS_CHALLENGE response was not properly generating the authentication request
  • Cleaned up carrier matching logic and documentation
  • Allow Authorization/username to find telephone user if not matched on to address
  • Allow Authorization/username to find carrier when carrier is not configured with to address

Web UI

  • Ticking the check box for an optional multiple select input (set) with one member pre-sets the only member as selected
Built 2015-04-27
Older Beta release
1.36.001 (Orlando)
Config:XSD Doc
Manual:PDF HTML

Release notes from Beta release 1.36.000 to Beta release 1.36.001

IPsec

  • Please change from manual keyed IPsec to IKE shared key as manual keying between bricks is deprecated
  • Add debug logging of IP allocations
  • Problems with reassigning pool IPs after abrupt device disconnect fixed; Treatment of ID prefixes improved (FQDN: now preferred to DNS:); Multiple DNS servers accepted in pool config; cert/profile script improvements
  • Minor manual changes
Built 2015-04-25
Older Beta release
1.36.000 (Orlando)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.35.001 to Beta release 1.36.000

Authentication

  • Not upgrading passwords to SHA256+15, but to SHA1+3 so backwards compatible if code revertse

BGP

  • Replacement routes with different flags were treated as no change
  • Fix mis handling of ORIGINATOR ID when not sent
  • Tweak to remove non standard tie break logic in BGP code
  • Cluster ID, Custer List and Originator ID now only sent where source is IBGP

Config

  • Certificate management extended

CQM

  • Tweak URLs for images of graphs to allow for graphs that look like a URL and break some browsers
  • Change logic for adjusting shared shapers when hitting limits to favour unit dropping most packets more

Ethernet

  • Fix packet padding which leaked internal ethernet checksum in last 4 bytes (not harmful but confusing)

IPsec

  • Authentication using certificates added
  • EAP authentication introduced.
  • Logging messages improved. Minor bugfixes.
  • Roaming IP pool implementation complete. RoadWarrior access now possible.
  • Add MSChapV2 to EAP methods. Some minor bugfixes.
  • Improvements in ID processing; session lifetime now configurable; bugfixes
  • Allow dead peer detection period to be configurable
  • Allow EAP to work with iPhone (iOS8.1.3+); more logging; minor bugfixes.
  • Fix crash during system shutdown
  • Internal restructure of IKE to better support multiple sessions and clean reauthentication. Should also fix problems with graphing.
  • Fix crash following unexpected SPI detection
  • UI status shows allocated IP for roaming connections; algorithms now only displayed in detailed view
  • Fix possible crash when a profile state change occurs
  • Connections controlled by profile were occasionally starting when profile inactive
  • Unnecessary diagnostic causing crash in some circumstances removed
  • Add ability to respond to rekey requests; minor bug fixes.
  • Avoid unnecessary duplicate session startup
  • Move manually-keyed config element. WARNING: If you use manually-keyed IPsec connections this update will delete them. Save your config before update so you can re-enter the connection data.
  • Allow graph names to include peer's ID or IP address
  • Fix crash when establishing new session
  • Fix routing table problem on immediate mode IKE connections
  • Avoid child SPI reuse
  • Fix packet drops following reauthentication on immediate mode IKE connections
  • Fix occasional crash in connection setup when initiated remotely
  • Fix problem with NATing incoming roaming sessions when using non-default routing table
  • Fix crash when using IPv6 roaming pool
  • Allow (and prefer) prefixes DNS and EMAIL rather than DOMAIN, FQDN, MAILADDR or MAIL for IKE identities
  • Fix possible crash when closing a NATed connection

Logging

  • Logging of panic message was not working correctly - fixed.

Manual

  • Added some more IPsec doc and corrected some other minor typos in manual

Ping

  • Added ping stats on ping command line and web (was already in XML)
  • Web/command line ping stats showed wrong average

PPP

  • Tweak to try and handle case of CHAP final reply having been missed, and reprocess duplicate CHAP response

PPPoE

  • Fix source MTU for sending down PPPoE link

Routing

  • Diagnostics for routes shows reason for ordering

VoIP

  • Edge case causing outgoing registrations to fail if unexpected contact expiry sent back
  • Tweak handling of RADIUS based 302 response handling from telephones
  • More ring groups and users
  • Sending Authorization header with just username set where we have a username and no challenge yet
  • Handle receipt of Authorisation with username and no response to match against carriers for incoming invites
  • Improved screen=yes/no handling where incoming has screen set, or is from untrusted cli source
  • No longer expecting SIP replies from same IP as some forwarding/NAT sends from different IP
  • New cascading group logic for out of hours
  • ACCESS_CHALLENGE response was not properly generating the authentication request
  • Cleaned up carrier matching logic and documentation
  • Allow Authorization/username to find telephone user if not matched on to address
  • Allow Authorization/username to find carrier when carrier is not configured with to address

Web UI

  • Ticking the check box for an optional multiple select input (set) with one member pre-sets the only member as selected
Built 2014-12-03
Older factory release
1.35.001 (Nestor)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.34.001 to Factory release 1.35.001

BGP

  • Added import-filters and export-filters and named bgp rules to config
  • Less agressive retry on BGP in some cases such as TCP connect failure
  • Improved BGP status
  • Withdraw of non existent route may cause parent route to be mistakenly withdrawn

Config

  • Check each interface has a unique port/vlan setting. Invalid configs will still load on bootup but must be corrected before resaving.
  • Storage and management of certificates and keys added (cannot be used effectively yet).

DHCP

  • Improved DHCP clear command and added link to clear all old DHCP

Firewall

  • Removed experimental EUI64 mapping (de-privacy IPv6 addressing) feature

Profiles

  • Added setting for expected (good) state of a profile, showing as green in status if expected, and listed unexpected on home page
  • Added profile to fixed ping graph config, and made ping on interface subject to interface profile
  • Control switches no long show by default on NOBODY level users or those without full config access unless specifically listed in the control switch users

TCP

  • Fix TCP session stalling on large fast transfers

VoIP

  • Fix handling of 3XX SIP response from carriers
  • Fix sending of 3XX SIP status on RADIUS response

Web control pages

  • Added "add" to home page links list as order matters
  • Changed list of radius steering settings to show "ip" in list as important field
Built 2014-12-03
Older Beta release
1.35.000 (Nestor)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.34.001 to Beta release 1.35.000

BGP

  • Added import-filters and export-filters and named bgp rules to config
  • Less agressive retry on BGP in some cases such as TCP connect failure
  • Improved BGP status
  • Withdraw of non existent route may cause parent route to be mistakenly withdrawn

Config

  • Check each interface has a unique port/vlan setting. Invalid configs will still load on bootup but must be corrected before resaving.
  • Storage and management of certificates and keys added (cannot be used effectively yet).

DHCP

  • Improved DHCP clear command and added link to clear all old DHCP

Firewall

  • Removed experimental EUI64 mapping (de-privacy IPv6 addressing) feature

Profiles

  • Added setting for expected (good) state of a profile, showing as green in status if expected, and listed unexpected on home page
  • Added profile to fixed ping graph config, and made ping on interface subject to interface profile
  • Control switches no long show by default on NOBODY level users or those without full config access unless specifically listed in the control switch users

TCP

  • Fix TCP session stalling on large fast transfers

VoIP

  • Fix handling of 3XX SIP response from carriers
  • Fix sending of 3XX SIP status on RADIUS response

Web control pages

  • Added "add" to home page links list as order matters
  • Changed list of radius steering settings to show "ip" in list as important field
Built 2014-10-27
Older factory release
1.34.001 (Mercury)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.33.000 to Factory release 1.34.001

BGP

  • Route show lists exports via BGP peers
  • Better change detect on BGP config changes and better logging of changes causing BGP restart

CQM

  • Updated graph names to 40 characters max, and allow colon in graph name

Firewall/CQM

  • Change to allow graphs based on source IP
  • Changed MAC based graph names to include colons

Flash

  • Avoid watchdog during flash write when CPU is busy

Internal

  • Improve scheduling control when CPU is busy

L2TP

  • L2TP/RADIUS not trying second choice when first is blacklisted

Logging

  • Detect closed browser window, and close TCP session, when displaying log

PPPoE

  • Tweak to PPPoE startup sequence

Routing

  • Better next hop change detect logic (less trigger happy on config changes)

TCP

  • Add status display for TCP sessions (debug level users)
  • Correct connection timeout detection for rare corner cases. Improve TCP status display.
  • Add buffered data counts to TCP status display
  • Add window sizes to TCP status display
  • Fix TCP session hangs caused by packet drops in uncommon situations
  • Add TCP SYN cookie handling to mitigate SYN flooding

VoIP

  • Improved some VoIP error codes, fewer 500's and better logging of cause of errors
  • Added compact headers for Refer-To and Event
Built 2014-10-24
Older Beta release
1.34.000 (Mercury)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Beta release 1.33.010 to Beta release 1.34.000

BGP

  • Better change detect on BGP config changes and better logging of changes causing BGP restart

Logging

  • Detect closed browser window, and close TCP session, when displaying log

Routing

  • Better next hop change detect logic (less trigger happy on config changes)

TCP

  • Add status display for TCP sessions (debug level users)
  • Correct connection timeout detection for rare corner cases. Improve TCP status display.
  • Add buffered data counts to TCP status display
  • Add window sizes to TCP status display
  • Fix TCP session hangs caused by packet drops in uncommon situations
  • Add TCP SYN cookie handling to mitigate SYN flooding
Built 2014-10-17
Older Beta release
1.33.010 (Lucifer)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.33.000 to Beta release 1.33.010

BGP

  • Route show lists exports via BGP peers

CQM

  • Updated graph names to 40 characters max, and allow colon in graph name

Firewall/CQM

  • Change to allow graphs based on source IP
  • Changed MAC based graph names to include colons

Flash

  • Avoid watchdog during flash write when CPU is busy

Internal

  • Improve scheduling control when CPU is busy

L2TP

  • L2TP/RADIUS not trying second choice when first is blacklisted

VoIP

  • Improved some VoIP error codes, fewer 500's and better logging of cause of errors
  • Added compact headers for Refer-To and Event
Built 2014-10-09
Older factory release
1.33.000 (Lucifer)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.32.000 to Factory release 1.33.000

BGP

  • Delay BGP announce until FIB update started for route in question to minimise black holes
  • Further work deferring BGP announce until routes in FIB
  • Faster BGP withdrawal
  • BGP export stats to count "default" when send-default is set
  • Change of send-default restarts BGP session
  • Change of send-no-routes correctly withdraws routes, no session restart
  • Change to use-vrrp-as-self now correctly re-announces the changed next hop
  • Possibly trigger happy BGP keep alive check when lots of peers, fixed
  • Balance load better on rx traffic between peers

DHCP

  • DHCP server now does not send default router, subnet, lease, renew, syslog, timed, ntpd, domain, domain-search, if there are manually configured response attributes for these
  • DHCP server no longer no longer sends "name" attribute as host-name (12). Configure as an extra string attribute if required

Diagnostics

  • Showing routes was truncating if too many routes - buffer size increased

Firewall

  • Longer default start-delay on firewall rules (1 min)

General

  • Better logging to flash of source of s/w load or reboot commands

Internal

  • Adjust buffer pool sizes and thresholds to avoid buffer depletion
  • More buffer count stats added to TCP

PPP

  • Tweak to avoid resend of CHAP response to challenge if LCP restarted

Routing

  • Avoid route updates hogging all CPU

TCP

  • Improved congestion control and loss recovery
  • Fix problem with TCP window calculation causing buffer overload

TCP/BGP

  • Avoid BGP sessions being aborted by TCP if buffers run out

VoIP

  • Handling inbound RFC based DTMF mixed with audio (non DTMF) at the same time (e.g. gigaset)

VRRP

  • Delay VRRP startup while route updates pending
  • Longer startup (uses configured delay when routes are updating)
Built 2014-09-17
Older factory release
1.32.000 (Klingsor)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.31.000 to Factory release 1.32.000

BGP

  • Making BGP keep-alives higher priority, in case of really heavy BGP load
  • Fix race condition allowing BGP peer to vanish in rare conditions
  • Improved BGP shutdown sequence announces lower priority before withdrawing routes on shutdown
  • Shortened the BGP shutdown so it does not send the clears after the low-priority
  • Added configuration of BGP shutdown logic

Ethernet

  • Add new Ethernet DoS-detection parameters to config

General

  • Several minor internal changes that should improve stability

Internal

  • OS Stream and TCP restructure

IPsec

  • Peer IP added to log messages

L2TP

  • Fix for NAT via outgoing L2TP connection
  • Crash if too many graphs created with L2TP
  • RADIUS L2TP Relay for steering was sending zero length Proxy-State with is not value
  • Outgoing tunnel did not come up / go down on profile change

Logging

  • External syslog now only includes general system log messages if specifically configured to do so
  • Fixed issue with logging causing occasional bad buffer address panics
  • Improve logging efficiency and avoid dropped log messages
  • Fixed http logging of graph URLs

PPP

  • PPP challenge response resend on no accept/reject response

Routing

  • Path/community fixed settings in routing config with multiple IPs listed caused error on memory allocation
  • Improved checking for route loops

TCP

  • Tidy TCP MSS handling. Allow minimum MSS to be as low as 200.
  • Further TCP stack enhancements
  • Fix windowing problem - possibly causing slow transfers
  • Send window updates more often - improves BGP performance

VoIP

  • Fix use of backup carrier which may have been calling in parallel
  • Added routing table on Tx/Rx log lines
  • Fix for working on routing tables other than zero
  • Changed contact style in outbound registrations, uses IP literal now and no extra attributes on end
  • Add profile to list of carriers in config

VRRP

  • Fix bug in vrrp shutdown that was slowing down other shutdown processes

Web UI

  • Show current stack usage as well as HWM in thread stats
Built 2014-08-08
Older factory release
1.31.000 (Janus)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.30.001 to Factory release 1.31.000

  • URLs fetched from the FireBrick for any reason now handle IP literals.
  • Option for URL to GET before a controlled reboot - mainly to warn nagios

DHCP

  • Minor tweaks to make NAK meet later RFCs

DNS

  • DNS fallback (default on) allows use of other tables for local lookups within the firebrick

Ethernet

  • Increased MTU to around 4k

Firewall

  • Interface option to map IPv6 source address to one based on EUI64 from MAC

Internal

  • Increase stack sizes and make route loop counter an error counter

IPsec

  • IPsec status display now shows algorithms in use

L2TP

  • Fix for steering RADIUS response - was causing RADIUS to lock up totally
  • RADIUS options to control long term shapers for L2TP sessions

Logging

  • Avoid crash when displaying logging using CLI
  • Fix crash when displaying logs using colours

TCP

  • Ongoing TCP improvements. Minor functional changes - mod to initial MSS calculation; TIME-WAIT time reduced.
  • TCP restructuring to prepare for enhancements. Includes fix for failure to resend lost SYN introduced recently.
  • Fix failure to send MSS option with SYN

VoIP

  • Tweak to handle possible overrun on SIP messages
  • Audio recording has DTMF in audio even if it arrives and is relayed as telephone events.
  • Allow wildcard contact in deregistration
  • Now sending periodic invite responses when trying/ringing/progress.
  • Send call progress 183 once we have started connecting a call and 3 seconds have passed even if far side still at trying stage
  • Accept privacy=no as well as the standard privacy=off in Remote-Party-ID to interwork with splicecom
  • Not sending ACK to contact found in 4xx response
  • Logging for VoIP messages relating to "calls" now includes REFER
  • Fix response to REFER (was 404 not 200) when non RADIUS working
  • Early call progress (at 3 seconds) now a configurable setting (default on)
  • Option to send SIP headers in long version rather than compact version
  • Tweak to ACK sending when response via proxy with Record-Route
  • Additional nonce checking for replay attacks
  • Nonce check on response even when using RADIUS (unless RADIUS did challenge)
  • Tweak to handling of expiry on registrations
  • Tweak nonce check - if no nonce, allow RADIUS auth to decide if to allow. Still checks nonce valid if present.
  • Tweak initial 100 Trying response when waiting for RADIUS
  • Avoid resend of INVITE after cancelled at 100 Trying, and not received 487 (i.e. ignore lack of 487) to avoid phantom calls
  • Internal change to handling of incomplete responses to VoIP requests
  • Initial 100 Trying waiting on RADIUS no longer tries to tag To: line as not establishing a dialogue (so, as per RFC).
  • Addition log to log-sip-call to record linkage of call-ids

Web control pages

  • Latest safari adds xmlns attributes on every element for no apparent reason, was breaking web config edit. Worked around
Built 2014-06-03
Older factory release
1.30.001 (Icarus)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.29.000 to Factory release 1.30.001

  • Release candidate

Config

  • Fix profile "traffic lights" in config edit (did not change state on some browsers)

Config editor

  • Minor typos in config edit

Diagnostics

  • Ping and Traceroute no accessible using GET as well as POST. GET assumes XML output
  • Fixed crash when more than one ping or traceroute diagnostic was run concurrently

DNS

  • DNS resolution and caching is now routing table specific
  • DNS fallback option - for incoming requests if no server in required routing table relay to any DNS available - default true

L2TP

  • Fix for race condition in RADIUS/L2TP causing crash

Logging

  • New log-config setting in system to specifically log config changes

Ping

  • Added ping stats to XML for ping/traceroute

PPPoE

  • IPv4 local end would "stick" if changed from having IPv4 to not (i.e. IPv6 only)

Profiles

  • Slight change to control switch graphic
  • A new control switch profile will now start with the initial value.
  • Control switches can now use and/or/not logic to enable them to be set or reset by other profile changes.

RADIUS

  • Fix race condition

VoIP

  • Added source ip option to bulk voip carrier config
  • Added default source IPv4/6 for sending potentially authenticated SIP messages
  • Added default source IPv4/6
  • Better handling for failed calls where auth required and none available. Was continually retrying.
  • Fix for RADIUS based REGISTER check where expires is on contact not its own header
  • Handling missing contact in ACK
  • Handle repeat failed auth on INVITE
  • Limit retries on final BYE or CANCEL if unable to send
  • Added direct URI for telephone user (called in addition to registered contacts)
  • Corrected in-band DTMF generation logic, previously intermittent
  • Added option for outgoing registrations to use a wildcard domain instead of a line= attribute
  • Added some initial SNMP stats for VoIP (number of call legs and RADIUS based incoming registrations)

Web control pages

  • Link to see DNS server details on IPv6 was broken URL on some browsers
  • Minor change to control switch profile images to help colour blind users
Built 2014-05-31
Older Beta release
1.30.000 (Icarus)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.29.000 to Beta release 1.30.000

  • Release candidate

Config

  • Fix profile "traffic lights" in config edit (did not change state on some browsers)

Config editor

  • Minor typos in config edit

Diagnostics

  • Ping and Traceroute no accessible using GET as well as POST. GET assumes XML output
  • Fixed crash when more than one ping or traceroute diagnostic was run concurrently

DNS

  • DNS resolution and caching is now routing table specific

L2TP

  • Fix for race condition in RADIUS/L2TP causing crash

Logging

  • New log-config setting in system to specifically log config changes

Ping

  • Added ping stats to XML for ping/traceroute

Profiles

  • Slight change to control switch graphic
  • A new control switch profile will now start with the initial value.
  • Control switches can now use and/or/not logic to enable them to be set or reset by other profile changes.

RADIUS

  • Fix race condition

VoIP

  • Added source ip option to bulk voip carrier config
  • Added default source IPv4/6 for sending potentially authenticated SIP messages
  • Added default source IPv4/6
  • Better handling for failed calls where auth required and none available. Was continually retrying.
  • Fix for RADIUS based REGISTER check where expires is on contact not its own header
  • Handling missing contact in ACK
  • Handle repeat failed auth on INVITE
  • Limit retries on final BYE or CANCEL if unable to send
  • Added direct URI for telephone user (called in addition to registered contacts)
  • Corrected in-band DTMF generation logic, previously intermittent
  • Added option for outgoing registrations to use a wildcard domain instead of a line= attribute
  • Added some initial SNMP stats for VoIP (number of call legs and RADIUS based incoming registrations)
Built 2014-04-03
Older factory release
1.29.000 (Hendra)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.28.000 to Factory release 1.29.000

  • Release candidate for testing

Authentication

  • Added manual section on OTP

DHCP

  • Subnet list shows pending DHCP client subnets
  • Typo in DHCP logs

DNS

  • Min nxdomain of 10 seconds now

FB105

  • Log (rather than crash) if a badly fragmented 105 tunnel packet is received

Firewall

  • Some cases of setting multiple aspects of a session in one go did not force a re-evaluation of target route for new IP so could affect other tests and NAt checks

Internal

  • Increase ethernet transmit max queue size to avoid packet drops during bursty transmissions.

IPsec

  • Support all crypto key lengths when using manual keying. Avoid crash when IPsec is under heavy load.

L2TP

  • Added Proxy-State on session steering RADIUS requests
  • Added control of reply hostname on incoming L2TP connection
  • Added default hostname (system name) on outgoing L2TP connections

NAT

  • New chapter/section covering Network Address Translation

PPPoE

  • PPPoE server (BRAS) handling of standard GEA Agent Remote ID and Circuit ID as called/calling and downstream speed setting
  • PPPoE handling gerenal VLAN tagging
  • Added text NAS-Port to RADIUS when using PPPoE "port{:vlan}/MAC"
  • PPPoE did not handle VLAN priority tagging on inbound packets
  • Some extra debug of unexpected PPPoE messages or fields

Profiles

  • Profiles can now test an ethernet port status

RADIUS

  • New section of manual explaining RADIUS client settings and timeouts

Routing

  • New source-filter-table setting on interfaces to allow separate source filtering lists to be managed using routing tables

SNMP

  • Updated manual to include FireBrick specific SNMP in appendix

TCP

  • Add debug logging for aborted TCP sessions; avoid tcp timeout control upsetting TIMED_WAIT state.

VoIP

  • Additional beep option for where "Record" button is used on snom phones
  • Extra debug on call states
  • Dynamic carriers existing would lose some non dynamic carriers on config load, fixed
  • Fix shutdown delay
  • Added option for controlling CLI format to telephones
  • Added config for tones when no media for calls to a carrier
  • Was sending invalid Via header for IPv6
  • Picking up correct expiry when less than requested on outbound registrations but not sent Expires header (e.g. sipgate)
  • Fixed possible crash on malformed SIP message
  • Tweak to allow call steal from your own number, i.e. when multiple registered devices
  • Adde option to re-map 404 error to a carrier
  • Faster, and more concurrent outbound registrations - better handling of registration changes
  • Fix for mixed sample size call recording (e.g. when 10ms one way and 20ms other)
  • 415 unsuppported media response to reinvite with unknown media
  • Possible stuck outgoing registrations fix
  • Tweak to allow radius based SIP target to control domain on From header
  • Added available buffer check on call set up
  • Added additional named tones to defaults
  • Changed auto registrations to use same realm in From as in To
  • Sending RADIUS response for CLI of "Allowed" was not unsetting withheld flag
  • CLI handling tweak
  • Loading new register URL list clears proxy (from redirect) on change of config

Web UI

  • Fix broken XML links in system status pages
  • Add memory block usage to system status memory page (alpha releases only)
Built 2014-01-09
Older factory release
1.28.000 (Gordius)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.27.001 to Factory release 1.28.000

Bonding

  • Minor change to bonding to minimize packet reordering on arrival

Config

  • Removed profile from port groups as not used
  • Replaced shutdown with profile on ethernet control settings
  • Added "Test" option to config save to automatically revert if not properly saved within 5 minutes.

DHCP

  • Added domain-search attribute, as it is specially coded

Diagnostics

  • Temporary diagnostics added for tracking down odd problems

Firewall

  • Load sharing (on route override and session tracking rules) now allows sharing to be based on hash of IPs rather than random

Internal

  • Introduce new flash driver - currently for alpha builds only

IPsec

  • Fix problem with local-ip not always taking effect.
  • Fix crashes associated with NAT keepalives when sessions close
  • Fix IPsec crash during session init when repeat message received
  • Fix another IPsec corner case causing panic when IKE packets are dropped/repeated

L2TP

  • Added option to allow relay RADIUS auth reply to specify relay to another RADIUS server for auth or session steering.
  • Further minor tweak to bonding to improve re-order issues
  • Adjusted L2TP to drop routes before sending accounting RADIUS

LEDs

  • Knightrider pattern (displayed when no ports connected) was running too slowly

Logging

  • Improve flash log replay at system startup. Should fix problem with non-detection and emailing of panic logs.
  • Fix problem causing non-detection of panic message at system startup

Pcap

  • pcap web interface allowing multiple select interfaces to match underlying capabilities

VoIP

  • Changed aggregate call status handling to just be highest status, and removed group values
  • Adjust to pick first priority on SRV even when DNS not cached (was falling back in such cases)
  • Added de-registration on removal of carrier and on reboot
  • Adjusted max-calls to a telephone to test before calling all registered devices, so they all get calls rather than only some when limited
  • Edge case could mean incorrect count of dynamic VoIP registrations
  • Minor tweak for RADIUS call leg log accounting - seemed to miss some STOP records.
  • Imrpoved log for ICMP error
Built 2013-11-05
Older factory release
1.27.001 (Fidelio)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.27.000 to Factory release 1.27.001

PPPoE

  • PPPoE shows uptime

VoIP

  • Added max time limit on call establishing (e.g. ringing forever not allowed), 5 min default
  • Edge case where VoIP would not send if fixed source address specified in some cases, typically IPv6
Built 2013-10-31
Older factory release
1.27.000 (Fidelio)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.26.010 to Factory release 1.27.000

Authentication

  • Allow more than one OTP with same key if different serial number

BGP

  • Corrected BGP OPEN message handling to ignore unrecognised capability advertisements
  • Additional peer level import-tag to add communities to all imported routes
  • Additional test for community not present in BGP rules
  • Additional community tagging on network statement
  • Fixed display of NETWORK route to show BGP attributes
  • Fixed as-path in NETWORK routes, was not being set
  • Added as-path and tag to loopback
  • Updated BGP decision process to handle differenciation of route reflectors
  • Added addition info in show route for RR
  • Fix show bgp routes command (was crashing)
  • Added command to refresh outgoing routes on a BGP session
  • Stopped sending additional withdraw for routes during BGP session startup
  • Fix locally generated community tags on network and loopback (was dropping last tag)
  • Added tag and as-path to blackhole and nowhere
  • BGP status shows count of exported routes as well as imported
  • Re-sends announced routes on some BGP config changes, rather than restarting BGP session
  • The send-default option sets no-export community on the default route that is sent

Config editor

  • Tidy some help text on web config

DHCP

  • Allow allocated IP on one interface to move to another valid interface for that IP for same device if no other IPs available
  • Simpler DHCP options for vendor specific (43) options

DNS

  • Change to DNS server load balancing and timeout logic
  • Status of DNS servers now on web config pages

Firewall

  • Special startup delay on generating bad sessions and rejects from incoming traffic to allow outgoing sessions to re-establish (when not using NAT)

IP

  • Better handling of UDP port allocation clashes
  • UDP/TCP port binding counters added to one second stats

IPsec

  • IKEv2 support for IPsec added. Not yet fully implemented
  • Added UI status page; fixed problem with rekeying
  • Fixed IPsec i/f not always showing in firewall UI i/f lists. Fixed crash when turning profile off.
  • Added support for SHA256; further stability improvements.
  • Fixed routing problem
  • Improve IPsec UI status page and other minor changes. Note for manually-configured connections the config item "ipsec" has been changed to "ipsec-manual".
  • Further improvements and tidying up.
  • Correct problems with UI status and graph display
  • Fixed NAT problem
  • Fixed dropping of initial packets on on-demand connections.

L2TP

  • Adjust matching L2TP incoming config on config load based on name attribute

Logging

  • Detect failure to connect to mailserver
  • Improved route check for syslog targets to allow for NOWHERE and other silly targets to be skipped, also improved logging

PPPoE

  • Edge case where removing PPPoE from config could cause a crash
  • Fast-retry option on PPPoE

Product

  • Introduce ETUN tunnelling on fully-loaded 2x00 models

Profiles

  • Changed control-switches to use comment on screen not name

RADIUS

  • Adjusted RADIUS timeout handling
  • Fixed show radius [ip] command

s/w upgrade

  • Improve error message if auto s/w or capability upload fails

SNMP

  • Fix very slow SNMP responses when collecting switch stats

TCP

  • Fix leak in TCP port allocation when sending log emails or downloading URLs

VoIP

  • Fix for routing SIP to IPV6 on 2002::/16 address space
  • Additional steps to avoid looped RTP causing a crash
  • Tweak for handling of bad ACK responses on incoming reinvites on outgoing calls
  • Fix leak in UDP port allocation used, causing VoIP to eventually stop working after around 31000 calls
  • Better logging for RTP port allocation errors
  • Tweak for case where VoIP runs out of ports or too many calls
  • Better handling of ring group progress when some phones are busy or not registered.
  • Possible crash when viewing dynamic registrations
  • Edge case where call ID can be re-used
  • Added a ringall_time to VoIP groups to force ringing all phones after a certain time
  • Added separate initial progress time for cascading calls in ring groups
  • Adjust call progress on group to be quicker where a called target fails, rather than waiting progress time anyway
  • Added option not to zap the display name when anonymous calls sent to phones, sends the withhold prefix as number instead. Per phone setting
  • Possible crash if configured with black proxy
  • Added "age" column to VoIP status for phones showing reference for order="oldest"
  • Changed call-id

VRRP

  • VRRP status shows the MAC in use

Web control pages

  • Colour coded state on web list for PPPoE and RADIUS
  • Config edit better handling cases where option in pull down is no longer valid (e.g. deleted profile still referenced)
  • Fixed DHCP status name setting feature
  • Improve error message on s/w upload page
  • Minor layout improvements on login, home and status pages
  • Minor improvement to status page and UI config edit tunnels page

XML config

  • Changed some names to be xsd type NMTOKEN not string, so removing spaces - it is possible some configs with names only differentiated by spaces may not load correctly
Built 2013-07-24
Older factory release
1.26.010 (Enigmatist)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.26.000 to Factory release 1.26.010

Config

  • Made local-only optional again and default true for http services

FB105

  • FB105 tunnels with non-default port setting were not working.

Profiles

  • Converting a profile to a control-switch now sets control-switch to previous profile state when config loaded

VoIP

  • Better handling of sip:user:pass@host syntax if pass contains unescaped @ symbol
Built 2013-07-18
Older factory release
1.26.000 (Enigmatist)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.25.101 to Factory release 1.26.000

ARP

  • Change to respond to requests that are normally considered an invalid/broken configuration (seen from sharedband bonding kit)

CLI

  • ping and traceroute commands no longer need =true when specifying dontfrag or xml
  • Spacing of columnated output improved

Config

  • Allow colon, dot or hyphen inter byte punctuation in HEX in config

CQM

  • Changed to hash used for extra long graph names

DHCP

  • Fix DHCP allocation error when using 0.0.0.0/0 with multiple subnets available

Diagnostics

  • Ping and Traceroute diagnostics now have a "Don't fragment" option (for IPv4)
  • Max ping payload adjusted to ensure reply from ethernet will be accepted

Ethernet

  • Ethernet MTU/MRU max increased to 2000 bytes (default is still 1500).

FB105

  • Minor improvement to config change mechanism
  • Added experimental split latency bonding feature to FB105 tunnels for satellite link testing
  • Fixed excessive debug logging of bogus FB105 packets

Firewall

  • MAC based shaper/graphs as option in firewall rules, aimed at WiFi management
  • Added check on source MAC in rules

Internal

  • Minor performance enhancements.

L2TP

  • Added logging in L2TP for DHCPv6 allocation
  • Updated manual pages for L2TP operation as an ISP
  • Fix missing session closing stats in some cases

Logging

  • Fixed buffer overrun issue when very long syslog messages

Manual

  • Additional work on manual - note several sections removed from FireBrick web site as they are now in the manuals with each s/w release

Profiles

  • Option for profiles based on a simple switch on home page

RADIUS

  • Added RADIUS timeout scaling factor

Sessions

  • Fixed problem causing crashes or garbled output when session table display timed out or was interrupted

TCP

  • Fixed problem with generating reset packets

VoIP

  • Changes to CDR layout, see manual.
  • Slight change to SDP to keep CISCO handsets happy.
  • Early media sometimes passing multiple call's media to caller on ringing multiple targets
  • Adjust target IP of ACK to match responded invite if no contact in response being ACKed
  • RADIUS delayed calls were moved forward if there were any delayed calls even if existing calls were still trying
  • Not always passing ringing media.
  • Adjusted RADIUS registration so that not sending back a called number causes a sensible reply but not recording the actual registration state
  • Added User-Agent sent as Class on RADIUS
  • Added addition fields to RADIUS authentication (Call-ID)
  • Corrected SIP_AOR RADIUS to full contact URI not just local part in auth request
  • RADIUS call to sip: target default inheriting display name from caller
  • Change to DTMF and tone generation where an underlying tone is also being generated
  • Adjusted "Called number" on RADIUS auth to be the request URI not "To" field
  • Wrap up time not considered if not actually set (edge case of multiple registered phones tripping it)
  • Added control of domain used on outbound SIP calls
  • Made "To" setting on carrier in to a list
  • Local phones with no configured DDI were not registering correctly.
  • Avoiding radical RTP sequence steps after calls placed on hold.
  • Carrier setting to pass on hold state
  • Tweak re-invites where additional Record-Route headers are causing problems
  • Added contact in re-invite response
  • Adjusted re-invite handling slightly
  • Adjusted handling of Refer-To to be more correct and now work with CISCOs
  • Call clearing race condition if cleared before ACK received
  • Corrected audio sequence/ts sync adjustment, especially where DTMF events processed
  • Allow longer CDR user field (up to 255 characters)
  • Looped RTP (i.e. giving our details as RTP endpoint back to us) could cause a crash
  • Edge case if set up via RADIUS only to make delayed calls then advance to first of those calls at start
  • Decrement Max-Forwards when relaying on an outgoing call to stop loops, even though we are not actually a proxy
  • Changed User-Agent to report version number and added configuration option
  • Option to disable the recording start beep
  • Clarified use of RADIUS fields for URI, To: and From: on authentication requests
  • Faster clearing of call recording to avoid 3 seconds of silence one the end
  • Small memory leak in multiple recorded call legs
  • Call status was not always showing the recording leg
  • Changed logging options to specifically control SIP traces
  • Adjusted retry timing on DNS and related VoIP operations
  • Allow 'X' in extn for incoming calls via carrier, for SIP -trunk use
  • Fix sip:user:pass@host syntax
  • Added support for asterisk style sip:user:pass@host/number
  • Allowed list of extn and ddi on group config
  • Added emergency-uri to allow for emergency calls via configured URI
  • Added default carrier setting
  • Added carrier setting for ring groups for external numbers connected to the group
  • Change layout on web config for VoIP users, groups, carriers, etc.
  • Corrected logging to use sip-other for OPTIONS, etc. Was going to sip-register
  • Made OPTIONS not respond, or challenge of external user matches, when in PABX mode so sipvicious does not find PABXs
  • Added option for backup carrier
  • Minor adjustments to pass through of calling/called number on calls including withheld status
  • Race condition on tone generation that could cause a crash
  • Changed port numbers to be prefixed : not # in logs.
  • Corrected logging of NAT subscriptions records over reboot
  • Tweak to challenges on VoIP, and added option for RADIUS to return stale status
  • Possible call recording race condition fix

Web control pages

  • Fix firewall check web interface when long strings of IPv6 addresses used
  • Improved and simplified use of html and css in basic page layout
  • UI min page size changes with size of side menu
  • Improve system thread stats page
  • Changed URLs for .js and .css to be version specific to avoid cached old files showing wrongly
  • Added handling of a user set at "nobody" level, to allow access to profile switches
  • Added uptime to login screen when viewed from a trusted Ip
  • Improved layout of FB105 config
Built 2013-06-02
Older factory release
1.25.101 (Dexter)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.25.010 to Factory release 1.25.101

BGP

  • Changed default for vrrp-as-self on BGP config to be true if peertype is customer or transit (where vrrp used to maximise uptime in event of failure)

Firewall

  • Changed session track logic to better handle spoofed TCP sessions
  • Slight adjustment to some default session timeouts

L2TP

  • Make Acct-Delay optional parameter in L2TP accounting, if not sent the packet is identical on resends making duplicates easier to spot in RADIUS server

PPPoE

  • Closing PPPoE more cleanly on shutdown

RADIUS

  • RADIUS being too agressive with retry times, and recording timeouts to quickly

Routing

  • Added lightweight source filter option on interface: "blackhole" that checks source address is routeable to anything sensible, allowing blackhole routes to block source traffic

TCP

  • TCP timeout improvements. Now less aggressive when recovering from packet drops, and in particular when faced with spoofed source TCP SYNs

VoIP

  • RADIUS controlled calls sending invites before setting CLI
  • CDR not being logged for outgoing calls
  • RADIUS connected calls delayed up to a second starting call - fixed
  • Edge case of malformed SIP reply causing call to stay in a Done/Wait stay indefinitely
  • Issue with persistent data getting stuck with lots of duplicate registrations.
  • Parser improved to allow for malformed packets causing watchdog
  • UK CLI formatting generating duff SIP headers
  • SIP URIs with no local part were treating host part as local, breaking CLI logic
  • Change to RADIUS accounting, additional fields for SIP URIs and original Call-Id
  • Race condition could fail to send a RADIUS STOP after a START sent if call immediately fails
  • Added support for RADIUS DISCONNECT to clear calls in progress using Acct-Session-Id
  • Incorrect matching of escaped characters in SIP headers causing issues with matching SIP replies
  • Allow lists on VoIP config were not allowing named IP Groups
  • Fixed crash caused with local VoIP registrations expiring
Built 2013-06-01
Older Beta release
1.25.100 (Dexter)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.25.010 to Beta release 1.25.100

BGP

  • Changed default for vrrp-as-self on BGP config to be true if peertype is customer or transit (where vrrp used to maximise uptime in event of failure)

Firewall

  • Changed session track logic to better handle spoofed TCP sessions
  • Slight adjustment to some default session timeouts

L2TP

  • Make Acct-Delay optional parameter in L2TP accounting, if not sent the packet is identical on resends making duplicates easier to spot in RADIUS server

PPPoE

  • Closing PPPoE more cleanly on shutdown

RADIUS

  • RADIUS being too agressive with retry times, and recording timeouts to quickly

Routing

  • Added lightweight source filter option on interface: "blackhole" that checks source address is routeable to anything sensible, allowing blackhole routes to block source traffic

TCP

  • TCP timeout improvements. Now less aggressive when recovering from packet drops, and in particular when faced with spoofed source TCP SYNs

VoIP

  • RADIUS controlled calls sending invites before setting CLI
  • CDR not being logged for outgoing calls
  • RADIUS connected calls delayed up to a second starting call - fixed
  • Edge case of malformed SIP reply causing call to stay in a Done/Wait stay indefinitely
  • Issue with persistent data getting stuck with lots of duplicate registrations.
  • Parser improved to allow for malformed packets causing watchdog
  • UK CLI formatting generating duff SIP headers
  • SIP URIs with no local part were treating host part as local, breaking CLI logic
  • Change to RADIUS accounting, additional fields for SIP URIs and original Call-Id
  • Race condition could fail to send a RADIUS STOP after a START sent if call immediately fails
  • Added support for RADIUS DISCONNECT to clear calls in progress using Acct-Session-Id
  • Incorrect matching of escaped characters in SIP headers causing issues with matching SIP replies
  • Allow lists on VoIP config were not allowing named IP Groups
Built 2013-05-27
Older factory release
1.25.010 (Dexter)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.25.003 to Factory release 1.25.010

L2TP

  • Fixed session inconsistency on relayed connections where relay fails
  • Was constantly trying accounting RADIUS on all sessions every second if no RADIUS configured or responding
  • relay-pick feature not quite right
  • Odd case of tunnels/sessions clearing with negative timers, logic changed to avoid this

Logging

  • Additional one second stats and change to the way counters are shown on them

TCP

  • Reset TCP connection on seeing badly formatted options

VoIP

  • Some cases of registrations getting duplicated/stuck, fixed

Web control pages

  • Fix possible lock up under constant TCP port 80 attack, now recovers quickly
Built 2013-05-25
Older factory release
1.25.003 (Dexter)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.24.001 to Factory release 1.25.003

Config

  • Changed ip= to host= in radius servers as this will shortly work for hostnames as well as IPs
  • Correct detection of which features are enabled in UI config edit
  • Added field length restriction checks on graph names

CQM

  • Long graph names are now mapped to a hash to fit within size of graph name internally
  • Removed some debug log for pings/DNS

DHCP

  • DHCP address allocation for new devices changed to be more reliable
  • Finally found issue with "no IP available" on DHCP serving.

DNS

  • Added sanity check on TTL (1 sec to 3600) for internal caching

Firewall

  • Fix to NAT logic when mapping traffic through the FireBrick and not setting source address
  • Adjusted NAT cancellation logic to avoid NAT to/from brick itself
  • RFC4787 recommends min 2 min and default 5 min for UDP NAT, so defaults for initial and ongoing set to 2m and 5m
  • Exception for UDP ports under 1024 (e.g. DNS) as allowed by RFC4787
  • Corrected Age & Idle stats on session table to actually be seconds (was units of a few seconds)
  • Showing session queue time in seconds/minutes/hours

GGSN

  • Correct faked proxy LCP negotiation, was using wrong tag for auth and same magic both ways

Internal

  • Some thread priorities adjusted.
  • Avoid SSP error report during system shutdown/reboot

IPsec

  • IPsec with manual keying available on 2500 and 2700
  • Minor tweak on IPsec code for performance
  • Avoid crash when changing IPsec config
  • Improved UI layout for IPsec config
  • Fixed problem with HMAC_SHA1 authentication
  • Further changes to IPsec config settings
  • AH processing added. Statistics counters added. Improvements to config checking.

L2TP

  • Changed format of L2TP session IDs (same length), starts S
  • CoA/Disconnect using new "control" type field to verify requesting RADIUS server
  • Corrected RADIUS attributes used for DNS to Vendor 311 AVP 28 and 29
  • relay-nas-ip is now an L2TP setting not a RADIUS setting
  • Changed L2TP auth over to new RADIUS module
  • Fix handling of relay L2TP where tunnel password is longer than 16 characters
  • Moved L2TP start records to new RADIUS
  • Added require-radius-acct option to L2TP, clearing connection if RADIUS accounting fails
  • Major rework of L2TP RADIUS handling
  • Added table to debug for L2TP routing (when non zero)
  • The system to detect spurious post negotiation PPP chatter was picking up protocol rejects, now changed to only measure conf requests
  • log-debug from matching incoming L2TP tunnel now used on PPPoE and GGSN sessions

Logging

  • Log target UI extended to enable setting of colour to be used in web log view. Critical system error counters are now logged to the system error log target every second, and by default displayed in red.

Manual

  • Some updates to manuals - reworking CLI references
  • Manual now includes L2TP AVP appendix
  • Manual now includes L2TP RADIUS AVP appendix
  • Further documentation updates regarding VoIP
  • Added the config field and data type descriptions as an appendix to the manual
  • Updated command line reference in manuals
  • IPsec chapter improved

RADIUS

  • Fix crash on timeout of RADIUS server (VoIP specific at present)
  • Sanity check on timing stats on RADIUS server
  • Not using blacklisted RADIUS servers
  • Internal changes to make RADIUS code more defensive to issues
  • Configurable timeouts per RADIUS server
  • Crash in some cases on RADIUS when request cancelled (i.e. due to excessive time taken)

Routing

  • Source filter option on interface to help with BCP38

TCP

  • Fixed a problem in TCP processing which could cause a hand-crafted poison TCP packet to crash the FB

VoIP

  • VoIP CDRs via RADIUS for initial testing
  • Changed REGISTER to use "username" as localpart for contact not "name", if username is set.
  • Changed session ID on VoIP RADIUS accounting to start I or O for call direction
  • Added pabx setting to voip to control some defaults
  • Added subscription control on telephone/hunt-group
  • Changed pikcup-allow to allow-pickup in config
  • Optional variant of UK CLI fomatting to replace zero with letter owe which may look cleared on some CLI devices
  • Started some work on VoIP REGISTER/INVITE RADIUS requests.
  • Separated different radius types in VoIP config
  • VoIP/RADIUS routing to sip: and to @carrier routing working
  • VoIP/RADIUS routing delayed connect working
  • VoIP/RADIUS routing to tel:number for registered connections
  • VoIP/RADIUS CLI setting in routing
  • VoIP/RADIUS Updates to for some initial CDR improvements
  • New CDR logic, detailed in full in the manual. This is a change to log format, and also separate log-cdr setting
  • Added concept of a sticky CDR (stays on a specific call leg only) for recording incoming legs, e.g. 0800 numbers, etc
  • Added support for 302 redirect response to outgoing registrations
  • Added additional option for RADIUS response to cause a 302 redirect response
  • VoIP/RADIUS: Updated the AVPs used, and documentation and tested RADIUS access requests sent when expected
  • Added force-dtmf to carrier config to force in-band DTMF to carrier
  • Added call recording features - tee's off a SIP call to an endpoint that is expected to handle the recording
  • Added recognition of pcma/8000/2 for stereo feed to call recording
  • Re-invite (e.g. placing on hold) on call clear was causing re-connect in some cases
  • VoIP now only does RADIUS where specific radius server name is configured, not using default (e.g. L2TP RADIUS servers)
  • Updated layout of config page
  • Buffer leak fix in VoIP recording
  • Finer control of automatic call recordings from telephones (in-only, out-only, or both)
  • Better control of non local registration, invites, options, etc not challenging if not a known user that allows non-local requests
  • Re worked the RADIUS call routing response code and documentation
  • Added control over security replies (i.e. not challenging or replying to non local unknown users) defaults true
  • Added suppot for sip:user:pass@hostname support for direct authentication
  • Audio blocked (hold tone) if record-mandatory set and call recording not yet established
  • Added controls over display name in RADIUS call routing
  • Extended size of CUI in CDRs, and fixed duplicate accounting of CDRs in some cases
  • Better handling of recording where the recorded leg goes on hold
  • Added ring time to CDR
  • Made sticky CDR log even if call not connected, duration is minus and call status
  • Added connected number to CDR, i.e. who first answered hunt group call, if different to dialled number
  • Added general call response code as well as 3XX response codes and redirect in RADIUS
  • Added redirect response handling for RADIUS replies for REGISTER
  • Removed OPTIONS as we are not actually supporting or generating any
  • Added Expires header (Session-Timeout) to REGISTER RADIUS request so de-register can be identified
  • Fix issue with outgoing REGISTER, and tested redirect response handling to outbound REGISTER
  • Better handling of redirect 3xx response from non telephone outgoing call legs
  • Added count of dynamic (RADIUS based) registrations to pre-shutdown report
  • Changed logic to use configured proxy, but with domain using registrar hostname
  • Early media passthrough
  • Buffer leak in ICMP handling fixed
  • Added space after colon in SIP headers as per "should" in RFC3261, to keep sipsak happy
  • Better ordering of call status on web page
  • Fix theoretical failure mode with duff SIP packets
  • Handling 401/407 challenge on outgoing SIP where no credentials available (treats as 403)
  • Recording failure possible after several recordings
  • Hold tones not working, fixed
  • Added tone documentation and fixed test URL
  • Better detect of phones not configured for a-law
  • Fixed REFER details on RADIUS (correct called party)
  • Additional sanity check on SIP message receipt
  • Improve handling of ICMP errors
  • Fix stuck call on timeout responses
  • Corrected duplication registration issues
  • NAT support on RTP - replying to sending IP/port if request was via simple NAT
  • NAT poking of registrations that are through simple NAT every 60 seconds
  • Adjusted session timeout logic to only timeout on both sides timing out

Web control pages

  • Web diagnostics such as ping and traceroute would block access to graphs and some other functions, fixed

Web UI

  • Fix UI config edit layout of a normally hidden item when it has been set.
Built 2013-05-25
Older Beta release
1.25.001 (Dexter)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.24.001 to Beta release 1.25.001

Config

  • Changed ip= to host= in radius servers as this will shortly work for hostnames as well as IPs
  • Correct detection of which features are enabled in UI config edit
  • Added field length restriction checks on graph names

CQM

  • Long graph names are now mapped to a hash to fit within size of graph name internally
  • Removed some debug log for pings/DNS

DHCP

  • DHCP address allocation for new devices changed to be more reliable
  • Finally found issue with "no IP available" on DHCP serving.

DNS

  • Added sanity check on TTL (1 sec to 3600) for internal caching

Firewall

  • Fix to NAT logic when mapping traffic through the FireBrick and not setting source address
  • Adjusted NAT cancellation logic to avoid NAT to/from brick itself
  • RFC4787 recommends min 2 min and default 5 min for UDP NAT, so defaults for initial and ongoing set to 2m and 5m
  • Exception for UDP ports under 1024 (e.g. DNS) as allowed by RFC4787
  • Corrected Age & Idle stats on session table to actually be seconds (was units of a few seconds)
  • Showing session queue time in seconds/minutes/hours

GGSN

  • Correct faked proxy LCP negotiation, was using wrong tag for auth and same magic both ways

Internal

  • Some thread priorities adjusted.
  • Avoid SSP error report during system shutdown/reboot

IPsec

  • IPsec with manual keying available on 2500 and 2700
  • Minor tweak on IPsec code for performance
  • Avoid crash when changing IPsec config
  • Improved UI layout for IPsec config
  • Fixed problem with HMAC_SHA1 authentication
  • Further changes to IPsec config settings
  • AH processing added. Statistics counters added. Improvements to config checking.

L2TP

  • Changed format of L2TP session IDs (same length), starts S
  • CoA/Disconnect using new "control" type field to verify requesting RADIUS server
  • Corrected RADIUS attributes used for DNS to Vendor 311 AVP 28 and 29
  • relay-nas-ip is now an L2TP setting not a RADIUS setting
  • Changed L2TP auth over to new RADIUS module
  • Fix handling of relay L2TP where tunnel password is longer than 16 characters
  • Moved L2TP start records to new RADIUS
  • Added require-radius-acct option to L2TP, clearing connection if RADIUS accounting fails
  • Major rework of L2TP RADIUS handling
  • Added table to debug for L2TP routing (when non zero)
  • The system to detect spurious post negotiation PPP chatter was picking up protocol rejects, now changed to only measure conf requests
  • log-debug from matching incoming L2TP tunnel now used on PPPoE and GGSN sessions

Logging

  • Log target UI extended to enable setting of colour to be used in web log view. Critical system error counters are now logged to the system error log target every second, and by default displayed in red.

Manual

  • Some updates to manuals - reworking CLI references
  • Manual now includes L2TP AVP appendix
  • Manual now includes L2TP RADIUS AVP appendix
  • Further documentation updates regarding VoIP
  • Added the config field and data type descriptions as an appendix to the manual
  • Updated command line reference in manuals
  • IPsec chapter improved

RADIUS

  • Fix crash on timeout of RADIUS server (VoIP specific at present)
  • Sanity check on timing stats on RADIUS server
  • Not using blacklisted RADIUS servers
  • Internal changes to make RADIUS code more defensive to issues
  • Configurable timeouts per RADIUS server
  • Crash in some cases on RADIUS when request cancelled (i.e. due to excessive time taken)

Routing

  • Source filter option on interface to help with BCP38

TCP

  • Fixed a problem in TCP processing which could cause a hand-crafted poison TCP packet to crash the FB

VoIP

  • VoIP CDRs via RADIUS for initial testing
  • Changed REGISTER to use "username" as localpart for contact not "name", if username is set.
  • Changed session ID on VoIP RADIUS accounting to start I or O for call direction
  • Added pabx setting to voip to control some defaults
  • Added subscription control on telephone/hunt-group
  • Changed pikcup-allow to allow-pickup in config
  • Optional variant of UK CLI fomatting to replace zero with letter owe which may look cleared on some CLI devices
  • Started some work on VoIP REGISTER/INVITE RADIUS requests.
  • Separated different radius types in VoIP config
  • VoIP/RADIUS routing to sip: and to @carrier routing working
  • VoIP/RADIUS routing delayed connect working
  • VoIP/RADIUS routing to tel:number for registered connections
  • VoIP/RADIUS CLI setting in routing
  • VoIP/RADIUS Updates to for some initial CDR improvements
  • New CDR logic, detailed in full in the manual. This is a change to log format, and also separate log-cdr setting
  • Added concept of a sticky CDR (stays on a specific call leg only) for recording incoming legs, e.g. 0800 numbers, etc
  • Added support for 302 redirect response to outgoing registrations
  • Added additional option for RADIUS response to cause a 302 redirect response
  • VoIP/RADIUS: Updated the AVPs used, and documentation and tested RADIUS access requests sent when expected
  • Added force-dtmf to carrier config to force in-band DTMF to carrier
  • Added call recording features - tee's off a SIP call to an endpoint that is expected to handle the recording
  • Added recognition of pcma/8000/2 for stereo feed to call recording
  • Re-invite (e.g. placing on hold) on call clear was causing re-connect in some cases
  • VoIP now only does RADIUS where specific radius server name is configured, not using default (e.g. L2TP RADIUS servers)
  • Updated layout of config page
  • Buffer leak fix in VoIP recording
  • Finer control of automatic call recordings from telephones (in-only, out-only, or both)
  • Better control of non local registration, invites, options, etc not challenging if not a known user that allows non-local requests
  • Re worked the RADIUS call routing response code and documentation
  • Added control over security replies (i.e. not challenging or replying to non local unknown users) defaults true
  • Added suppot for sip:user:pass@hostname support for direct authentication
  • Audio blocked (hold tone) if record-mandatory set and call recording not yet established
  • Added controls over display name in RADIUS call routing
  • Extended size of CUI in CDRs, and fixed duplicate accounting of CDRs in some cases
  • Better handling of recording where the recorded leg goes on hold
  • Added ring time to CDR
  • Made sticky CDR log even if call not connected, duration is minus and call status
  • Added connected number to CDR, i.e. who first answered hunt group call, if different to dialled number
  • Added general call response code as well as 3XX response codes and redirect in RADIUS
  • Added redirect response handling for RADIUS replies for REGISTER
  • Removed OPTIONS as we are not actually supporting or generating any
  • Added Expires header (Session-Timeout) to REGISTER RADIUS request so de-register can be identified
  • Fix issue with outgoing REGISTER, and tested redirect response handling to outbound REGISTER
  • Better handling of redirect 3xx response from non telephone outgoing call legs
  • Added count of dynamic (RADIUS based) registrations to pre-shutdown report
  • Changed logic to use configured proxy, but with domain using registrar hostname
  • Early media passthrough
  • Buffer leak in ICMP handling fixed
  • Added space after colon in SIP headers as per "should" in RFC3261, to keep sipsak happy
  • Better ordering of call status on web page
  • Fix theoretical failure mode with duff SIP packets
  • Handling 401/407 challenge on outgoing SIP where no credentials available (treats as 403)
  • Recording failure possible after several recordings
  • Hold tones not working, fixed
  • Added tone documentation and fixed test URL
  • Better detect of phones not configured for a-law
  • Fixed REFER details on RADIUS (correct called party)
  • Additional sanity check on SIP message receipt
  • Improve handling of ICMP errors
  • Fix stuck call on timeout responses
  • Corrected duplication registration issues
  • NAT support on RTP - replying to sending IP/port if request was via simple NAT
  • NAT poking of registrations that are through simple NAT every 60 seconds
  • Adjusted session timeout logic to only timeout on both sides timing out

Web control pages

  • Web diagnostics such as ping and traceroute would block access to graphs and some other functions, fixed

Web UI

  • Fix UI config edit layout of a normally hidden item when it has been set.
Built 2013-05-24
Older Beta release
1.25.000 (Dexter)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.24.001 to Beta release 1.25.000

Config

  • Changed ip= to host= in radius servers as this will shortly work for hostnames as well as IPs
  • Correct detection of which features are enabled in UI config edit
  • Added field length restriction checks on graph names

CQM

  • Long graph names are now mapped to a hash to fit within size of graph name internally
  • Removed some debug log for pings/DNS

DHCP

  • DHCP address allocation for new devices changed to be more reliable
  • Finally found issue with "no IP available" on DHCP serving.

DNS

  • Added sanity check on TTL (1 sec to 3600) for internal caching

Firewall

  • Fix to NAT logic when mapping traffic through the FireBrick and not setting source address
  • Adjusted NAT cancellation logic to avoid NAT to/from brick itself
  • RFC4787 recommends min 2 min and default 5 min for UDP NAT, so defaults for initial and ongoing set to 2m and 5m
  • Exception for UDP ports under 1024 (e.g. DNS) as allowed by RFC4787
  • Corrected Age & Idle stats on session table to actually be seconds (was units of a few seconds)
  • Showing session queue time in seconds/minutes/hours

GGSN

  • Correct faked proxy LCP negotiation, was using wrong tag for auth and same magic both ways

Internal

  • Some thread priorities adjusted.
  • Avoid SSP error report during system shutdown/reboot

IPsec

  • IPsec with manual keying available on 2500 and 2700
  • Minor tweak on IPsec code for performance
  • Avoid crash when changing IPsec config
  • Improved UI layout for IPsec config
  • Fixed problem with HMAC_SHA1 authentication
  • Further changes to IPsec config settings
  • AH processing added. Statistics counters added. Improvements to config checking.

L2TP

  • Changed format of L2TP session IDs (same length), starts S
  • CoA/Disconnect using new "control" type field to verify requesting RADIUS server
  • Corrected RADIUS attributes used for DNS to Vendor 311 AVP 28 and 29
  • relay-nas-ip is now an L2TP setting not a RADIUS setting
  • Changed L2TP auth over to new RADIUS module
  • Fix handling of relay L2TP where tunnel password is longer than 16 characters
  • Moved L2TP start records to new RADIUS
  • Added require-radius-acct option to L2TP, clearing connection if RADIUS accounting fails
  • Major rework of L2TP RADIUS handling
  • Added table to debug for L2TP routing (when non zero)
  • The system to detect spurious post negotiation PPP chatter was picking up protocol rejects, now changed to only measure conf requests
  • log-debug from matching incoming L2TP tunnel now used on PPPoE and GGSN sessions

Logging

  • Log target UI extended to enable setting of colour to be used in web log view. Critical system error counters are now logged to the system error log target every second, and by default displayed in red.

Manual

  • Some updates to manuals - reworking CLI references
  • Manual now includes L2TP AVP appendix
  • Manual now includes L2TP RADIUS AVP appendix
  • Further documentation updates regarding VoIP
  • Added the config field and data type descriptions as an appendix to the manual
  • Updated command line reference in manuals
  • IPsec chapter improved

RADIUS

  • Fix crash on timeout of RADIUS server (VoIP specific at present)
  • Sanity check on timing stats on RADIUS server
  • Not using blacklisted RADIUS servers
  • Internal changes to make RADIUS code more defensive to issues
  • Configurable timeouts per RADIUS server
  • Crash in some cases on RADIUS when request cancelled (i.e. due to excessive time taken)

Routing

  • Source filter option on interface to help with BCP38

VoIP

  • VoIP CDRs via RADIUS for initial testing
  • Changed REGISTER to use "username" as localpart for contact not "name", if username is set.
  • Changed session ID on VoIP RADIUS accounting to start I or O for call direction
  • Added pabx setting to voip to control some defaults
  • Added subscription control on telephone/hunt-group
  • Changed pikcup-allow to allow-pickup in config
  • Optional variant of UK CLI fomatting to replace zero with letter owe which may look cleared on some CLI devices
  • Started some work on VoIP REGISTER/INVITE RADIUS requests.
  • Separated different radius types in VoIP config
  • VoIP/RADIUS routing to sip: and to @carrier routing working
  • VoIP/RADIUS routing delayed connect working
  • VoIP/RADIUS routing to tel:number for registered connections
  • VoIP/RADIUS CLI setting in routing
  • VoIP/RADIUS Updates to for some initial CDR improvements
  • New CDR logic, detailed in full in the manual. This is a change to log format, and also separate log-cdr setting
  • Added concept of a sticky CDR (stays on a specific call leg only) for recording incoming legs, e.g. 0800 numbers, etc
  • Added support for 302 redirect response to outgoing registrations
  • Added additional option for RADIUS response to cause a 302 redirect response
  • VoIP/RADIUS: Updated the AVPs used, and documentation and tested RADIUS access requests sent when expected
  • Added force-dtmf to carrier config to force in-band DTMF to carrier
  • Added call recording features - tee's off a SIP call to an endpoint that is expected to handle the recording
  • Added recognition of pcma/8000/2 for stereo feed to call recording
  • Re-invite (e.g. placing on hold) on call clear was causing re-connect in some cases
  • VoIP now only does RADIUS where specific radius server name is configured, not using default (e.g. L2TP RADIUS servers)
  • Updated layout of config page
  • Buffer leak fix in VoIP recording
  • Finer control of automatic call recordings from telephones (in-only, out-only, or both)
  • Better control of non local registration, invites, options, etc not challenging if not a known user that allows non-local requests
  • Re worked the RADIUS call routing response code and documentation
  • Added control over security replies (i.e. not challenging or replying to non local unknown users) defaults true
  • Added suppot for sip:user:pass@hostname support for direct authentication
  • Audio blocked (hold tone) if record-mandatory set and call recording not yet established
  • Added controls over display name in RADIUS call routing
  • Extended size of CUI in CDRs, and fixed duplicate accounting of CDRs in some cases
  • Better handling of recording where the recorded leg goes on hold
  • Added ring time to CDR
  • Made sticky CDR log even if call not connected, duration is minus and call status
  • Added connected number to CDR, i.e. who first answered hunt group call, if different to dialled number
  • Added general call response code as well as 3XX response codes and redirect in RADIUS
  • Added redirect response handling for RADIUS replies for REGISTER
  • Removed OPTIONS as we are not actually supporting or generating any
  • Added Expires header (Session-Timeout) to REGISTER RADIUS request so de-register can be identified
  • Fix issue with outgoing REGISTER, and tested redirect response handling to outbound REGISTER
  • Better handling of redirect 3xx response from non telephone outgoing call legs
  • Added count of dynamic (RADIUS based) registrations to pre-shutdown report
  • Changed logic to use configured proxy, but with domain using registrar hostname
  • Early media passthrough
  • Buffer leak in ICMP handling fixed
  • Added space after colon in SIP headers as per "should" in RFC3261, to keep sipsak happy
  • Better ordering of call status on web page
  • Fix theoretical failure mode with duff SIP packets
  • Handling 401/407 challenge on outgoing SIP where no credentials available (treats as 403)
  • Recording failure possible after several recordings
  • Hold tones not working, fixed
  • Added tone documentation and fixed test URL
  • Better detect of phones not configured for a-law
  • Fixed REFER details on RADIUS (correct called party)
  • Additional sanity check on SIP message receipt
  • Improve handling of ICMP errors
  • Fix stuck call on timeout responses
  • Corrected duplication registration issues
  • NAT support on RTP - replying to sending IP/port if request was via simple NAT
  • NAT poking of registrations that are through simple NAT every 60 seconds
  • Adjusted session timeout logic to only timeout on both sides timing out

Web control pages

  • Web diagnostics such as ping and traceroute would block access to graphs and some other functions, fixed

Web UI

  • Fix UI config edit layout of a normally hidden item when it has been set.
Built 2013-04-20
Older factory release
1.24.001 (Crispa)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.23.001 to Factory release 1.24.001

L2TP

  • Changed default lockout timeout on relayed tunnels to 3 minutes
  • Use graph setting on local termination L2TP/PPPoE using match

Logging

  • Minor changes to default settings for system log messages

Routing

  • Changed logic for next hop checks where gateway is on multiple subnets, where at least one of which does not answer ARPs causing route to be suppressed

Web control pages

  • Changed web status pages to not show unused menus even in debug level user
Built 2013-04-19
Older factory release
1.23.001 (Bunthorne)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.22.001 to Factory release 1.23.001

Config

  • The factory config has been changed to set separate port groups and interfaces for each LAN port. Note that this means the FB does not, by default, act like a layer 2 switch over the LAN ports.

Config editor

  • Moved VoIP config to separate icon
  • Improved layout in config editor for radius service

CQM

  • Off line detect on graphs with no timing (e.g. FB105 tunnels) was wrong, causing yellow traffic light
  • Added CQM logging of when graphs start and stop responding
  • Fixed use of = on numeric arguments for CQM graph URLs
  • CQM graphs corrected to show damping data
  • Redefined when keys show on graphs
  • Added additional stats to CQM XML
  • Fixed aggregate L2TP CQM graphs not showing damping, work around for older code is to add ?fud to URL
  • Percent loss not scaling properly, so wrong when under 100 pings/LCPs

Dongle

  • Fixed buffer leak and resulting watchdog panic caused by dongle negotiation repeatedly failing.

Factory reset

  • Changed factory reset to be consistent with separate LAN ports

L2TP

  • Tidy the logic for CQM on slow LCP echo to show actual sent count.
  • Changed default localpref for L2TP/RADIUS Framed-IP-Address to 0 instead of MAX. Being a /32 it is normally best route anyway, but this change allows a Framed-IP-Route /32 to set a metric where required.
  • Increase to calling and called circuit ID in negotiation of L2TP to 64 characters consistent with platform RADIUS.
  • Changed PPP negotiation to close if repeated unexpected PPP negotiation after PPP completed
  • Some additional route looping protection

Ping

  • Ping file load now allows host names not just IPs
  • Logging for ping graphs (e.g. DNS lookups, etc) now to CQM logging target

PPPoE

  • Fixed crash if pppod configured with no name field

RADIUS

  • RADIUS server config changed to single object type <server...> in services/radius with a type saying if authentication or accounting, etc.
  • Changed port to auth-port in services radius, and added separate control-port for dynamic RADIUS
  • Additional matching for (platform) RADIUS service (source and target IP of RADIUS request)
  • Added support to handle NAS-IP-Address in RADIUS response for L2TP to specify the local end IPv4 negotiated on IPCP - does not add routing or loopback for this
  • Platform RADIUS allows configurable secret based on matching rules
  • Platform RADIUS has option to require authenticator in request
  • Platform RADIUS supports RADIUS-Status-Server message
  • Platform RADIUS now logs the requesting IP and target IP

Routing

  • Network statement was not using profile, fixed
  • Added gateway feasibility testing to static routes in the same way as BGP routes,

Subnet

  • Subnet test can report one second false positive every 3 minutes, fixed
  • Config load causes a suppressed subnet (test failed) to have false positive for one second
  • Subnets with a test would start assumed active, now changed to start assumed inactive

VoIP

  • Change to handle SIP from Gradwell VoIP
  • Minor tweaks, better use of uri in auth reply, only sending auth reply once, etc.
  • Made repeat 401 or 407 treated as a 403 on INVITES
  • BYE was not sending to Contact from 200 header, changed.
  • Correct handling of Record-Route and Route headers for proxied servers such as sipgate
  • Fixed multiple Max-Forwards on REGISTER
  • Added extra debug after reports of unexpected DNS lookups
  • Fixed direct incoming SIP to a target using to="@..."
  • Added I/O (in/out) to CDR log
  • Tweak incorrect picking up contact from 1xx responses
  • Change to retry for 401/407 response - tries a few times in case stale response
  • Change to ensure CANCEL follows same route as original INVITE even when target has multiple IPs in DNS
  • Change to correctly delay resend of INVITE once correctly matched 100 trying received
  • Change in From heading not to include a blank display name if no display name set
  • Prefix CLI with ? where not trusted from a carrier
  • Added UK format CLI as text option
  • Made UK CLI formatting default if not set and no display and country is 44
  • Crash on lots of calls fixed
  • Crashing calling IPv6 phones
  • Clarify in config help that ddi is international format number
  • Added area-code to telephone config to override default for calls from that phone
  • Added CLI format option on carriers, default national

Web control pages

  • Added option to set Access-Control-Allow-Origin response to allow cross site javascript access to FireBrick. USE WITH CARE as could compromise your brick by remote hosted javascript re-using a login session.
  • Some menu items only shown if debug level user or if menu has some contents, specifically aimed at Status menu items for unused features

Web UI

  • Added warning on home page when a reboot is necessary to activate new features

XML config

  • Typo in help text
Built 2013-02-25
Older factory release
1.22.001 (Araucaria)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.21.001 to Factory release 1.22.001

CQM

  • Removed standard deviation from CQM graphs
  • Added reject count on ping graphs (ICMP error response) - new CQM xml definition
  • Changed fail on graph (dripping blood / red), and reject, to be percentage based

Internal

  • Fixed problem with allocation of multiple flash blocks when saving images or large configs or data. Please ensure you have a copy of the config before a manual upgrade. Save config several times on FireBrick to minimise risk of issues.

L2TP

  • Changed platform radius matching code for L2TP to handle longer challenges than 16 (now 64)

Ping

  • Slow setting on ping now defaults to auto, i.e. when no proper replies for 2 minutes, but can be set true or false

Web control pages

  • No longer shows Wholesaler on status page (unless enabled for alpha builds)
Built 2013-02-22
Older factory release
1.21.001 (Zoe)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.20.001 to Factory release 1.21.001

BGP

  • Reversed a previous change which affected network statements. Default localpref set to max as before. Could cause issues if BGP announcing and accepting own as on external transit.
  • Fix BGP export community checking for built in community values

Config editor

  • Adjusted some of the help text on config edit
  • Traffic lights for profiles in config edit (on profile list and lists which reference profiles)
  • Added recommendation in config recommending separate VRRP ID on separate VLANs
  • Added "(b/s)" on description for rates in config

Factory reset

  • Added PPPoE client in factory reset config on LAN as well as WAN

Firewall

  • Tweak for firewall logic where target interface is a 6 to 4 tunnel to resolve final interface
  • Adjusted session track handling on memory exhaustion
  • Added more fields to session table
  • Fixed bug in checking rules for interface="" where logic was not correct
  • Not setting NAT for dongle/PPPoE if traffic from the FireBrick

Internal

  • Change to improve shutdown / reboot sequencing and timing

L2TP

  • Extra option in L2TP relay controls allowing picking one of the relay IPs at random first
  • Slightly better debug for RADIUS count issue, use of volatile on state ocntrol, and adjust polling task

NTP

  • NTP server field name now changed name and set to default which is ntp.firebrick.ltd.uk. Please configure any preferred ntp servers

Ping

  • Changed ping graphs to follow firewall/mapping rules on outgoing packets

PPP

  • Fix minor discrepancy in NAK and REJ logic on PPP

PPPoE

  • Was incorrectly adding far end IP as a DNS server
  • Added some level of backoff on PADI, longer if never seen PADS

s/w upgrade

  • Longer backoff on s/w upgrade checks where no DNS available

SNMP

  • Added iso.3.6.1.2.1.1.2.0 sysObjectID

Subnet

  • When changing a subnet, a new MAC is allocated - it now picks from subnets in same port/vlan first

VoIP

  • Fix potential crash on voip config change

Web control pages

  • Username on web footer
  • Added port/VLAN to subnet list

XML config

  • Changed services/platform-radius service to be services/radius as plans to expand config for other types of RADIUS
  • Moved RADIUS authentication and accounting lists from l2tp to services/radius
  • Changed error messages on config load to provide more context - shows XML around the error point
  • Corrected syntax check on XML duration with spurious letters
  • Added new restrict-mac field to interface definition - NOTE: USING THIS MAY CHANGE MAC OF SUBNETS IN USE
Built 2012-12-06
Older factory release
1.20.001 (Yalena)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.19.001 to Factory release 1.20.001

  • Changed [not] to [inverted] in Profile logging text.

BGP

  • Note that the localpref default is 0 for network statements on this factory release.
  • Adjust next hop logic in presence of VRRP to avoid incorrect use of VRRP address in some route passing
  • Fix debug log of accepted prefixes on BGP, was showing garbage extra bits

CLI

  • Fix double line spacing on some command line output
  • Added a "show run" and "import config" in telnet/command line allowing dump and upload of raw XML.

Config editor

  • Moved css-url to http services config, will need editing as not automatically moved

CQM

  • Configurable latency Y axis
  • Ping only graphs (i.e. no throughput) now have standard deviation on ping timings
  • Minor change to default colours
  • Corrected showing of "off line" on graphs
  • Minor tweak on graphs
  • Setting Y axis latency in ms on graphs as part of URL

DNS

  • Malformed DNS packets could cause crash, fix

Factory reset

  • Change to "recovery" factory default to have separate LAN ports
  • Default timeserver set to ntp.firebrick.ltd.uk rather than pool.ntp.org

L2TP

  • Additional control over timeouts on L2TP
  • Changed default timeouts on outgoing L2TP client sessions - faster recovery and retry
  • Possible lockup and watchdog in cases of unresponsive RADIUS servers
  • Added quota (tx) to L2TP (as RAIDUS filter code Q)
  • Added quota (tx, or tx+rx) and terminate action to allow radius accounting on exceeding quota or session timeout
  • Added Filter-Id and Session-Timeout to all RADIUS updates, was just Start record, as some data can change dynamically
  • L2TP should now accept RADIUS CoA sooner - was not accepted until PPP negotiation had finished

Ping

  • Allow configuration of larger ping packets

PPP

  • Improvements to checking and timing in PPP processes
  • Slight change in PPP sequence numbering
  • Minor tweaks, including new accept-dns in dongle config
  • Improved debug / logging for PPP connections
  • Support PAP as client login on PPP
  • Adjusted retry timeouts on PAP/CHAP requests
  • Corrected PPP client PAP continuing to IPCP

PPPoE

  • Tweak to handle multiple service responses in PADO

Profiles

  • Improved logging after non state change profile
  • Date/time profile tests when not clock set assume initial state
  • Date/time profile tests now have comment field in config

Web control pages

  • New layout for ping and traceroute allowing XML export
  • traceroute and ping no reporting a "firewalled" response if seen, rather than just unreachable
  • Web interface showing system name on title if trusted IP

XML config

  • Fix factory reset config
  • Changed XSD duration to an FB type that uses saner syntax [[HH:]MM:]SS
Built 2012-10-10
Older factory release
1.19.001 (Wilhelmina)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.18.001 to Factory release 1.19.001

  • Factory release needed for chipset variant at factory
  • Allowing larger config files

Internal

  • Support alternative ether controller

L2TP

  • Incorrect fragmentaion of locally generated IPv6 packets sent via L2TP, fixed

OSPF

  • Started work on OSPF

RADIUS

  • RADIUS auth request sending NUl CUI as per RFC4372

VoIP

  • In some cases, e.g. no configured password, voip could crash. Fixed

Web control pages

  • autocomplete off on entry for OTP data
  • Moved Log to separate main menu entry

XML config

  • Final XSD validation tidy
Built 2012-09-15
Older factory release
1.18.001 (Vanessa)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.17.001 to Factory release 1.18.001

  • Draft documentation included in releases

BGP

  • New filter option to check for community present in a route
  • Showing BGP route details shows additional community tags as well
  • Fix for BGP config where local IP is DHCP, meaning BGP did not start up unless a local-id was set
  • Fix BGP import/export filtering which only considered first match rule
  • Allow use of pad on BGP peer if add-own-as set, even on ibgp
  • new use-vrrp-as-self (default true) means the next hop used in BGP will use an appropriate VRRP address if possible
  • Ignored received announcments treated correctly as a withdrawal
  • Corrected BGP ingress filtering to allow detagging the standard community tags
  • Made BGP next hop logic consider routes to dead end and to network as non feasible (previously they were feasible but could not route)
  • Fixed config to only allow one list of import and one list of export rules under bgp peer, as only first in list was checked anyway

Config editor

  • Tweak class for cqm images in css

CQM

  • Fix for long term shapers which only worked if sharing of shaper was set
  • Graphs show min and max rate limit per hour now
  • More corrections on long term shaper logic
  • Long term shapers were not actually applying the shaper limit, it seems, even if worked out correctly
  • Changed min line on graph to be dotted

DHCP

  • Fix for possible lock up causing watchdogs in some cases
  • Internal change to try and resolve issue where DHCP has been seen to cause a lock up and watchdog on some systems

DNS

  • DNS resolver no longer caching SOA as it was not expanding the MNAME/RNAME fields correctly
  • DNS server now ignores expired DHCP allocations

Ethernet

  • Added layer 2 interface mapping function (map port/VLAN to port/VLAN directly no session track or firewall)

FB105

  • Updating the FB105 tunnel config did not always have immediate effect

Firewall

  • Crash in some cases where traceroute via mapped address, fixed

Internal

  • Improved watchdog error reporting
  • Further improvement to watchdog panic diagnostic

IP

  • Added ARP/ND link state test to work at subnet level
  • Made Wake on LAN a separate diagnostic and linked to DHCP
  • Internal change to avoid possibility of recursive tunnelling overrunning buffer space

IPv6

  • Fix for ND responses for FE80::/10 LL addresses matching our MAC prefix (we answered all requests even if specific MAC not in use)
  • Adjusted routing for FE80::/10 so all interfaces are equal metric to locate LL endpoints

L2TP

  • Change relayed L2TP session stats to be consistent with non relayed by counting only IP and not LCP, etc.
  • L2TP status showing an accounting session ID even when not using RADIUS accounting, useful for pcap
  • Better status report for back to back sessions
  • Correct NSN RADIUS parameters in platform RADIUS

PPP

  • Adjusted LCP restart logic to restart LCP if far end persists in restarting
  • Allow far end to refuse magic number negotiation

PPPoE

  • Linked status page from PPPoE to L2TP

SNMP

  • Added some IfXEntry SNMP values

VoIP

  • Added contact header in REGISTER response
  • Possible fix on some issues with ring group logic

VRRP

  • Changed default startup delay to 60 seconds as usually more sensible and should not cause any harm

Web control pages

  • Set larger input box size on web diagnostic tools
Built 2012-06-02
Older factory release
1.17.001 (Uriana)
Config:XSD Doc

Release notes from Factory release 1.16.001 to Factory release 1.17.001

  • Updated documentation

BGP

  • Corrected AS list in show routes to handle multiple sequences (was showing with no separator)

CLI

  • Fix obscure race condition which may cause panic when logging to command line (console).

Config

  • Removed redundant fast-reboot options

CQM

  • Corrected URL processing for CQM where using x=value/x=value type syntax
  • Change to ping scan and cqm polling functions to be more aligned to real time seconds, ready for when we do NTP fully

DHCP

  • Corrected tool tips on Kill/Unlock

Internal

  • More details in thread statistics report

L2TP

  • RFC4818 Delegated-IPv6-Prefix support added - see RADIUS documentation for how this is used.
  • Complex bug with IPv6 routed via IPv6 gateway that is routed via an L2TP over IPv4 and generating an ICMP error causing a crash - fixed

Logging

  • Removed unused log types for SNMP trap (will move to profiles) and SMS (may be added later)

NTP

  • Added option to set ntp poll rate, will be removed/changed when we do NTP fully.

Profiles

  • Clarified wording for and, or, and not, tests in profiles
  • Clarified meaning of timeout and recover as times not number of tests

RADIUS

  • Reinstated platform RADIUS accounting handling and relay (missing since 1.13.111)

VoIP

  • Second call in a queue is not getting ringing to caller - fixed

Web control pages

  • Added layout for config edit for l2tp incoming and outgoing
  • New CSS - especially on config edit pages
Built 2012-05-12
Older factory release
1.16.001 (Titania)
Config:XSD Doc

Release notes from Factory release 1.15.001 to Factory release 1.16.001

BGP

  • Colours on BGP status on web page

DNS

  • DNS resolver negative caching handling and tweaks to handle VoIP DNS lookups where CNAME used
  • Corrected negative caching timings

L2TP

  • Added RADIUS option to avoid LCP restart on mismatched MRU
  • Corrected sending MTU in RADIUS auth (could be sent twice in some cases)
  • Allowing up to 64 byte CHAP challenge size in proxy auth

Logging

  • Better wording for missed log entries

Ping

  • Not trying to print reverse DNS on ping command while waiting DNS response

PPPoE

  • Issue with IPv6 DNS servers not working on a second PPPoE client connection if same as previous

RADIUS

  • RADIUS accounting refernce could change some time after reboot depending on clock setting, fixed
  • Fix buffer leakage if RADIUS servers time out

Time

  • Added very simple sanity check to SNTP clock setting, and logging to right place
  • Logging IP from which clock was set

UI/CLI

  • Added hard reboot option

VoIP

  • Possible issue with hunt groups messing up after call transfer fixed
  • Reduced some of the debug
  • SRV handling for VoIP

Web control pages

  • Avoid unnecessary invocation of bootloader when system reboot is requested
Built 2012-04-27
Older factory release
1.15.001 (Sophia)
Config:XSD Doc

Release notes from Factory release 1.14.001 to Factory release 1.15.001

BGP

  • Route refresh capability announced and refresh request handled
  • Minor adjustment in graceful restart logic (not yet advertised)
  • Fixed long delay rebooting when BGP active

Config

  • Fixed factory default config for dns host name my.firebrick.co.uk - this means a new factory release of code.
  • Corrected parsing of an IP using final :: in place of :0 (i.e. seemed to have too many colons)
  • Not generating initial or trailing :: on IPv6 addresses where only one block replaced

Ethernet

  • Avoid spurious port down messages at startup.

Firewall

  • Routes to VRRP addresses now treated as to "self" not to "unknown" as previously
  • Session table display indicates if incomplete as output was interrupted.

Flash

  • Image priority tagging removed. Flash contents display shows penalty but no longer priority.
  • Change to flash block allocation strategy to spread block usage.

L2TP

  • Changed DHCPv6 served timing for L2TP

VoIP

  • Mute on a snom caused a call drop due to loss of media, changed to send reinvite same as if on hold
  • Validation of allow lists in config save for VoIP
  • Tweak to send record route back correctly on dialogue responses

VRRP

  • Fix issue if two separate VRRP configs used with same VRID one for IPv4 and one for IPv6

Web control pages

  • Format of manual image upload UI page changed in line with auto update.
Built 2012-04-21
Older factory release
1.14.001 (Rhea)
Config:XSD Doc

Release notes from Factory release 1.13.001 to Factory release 1.14.001

  • Change to persistent data storage logic and timing

BGP

  • Correct BGP route tie break where one route has MED set and one does not. No MED set is now treated as MED 0 correctly

Firewall

  • Possible case where session tracking code could crash fixed

L2TP

  • Changed IPv6 padding to be more generic padding of any packet that looks too short and under 73 bytes so works with IPv6 over LCP on BT 20CN lines

PPPoE

  • Config change losing external PPPoE IPv6 address from routing
  • Fixed IPv6 prefix delegation timeout issue

Profiles

  • Fixed bug - a ping profile with no routing to send the ping was causing buffer loss
  • Possible problem in ping profiles could result in a watchdog failure

RADIUS

  • Corrected RADIUS tagging on NSN parameters in platform radius.

VoIP

  • Added experimental VoIP feature
  • SIP registreations now persist over reboot
  • RTP payload type mapping added
  • Ends calls on reboot
  • Added ring group support - ringing all phones at once
  • Fixed crash if extn not defined on telephone users
  • Fixed ring group calling
  • Fix simultaneous answering of called (cross of 200 and CANCEL)
  • Registrations could cause crashes if CSeq wrong, fixed
  • Fixed some bugs (affecting grandstream and linksys phones)
  • No auto s/w upgrade if calls in progress
  • Adedd reboot when free logic
  • Tested with IPv6 on gigaset, and some bug fixes.
  • Added internal caller ID (extn number)
  • Fixed but in sent Call-ID causing issues
  • 141 prefix setting withheld now
  • New config fields for carrier work added - not implemented yet
  • Fixed registrations that use a host name, such as A&A SIP2SIM service
  • Allow list checking on incoming call match to carriers
  • Matching incoming carrier calls based on To address
  • Incoming carrier auth challenge and checking
  • Incoming CLI from carrier
  • Supports call diversion on SIP handset
  • Added call limits options
  • Added call transfer functions (blind, and attended)
  • Software upgrade from web pages now does reboot when free when manually uploading code
  • Made logging of REGISTER messages separate to aid debugging
  • Added control of source-ip for outbound registrations
  • Sending of messages from same IP as was used as target of incoming registrations to keep some phones happer
  • Added some NAT detection and handling at SIP level - not yet on media level
  • Improved low level parsing of some syntax variants
  • Software upgrade now doing reboot when free on picking new code available
  • Improved final status when ringing multiple phones
  • Outgoing number formatting for carrier
  • Corrected some of the SIP escaping
  • Initial ring group queue logic (simply doing ring all)
  • Improved VoIP status on web pages
  • Ring group logic including strict, cyclic, random, oldest, and all, cascade or sequence modes.
  • Faster handling of group progression where phones are busy/DND
  • Added BLF handling for snom phones
  • Fixed "ringing" state on BLF
  • Added more detail on subscription status
  • Fixed BLF to work when using a different one of the FireBricks IPs for subscription
  • Call pickup/steal added
  • Added display name to ring groups
  • Added BLF on steal prefix
  • Bugfix in SIP subscriptions if invalid data sent
  • Added display name on carrier
  • Empty and invalid SIP messages could cause a crash, fixed
  • Subscription / Registration expiry bug fix
  • Fixed profile on ring groups, and also 404 if nobody to ring
  • Call hold tone
  • Call time on VoIP status
  • Colour background on call list status
  • Colour background on other data on VoIP status
  • Crash in some call transfer cases fixed
  • Obscure bug in some cases on complex ring groups would fall back to ringing all, fixed
  • Ignoring silly almost empty SIP packets from gigaset (some NAT thing)
  • Allow redirect of group calls if got as far as ringing even if redirect set false as this is a manual redirect
  • Call transfer and redirect now calling using the carrier selected for the phone doing the transfer/redirect not the original caller
  • SIP INFO processing for DTMF
  • Incoming number handling for carriers
  • ACK generation on delayed response to closed call
  • Fix crash case - looks related to hunt groups calling numbers for which users are not yet registered
  • Fix for call transfer problems
  • Increased number of carriers as often back to back with telephone users
  • Outgoing carrier picking for external calls from hunt group using calling carrier
  • Pickup was not working for a ringing call
  • Transfer to ringing hunt group not working
  • Added reason on CANCEL and BYE in some cases
  • Race condition on call transfer can cause call to get stuck, fixed
  • Corrected handling of Replaces header in REFER where escaping some characters
  • Corrected handling of 100 Trying response on outgoing registration so we can register against asterisk
  • Updated to handle OPTIONS from a carrier (e.g. asterisk)
  • Added tag= on From for calls out via carrier, oops
  • Changed for registration reply that does not contain explicit Expires header (e.g. sipgate)
  • Changed domain on From and Call-ID
  • Added handling of a 407 proxy auth request as well as 401
  • Tweak for seq advance on INVITEs after 401/407 (asterisk was unhappy with reuse)
  • Added more detail as a CDR log entry
  • More CDR log tweaks
  • Media detect logic added
  • Made call related logs more consistent, always starting with call ID
  • Corrected start time ms on CDR log
  • Media loss detection improved
  • Incorrect call time on status page
  • Additional debug for NAT

Web control pages

  • Session list copes better if you stop the browser while displaying
  • Typo in web config for dns-host/block
Built 2012-04-05
Older Beta release
1.13.090 (Quito)
Config:XSD Doc

Release notes from Factory release 1.13.001 to Beta release 1.13.090

  • Change to persistent data storage logic and timing

BGP

  • Correct BGP route tie break where one route has MED set and one does not. No MED set is now treated as MED 0 correctly

Firewall

  • Possible case where session tracking code could crash fixed

L2TP

  • Changed IPv6 padding to be more generic padding of any packet that looks too short and under 73 bytes so works with IPv6 over LCP on BT 20CN lines

PPPoE

  • Config change losing external PPPoE IPv6 address from routing
  • Fixed IPv6 prefix delegation timeout issue

Profiles

  • Fixed bug - a ping profile with no routing to send the ping was causing buffer loss

VoIP

  • Added experimental VoIP feature
  • SIP registreations now persist over reboot
  • RTP payload type mapping added
  • Ends calls on reboot
  • Added ring group support - ringing all phones at once
  • Fixed crash if extn not defined on telephone users
  • Fixed ring group calling
  • Fix simultaneous answering of called (cross of 200 and CANCEL)
  • Registrations could cause crashes if CSeq wrong, fixed
  • Fixed some bugs (affecting grandstream and linksys phones)
  • No auto s/w upgrade if calls in progress
  • Adedd reboot when free logic
  • Tested with IPv6 on gigaset, and some bug fixes.
  • Added internal caller ID (extn number)
  • Fixed but in sent Call-ID causing issues
  • 141 prefix setting withheld now
  • New config fields for carrier work added - not implemented yet
  • Fixed registrations that use a host name, such as A&A SIP2SIM service
  • Allow list checking on incoming call match to carriers
  • Matching incoming carrier calls based on To address
  • Incoming carrier auth challenge and checking
  • Incoming CLI from carrier
  • Supports call diversion on SIP handset
  • Added call limits options
  • Added call transfer functions (blind, and attended)
  • Software upgrade from web pages now does reboot when free when manually uploading code
  • Made logging of REGISTER messages separate to aid debugging
  • Added control of source-ip for outbound registrations
  • Sending of messages from same IP as was used as target of incoming registrations to keep some phones happer
  • Added some NAT detection and handling at SIP level - not yet on media level
  • Improved low level parsing of some syntax variants
  • Software upgrade now doing reboot when free on picking new code available
  • Improved final status when ringing multiple phones
  • Outgoing number formatting for carrier
  • Corrected some of the SIP escaping
  • Initial ring group queue logic (simply doing ring all)
  • Improved VoIP status on web pages
  • Ring group logic including strict, cyclic, random, oldest, and all, cascade or sequence modes.
  • Faster handling of group progression where phones are busy/DND
  • Added BLF handling for snom phones
  • Fixed "ringing" state on BLF
  • Added more detail on subscription status
  • Fixed BLF to work when using a different one of the FireBricks IPs for subscription
  • Call pickup/steal added
  • Added display name to ring groups
  • Added BLF on steal prefix
  • Bugfix in SIP subscriptions if invalid data sent
  • Added display name on carrier
  • Empty and invalid SIP messages could cause a crash, fixed
  • Subscription / Registration expiry bug fix
  • Fixed profile on ring groups, and also 404 if nobody to ring
  • Call hold tone
  • Call time on VoIP status
  • Colour background on call list status
  • Colour background on other data on VoIP status
  • Crash in some call transfer cases fixed
  • Obscure bug in some cases on complex ring groups would fall back to ringing all, fixed
  • Ignoring silly almost empty SIP packets from gigaset (some NAT thing)
  • Allow redirect of group calls if got as far as ringing even if redirect set false as this is a manual redirect
  • Call transfer and redirect now calling using the carrier selected for the phone doing the transfer/redirect not the original caller
  • SIP INFO processing for DTMF
  • Incoming number handling for carriers

Web control pages

  • Session list copes better if you stop the browser while displaying
Built 2012-03-13
Older factory release
1.13.001 (Pandora)
[Breakpoint]
Config:XSD Doc

Release notes from Factory release 1.12.002 to Factory release 1.13.001

  • Increased memory buffer to allow larger code to be uploaded - breakpoint release needed to ensure existing units can load later code

CQM

  • Added additional checkings on CQM shaper sharing to allow for erroneous negative traffic counts

Web control pages

  • Changed graphics for rule lists in firewall - more flowchart like
  • Fixed incorrect showing of "New" when a list of objects is full
Built 2012-03-07
Older factory release
1.12.002 (Ophelia)
[Breakpoint]
Config:XSD Doc

Release notes from Factory release 1.11.004 to Factory release 1.12.002

Config

  • New option on subnet controls if DNS is accepted when acting as DHCP client (default true, obviously)
  • Change of attribute name in dns local records
  • Corrected cqm share-interface on web config to only list ethernet interfaces

CQM

  • Adjusted handling for mismatched speed shared shapers when all reaching limits to balance dropped packets in ratio to share of speed
  • Added Y scale fixing on CQM graphs (Y option)

DHCP

  • Added interface name on DHCP server logging

DNS

  • Local DNS not working for EDNS0 queries including internal lookups, fixed

Factory reset

  • Factory default no longer does RA for 2001:DB8:: subnet. Quickstart guide being changed to match

IP

  • Changed broadcast restriction on subnet to only effect externally sourced packets

IPv6

  • Fix default arp timeout on RA client and PD subnets
  • Adjusted IPv6 neighbour announce to set O flag on link local addresses

L2TP

  • Changed source filtering controls of L2TP to allow traffic even if the L2TP route is lower metric (split bonded lines)
  • Changed L2TP to not announce connected routes until IPCP/IPV6CP completes, and added to debug log
  • Added ip-over-lcp to local auth options for inbound L2TP
  • Slightly faster PPP negotiation on L2TP
  • Corrected error code for "Received PPPoE Active-Discovery Terminate from client"
  • pcap of L2TP sessions from start was impacting the negotiation - fixed
  • Changed LNS DHCPv6 code to handle more than one requested PD and serving in order from RADIUS/config

Ping

  • Allow payload size to be specified in ping config and when setting up a ping graph dynamically
  • Allow routing table to be specified in UI graph ping setup
  • Prevent dynamic ping start/stop affecting a configured ping

PPP

  • PPP LCP restart on unexpected IPCP, IPV6CP, CHAP or PAP

PPPoE

  • ip-over-lcp on PPPoE now defaults to "auto" which means it is set if it receives IP over LCP
  • Fixed BRAS L2TP/PPPoE mode to correctly cope with ip-over-lcp setting
  • Added MAC address to PPPoE logging
  • Fixed debug logging of PPP negotiation in PPPoE BRAS mode
  • Faster PPP negotiation PPPoE
  • Better error reporting on PADT messages
  • Cleaner PPPoE shutdown in BRAS mode on reboot (not accepting PADI after shutdown starts)
  • Fixed bug in L2TP/PPPoE/BRAS mode when session ID exceeded 255
  • Added first stages of PPPoE prefix delegation for IPv6 for testing (not yet doing IA or DNS, just PD)
  • Changed pd-interface on PPPoE to default to "auto" meaning interfaces without existing RA serving prefixes
  • Fixed PPPoE/DHCPv6 to handle more than one prefix delegation correctly
  • Handling local IPv6 by DHCPv6 on PPPoE
  • Handling IPv6 DNS by DHCPv6 on PPPoE
  • IPv6 DNS by DHCPv6 on PPPoE now addig /128 route consistent with IPv4 DNS
  • PPPoE/DHCPv6 PD times requested now more sensible, not infinite
  • Further PPPoE timing improvements
  • Corrected lifetime on router announcement from prefix delegation - was sending infinite
  • Better handling where no IA returned in DHCPv6 but PD is returned
  • Corrected log and log debug operation for PPPoE
  • Additional security checking on DHCPv6 client used in PPPoE
  • PPPoE not working if no IPv6, doh, fixed

Web control pages

  • Changed http access controls so that trusted IPs are allowed even when not on local subnet
  • Added payload size to ping command
  • Corrected copyright date now we are in 2012
  • Added Wake-on-LAN option to Ping and link from DHCP web pages
  • Much more description and instructions on OTP/OATH settings page
  • Added kill and refresh to PPPoE status page
  • Changed to allow an interface to be defined with no subnets (now that PD could be the source of a subnet)
  • Improve error message on null image file upload
  • Improve layout of Graph PNG page
  • Improved help text on dhcp server settings
  • Login page shows your IP
  • Diagnostics access check default to using your IP that is accessing the web pages
Built 2012-03-07
Older factory release
1.12.001 (Narcissa)
[Withdrawn]
Config:XSD Doc
This release has been withdrawn.

Release notes from Factory release 1.11.004 to Factory release 1.12.001

Config

  • New option on subnet controls if DNS is accepted when acting as DHCP client (default true, obviously)
  • Change of attribute name in dns local records
  • Corrected cqm share-interface on web config to only list ethernet interfaces

CQM

  • Adjusted handling for mismatched speed shared shapers when all reaching limits to balance dropped packets in ratio to share of speed
  • Added Y scale fixing on CQM graphs (Y option)

DHCP

  • Added interface name on DHCP server logging

DNS

  • Local DNS not working for EDNS0 queries including internal lookups, fixed

Factory reset

  • Factory default no longer does RA for 2001:DB8:: subnet. Quickstart guide being changed to match

IP

  • Changed broadcast restriction on subnet to only effect externally sourced packets

IPv6

  • Fix default arp timeout on RA client and PD subnets
  • Adjusted IPv6 neighbour announce to set O flag on link local addresses

L2TP

  • Changed source filtering controls of L2TP to allow traffic even if the L2TP route is lower metric (split bonded lines)
  • Changed L2TP to not announce connected routes until IPCP/IPV6CP completes, and added to debug log
  • Added ip-over-lcp to local auth options for inbound L2TP
  • Slightly faster PPP negotiation on L2TP
  • Corrected error code for "Received PPPoE Active-Discovery Terminate from client"
  • pcap of L2TP sessions from start was impacting the negotiation - fixed
  • Changed LNS DHCPv6 code to handle more than one requested PD and serving in order from RADIUS/config

Ping

  • Allow payload size to be specified in ping config and when setting up a ping graph dynamically
  • Allow routing table to be specified in UI graph ping setup
  • Prevent dynamic ping start/stop affecting a configured ping

PPP

  • PPP LCP restart on unexpected IPCP, IPV6CP, CHAP or PAP

PPPoE

  • ip-over-lcp on PPPoE now defaults to "auto" which means it is set if it receives IP over LCP
  • Fixed BRAS L2TP/PPPoE mode to correctly cope with ip-over-lcp setting
  • Added MAC address to PPPoE logging
  • Fixed debug logging of PPP negotiation in PPPoE BRAS mode
  • Faster PPP negotiation PPPoE
  • Better error reporting on PADT messages
  • Cleaner PPPoE shutdown in BRAS mode on reboot (not accepting PADI after shutdown starts)
  • Fixed bug in L2TP/PPPoE/BRAS mode when session ID exceeded 255
  • Added first stages of PPPoE prefix delegation for IPv6 for testing (not yet doing IA or DNS, just PD)
  • Changed pd-interface on PPPoE to default to "auto" meaning interfaces without existing RA serving prefixes
  • Fixed PPPoE/DHCPv6 to handle more than one prefix delegation correctly
  • Handling local IPv6 by DHCPv6 on PPPoE
  • Handling IPv6 DNS by DHCPv6 on PPPoE
  • IPv6 DNS by DHCPv6 on PPPoE now addig /128 route consistent with IPv4 DNS
  • PPPoE/DHCPv6 PD times requested now more sensible, not infinite
  • Further PPPoE timing improvements
  • Corrected lifetime on router announcement from prefix delegation - was sending infinite
  • Better handling where no IA returned in DHCPv6 but PD is returned
  • Corrected log and log debug operation for PPPoE
  • Additional security checking on DHCPv6 client used in PPPoE

Web control pages

  • Changed http access controls so that trusted IPs are allowed even when not on local subnet
  • Added payload size to ping command
  • Corrected copyright date now we are in 2012
  • Added Wake-on-LAN option to Ping and link from DHCP web pages
  • Much more description and instructions on OTP/OATH settings page
  • Added kill and refresh to PPPoE status page
  • Changed to allow an interface to be defined with no subnets (now that PD could be the source of a subnet)
  • Improve error message on null image file upload
  • Improve layout of Graph PNG page
  • Improved help text on dhcp server settings
  • Login page shows your IP
  • Diagnostics access check default to using your IP that is accessing the web pages
Built 2012-02-27
Older factory release
1.11.004 (Melissa)
Config:XSD Doc

Release notes from Factory release 1.10.001 to Factory release 1.11.004

BGP

  • Some extra debug for tracking next hop issues on bgp
  • Fix to pass on IPv4 tunnel in BGP for Ipv6 tunnel routes as 2002::/16 prefix endpoint
  • Adjusted RR logic on BGP to avoid incorrect messing with next hop decision
  • Changed BGP to silently ignore routes where we are already the next hop
  • BGP change to still process withdraw in same packet as silently ignored routes (typically if using route reflectors)
  • Added peer level export-med to set MED on exported routes (unless explicitly set in export filter) as this is commonly the only export filter
  • Made local routes (apart from dead-end) take priority over equivalent BGP originated routes
  • Changed ttl-security option to be 1 to 127, and use -ve as meaning force TTL sending and no checking
  • Added import-localpref at peer level as a common global setting on EBGP links
  • Obscure race condition on BGP shutdown could cause a crash

CLI

  • Fix telnet timeout on users setting timeout 0 to not logout
  • Implement several readline-style line-editing sequences
  • Add two more control sequences - Ctrl-T and Alt-T

Config

  • Fix where config did not detect overlapping port groups unless actually used in an interface
  • Documented that a login timeout of 0 means no timeout but not in ip-group users
  • Mandatory port on interface. Missing port on interface picks first port else creates a fatal error

CQM

  • Some cases graphs could be duplicated if using long names or odd characters, fixed

DHCP

  • Added new lock and unlock feature on DHCP allocations
  • Added ability to manually set the name of DHCP allocations

DNS

  • Added new feature under services/dns to allow local DNS responses including based on DHCP

Factory reset

  • Changed so factory reset is DHCP client on WAN and DHCP server on LAN
  • Changed factory reset to have my.firebrick.co.uk as local DNS for the firebrick itself

FB105

  • Changes to better handle packet reordering issues on bonded tunnels
  • Added tunnel set statistics clear button on status page
  • Removed table from FB105 tunnel route sub object as not meaningful

Firewall

  • Fixed firewall check code (web and command line) - was confused for more than the most basic checks
  • Changed default for firewall where target unknown or nowhere to be "ignore" not "drop". This is important for pre-DHCP client connections from the brick

General

  • Various additional debugging code added

IPv6

  • Adjust handling of RA client to cope when more than one RA has same SLLA (e.g. VRRP) from different hosts

L2TP

  • Added more debug logging on L2TP tunnels, especially relating to relaying
  • Removed table from L2TP tunnel client route sub object as not meaningful

Logging

  • Improved formatting of replay from previous run flash log on boot up

PPPoE

  • PPPoE server (BRAS mode) was broken, fixed
  • Added return of Relay-Session-Id received in PADO to PADR sent
  • Adjusted PPPoE logging so as not to fill logs with requests that are not for us
  • Removed table from PPP route sub object as not meaningful

SNMP

  • Fix BGP and L2TP SNMP stats where values 128 to 255 and 32768 to 65535 reported as negative

Web control pages

  • Fix issue with some links on Chrome viewing BGP peers
  • Typos fixed in config
  • Change to try and stop a factory reset config from claiming to have been changed whilst editing
  • Incorrect HTML typo fixed in some tables
  • Tidy layout of platform radius controls
  • Tidy help on rule log settings
  • Correct various typos
  • Changed filenames for XML save to be more sensible
  • Clearer warning of active sessions on reboot and s/w upgrade pages
  • Fixed case where showing tables of information not right if a list of routes also shown
  • Extra info shown on BGP status
  • "Up to date" may have been erroneously displayed on Software Upgrade page - fixed.
  • First config save from factory reset was not working, fixed
  • New factory reset mode using port 1+3 to go back one config
  • Added new System submenu
  • Hovering on a link now underlines it
  • Some more colours on tables
  • Fix links for ND entries that upset some browsers
  • Web status pages can now be seen by users with access level >= USER
  • Button to clear thread tick counts added to thread statistics page (for users with ADMIN access)
  • Additional logic for getting L2TP session data using circuit ID in URl
Built 2012-02-25
Older Beta release
1.11.001 (Lycia)
[Withdrawn]
Config:XSD Doc
This release has been withdrawn.

Release notes from Factory release 1.10.001 to Beta release 1.11.001

BGP

  • Some extra debug for tracking next hop issues on bgp
  • Fix to pass on IPv4 tunnel in BGP for Ipv6 tunnel routes as 2002::/16 prefix endpoint
  • Adjusted RR logic on BGP to avoid incorrect messing with next hop decision
  • Changed BGP to silently ignore routes where we are already the next hop
  • BGP change to still process withdraw in same packet as silently ignored routes (typically if using route reflectors)
  • Added peer level export-med to set MED on exported routes (unless explicitly set in export filter) as this is commonly the only export filter
  • Made local routes (apart from dead-end) take priority over equivalent BGP originated routes
  • Changed ttl-security option to be 1 to 127, and use -ve as meaning force TTL sending and no checking
  • Added import-localpref at peer level as a common global setting on EBGP links
  • Obscure race condition on BGP shutdown could cause a crash

CLI

  • Fix telnet timeout on users setting timeout 0 to not logout
  • Implement several readline-style line-editing sequences
  • Add two more control sequences - Ctrl-T and Alt-T

Config

  • Fix where config did not detect overlapping port groups unless actually used in an interface
  • Documented that a login timeout of 0 means no timeout but not in ip-group users
  • Mandatory port on interface. Missing port on interface picks first port else creates a fatal error

CQM

  • Some cases graphs could be duplicated if using long names or odd characters, fixed

DHCP

  • Added new lock and unlock feature on DHCP allocations
  • Added ability to manually set the name of DHCP allocations

DNS

  • Added new feature under services/dns to allow local DNS responses including based on DHCP

Factory reset

  • Changed so factory reset is DHCP client on WAN and DHCP server on LAN
  • Changed factory reset to have my.firebrick.co.uk as local DNS for the firebrick itself

FB105

  • Changes to better handle packet reordering issues on bonded tunnels
  • Added tunnel set statistics clear button on status page
  • Removed table from FB105 tunnel route sub object as not meaningful

Firewall

  • Fixed firewall check code (web and command line) - was confused for more than the most basic checks
  • Changed default for firewall where target unknown or nowhere to be "ignore" not "drop". This is important for pre-DHCP client connections from the brick

IPv6

  • Adjust handling of RA client to cope when more than one RA has same SLLA (e.g. VRRP) from different hosts

L2TP

  • Added more debug logging on L2TP tunnels, especially relating to relaying
  • Removed table from L2TP tunnel client route sub object as not meaningful

Logging

  • Improved formatting of replay from previous run flash log on boot up

PPPoE

  • PPPoE server (BRAS mode) was broken, fixed
  • Added return of Relay-Session-Id received in PADO to PADR sent
  • Adjusted PPPoE logging so as not to fill logs with requests that are not for us
  • Removed table from PPP route sub object as not meaningful

SNMP

  • Fix BGP and L2TP SNMP stats where values 128 to 255 and 32768 to 65535 reported as negative

Web control pages

  • Fix issue with some links on Chrome viewing BGP peers
  • Typos fixed in config
  • Change to try and stop a factory reset config from claiming to have been changed whilst editing
  • Incorrect HTML typo fixed in some tables
  • Tidy layout of platform radius controls
  • Tidy help on rule log settings
  • Correct various typos
  • Changed filenames for XML save to be more sensible
  • Clearer warning of active sessions on reboot and s/w upgrade pages
  • Fixed case where showing tables of information not right if a list of routes also shown
  • Extra info shown on BGP status
  • "Up to date" may have been erroneously displayed on Software Upgrade page - fixed.
  • First config save from factory reset was not working, fixed
  • New factory reset mode using port 1+3 to go back one config
  • Added new System submenu
  • Hovering on a link now underlines it
  • Some more colours on tables
  • Fix links for ND entries that upset some browsers
  • Web status pages can now be seen by users with access level >= USER
  • Button to clear thread tick counts added to thread statistics page (for users with ADMIN access)
  • Additional logic for getting L2TP session data using circuit ID in URl
Built 2012-01-24
Older factory release
1.10.001 (Katya)
Config:XSD Doc

Release notes from Factory release 1.09.001 to Factory release 1.10.001

CQM

  • Correct for rare race condition leading to multiple graphs of same name

Flash

  • Avoid flash fragmentation by deleting old images if necessary before saving new image.

L2TP

  • Since 1.08.007 RADIUS timeouts could cause RADIUS servers to "clog up" and stop doing any RADIUS, fixed
  • Added min-retry as a minimum session time before retrying an outgoing L2TP connection (default 10 seconds)
  • New platform RADIUS logic

Shaping

  • Fix incorrect handling of (legacy) tx-interval on shaper
Built 2012-01-18
Older factory release
1.09.001 (Jacynth)
Config:XSD Doc

Release notes from Factory release 1.08.001 to Factory release 1.09.001

BGP

  • Vendor specific SNMP for BGP status

DHCP

  • Clear DHCP command now allows range/prefix to clear multiple entries
  • Option to kill a DHCP allocation from web interface (DHCP status) now
  • Change handling of BOOTP to operate as a REQUEST not DISCOVER so causing allocation of lease

L2TP

  • Better "clear l2tp all", depending on speed of RADIUS accounting
  • Vendor specific SNMP for L2TP status

PPP

  • Added IP over LCP sending option to PPPoE code

SNMP

  • SNMP now has extra logical interfaces which are all named shapers in order, including relevant stats for a shaper.
Built 2012-01-09
Older factory release
1.08.001 (Isadora)
[Breakpoint]
Config:XSD Doc

Release notes from Factory release 1.07.001 to Factory release 1.08.001

  • Auto upgrade software not done if new software already in flash, stops a crash causing a loop.
  • Better error message on ip group name syntax check
  • Added link to upload new config on factory reset screen
  • Added link to upload new config on soft factory recovery screen

CLI

  • Changed show [bgp] route command to list where each route is directed.
  • Allow abort by pressing a key on the show routes command.
  • Tidied show dhcp command

CQM

  • CQM graphs now in alphabetic order
  • Shaper sharing system
  • Session based graphs should not persist if not used for a bit more than a day
  • Hourly rate line on CQM graphs

DHCP

  • Internal change to handling of DHCP server when searching for a suitable IP

FB105

  • Made payload-table consistent - now defaults to 0 not to "same as table"
  • Convertor making more sensible names for things like "24-7"
  • Not picking FB105 endpoint as our IP if cross table tunnel - picks any IP from a subnet on same table
  • FB105 cross table tunnel source IP correction when internal IP defined

Firewall

  • Change to logic where packet could go to multiple subnets on different interfaces. New interface "multiple" can check this, but default action in such cases now is to ignore the packet and send ARPs. New action "ignore" available.
  • Changed logic more so all timed out ARPs on multiple interfaces is now "unknown", and default action for "unknown" is "drop"
  • Improved traceroute through mapped IPs
  • Additional logging on re-routing during session tracking
  • Explicit action accept in rule was not overriding a default action of DROP for originally NOWHERE routes
  • Further change so default action not allow only if no rule matches.

L2TP

  • Made payload-table consistent - now defaults to 0 not (in some cases) "same as table"
  • Faster session clearing when using clear all
  • IP over LCP sending as RADIUS controlled flag (filter C)
  • Increased L2TP sessions to 250
  • Not picking L2TP endpoint as our IP if cross table tunnel - picks any IP from a subnet on same table
  • Added return of Proxy-State in platform RADIUS response
  • Added Tunnel-Medium-Type (IPv4/6) in platform RADIUS response
  • Added optional Juniper Context-Name response in platform RADIUS response (for BT 20CN session steering)
  • Added username hash based Tunnel-Preference in platform RADIUS response
  • Recognise BT specific "Subscriber provisioning failed" error and send clear cause 15 on RADIUS
  • More options for ordering the response on platform RADIUS
  • Faster LCP conf req on l2tp connect with no LCP
  • Additional debug added in L2TP/RADIUS code

PPP

  • IP over LCP rx handling added. I.e. LCP with code 4X or 6X assumed to be IP.
  • Buffer exhaustion handling in ppp fix crash risk

Profiles

  • initial state of profile with set="..." now uses that setting not initial="..." value

RADIUS

  • Fix platform radius proxy state return issue affecting relayed platform radius

Web control pages

  • Added reboot link to web pages, in "status" section for ADMIN level or higher
  • Added VRRP masters count to pre-shutdown message for reboot and s/w updates
  • Fix bug showing FB105 tunnels up when not, in pre-shutdown message for reboot and s/w updates
  • Added new form for pcap dumping to file from browser (/pcap/)

XML

  • XML checking recognises that an empty list is not valid on a mandatory attribute
  • XML checking no longer reports issues with schemaLocation - they are now ignored
Built 2011-11-15
Older factory release
1.07.001 (Hermia)
Config:XSD Doc

Release notes from Factory release 1.06.001 to Factory release 1.07.001

  • Does not auto update and reboot if in factory reset recovery state

CLI

  • New show routes command not BGP specific
  • Show dhcp command layout fix

DHCP

  • DHCP client sets /32 routes for DNS servers provided

Factory reset

  • Made factory default have NAT set on the 10.0.0.X subnet

FB105

  • Shows associated routes on FB105 tunnel status
  • Added graph on web view of fb105 tunnel status if a graph set

Firewall

  • Some better checking for warning about blank firewall rules

L2TP

  • Change of field name (username) not preserving old field (user-name) in l2tp-relay, fixed
  • Pressing a key on telnet command "clear l2tp all" stops clearing lines.
  • Support for RADIUS Framed-IP-Netmask mapped to L2TP PPP IPCP NETMASK (144)
  • L2TP client mode asks for DNS on PPP
  • Config change was unnecessarily restarting some L2TP sessions
  • L2TP failed tunnel timeout reduced from 5 minutes to 1 minute
  • L2TP error response on duplicate tunnel ID to try and manage restart case better
  • Better logging of unexpected L2TP SCCRQ
  • Issue with L2TP clients when no hostname and no local system name configured

Web control pages

  • Using web interface diagnostics/routing could cause a crash
  • Showing associated routes on subnets, dongles, PPPoE, etc.
Built 2011-11-02
Older factory release
1.06.001 (Gemini)
Config:XSD Doc

Release notes from Factory release 1.05.001 to Factory release 1.06.001

  • Additional stats for sessions per second started
  • Added memory usage to one second stats
  • Allow multicast packets to be passed through switch
  • Possible obscure issue with DHCP server code fixed - probably only when default dhcp server user (i.e. ip not set)
  • Added new show status command on telnet, and reformatted web status page

CQM

  • Bug if graphs trying to scale to just under 4Gb/s, showed scaled at bottom end in error. Fixed.
  • Not including old (off screen) rate changes in max scale on graphs

DHCP

  • Additional options in DHCP client
  • Changed DHCP server to serve bricks IP as DNS server allowing it to relay, unless explicit servers set in config

Dongle

  • Colour on dongle status
  • Default if no route= set to also set /32s to DNS servers as well as default route
  • Dongle reporting negotiated DNS servers in status

Ethernet

  • Changed autoneg setting on ethernet ports to default to false if manually setting speed or duplex and not 1G

FB105

  • FB105 tunnel status reporting half-up status correctly
  • Changed logging to only log fatal errors (such as no source Ip or no route) once until next works
  • Added additional recursion detection for FB105 tunnels
  • Config of ports used in FB105 tunnels, and update to config convertor to match
  • Reduced repetition of receive related warnings on identifyable tunnels

Firewall

  • Internal adjustment to session tracking hashing functions
  • Additional sanity check to pick up if someone tries adding a blank rule to a rule-set (typically by mistake)
  • Rule set logic for checking tables when previously having table changes in another rule-set may not have been correct
  • Diagnostic for firewalling not correctly handling non table 0 rule checks
  • Checking for blank rules refined to allow rules just settting nat or tables

L2TP

  • Changed L2TP logging so relay sessions have same logging as incoming session at the time
  • L2TP config change was clearing tunnels if not using a hostname setting
  • Changed logic for logging L2TP to try and ensure relayed sessions log correctly
  • L2TP relay was dropping first packets exchanged
  • Periodic RADIUS accounting was incorrectly showing timestamp less any current dropped packets which could cause a slight discrepancy
  • Outgoing L2TP option ready for initial testing
  • Final LCP TERM sent not logged correct field length in PPP dump, though sent correctly.

Logging

  • Session track counter in log-stats
  • Log email sending retry logic changed
  • Added much more debug for log-debug for logging email sending
  • Added additional information to emailed logs

Ping

  • Ping graphs can now use a host name

PPPoE

  • Default if no route= set to also set /32s to DNS servers as well as default route

RADIUS

  • L2TP RADIUS for PAP was using cleartext password as message auth (16 byte), changed to random.

VRRP

  • Deleting an interface which VRRP master caused a crash

Web control pages

  • Improved lists of objects with sub objects present in config editor
  • General change to css, layout and menus, and new options for menu/banner controls
  • Extra information on DHCP client status page (subnets)
  • Change to allow you to stay logged in when clock first sets
  • Added ethernet port status to web status page
  • Home page shows if system name is not set is this really should always be set, but is not actually a mandatory field
Built 2011-09-22
Older factory release
1.05.001 (Filippa)
Config:XSD Doc

Release notes from Factory release 1.03.001 to Factory release 1.05.001

BGP

  • Stopped announce of FE80::/10 when subnet has bgp="true"
  • No longer logging full BGP packet when discarded due to !allow-own-as or allow-only-their-as
  • Added additional per peer counters for ignored and filtered incoming updates

CLI

  • The show flash log command is now available to admin users
  • Added new command line to clear data pages in flash

Diagnostics

  • Tidy up the traceroute command to allow more than one attempt per hop, and some bug fixes
  • Access list check (command and web UI)
  • New firewall/session diagnostics (command line and web UI)

Factory reset

  • Made factory default have local-only set true on http access
  • Removed factory default for restricting access to firebrick itself by firewall as access list controls now much better

FB105

  • Various corrections to config convertor for latest releases
  • Improved fb105 config conversion for VLAN handling

Firewall

  • log-no-match on rule-sets should not log even if accept/continue, if there is no other logging set
  • Subtle change in logic for session NAT to/from brick when routing table override in rule-set

Logging

  • Possible fix to issue causing occasional unexplained crashes
  • Bug where viewing logs on web pages could cause crash, fixed
  • Removed hex dump debug log of DHCPv6 - as cluttred interface debug logs and better done using pcap

Manual

  • Started work on additional information for config documentation

Ping

  • Fixing interface based pings on startup not always working

PPPoE

  • Additional logging of PPPoE PAP/CHAP response message even if failed

Services

  • Added new access check for local-only on services. IMPORTANT - defaults to true for telnet, dns, timed, so you will need to set to false if you want remote access to these

SNMP

  • snmp was not access locked to routing table, fixed

Web control pages

  • Removed WebSite link as caused confusion, and made footer have link to FB website
  • Added configurable links on home page and fb105 conversion
  • Added optional CSS URL allowing customisation of control pages
  • Session list allows selection by protocol first
  • Added ping/traceroute on web interface
  • Ping and traceroute now separate diagnostics
  • Show route now on web diagnostics menu
  • New session kill link on session table (web UI), and session kill command
  • Web config edit has more information shown now, and change to some spacing.
  • Missing titles on lists of blackhole and nowhere routes
  • Config edit was not able to add / change shaper-override (profile based shaping logic)
Built 2011-09-19
Older Beta release
1.04.002 (Electra)
Config:XSD Doc

Release notes from Factory release 1.03.001 to Beta release 1.04.002

CLI

  • The show flash log command is now available to admin users
  • Added new command line to clear data pages in flash

Diagnostics

  • Tidy up the traceroute command to allow more than one attempt per hop, and some bug fixes
  • Access list check (command and web UI)
  • New firewall/session diagnostics (command line and web UI)

Factory reset

  • Made factory default have local-only set true on http access
  • Removed factory default for restricting access to firebrick itself by firewall as access list controls now much better

FB105

  • Various corrections to config convertor for latest releases
  • Improved fb105 config conversion for VLAN handling

Firewall

  • log-no-match on rule-sets should not log even if accept/continue, if there is no other logging set
  • Subtle change in logic for session NAT to/from brick when routing table override in rule-set

Manual

  • Started work on additional information for config documentation

PPPoE

  • Additional logging of PPPoE PAP/CHAP response message even if failed

Services

  • Added new access check for local-only on services. IMPORTANT - defaults to true for telnet, dns, timed, so you will need to set to false if you want remote access to these

SNMP

  • snmp was not access locked to routing table, fixed

Web control pages

  • Removed WebSite link as caused confusion, and made footer have link to FB website
  • Added configurable links on home page and fb105 conversion
  • Added optional CSS URL allowing customisation of control pages
  • Session list allows selection by protocol first
  • Added ping/traceroute on web interface
  • Ping and traceroute now separate diagnostics
  • Show route now on web diagnostics menu
  • New session kill link on session table (web UI), and session kill command
  • Web config edit has more information shown now, and change to some spacing.
Built 2011-09-19
Older Beta release
1.04.001 (Electra)
[Withdrawn]
Config:XSD Doc
This release has been withdrawn.

Release notes from Factory release 1.03.001 to Beta release 1.04.001

CLI

  • The show flash log command is now available to admin users
  • Added new command line to clear data pages in flash

Diagnostics

  • Tidy up the traceroute command to allow more than one attempt per hop, and some bug fixes
  • Access list check (command and web UI)
  • New firewall/session diagnostics (command line and web UI)

Factory reset

  • Made factory default have local-only set true on http access
  • Removed factory default for restricting access to firebrick itself by firewall as access list controls now much better

FB105

  • Various corrections to config convertor for latest releases
  • Improved fb105 config conversion for VLAN handling

Firewall

  • log-no-match on rule-sets should not log even if accept/continue, if there is no other logging set
  • Subtle change in logic for session NAT to/from brick when routing table override in rule-set

Manual

  • Started work on additional information for config documentation

PPPoE

  • Additional logging of PPPoE PAP/CHAP response message even if failed

Services

  • Added new access check for local-only on services. IMPORTANT - defaults to true for telnet, dns, timed, so you will need to set to false if you want remote access to these

SNMP

  • snmp was not access locked to routing table, fixed

Web control pages

  • Removed WebSite link as caused confusion, and made footer have link to FB website
  • Added configurable links on home page and fb105 conversion
  • Added optional CSS URL allowing customisation of control pages
  • Session list allows selection by protocol first
  • Added ping/traceroute on web interface
  • Ping and traceroute now separate diagnostics
  • Show route now on web diagnostics menu
  • New session kill link on session table (web UI), and session kill command
  • Web config edit has more information shown now, and change to some spacing.
Built 2011-09-09
Older factory release
1.03.001 (Dimity)
Config:XSD Doc

Release notes from Factory release 1.01.001 to Factory release 1.03.001

Config

  • Changed default config - using LAN and WAN as interface and port group names and added more comments

FB105

  • Profile was not being considered on the sub object for routes
  • Convertor maps ipsrc from FB105 to internal-ip in fb105 tunnel set up

Firewall

  • Added log-no-match to rule-set to allow logging specifically for no-match cases.

L2TP

  • Changed to not debug log PAP passwords at all, but showing length of data sent (so length of password)

Logging

  • Documentation updated, and console log off/on commands now TROFF and TRON
  • log-starts logs start and stop of stats logging
  • Occasional crash in logging when lots of information is logged.

PPPoE

  • Profile was not being considered on the sub object for routes
  • Option to ignore supplied DNS servers on PPPoE

Profiles

  • Changed wording on logs for inverted profiles

Routing

  • Possible issue with watchdog failure being addressed

Web control pages

  • Heading on web logs saying which log report shown
  • Subnets listed in order
  • Colour coded display for status of FB105 tunnels
  • Layout changes on rule-sets
  • Icons redrawn
  • Changed page title to list name before serial
  • Manual s/w upgrade looks nicer now
  • Graph names as text on graphs list to allow searching in browser
  • Corrected icons for rule-set
  • Tweak factory reset menu
  • Additional per second stats for http access counts
  • Adjust timing on status check to try and ensure we see new s/w first time
Built 2011-09-09
Older Beta release
1.02.001 (Cressida)
[Withdrawn]
Config:XSD Doc
This release has been withdrawn.

Release notes from Factory release 1.01.001 to Beta release 1.02.001

FB105

  • Profile was not being considered on the sub object for routes
  • Convertor maps ipsrc from FB105 to internal-ip in fb105 tunnel set up

Firewall

  • Added log-no-match to rule-set to allow logging specifically for no-match cases.

L2TP

  • Changed to not debug log PAP passwords at all, but showing length of data sent (so length of password)

Logging

  • Documentation updated, and console log off/on commands now TROFF and TRON
  • log-starts logs start and stop of stats logging
  • Occasional crash in logging when lots of information is logged.

PPPoE

  • Profile was not being considered on the sub object for routes
  • Option to ignore supplied DNS servers on PPPoE

Profiles

  • Changed wording on logs for inverted profiles

Routing

  • Possible issue with watchdog failure being addressed

Web control pages

  • Heading on web logs saying which log report shown
  • Subnets listed in order
  • Colour coded display for status of FB105 tunnels
  • Layout changes on rule-sets
  • Icons redrawn
  • Changed page title to list name before serial
  • Additional per second stats for http access counts
Built 2011-09-04
Older factory release
1.01.001 (Bryony)
Config:XSD Doc

Release notes from Factory release 1.00.020 to Factory release 1.01.001

Config

  • Password now mandatory on user field, and error if blank and not using OTP
  • Changed time-out to timeout in firewall controls as consistent with reset of config
  • Added source= to rule-set rules and route-override rules
  • Added extra notes on localpref to explain highest value wins
  • Minor change to wording on web config
  • Added <blackhole.../> and <nowhere.../> as explicit routing objects rather than using <route.../> with no gateway.
  • as-path only on network object as was not in fact functional on route object

DHCPv6

  • Rebind handling corrected (was being ignored)

FB105

  • Corrected PCAP of IPv6 on FB105 tunnels
  • Added code to help avoid FB105 tunnel traffic via the same tunnel causing a crash
  • Timezone fixes on config convertor
  • Changing table attribute on fb105 tunnel settings was not taking immediate effect

Firewall

  • Rework of session tracking logs, including interface names, and various other layout changes
  • Corrected case of mapping traffic to the firebrick using NAT and a target redirect was not NATting
  • Cross table routing logic tweaked to pick up correct interfaces - should fix an issue where NAT not applied for PPP
  • Removed unnecessary NAT stage for locally sourced traffic

L2TP

  • Adjusted IPv6 RA for L2TP - now send periodically if IPv6 router solicitation previously received
  • Logging of CHAP accept/reject showed wrong length (correct length was being sent)

Logging

  • Emailed logs were re-sent on every config change, fixed
  • Changed syslog to use UDP non encrypted RFC5424 logging with microsecond precision. Affects all log lines as module name added
  • Added option to specify source IP for syslog messages

Manual

  • Corrected description of interface object

Pcap

  • PCAP giving better error messages

Ping

  • Ping setting on interface was not always starting the pings, and not stopped when config removed. Fixed

Profiles

  • Changed logic so "or" profile with no other settings and none of the "or" profiles match will fail not pass.
  • Corrected timeout/recovery logic
  • Added initial-state option on profiles
  • Profiles tracking ppp did not spot if a PPP went off because it was itself turned off by profile config
  • Changed logging for profiles so "still active" and "still inactive" logs are log-debug now

Routing

  • Correctly sending ICMP errors for dead end routes
  • Routing loop detection improvements
  • Minor change to internal routing/ARP cache functions to test a specific bug report.

Session tracking

  • Added set-reverse-graph to rules in rule-sets allowing the far side graph to also be set independantly from set-graph

Shaping

  • Bug when setting reverse graph by means of route-override causing graph not to be applied

Web control pages

  • Changed headings on config edit boxes
  • Changed the sequence when downloading new code
  • Automatically redirects to status page after a short delay when new s/w loaded
  • Less margins on web pages
  • Updated setting descriptive text in firewall rules
  • Made breadcrumbs larger and easier to read
Built 2011-09-01
Older Beta release
1.00.039 (Ariadne)
[Withdrawn]
Config:XSD Doc
This release has been withdrawn.

Release notes from Factory release 1.00.020 to Beta release 1.00.039

Config

  • Password now mandatory on user field, and error if blank and not using OTP
  • Changed time-out to timeout in firewall controls as consistent with reset of config
  • Added source= to rule-set rules and route-override rules
  • Added extra notes on localpref to explain highest value wins
  • Minor change to wording on web config

DHCPv6

  • Rebind handling corrected (was being ignored)

FB105

  • Corrected PCAP of IPv6 on FB105 tunnels
  • Added code to help avoid FB105 tunnel traffic via the same tunnel causing a crash
  • Timezone fixes on config convertor

L2TP

  • Adjusted IPv6 RA for L2TP - now send periodically if IPv6 router solicitation previously received

Logging

  • Emailed logs were re-sent on every config change, fixed
  • Changed syslog to use UDP non encrypted RFC5424 logging with microsecond precision. Affects all log lines as module name added

Manual

  • Corrected description of interface object

Profiles

  • Changed logic so "or" profile with no other settings and none of the "or" profiles match will fail not pass.
  • Corrected timeout/recovery logic
  • Added initial-state option on profiles
  • Profiles tracking ppp did not spot if a PPP went off because it was itself turned off by profile config
  • Changed logging for profiles so "still active" and "still inactive" logs are log-debug now

Routing

  • Minor change to internal routing/ARP cache functions to test a specific bug report.

Session tracking

  • Added set-reverse-graph to rules in rule-sets allowing the far side graph to also be set independantly from set-graph

Shaping

  • Bug when setting reverse graph by means of route-override causing graph not to be applied
Built 2011-08-17
Older factory release
1.00.020 (Zack)
Config:XSD Doc
This is the first release for this platform.
Built 2011-08-01
Older factory release
1.00.001 (Yves)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-07-19
Older factory release
0.11.002 (Xavier)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-07-19
Older Beta release
0.11.001 (Xavier)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-07-19
Older Beta release
0.10.003 (Walter)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-07-19
Older Beta release
0.10.001 (Vincent)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-07-18
Older factory release
0.09.002 (Ulysses)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-07-17
Older Beta release
0.09.001 (Theobald)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-07-08
Older factory release
0.08.049 (Sherlock)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-06-07
Older factory release
0.08.001 (Randolph)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-06-07
Older Beta release
0.07.005 (Quentin)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-06-03
Older Beta release
0.07.002 (Percival)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-06-03
Older Beta release
0.07.001 (Oswald)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-05-27
Older factory release
0.06.061 (Nathan)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.

Recent versions only | Factory releases | Factory and Beta | Factory, Beta & Alpha