Software type: App

Model Variant: FB2700

Released 2025-03-31
Built 2025-03-28
Factory release
2.02.007 Cavendish
Config: XSD Doc
Manual: PDF HTML (single page)

Release notes from version 2.01.101 to 2.02.007

ACME

  • Allow letsencrypt without specifying an email address (assuming agreed elsewhere)

ARP

  • Make queued packets be more likely to be recent (and thus useful)
  • Clear out stale entries more efficiently

BGP

  • Don't wait for shutdown time if sessions are not established
  • Fix rare crash on ignored BGP updates

CQM

  • Slightly faster bulk ping loading
  • Don't keep updating layout whilst loading many graphs

DHCP

  • Fix crash when repeatedly exercising certain paths through DHCPv6

Ethernet

  • Turn off ports that aren't in any port group

Firewall

  • Add options for using TTL as part of firewalling decisions
  • Fix errors around session timer rollover
  • Bugfix for display of PCP sessions

HTTP

  • Support chunked transfer encoding in client

IP

  • Don't report incorrect source address when sending ICMP messages

IPsec

  • Fix rare crash on disconnection

Internal

  • Improved checking when freeing internal memory

LACP

  • Disable LACP on ports not in a portgroup
  • Improve layout of LACP diagnostic

Logging

  • Prevent syslog-email holding up config changes under certain circumstances

MQTT

  • Clean up after closures in a more timely manner
  • Fix session counting issue when TCP fails to accept
  • Support for large packets

NTP

  • Respect table default source IP

OS

  • Improve diagnostics for certain classes of deadlock
  • Delay automatic upgrades until at least 10 mins after boot
  • Don't clear image penalties on successful shutdown
  • Fix rare watchdog
  • Force hard reboot when booting block 0 (bootloader)

OSPF

  • Try to remove some potential races

PPPoE

  • Show MAC address for server and client
  • Correctly remember our own PPPoE IP when configured from RADIUS

Ping

  • Only accept correct ping replies as valid responses to a ping

Profile

  • Initialise state when profile becomes (or ceases being) a control switch
  • HomeAssistant auto config for switch and binary sensor
  • Fix potential race when saving profile switch state
  • Add option to allow any reply (not just ping response) to count for ping profiles

Routing

  • Fix rare crash when changing routes for subnets
  • Improve layout for routing diagnostic tool

SIP

  • Improve response handling

Strack

  • Fix total active sessions count

TCP

  • Improvements
  • Avoid rare deadlock in internal TCP code

TLS

  • ECDSA support
  • Fix incorrect object identifier for SHA224

Telnet

  • Fix crash in telnet

VoIP

  • Improve preauth opt out settings
  • Improve handling of NATted signalling
  • Improved diagnostics and potential fixes for watchdog

Web UI

  • Add tab completion to XML editor
  • Show larger traffic graphs on ports page
  • More reliable HTTP POST handling in some error circumstances
  • Report last port up/down time
  • Fix IPv6 peer address in BGP compare
  • Add filtering to firewall
  • Show free buffer count in buffer statistics report
  • Improve display of bonded routes
  • Fix display of bootloader upgrades
  • Fix uploading of small images (e.g. 9000 AUX builds)
  • Improve wording and display of reboot delay time and countdowns
  • Improve error reporting when config upload fails in editor
  • Fix QR display when creating OTP
  • Add LACP status for debug users
  • Filtering on L2TP sessions page
  • Update FireBrick website link
  • Avoid truncating long routing diagnostic output

Released 2024-11-11
Built 2024-10-29
Factory release
2.01.101 Balcombe
Config: XSD Doc
Manual: PDF HTML (single page)

Release notes from version 2.00.100 to 2.01.101

ARP

  • Better handling when sending many messages to non-existent locally connected targets

BGP

  • Shutdown more cleanly on profile disabling
  • Log which AS we are rejecting if it doesn't match
  • Fix incorrectly reported exports with multiple tables in play
  • Remove inaccurate/confusing status text
  • Fix potential crash with flappy routes and multiple peers
  • Avoid some potential crashes with repeated config updates

CLI

  • Add filtering by table to "show bgp peer/summary" and "show route nexthop"

CQM

  • Treat graph names consistently case sensitively
  • Allow automatic ping graphs to be configured for DHCP entries
  • Correct UDP checksum for shared shapers and add status page

Config

  • Disable legacy time server (port 37) by default
  • Make it easier to find banner background option
  • Some improvements to demo mode

DHCP

  • Improve handling of locked entries
  • Fix crash when serving certain requests
  • Add support for the "rebinding" state in client
  • Send server ID when in "selecting" state
  • Allow DHCP6 client to be configured directly (not via RA)

DNS

  • Fix race that could (very rarely) result in mangled packets whilst relaying

Diagnostics

  • Add config option to dump some of the stack on certain classes of crash
  • Improve mutex acquisition timeout diagnostic

FB105

  • Improve speed of obfuscation
  • Fix rare crash

Firewall

  • Improve efficiency of firewall timeouts
  • Add obfuscation options
  • Fix crash due to code optimisation
  • Fix race on one sided session reuse

HA

  • Fix for handling special packets and other tunnels within HA L2TP tunnels

IPv6

  • Fix issue with duff broadcast address in some RAs

Internal

  • Tweak scheduler to try and avoid rare thread starvation conditions

L2TP

  • Add speed settings to L2TP local authentication
  • Config option for L2TP IPv6 tunnels without a checksum
  • Avoid rare crash fetching status
  • Add option to send Operator-Name on a per basis
  • Support specifying the source IP for payload traffic

LACP

  • Hot standby mode selection for wider switch compatibility

Logging

  • Log L2TP RADIUS errors to the RADIUS debug log (instead of the system one)
  • Add a log for a user's events (currently logins)
  • Report hardware watchdogs to support
  • Log slow config load functions to sys debug
  • Log bootloader upgrades
  • Improve detail in some logs
  • Shorten TCP connection timeout for email logs
  • Change VRRP not found to debug

MQTT

  • Fix retained message handling timeouts
  • Fix a couple of rare crashes
  • Drop oversize QOS0 messages
  • Global option to send retain flag to clients (default on).
  • Correct sending retain to clients only for old retained messages not new ones after subscription established
  • Fix where subscriptions could get overwritten in some cases
  • Fix CPU spikes that can grow with uptime

Manual

  • Explain the 2 types of defaulting in the XSD
  • Improve layout slightly
  • Remove some out of date screenshots
  • Improve LACP standby explanation

NTP

  • Use MD5 hash for reference ID of IPv6 time sources

OS

  • Handle devices that don't respond to unicast ARP (Starlink) more gracefully
  • Additional type of watchdog for catching rogue high priority threads

PPPoE

  • Add an additional profile to prevent responding to PADI messages
  • Allow omitting of automatic caller-id end
  • Show the acname correctly in status
  • Report PPPoE info more reliably on L2TP sessions page

Ping

  • Don't crash when we cannot create ping from config (because too many have already been bulk loaded)

Profiles

  • Allow control switches to be set from the menu (and allow them to be locked for sensitive ones)

RADIUS

  • Drop legacy AOR AVP number
  • Fix issue with RX shapers and CoA
  • Make status mechanism more in line with other services

Routing

  • Fix loop detection in source IP determination
  • Add debug user command for dumping internal state of routing
  • Fix bug that could cause routes to transiently appear as NULL in the forwarding table

SNMP

  • Fixes for L2TP SNMP
  • Fix bug which can occur when encoding zero values

Sampling

  • Fix rare crash when changing interface config as a sample is taken

Software upgrade

  • Add button for downloading latest software without rebooting

TCP

  • Add option for TCP stealth mode for the FireBrick itself (without using the firewall)

Telnet

  • Fix rare crash when quickly creating multiple telnet sessions
  • Add task stat clear command

VOIP

  • Tweak wording of security-replies registration warning and add context to manual
  • Improve logging

VRRP

  • Show time in a given state

VoIP

  • Handle NAT RTP more cleanly when far end is silent and not sending RTP packets
  • Add additional ways to detect anonymous calls for telephony operators
  • Fix rare issue with RTP packets from 0.0.0.0

Watchdog

  • Additional context for rare watchdog

Web UI

  • Add DNS cache state status (for debug users)
  • Make the status page clearer during reboots
  • Modify UI layout to avoid a couple of strange looking edge cases
  • Allow an additional level of submenus
  • Allow menus to be expanded and collapsed interactively
  • Scroll tables horizontally if they don't fit in the page
  • Reorganise the menu entries
  • Add button for clearing flash penalties (debug user)
  • CSS hinting tweaks
  • Add a page for unit info
  • Put intro text in page header
  • Ensure profile switches show up to date status over config change
  • Fix issue where test/save buttons could appear twice after repeated config test edits
  • Reword software upgrade page
  • Optionally group control switches in menu
  • Accept connections from "trusted" (but not "allowed") hosts during ACME renewal
  • Group profile buttons on home page
  • Fix issue that could cause live logging to use CPU excessively
  • UI tweaks

Firewall

  • Increase priority of firewall event processing task

Released 2023-10-16
Built 2023-10-09
Factory release
2.00.100 Abbotscliffe
Config: XSD Doc
Manual: PDF HTML (single page)

Release notes from version 1.61.010 to 2.00.100

  • Rework apps to run efficiently on the FB9000 platform - this is a major rework that may impact all platforms
  • Internal code changes to slightly improve performance

ARP

  • Recover faster from certain subnet changes
  • Slightly improve ARP queue timeout handling for entries that do not resolve but are in constant use.

BGP

  • Shutdown timeout - be tolerant of negative NTP adjustments
  • Add profile to peer list in config editor
  • Check that peers define unique connections
  • Improvements to graceful restart
  • Improve connection handling
  • Fix issue with GET method for new SNMP OIDs
  • Additional states for shutdown and preshutdown in new OIDs
  • Add prefix limit info to SNMP
  • Include held routes in the count of imported prefixes
  • Improvements and bugfixes
  • Intersperse connection handling better

CQM

  • Calculate times for XML output the same way as for images
  • Handle extremely low ping latencies better

Config

  • Added auto-backup-url to config to POST changed config
  • Improve config patch mechanism
  • Fix "*" parsing for port ranges

DNS

  • Prevent forwarding of other types for overridden DNS entries

Ethernet

  • Allow assignment of specific MAC addresses to subnets and interfaces

Firewall

  • Only ARP targets in overlapping subnets if we would allow traffic to them
  • Improve source IP selection when NAT is targeting overlapping subnets
  • Add more detail to firewall diagnostic

IPsec

  • Remove path by which eap-user restrictions could be evaded by some clients

IPv6

  • Advertise a /64 for PD SLAAC (even if the delegated prefix is larger)
  • Introduce a list of ra-subnet-template on interfaces to allow setting of options for RA generated subnets (replaces ra-client)
  • Prevent prefix delegation on linked interfaces (including by implicit defaults)
  • Fix issue with RA and ignore_dns that can cause subnets to be recreated

Internal

  • Improve resource utilisation of streams

L2TP

  • Corrected handling of Framed-IPv6-Address as interface address in RADIUS
  • Add calling/called station IDs to L2TP session status
  • Fix crash with packets claiming different lengths in different ways
  • Allow IPv6 DNS to be overridden via RADIUS
  • Don't kill tunnels immediately when profiling off incoming
  • Report the correct number of packets for TX and RX

LACP

  • Advertise additional links as standby when it makes sense to do so
  • Put secondary links in hot standby when speed limited by hardware
  • Handle badly behaved link partner better

Logging

  • Increase internal logging capacity

MQTT

  • Reconnect faster on "external" config changes and improve status
  • Fix issue where tx is available late

Manual

  • Add more commands to the manual
  • Improve MIB appendix

OSPF

  • Fix crash when config changed repeatedly very rapidly

PPPoE

  • Fix typo on PPP status page
  • Don't accept PPPoE inbound connections if the matching incoming is profiled off
  • Log sending the PADR

Pcap

  • Make labels on pcap form slightly better
  • Support multiple IPs and ranges in the filtering

Profiles

  • Add uptime test to allow staggered starting of services
  • Evaluate conditions when adding (to avoid flapping without careful choice of initial)

Routing

  • Remove 6to4 (2002:) IP mapping
  • Add tunnel IDs to routing diagnostic summary
  • Avoid sending packets with potentially inappropriate source IPs (applies to overlapping subnets mainly)
  • Force immediate reconsideration of routes when related gateways have expired

SNMP

  • Add system memory utilisation to SNMP
  • Make buffer statistics reflect new reality (that most buffers are in a global pool)

TCP

  • Improve preempting of TCP connections in the timewait state
  • Limit accept queues more consistently
  • Reduce resource usage when in TIME-WAIT

TLS

  • Add connection count to 1 second stats

VRRP

  • Take notice of the profile on the parent interface

VoIP

  • Improve how VOIP logging reads

Web UI

  • Improve profile switch behaviour when clicked fast repeatedly
  • Config option to change colours of user interface
  • Add buttons to config editor for reordering items in ordered lists
  • Darker background for select multiple selections
  • Avoid underflow when showing number of seconds remaining for config test (cosmetic)
  • Added warning that config save is recommended
  • Tidy up config edit page
  • Improve layout of BGP buttons
  • Show reboot now option when shutting down
  • Wrap lines in XML editor on first load
  • Buttons to delete flash blocks as a DEBUG user
  • Click on headings to sort status tables
  • Provide load indicator on Status page
  • Suppress iPhone phone number autodetection (so it doesn't pick up the serial number)
  • Add arrows (ascending and descending) to sorting
  • Record txnodesc more like other ethernet stats
  • Add ability to view old configurations and boot alternative images to flash contents (as DEBUG)
  • Reorder ping form
  • Tweak upload styling
  • Show route diagnostic in prefix order

Config

  • Small improvements to the auto backup feature to make it nicer

Released 2022-11-16
Built 2022-11-07
Factory release
1.61.010 Ogust
Config: XSD Doc
Manual: PDF HTML (single page)

Release notes from version 1.60.010 to 1.61.010

CQM

  • Small change to SVG to make loss/latency squared off like png

Certificates

  • Avoid panic on reboot if FB private key gets deleted

Config

  • Enforce list max occurrences limits for all config items

DHCP

  • Treat a profile on a DHCP config entry with a restriction consistently with other config profile usage.

DHCPv6

  • Various improvements (especially in the client)
  • Make DHCPv6 work better with larger prefixes
  • Allow larger server DUIDs

Ethernet

  • Share MAC address on VLAN 0 between bootloader and app for each port

IKE

  • Send out of band error when INIT request negotiation fails

IPv6

  • Improved reliability of RA handling

MQTT

  • Bigger MQTT messages
  • Additional options on MQTT external

PPP

  • Bug fix for issues with PPP client corrupting subnets

PPPoE

  • Increase number of allowed PPP sessions (and fix crash loading configs with more than 20)

RADIUS

  • Juniper ERX ingress/egress policy name in RADIUS server
  • Correct defaulting of RADIUS server settings

VoIP

  • Subtle change to message handling in VoIP (getting actual 408 response to INVITE)
  • CLI settings not always passing through

Web UI

  • Improve layout on XML edit page
  • Improve button placement on system info pages
  • Explanation added regarding TCP stress test blob output
  • Further improve XML edit and reduce vertical height of top bar
  • Make XML download links look like links
  • Add line numbers to XML editor
  • Reject paths with extraneous middle segments
  • Various UI improvements
  • Add a config option to prevent refreshing the CQM image lists
  • Make graphs on the image list page clickable
  • Editor - fix colour picker with 3 digit hex colours
  • Force text colour in buttons to black (apparently iPads can default it to white)
  • Warn on most pages when config is no longer valid

MQTT

  • MQTT crash fix
  • Sending cleaner CONNACK for error cases

VoIP

  • Allow additional Privacy header options

Released 2022-07-20
Built 2022-07-11
Factory release
1.60.010 Nickell
Config: XSD Doc
Manual: PDF HTML (single page)

Release notes from version 1.59.000 to 1.60.010

CLI

  • Show thread stats for longer sample period

DHCP

  • Improved controls over DHCP logging

DHCP/DNS

  • Additional "latest IP allocated" DNS name for DHCP - see auto-dhcp-new in DNS settings

DHCPv6

  • Simple DHCPv6 client mode (experimental)

Diagnostics

  • Provide info about HTTP connections for debug users on web and telnet

HA

  • Fix HA groups D-G
  • Improve handling of HA bonded tunnels with extremely mismatched latency (seconds)

HTTP

  • Be more tolerant of lack of Content-length in HTTP client

IP

  • Use the table's default source IP in more places

IPv6

  • Interface setting ra-client now default if wan set, else not default
  • Interface setting now defines PD (prefix delegation), default if wan/ra-client/ra not set

L2TP

  • Respect table setting for MTU calculation for outgoing and relayed L2TP connections
  • Put serial number in calling station ID if unset (temporary change)
  • Add mechanism for advising LAC of tx speed when needed
  • Put serial number in calling station ID if explicitly set to ''

Logging

  • Fix issue with emailed logs - were sending to last MX not first, and leaving TCP open causing issues if too many emails sent

MQTT

  • Added MQTT console

RADIUS

  • Added allow list for RADIUS CoA requests as alternative to host IP match
  • Add logging on RADIUS match
  • Added top level IP allow check on RADIUS
  • Faster RADIUS failover (and updated documentation)

VoIP

  • Limit email addresses for recording to 2000 chars

Web UI

  • Add details of L2TP session states on tunnel status pages
  • Show which tables session tracking is active on in UI
  • Fix looping causing loss of UI if TCP stress test fails

DHCPv6

  • Updated IPv6 SLAAC/RA logic to allow control of extra flags and simple ethernet side DHCPv6 server

PPP

  • Handle missed PAP reply on PPP

Released 2022-04-20
Built 2022-04-13
Factory release
1.59.000 Macleod
Config: XSD Doc
Manual: PDF HTML (single page)

Release notes from version 1.58.111 to 1.59.000

ACME

  • ACME error reporting could get garbled message in some error cases

FB105

  • Fix rare crash with FB105 tunnel bonding during configuration change

IPsec

  • Fixed a problem with validation of peer certificate
  • Fixed handling of out-of-order IKE fragments
  • There is a new attribute peer-eaplist available on an IKE connection config item which enables the allowed EAP usernames to be specified.
  • Improve EAP diagnostic logging and fix minor problem with message ID number checking
  • Further improvements to EAP processing and error logging

L2TP

  • Configured outgoing L2TP sessions now respect the bgp setting in the config

MQTT

  • Added listener for FireBricks/# topic

RADIUS

  • Some additional RADIUS server settings, matching, added mqtt logging and changed log format to JSON, for working with some WiFi kit

TLS

  • Improved stream handling in TLS to avoid occasional race conditions causing crashes

VoIP

  • Improve logging when bulk carrier import fails

DHCP

  • Changed some DHCP server logging to be JSON format (same as used for MQTT)

MQTT

  • Changed MQTT mapping field names and fixed incorrect help text

OSPF

  • OSPF marked experimental as it has some minor issues.

Released 2022-01-05
Built 2021-12-21
Factory release
1.58.111 Landy
Config: XSD Doc
Manual: PDF HTML (single page)

Release notes from version 1.57.010 to 1.58.111

CLI

  • Added CLI command to view port status

Certificates

  • Removed expired DST Root CA X3 certificate

Config

  • Allow numeric value with 0x prefix in config

DHCP

  • DHCP client will now attempt to renew leases when ports go down and come back up. This will automatically reconfigure the subnet if plugged into a different network.
  • Added mac-local test in DHCP pool

Diagnostics

  • Add diagnostic command and status page for buffer usage
  • Include uptime information in automatic crash reports
  • Log highest buffer users in case of exhaustion

Ethernet

  • Improve setting of default port config on startup (may be faster startup in some cases)

Firewall

  • Added option to set DSCP

IPsec

  • Increase max number of simultaneous IKE/IPsec connections
  • Fixed problem with IKE message fragmentation causing connection failures with some clients
  • Fixed occasional "Response not pending" panic.

Logging

  • Additional debug in this alpha, as some people have seen 409 errors on web interface

MQTT

  • Simple MQTT message mapping option
  • Improvements to MQTT broker (better error reports and sanity checks)
  • MQTT payload pattern match
  • Correct mapped MQTT messages erroneously setting retain
  • Made IP a link on mqtt status
  • MQTT mapping connection linking (e.g. for retained)
  • Fix outgoing mqtt bug

OSPF

  • Correct OSPF checksum issue for certain auth types

Profiles

  • Added profile test for "DHCP allocated"
  • Nicer web socket based profile control switches.

TLS

  • Improve server authentication security and work around problems with some servers by using the signature algorithm extension.
  • Fix TLS connection failover
  • Added TLS stateless session resumption - without this newer versions of some browsers were very slow to load FB web pages

VoIP

  • Double VOIP capacity limits
  • Double number of simultaneous call recordings
  • Tweak outgoing registrations for SIP servers that mash up the registered Contact rather than just using it as is.
  • Fixed issue with very long SIP registrations using IPv6 addresses

DHCP

  • Improved DHCP allocation logging and MQTT logging

L2TP

  • Added session-timeout to L2TP incoming

MQTT

  • Started some MQTT v5 handling (a config option, experimental, not recommended yet)

Profiles

  • MQTT profile control fixed
  • Minor change, only sending MQTT if corresponding payload set (even if empty)

TLS

  • Issue with TLS resume keys used over a s/w upgrade fixed

VoIP

  • Added a simple BLF report state via MQTT

Released 2021-09-29
Built 2021-09-15
Factory release
1.57.010 Kaplan
Config: XSD Doc
Manual: PDF HTML (single page)

Release notes from version 1.56.010 to 1.57.010

ACME

  • Allow specifying of the source IP for ACME requests

BGP

  • BGP tags for static routes

Certificates

  • Fix problem with cross-signed certificates causing IPsec connection issues with Windows clients

Config

  • Allow delayed automatic upgrades

Ethernet

  • Fix overzealous ether damping

HTTP

  • Fixed issue where http client (e.g. ping graph download, etc) gets non 2XX response causing later problems

IPsec

  • Increase internal packet buffer size to help with IKE certificates
  • Fixed IP pool leakage
  • An IKE session was sometimes shown in waiting state as well as connected.
  • Further IPsec tweak to avoid losing connection in some circumstances
  • Add workaround to avoid repeated reauthentications when peer is StrongSwan and mode is immediate
  • Fix bad config status entry after deleting a live connection
  • Implemented IKE fragmentation to improve authentication with long certificate chains

L2TP

  • Slightly faster outgoing L2TP connect (proxy auth sent)

MQTT

  • Experimental MQTT broker function added
  • Added profile switch control over MQTT (config will change in next alpha)
  • Fix crash in configurations where will topic is set, but not will message

PPPoE

  • Issue with some PPPoE sessions restarting on config change

Routing

  • Default source IP per routing table

Shaping

  • Additional control on shapers (burst limit in ms)

TLS

  • Added support for simple TLS clients with limited storage
  • Minor memory leak in TLS client fixed

VoIP

  • Fix error handling unusual SIP packets
  • Allow IPv6 addresses in "recording-server" configuration

Web UI

  • Add ethernet counters to web
  • Show which type of app upgrade would be initiated
  • Show some context lines in live logging view

DHCP

  • DHCP option to force broadcast offer/ack to address edge case with some APs and devices

L2TP

  • Handle incoming local match password check for PAP

VRRP

  • Make VRRP clearer when used with profiles (status page and manuals)

Web control pages

  • Configurable intro text and links on login page
  • Web access security update

Released 2021-04-16
Built 2021-03-24
Factory release
1.56.010 Jacoby
Config: XSD Doc
Manual: PDF HTML

Release notes from version 1.55.111 to 1.56.010

  • Fix a bug in the flash logging, which could cause logging to stop working after a while
  • Fix bug in ASN.1 length encoding

DHCP

  • Added "circuit" to the matching rules for DHCP server IP pool (circuit being Agent Info option 82 circuit sub option 1)

ETUN

  • Add tx/rx packet stats

IPsec

  • Additional logging and status information for roaming pools
  • Add manually triggerable IKE clearing

L2TP

  • Issue with DOS limit on outgoing L2TP fixed

PPPoE

  • New option to pick up speed from connect message to set egress rate on PPP (ideal for bonding)

Web control pages

  • Setup wizard bug when IPv6 defined

CQM

  • Graphs used to show a damping level even when damping not in use (i.e. l2tp damping not set), removed

VoIP

  • Additional debug

Released 2021-01-06
Built 2021-01-06
Factory release
1.55.111 Hamman
Config: XSD Doc
Manual: PDF HTML

Release notes from version 1.54.101 to 1.55.111

Config

  • Additional options for finer control of source filtering setting

Ethernet

  • Improve performance when ports have a mixture of speeds (eg 1G and 100M)

HA

  • Some issues with invalid tunnel packets logging when using L2TP HAL
  • HAL did not work well if one of the links was rate limited
  • Increased number of HA sets to 7
  • Added additional hal-log for debug logging of HAL

IPv6

  • Slight change to SLAAC RA client default localpref so global addresses preferred

L2TP

  • Improved logging for incoming L2TP sessions so more obvious which config used
  • Minor changes to some L2TP config attribute names, and updates to manual
  • Correct logic on L2TP point to point speed controls on outgoing tunnel
  • Don't override manual shaper speeds on point to point L2TP where no speed is received from calling end
  • OSPF issues with incoming L2TP config fixed
  • L2TP tx/rx speed of -1 recognised and ignored

PPP

  • Tweaked PPP handling when far end wants to talk IPV6CP and we were not planning to. We now negotiate.

Routing

  • Fix startup issue when using source-filter.

SNMP

  • Integer values were sometimes misreported

USB

  • Support USB dongles which don't have a mass bulk interface

VoIP

  • Change to source_ip and auth_source_ip so one field for the IPv4 and/or IPv6
  • VoIP caller directory with call screening controls
  • Added display name to call recording leg (because useful to have now we have directory)
  • Added config for how long before expiry we re-register to a carrier, and changed default to 30 seconds
  • Fix issue with incoming CLI not set correctly in some cases
  • Change incoming CLI processing to be transparent if not configured
  • Minor tweak to allow REFER to authenticate on from matching user target URI
  • Correct sending of P-Asserted-Id where configured to send to carrier and set explicitly (ie by RADIUS)

Web UI

  • Minor changes, allowing some javascript to be embedded
  • Experimental feature added to allow js-url in config (for when logged in, trusted IP, non password entry pages)

Config

  • Additional help text for L2TP

FB105

  • Change internal IP config for FB105 to allow internal IPv6 to be set

IPsec

  • Change internal IP config in IPSec to use single IP46Addr field

Manual

  • Updated manual for details of L2TP usage
  • Clarified that config access on web interface also needs user "admin" level

PPPoE

  • L2TP PPPoE BRAS mode now picks up payload-table from L2TP config.

VoIP

  • Allow proxy to have :port
  • Allow carrier to have specified IP and port as target regardless of proxy name
  • Minor change to CLI logic on connecting calls
  • Change to withheld CLI passing to recording server

Web UI

  • Tweak XML edit so that a zero login timeout does not fail if XML config edit is longer than 5 minutes

XML

  • New IP46Addr field allowing one IPv4 and/or one IPv6

Released 2020-05-26
Built 2020-05-26
Factory release
1.54.101 Garozzo
Config: XSD Doc
Manual: PDF HTML

Release notes from version 1.53.000 to 1.54.101

ACME

  • Control switch a CA name (e.g. "letsencrypt.org") profile during ACME renewal validation phase
  • Added acme-profile, and made the renewal profile prefixed fb-, e.g. fb-letsencrypt.org
  • Tweak to ACME to allow for additional challenges for a few seconds
  • ACME status for certificates shows when last error happened.
  • Make ACME status clear at start up if clock not set yet
  • Fix ACME error status to show time of error

BGP

  • Add Refresh buttons to BGP UI status page

Certificates

  • Make certificate domain name checking case-insensitive

DHCP

  • Lease expiry times were incorrect when lease acquired before time had been set
  • Improve lease expiry when the FireBrick does not know the correct time

Ethernet

  • Improve DoS detection
  • Improve DoS detection and logging of ethernet damping

Firewall

  • Minor change to handling of clashing UDP sessions for better VoIP NAT logic

HTTP

  • HTTP client requests now fall back to other IPs (e.g. for code updates, ACME, etc)

IPsec

  • Provide SNMP status info for IPsec
  • Fix crash when [id] is used in graph name of a waiting connection
  • Show EAP identity (username) in log messages and UI status, and allow it in graph names

IPv6

  • Avoid a problem seen with IPv6 fragmentation with some Linux stacks.

Internal

  • Scheduling changes to improve performance under heavy CPU load (eg crypto processing)
  • In some circumstances Watchdog panics may report incorrect thread - fixed.

L2TP

  • Configurable PPP timeout values per tunnel

LACP

  • Prevent unnecessary continuous packet exchange

PPP

  • New PPP debug log/dump format options
  • Tweak LCP restart timing for very slow latency links

PPPoE

  • PPPoE did not install IPv4 DNS if explicit routes set, fixed
  • PPPoE Calling ID prefix appended with VLAN and/or MAC

SNMP

  • Experimental addition of new-style vendor-specific structure to fit better with standard usage of OIDs/MIBs.

Session tracking

  • Change to default UDP timeout for UDP ports 80 and 443 to help QUIC

TCP/UI

  • Fix TCP problem causing IPv6 fragmentation which was causing intermittent UI access problems.

TLS

  • Added capability for key exchange signing using SHA2 (needed for compatibility with latest versions of curl).
  • Use own server preferences when choosing crypto suite and EC curves; Do not send anchor certificate
  • Fix corner-case which may cause a TLS stream to go into limbo with TCP stuck in CLOSE_WAIT
  • Improve TLS session end - avoid occasional crashes/lockups.
  • Fix a couple of TLS issues causing problems with ACME and downloading large pages
  • Finally fixed TLS issue

USB

  • Fix CLI "clear dongle" command
  • Send packet filter setting when opening 4G dongle.
  • Further 4G USB improvements - ensure DHCP-obtained IP address is refreshed on dongle insertion.
  • Fix problems with multiple 4G dongles (when using a hub)
  • Fix problem with dongle status not always showing correctly

VoIP

  • RADIUS setting to explicitly set P-Asserted-Id needed for VoIP carriers

Web UI

  • Improve UI status reporting for bgp, including ability to filter routes list

CLI

  • show configuration now allowed (redacted) at "view" level

Config

  • Improved syntax checking of numeric fields
  • Separate logging for http client accesses
  • Added new config access level (demo) allowing test but not commit/save config.

Config editor

  • Config edit of passwords did not work with & or similar escaped characters. Fixed, but passwords limited in length when editing config now (120 characters).
  • Tweak to config edit to make default values more obvious

DNS

  • DNS relay limit check

IPv6

  • Prefix Delegation IPv6 address was using a base address not interface specific auto IP, fixed

Internal

  • Internal changes that should not have any impact on operation

L2TP

  • Added pointless bearer capabilities to SCCRP as one carrier expects it for some reason!
  • Additional logging on config change
  • Fix payload table logic on local auth incoming L2TP sessions
  • Consistent NAS-Port attribute on RADIUS STOP records (previously was 0)

Manual

  • Additional documentation on IPv6 prefix delegation and SLAAC

Profiles

  • Profile ping of local gateway by ping 0.0.0.0

TLS

  • Extra diagnostics added to help with occasional TLS crashes

VRRP

  • Incorrect error message for ID clash in VRRP, fixed

Released 2019-08-29
Built 2019-08-29
Factory release
1.53.000 Flint
Config: XSD Doc
Manual: PDF HTML

Release notes from version 1.52.010 to 1.53.000

ACME

  • Control switch a CA name (e.g. "letsencrypt.org") profile during ACME renewal validation phase
  • Added acme-profile, and made the renewal profile prefixed fb-, e.g. fb-letsencrypt.org
  • Tweak to ACME to allow for additional challenges for a few seconds
  • ACME status for certificates shows when last error happened.

Certificates

  • Make certificate domain name checking case-insensitive

DHCP

  • Lease expiry times were incorrect when lease acquired before time had been set
  • Improve lease expiry when the FireBrick does not know the correct time

IPsec

  • Provide SNMP status info for IPsec
  • Fix crash when [id] is used in graph name of a waiting connection
  • Show EAP identity (username) in log messages and UI status, and allow it in graph names

IPv6

  • Avoid a problem seen with IPv6 fragmentation with some Linux stacks.

Internal

  • Scheduling changes to improve performance under heavy CPU load (e.g. crypto processing)

PPP

  • New PPP debug log/dump format options
  • Tweak LCP restart timing for very slow latency links

PPPoE

  • PPPoE did not install IPv4 DNS if explicit routes set, fixed
  • PPPoE Calling ID prefix appended with VLAN and/or MAC

TCP/UI

  • Fix TCP problem causing IPv6 fragmentation which was causing intermittent UI access problems.

TLS

  • Added capability for key exchange signing using SHA2 (needed for compatibility with latest versions of curl).
  • Use own server preferences when choosing crypto suite and EC curves; Do not send anchor certificate

USB

  • Fix CLI "clear dongle" command
  • Send packet filter setting when opening 4G dongle.
  • Further 4G USB improvements - ensure DHCP-obtained IP address is refreshed on dongle insertion.
  • Fix problems with multiple 4G dongles (when using a hub)
  • Fix problem with dongle status not always showing correctly

Web UI

  • Improve UI status reporting for bgp, including ability to filter routes list

Config

  • Improved syntax checking of numeric fields

Config editor

  • Config edit of passwords did not work with & or similar escaped characters. Fixed, but passwords limited in length when editing config now (120 characters).
  • Tweak to config edit to make default values more obvious

DNS

  • DNS relay limit check

L2TP

  • Added pointless bearer capabilities to SCCRP as one carrier expects it for some reason!
  • Additional logging on config change
  • Fix payload table logic on local auth incoming L2TP sessions
  • Consistent NAS-Port attribute on RADIUS STOP records (previously was 0)

Profiles

  • Profile ping of local gateway by ping 0.0.0.0

Released 2019-06-01
Built 2019-06-01
Factory release
1.52.010 Eisenberg
Config: XSD Doc
Manual: PDF HTML

Release notes from version 1.52.000 to 1.52.010

USB

  • 4G dongles were not starting up correctly

Released 2019-05-17
Built 2019-05-17
Factory release
1.52.000 Eisenberg
Config: XSD Doc
Manual: PDF HTML

Release notes from version 1.51.010 to 1.52.000

DNS

  • Added option to allow logging of DNS queries based on interface requesting the DNS

Factory reset

  • Changed factory default to allow set up from WAN as per quick start guide

IPsec

  • Fix problem with IPsec tunnels using IPv6 outer addresses

IPv6

  • Changed source IP of ND to link local in all cases - RFC allows any assigned address but some devices get upset

L2TP

  • Added Framed-IP-Address to accounting

LACP

  • Improvements to increase stability and reduce trunk downtime during status changes

Logging

  • Add Replay tag to panic/replay log lines displayed at startup

UI/CLI

  • Power monitoring improvements

USB

  • Avoid buffer loss when USB 4G transfers fail
  • Avoid race conditions and crashes after obscure 4G device errors

Released 2019-04-01
Built 2019-04-01
Factory release
1.51.010 Davies
Config: XSD Doc
Manual: PDF HTML

Release notes from version 1.51.001 to 1.51.010

DHCP

  • Revert minor change in DHCP/DNS which was causing problems

RADIUS

  • ERX-Tunnel-Switch-Profile untagged even in tagged responses (for Talk Talk working)

Shaping

  • Catch some edge cases in session tracking shaper set up that seem to cause a crash

Released 2019-03-24
Built 2019-03-24
Factory release
1.51.001 Davies
Config: XSD Doc
Manual: PDF HTML

Release notes from version 1.50.000 to 1.51.001

BGP

  • Added AS-Path checks to BGP route filtering

Config editor

  • Profile page layout tweaked

General

  • Some final tweaks before being ready for next release
  • Release candidate

Internal

  • Minor changes to boot time calculation
  • Avoid boot time appearing negative when time is adjusted

L2TP

  • Adjustments to ICMP logic for trace route through L2TP
  • Various performance enhancements
  • Local config for L2TP relay now allows relay via another table (payload-table)

Logging

  • Additional direct log-panic logging to try and find specific issue in recent code.

NTP

  • Restructure client with minor improvements prior to introduction of full NTP server
  • Various minor updates working towards adding new NTP code
  • NTP server introduced. Early release - may not be stable.
  • Support clients using older versions of NTP protocol
  • DHCP serves FireBrick IP for NTP now (unless otherwise set in DHCP config)
  • Minor fixes, and a change to maxpoll and minpoll to use duration in config.
  • Various minor updates on NTP
  • Further NTP bugfixes, including earlier setting of system time.
  • Further improvement to NTP system clock conditioning
  • Improve NTP status message on main status page
  • Added UI status page and CLI status; other minor improvements
  • Improved status output
  • Fix crash when adding/removing time service in config
  • Yet more UI status improvements
  • NTP time adjustments are now applied smoothly by OS time conditioning
  • Improved access checking
  • NTP control (ntpq) access now defaults to true. UI diagnostic access check page was not displaying correct details for NTP.
  • Fixed possible crash after peer drop
  • Fix problem with time quickstep (mainly showing on 2700)
  • Fix NTP status erroneously reported as Acquiring after config change. Improve NTP server stateup/shutdown.

PPPoE

  • pd-interface default on PPPoE excludes interfaces marked wan

Ping

  • Added ping size option to bulk ping logic (+size after IP and #table)

Session tracking

  • Change to logic for set-graph-dynamic which was not setting speeds based on set-graph but on set-reverse-graph.

Shaping

  • Shared shaper changed to allow > 4Gb/s total (new version, so all sharing systems need update at same time)

Web UI

  • Minor tweaks to UI colouring. Ping/Traceroute display is banded for better visibility.
  • Fix typo in UI on TCP stress test page.
  • Fixed NTP status submenu highlighting
  • Improve page layout when left-hand menu pane is tall

Web control pages

  • Live update of uptime, time, and RAM usage in status page

Config

  • Renamed log-panic to log-support, as we may log other unusual events to fb-support and not just stack trace / panics

General

  • Some minor optimisations

L2TP

  • Fix missing TID in L2TP tunnel status page
  • L2TP session xml url checking number is only number

Session tracking

  • Edge case in use of NAT-PMP/PCP causing crash, fixed

Web control pages

  • Minor change to way status web page shows

Released 2018-11-21
Built 2018-11-21
Factory release
1.50.000 Culbertson
Config: XSD Doc
Manual: PDF HTML

Release notes from version 1.49.000 to 1.50.000

  • Test build

BGP

  • Additional debug for ignored updates

CQM

  • Added more stats (total bytes/packet/drops) to CQM XML

Crypto

  • PKCS#8 formats now fully accepted and served for RSA and DSA keys

DNS

  • Changed DNS logic so not simply fallback="true" but fallback-table defined. This means multiple table DNS will default not to fall back now.

IPsec

  • Fix duplicate connection problem after roadwarrior client switches from wifi to 3G
  • Fix Roadwarrior problems - IPv4 NAT not working and IPv6 routing failing on Apple clients

IPv6

  • Changed ICMPv6 (ND/NA) source address in some cases to match scope

L2TP

  • Allow L2TP matched incoming sessions to set payload-table
  • Added colours to tunnel and session status

PPPoE

  • Minor change to PPPoE timeout logic - could be disrupted by frequent profile changes

Pcap

  • Improved pcap "self exclude" to only exclude the actual TCP session traffic of the dump, not all traffic to/from the IP of the browser as before

RADIUS

  • Platform RADIUS server ERX parameters now tagged if part of tagged response

Routing

  • Improve some logic where table 0 has no routes and totally mapped via rule-sets (e.g. s/w upgrades, etc)

TLS

  • Fix lockup at end of stream on TLS connections

VRRP

  • VRRP low-priority mode (e.g. for profile off) caused flapping

VoIP

  • Separate carrier controls for P-Asserted-Identity, Remote-Party-Id, and Privacy on VoIP carriers. Change of defaults to send PAID and Privacy not RPID
  • Added ACR (Anonymous Call reject) feature on telephone config
  • Included User-Name in RADIUS auth for VoIP (from From header before @) if not otherwise set (based on config user/carrier)
  • Interim release with correct AVP for SIP_AOR (122) as well as accepting incorrect one (121)

Web control pages

  • User setting to hide "save" button in config edit (i.e. has to do "test" first).
  • Added Content-Language to avoid some browsers offering to translate control pages
  • CSS update
  • Added kill on block/reject type sessions in session table

ACME

  • Minor improvements to ACME - handling some extra order status responses

Diagnostics

  • Fix TCP download test (was always saying 0 bytes loaded)

General

  • Slight performance improvements

Logging

  • Fix possible syslog buffer overrun

Telnet

  • Option to configure custom telnet prompt

Web control pages

  • Adjust initial timeout to allow for slow TLS handshake
  • Added Content-Language to error page (meant to be all pages, fixed later)

Released 2018-08-22
Built 2018-08-22
Factory release
1.49.000 Belladonna
Config: XSD Doc
Manual: PDF HTML

Release notes from version 1.48.101 to 1.49.000

VRRP

  • Corrected VRRP v3 checksum - UPGRADE BACKUP ROUTERS FIRST

BGP

  • Added startup delay for sending BGP announcements to make for cleaner reboots when used as part of a part

HTTP

  • Changed HTTP redirect logic to better handle cases where some port mapping is used in front of the web control pages

IPv6

  • Added DNSSL (search list) to RA settings on subnet

PPPoE

  • PPPoE can now be linked to physical port for direct connection to modem - resetting the port when PPPoE goes down (fixes bug in some modems)

SNMP

  • Various SNMP updates
  • bgp and l2tp now support SNMP treewalk
  • Vendor-specific SNMP for BGP and L2TP reorganized to follow standard table construction. ***NOTE*** this will affect customers using SNMP with BGP/L2TP
  • Add CPU buffer free counts to SNMP statistics

VoIP

  • Tweak for REFER logic, allow refer to match user details with no password (i.e. check IP)

Web UI

  • Add TCP throughput diagnostic

Web control pages

  • New css for mobile use
  • Fix wizard when email specified as it caused save error
  • New control of whether logs on web/cli include system logs or not (default not, except for "default" log after factory reset)
  • Config edit not working when clock not set, fixed.
  • Recovery config edit now prompts to save even when no changes as it is not the "live" config

CQM

  • Tweak graph logic - was not working if only selecting ave or max latency to show on SVG

Config

  • Tweaked factory default LAN firewall rule to allow from FireBrick to LAN (needed for VoIP)
  • Removing Ethernet port config now sets port back to default settings

FB105

  • Fix internal-ip on fb105 tunnels routing

L2TP

  • Minor change to handle low buffer scenarios better

Logging

  • Fixed UTC timestamp on logs (was local time with Z suffix, sorry)

VoIP

  • Tweak for REFER logic, allow refer to match carrier details as well as user credentials (reverted in next release)

Web control pages

  • Minor improvements to web control pages (extra classes, etc)

Released 2018-06-22
Built 2018-06-22
Factory release
1.48.101 Avarelli
Config: XSD Doc
Manual: PDF HTML

Release notes from version 1.47.100 to 1.48.101

ACME

  • ACME for Let's Encrypt for testing (you need to load a CA first, e.g. the LE X3 intermediate)
  • Install root certificates for use with Let's Encrypt and ACME
  • Better error logging
  • Full ACME system to work with Let's Encrypt

BGP

  • Updates BGP refresh options including sending refresh request
  • Additional BGP shutdown subcodes added

Config

  • Config top level attributes now include username and ip of last update
  • Config top level attributes now include serial number and version, but normal edit screen no longer has xmlns and xsi
  • IP groups can now reference subnets by name (including DHCP client subnets)

Crypto

  • New key generation logic in place for ACME and related functions
  • Avoid crash soon after startup following auto key generation

Firewall

  • Added a block/prefix mapping feature to firewall logic

Flash

  • Fix incorrect detection of flash timeout on heavily-loaded system

IPv6

  • Change some logic to reduce use of 2002:: 6over4 addresses as source addresses where possible

Internal

  • Fix occasional lockup/crash during stream processing

L2TP/RADIUS

  • Tweaks to expected timeouts on RADIUS (e.g. for L2TP or session steering) and change default to min timeout 2 seconds total
  • More control of RADIUS timeouts for ad-hoc RADIUS from RADIUS response for L2TP session steering

Logging

  • Change to outgoing email timeout (spam scans and the like can take a while) RFC5321 4.5.3.2

PPP

  • Send NAK asking for MD5 on receipt of non MD5 CHAP request

RADIUS

  • RADIUS client allowing fixed source-ip, and for ad-hoc L2TP steering uses L2TP source IP if set

VoIP

  • Sending algorithm=MD5 when not set, even though that is default (test build)
  • Fix nc to 1 as we don't store/re-use nonce values. Some systems don't just look for duplicates but actually expect a 1
  • Not picking up media started until something that is not perfect silence is sent as some systems do that!
  • Better handling of overlapping INVITE replies where server is very slow or over long latency links

Web control pages

  • Change layout of rule-set
  • Changed logic for self signed certificates, and made more transient in certificate store
  • Limit number of self signed certificates to reduce clutter, and avoid possible "make millions of certificates" attacks

https

  • Self signed certificates as fallback for initial set up via https

BGP

  • Some additional debug for BGP

IP

  • Increase pending ARP cache and drop if overloaded rather than sending spurious ICMP errors

Internal

  • Additional stats for entropy collection

L2TP/RADIUS

  • Improve outgoing L2TP handling where target is hostname

Logging

  • Colour on web log not always correct

RADIUS

  • Fix L2TP relay steering RADIUS min/max timeouts (5/20 not 20/5)

VRRP

  • Config check for duplicate VRRP MAC in use on different interfaces

Released 2018-04-19
Built 2018-04-19
Factory release
1.47.100 Zander
Config: XSD Doc
Manual: PDF HTML

Release notes for version 1.47.100
