FireBrick Model Variant: FB6202

Released 2024-11-13
Built 2024-10-29
Current factory release
2.01.101 (Balcombe)

Release notes from Factory release 2.00.100 to Factory release 2.01.101

ARP

  • Better handling when sending many messages to non-existent locally connected targets

BGP

  • Shutdown more cleanly on profile disabling
  • Log which AS we are rejecting if it doesn't match
  • Fix incorrectly reported exports with multiple tables in play
  • Remove inaccurate/confusing status text
  • Fix potential crash with flappy routes and multiple peers
  • Avoid some potential crashes with repeated config updates

CLI

  • Add filtering by table to "show bgp peer/summary" and "show route nexthop"

Config

  • Disable legacy time server (port 37) by default
  • Make it easier to find banner background option
  • Some improvements to demo mode

CQM

  • Improve inter-CPU handling for very large numbers of CQMs
  • Increase number of pings that can be bulk loaded
  • Treat graph names consistently case sensitively
  • Allow automatic ping graphs to be configured for DHCP entries
  • Correct UDP checksum for shared shapers and add status page

DHCP

  • Improve handling of locked entries
  • Fix crash when serving certain requests
  • Add support for the "rebinding" state in client
  • Send server ID when in SELECTING state
  • Allow DHCP6 client to be configured directly (not via RA)

Diagnostics

  • Add config option to dump some of the stack on certain classes of crash
  • Improve mutex acquisition timeout diagnostic
  • Report contextual panics from additional CPUs in some instances

DNS

  • Fix race that could (very rarely) result in mangled packets whilst relaying

Ethernet

  • Fix crash in ethernet stall error condition handling

FB105

  • Improve speed of obfuscation
  • Fix rare crash

Firewall

  • Improve efficiency of firewall timeouts
  • Add obfuscation options
  • Fix race on one sided session reuse
  • Increase priority of firewall event processing task

HA

  • Fix for handling special packets and other tunnels within HA L2TP tunnels

Internal

  • Fix caching issue responsible for rare crashes
  • Tweak scheduler to try and avoid rare thread starvation conditions on single core platforms
  • Use interrupts to change LED state

IPv6

  • Fix issue with duff broadcast address in some RAs

L2TP

  • Add speed settings to L2TP local authentication
  • Config option for L2TP IPv6 tunnels without a checksum
  • Avoid rare crash fetching status
  • Add option to send Operator-Name on a per <incoming> basis
  • Support specifying the source IP for payload traffic

Logging

  • Log L2TP RADIUS errors to the RADIUS debug log (instead of the system one)
  • Add a log for a user's events (currently logins)
  • Report hardware watchdogs to support
  • Log slow config load functions to sys debug
  • Log bootloader upgrades
  • Improve detail in some logs
  • Shorten TCP connection timeout for email logs
  • Change VRRP not found to debug

Manual

  • Explain the 2 types of defaulting in the XSD
  • Improve layout slightly
  • Remove some out of date screenshots
  • Improve LACP standby explanation

MQTT

  • Fix retained message handling timeouts
  • Fix a couple of rare crashes
  • Drop oversize QOS0 messages
  • Correct sending retain to clients: only for old retained messages, not new ones after subscription established
  • Fix where subscriptions could get overwritten in some cases
  • Fix CPU spikes that can grow with uptime

NTP

  • Use MD5 hash for refid for IPv6 time sources

OS

  • Fix rare caching issue
  • Fix caching related crash
  • Handle devices that don't respond to unicast ARP (Starlink) more gracefully
  • Additional type of watchdog for catching rogue high priority threads

Ping

  • Don't crash when we cannot create ping from config (because too many have already been bulk loaded)

PPPoE

  • Add an additional profile to prevent responding to PADI messages
  • Allow omitting of automatic caller-id end
  • Show the acname correctly in status
  • Report PPPoE info more reliably on L2TP sessions page

Profiles

  • Allow control switches to be set from the menu (and allow them to be locked for sensitive ones)

RADIUS

  • Drop legacy AOR AVP number
  • Fix issue with RX shapers and CoA
  • Make status mechanism more in line with other services

Routing

  • Fix loop detection in source IP determination
  • Add debug user command for dumping internal state of routing
  • Fix bug that could cause routes to transiently appear as NULL in the forwarding table

Sampling

  • Fix rare crash when changing interface config as a sample is taken

SNMP

  • Fixes for L2TP SNMP

Software upgrade

  • Add button for downloading latest software without rebooting

Strack

  • Fix crash due to wraparound optimisation

TCP

  • Add option for TCP stealth mode for the FireBrick itself (without using the firewall)

Telnet

  • Fix rare crash when quickly creating multiple telnet sessions
  • Add task stat clear command

VOIP

  • Improve logging

VRRP

  • Show time in a given state

Watchdog

  • Fix issue with monitoring of NET CPUs that could result in a lack of debug info
  • Additional context for rare watchdog

Web UI

  • Add DNS cache state status (DEBUG only)
  • Make the status page clearer during reboots
  • Modify layout approach to avoid a couple of strange looking edge cases
  • Allow an additional level of submenus
  • Allow menus to be expanded and collapsed via JS
  • Scroll tables in x if they don't fit in the page
  • Reorganise the menu entries
  • Add button for clearing flash penalties (debug user)
  • CSS hinting tweaks
  • Add a page for unit info
  • Put intro text in page header
  • Ensure profile switches show up to date status over config change
  • Fix issue where test/save buttons could appear twice after repeated config test edits
  • Reword software upgrade page
  • Optionally group control switches in menu
  • Accept connections from "trusted" (but not "allowed") hosts during ACME renewal
  • Group profile buttons on home page
  • Fix issue that could cause live logging to use CPU excessively
  • UI tweaks

Released 2023-10-16
Built 2023-10-09
Older factory release
2.00.100 (Abbotscliffe)

Release notes from Factory release 1.61.010 to Factory release 2.00.100

  • Rework apps to run efficiently on the FB9000 platform - this is a major rework that may impact all platforms

ARP

  • Recover faster from certain subnet changes
  • Slightly improve ARP queue timeout handling for entries that do not resolve but are in constant use.

BGP

  • Shutdown timeout - be tolerant of negative NTP adjustments
  • Add profile to peer list in config editor
  • Check that peers define unique connections
  • Improvements to graceful restart
  • Improve connection handling
  • Fix issue with GET method for new SNMP OIDs
  • Additional states for shutdown and preshutdown in new OIDs
  • Add prefix limit info to SNMP
  • Include held routes in the count of imported prefixes
  • Improvements and bugfixes
  • Intersperse connection handling better

Config

  • Added auto-backup-url to config to POST changed config
  • Improve config patch mechanism
  • Fix "*" parsing for port ranges
  • Small improvements to the auto backup feature to make it nicer

CQM

  • Calculate times for XML output the same way as for images
  • Handle extremely low ping latencies better
  • Fix issues with speed data under some circumstances

DNS

  • Prevent forwarding of other types for overridden DNS entries

Ethernet

  • Allow assignment of specific MAC addresses to subnets and interfaces
  • Improve diagnostic for unexpected buffers in the TX queue (FB6000)

Firewall

  • Only ARP targets in overlapping subnets if we would allow traffic to them
  • Improve source IP selection when NAT is targeting overlapping subnets
  • Add more detail to firewall diagnostic

Internal

  • Mitigation for rare watchdog
  • Improve resource utilisation of streams
  • Fix rare crash with inter processor communication

IPsec

  • Remove path by which eap-user restrictions could be evaded by some clients

IPv6

  • Advertise a /64 for PD SLAAC (even if the delegated prefix is larger)
  • Introduce a list of ra-subnet-template on interfaces to allow setting of options for RA generated subnets (replaces ra-client)
  • Prevent prefix delegation on linked interfaces (including by implicit defaults)
  • Fix issue with RA and ignore_dns that can cause subnets to be recreated

L2TP

  • Corrected handling of Framed-IPv6-Address as interface address in RADIUS
  • Add calling/called station IDs to L2TP session status
  • Fix crash with packets claiming different lengths in different ways
  • Allow IPv6 DNS to be overridden via RADIUS
  • Don't kill tunnels immediately when profiling off incoming
  • Report the correct number of packets for TX and RX

Logging

  • Increase internal logging capacity

Manual

  • Add more commands to the manual
  • Improve MIB appendix

MQTT

  • Reconnect faster on "external" config changes and improve status
  • Fix issue where tx is available late

OSPF

  • Fix crash when config changed repeatedly very rapidly

Pcap

  • Make labels on pcap form slightly better

PPPoE

  • Fix typo on PPP status page
  • Don't accept PPPoE inbound connections if the matching incoming is profiled off
  • Log sending the PADR

Profiles

  • Add uptime test to allow staggered starting of services
  • Evaluate conditions when adding (to avoid flapping without careful choice of initial)

Routing

  • Remove 6to4 (2002:) IP mapping
  • Add tunnel IDs to routing diagnostic summary
  • Avoid sending packets with potentially inappropriate source IPs (applies to overlapping subnets mainly)
  • Force immediate reconsideration of routes when related gateways have expired

SNMP

  • Add system memory utilisation to SNMP
  • Make buffer statistics reflect new reality (that most buffers are in a global pool)

TCP

  • Improve preempting of TCP connections in the timewait state
  • Limit accept queues more consistently
  • Reduce resource usage when in TIME-WAIT

TLS

  • Add connection count to 1 second stats

VoIP

  • Improve how VOIP logging reads

VRRP

  • Take notice of the profile on the parent interface

Web UI

  • Improve profile switch behaviour when clicked fast repeatedly
  • Config option to change colours of user interface
  • Add buttons to config editor for reordering items in ordered lists
  • Darker background for select multiple selections
  • Avoid underflow when showing number of seconds remaining for config test (cosmetic)
  • Added warning that config save is recommended
  • Tidy up config edit page
  • Improve layout of BGP buttons
  • Show reboot now option when shutting down
  • Wrap lines in XML editor on first load
  • Buttons to delete flash blocks as a DEBUG user
  • Click on headings to sort status tables
  • Suppress iphone phone number autodetection (so it doesn't pick up the serial number)
  • Add arrows (ascending and descending) to sorting
  • Record txnodesc more like other ethernet stats
  • Add ability to view old configurations and boot alternative images to flash contents (as DEBUG)
  • Reorder ping form
  • Tweak upload styling
  • Show route diagnostic in prefix order

Released 2022-11-16
Built 2022-11-07
Older factory release
1.61.010 (Ogust)

Release notes from Factory release 1.60.010 to Factory release 1.61.010

Certificates

  • Avoid panic on reboot if FB private key gets deleted

Config

  • Enforce list max occurrences limits for all config items

CQM

  • Small change to SVG to make loss/latency squared off like png

DHCP

  • Treat a profile on a DHCP config entry with a restriction consistently with other config profile usage.

DHCPv6

  • Various improvements (especially in the client)
  • Make DHCPv6 work better with larger prefixes
  • Allow larger server DUIDs

Ethernet

  • Share MAC address on VLAN 0 between bootloader and app for each port

IKE

  • Send out of band error when INIT request negotiation fails

IPv6

  • Improved reliability of RA handling

MQTT

  • Bigger MQTT messages
  • Additional options on MQTT external
  • MQTT crash fix
  • Sending cleaner CONNACK for error cases

PPP

  • Bug fix for issues with PPP client corrupting subnets

PPPoE

  • Increase number of allowed PPP sessions (and fix crash loading configs with more than 20)

RADIUS

  • Juniper ERX ingress/egress policy name in RADIUS server
  • Correct defaulting of RADIUS server settings

Web UI

  • Improve layout on XML edit page
  • Improve button placement on system info pages
  • Explanation added regarding TCP stress test blob output
  • Further improve XML edit and reduce vertical height of top bar
  • Make XML download links look like links
  • Add line numbers to XML editor
  • Reject paths with extraneous middle segments
  • Various UI improvements
  • Add a config option to prevent refreshing the CQM image lists
  • Make graphs on the image list page clickable
  • Editor - fix colour picker with 3 digit hex colours
  • Force text colour in buttons to black (apparently ipads can default it to white)
  • Warn on most pages when config is no longer valid

Released 2022-07-20
Built 2022-07-11
Older factory release
1.60.010 (Nickell)

Release notes from Factory release 1.59.000 to Factory release 1.60.010

CLI

  • Show thread stats for longer sample period

DHCP

  • Improved controls over DHCP logging

DHCP/DNS

  • Additional "latest IP allocated" DNS name for DHCP - see auto-dhcp-new in DNS settings

DHCPv6

  • Simple DHCPv6 client mode (experimental)
  • Updated IPv6 SLAAC/RA logic to allow control of extra flags and simple ethernet side DHCPv6 server

Diagnostics

  • Provide info about HTTP connections for debug users on web and telnet

HA

  • Fix HA groups D-G
  • Improve handling of HA bonded tunnels with extremely mismatched latency (seconds)

HTTP

  • Be more tolerant of lack of Content-length in HTTP client

IP

  • Use the table's default source IP in more places

IPC

  • Fix rare lockup

IPv6

  • Interface setting ra-client now default if wan set, else not default
  • Interface setting now defines PD (prefix delegation), default if wan/ra-client/ra not set

L2TP

  • Respect table setting for MTU calculation for outgoing and relayed L2TP connections
  • Add mechanism for advising LAC of tx speed when needed
  • Put serial number in calling station ID if explicitly set to ''

Logging

  • Fix issue with emailed logs - were sending to last MX not first, and leaving TCP open causing issues if too many emails sent

MQTT

  • Added MQTT console

PPP

  • Handle missed PAP reply on PPP

RADIUS

  • Added allow list for RADIUS CoA requests as alternative to host IP match
  • Add logging on RADIUS match
  • Added top level IP allow check on RADIUS
  • Faster RADIUS failover (and updated documentation)

VoIP

  • Limit email addresses for recording to 2000 chars

Watchdog

  • Eliminate a possible rare cause of watchdogs and improve diagnostics

Web UI

  • Add details of L2TP session states on tunnel status pages
  • Show which tables session tracking is active on in UI
  • Fix looping causing loss of UI if TCP stress test fails

Released 2022-04-20
Built 2022-04-13
Older factory release
1.59.000 (Macleod)

Release notes from Factory release 1.58.111 to Factory release 1.59.000

ACME

  • ACME error reporting could get garbled message in some error cases

DHCP

  • Changed some DHCP server logging to be JSON format (same as used for MQTT)

FB105

  • Fix rare crash with FB105 tunnel bonding during configuration change

IPsec

  • Fixed a problem with validation of peer certificate
  • Fixed handling of out-of-order IKE fragments
  • There is a new attribute peer-eaplist available on an IKE connection config item which enables the allowed EAP usernames to be specified.
  • Improve EAP diagnostic logging and fix minor problem with message ID number checking
  • Further improvements to EAP processing and error logging

L2TP

  • Configured outgoing L2TP sessions now respect the bgp setting in the config

MQTT

  • Added listener for FireBricks/# topic
  • Changed MQTT mapping field names and fixed incorrect help text

OSPF

  • OSPF marked experimental as it has some minor issues.

RADIUS

  • Some additional RADIUS server settings, matching, added mqtt logging and changed log format to JSON, for working with some WiFi kit

Serial

  • Eliminate rare crash in serial rx handling

TLS

  • Improved stream handling in TLS to avoid occasional race conditions causing crashes

VoIP

  • Improve logging when bulk carrier import fails

Released 2022-01-05
Built 2021-12-21
Older factory release
1.58.111 (Landy)

Release notes from Factory release 1.57.010 to Factory release 1.58.111

Certificates

  • Removed expired DST Root CA X3 certificate

CLI

  • Added CLI command to view port status

Config

  • Allow numeric value with 0x prefix in config

DHCP

  • DHCP client will now attempt to renew leases when ports go down and come back up. This will automatically reconfigure the subnet if plugged into a different network.
  • Added mac-local test in DHCP pool
  • Improved DHCP allocation logging and MQTT logging

Diagnostics

  • Add diagnostic command and status page for buffer usage
  • Include uptime information in automatic crash reports
  • Log highest buffer users in case of exhaustion

Ethernet

  • Improve setting of default port config on startup (may be faster startup in some cases)

IPsec

  • Increase max number of simultaneous IKE/IPsec connections
  • Fixed problem with IKE message fragmentation causing connection failures with some clients
  • Fixed occasional "Response not pending" panic.

L2TP

  • Added session-timeout to L2TP incoming

MQTT

  • Simple MQTT message mapping option
  • Improvements to MQTT broker (better error reports and sanity checks)
  • MQTT payload pattern match
  • Correct mapped MQTT messages erroneously setting retain
  • Made IP a link on mqtt status
  • MQTT mapping connection linking (e.g. for retained)
  • Fix outgoing mqtt bug
  • Started some MQTT v5 handling (a config option, experimental, not recommended yet)

OSPF

  • Correct OSPF checksum issue for certain auth types

Profiles

  • Added profile test for "DHCP allocated"
  • Nicer web socket based profile control switches.
  • MQTT profile control fixed
  • Minor change, only sending MQTT if corresponding payload set (even if empty)

Serial

  • Improve reliability of config import via serial

TLS

  • Improve server authentication security and work around problems with some servers by using the signature algorithm extension.
  • Fix TLS connection failover
  • Added TLS stateless session resumption - without this newer versions of some browsers were very slow to load FB web pages
  • Issue with TLS resume keys used over a s/w upgrade fixed

Web UI

  • Fix setup wizard JS

Released 2021-09-29
Built 2021-09-15
Older factory release
1.57.010 (Kaplan)

Release notes from Factory release 1.56.010 to Factory release 1.57.010

ACME

  • Allow specifying of the source IP for ACME requests

BGP

  • BGP tags for static routes

Certificates

  • Fix problem with cross-signed certificates causing IPsec connection issues with Windows clients

Config

  • Allow delayed automatic upgrades

DHCP

  • DHCP option to force broadcast offer/ack to address edge case with some APs and devices

Ethernet

  • Fix overzealous ether damping

HTTP

  • Fixed issue where http client (e.g. ping graph download, etc) gets non 2XX response causing later problems

IPsec

  • Increase internal packet buffer size to help with IKE certificates
  • Fixed IP pool leakage
  • An IKE session was sometimes shown in waiting state as well as connected.
  • Further IPsec tweak to avoid losing connection in some circumstances
  • Add workaround to avoid repeated reauthentications when peer is StrongSwan and mode is immediate
  • Fix bad config status entry after deleting a live connection
  • Implemented IKE fragmentation to improve authentication with long certificate chains

L2TP

  • Slightly faster outgoing L2TP connect (proxy auth sent)
  • Handle incoming local match password check for PAP

PPPoE

  • Issue with some PPPoE sessions restarting on config change

Routing

  • Default source IP per routing table

Shaping

  • Additional control on shapers (burst limit in ms)

TLS

  • Added support for simple TLS clients with limited storage
  • Minor memory leak in TLS client fixed

VRRP

  • Make VRRP clearer when used with profiles (status page and manuals)

Web control pages

  • Configurable intro text and links on login page
  • Web access security update

Web UI

  • Add ethernet counters to web
  • Show which type of app upgrade would be initiated
  • Show some context lines in live logging view

Released 2021-04-16
Built 2021-03-24
Older factory release
1.56.010 (Jacoby)

Release notes from Factory release 1.54.101 to Factory release 1.56.010

  • Fix bug in ASN.1 length encoding

Config

  • Additional options for finer control of source filtering setting
  • Additional help text for L2TP

CQM

  • Graphs used to show a damping level even when damping not in use (i.e. l2tp damping not set), removed

DHCP

  • Added "circuit" to the matching rules for DHCP server IP pool (circuit being Agent Info option 82 circuit sub option 1)

FB105

  • Change internal IP config for FB105 to allow internal IPv6 to be set

HA

  • Some issues with invalid tunnel packets logging when using L2TP HAL
  • HAL did not work well if one of the links was rate limited
  • Increased number of HA sets to 7
  • Added additional hal-log for debug logging of HAL

IPv6

  • Slight change to SLAAC RA client default localpref so global addresses preferred

L2TP

  • Improved logging for incoming L2TP sessions so more obvious which config used
  • Minor changes to some L2TP config attribute names, and updates to manual
  • Correct logic on L2TP point to point speed controls on outgoing tunnel
  • Don't override manual shaper speeds on point to point L2TP where no speed is received from calling end
  • OSPF issues with incoming L2TP config fixed
  • L2TP tx/rx speed of -1 recognised and ignored
  • Issue with DOS limit on outgoing L2TP fixed

Manual

  • Clarified that config access on web interface also needs user "admin" level

PPP

  • Tweaked PPP handling when far end wants to talk IPV6CP and we were not planning to. We now negotiate.

PPPoE

  • L2TP PPPoE BRAS mode now picks up payload-table from L2TP config.

SNMP

  • Integer values were sometimes misreported

Web control pages

  • Setup wizard bug when IPv6 defined

Web UI

  • Minor changes, allowing some javascript to be embedded
  • Experimental feature added to allow js-url in config (for when logged in, trusted IP, non password entry pages)
  • Tweak XML edit so that a zero login timeout does not fail if XML config edit is longer than 5 minutes

Built 2021-01-06
Older factory release
1.55.111 (Hamman)
[Withdrawn]
This release has been withdrawn.

Release notes from Factory release 1.54.101 to Factory release 1.55.111

Config

  • Additional options for finer control of source filtering setting
  • Additional help text for L2TP

FB105

  • Change internal IP config for FB105 to allow internal IPv6 to be set

HA

  • Some issues with invalid tunnel packets logging when using L2TP HAL
  • HAL did not work well if one of the links was rate limited
  • Increased number of HA sets to 7
  • Added additional hal-log for debug logging of HAL

IPv6

  • Slight change to SLAAC RA client default localpref so global addresses preferred

L2TP

  • Improved logging for incoming L2TP sessions so more obvious which config used
  • Minor changes to some L2TP config attribute names, and updates to manual
  • Correct logic on L2TP point to point speed controls on outgoing tunnel
  • Don't override manual shaper speeds on point to point L2TP where no speed is received from calling end
  • OSPF issues with incoming L2TP config fixed
  • L2TP tx/rx speed of -1 recognised and ignored

Manual

  • Clarified that config access on web interface also needs user "admin" level

PPP

  • Tweaked PPP handling when far end wants to talk IPV6CP and we were not planning to. We now negotiate.

PPPoE

  • L2TP PPPoE BRAS mode now picks up payload-table from L2TP config.

SNMP

  • Integer values were sometimes misreported

Web UI

  • Minor changes, allowing some javascript to be embedded
  • Experimental feature added to allow js-url in config (for when logged in, trusted IP, non password entry pages)
  • Tweak XML edit so that a zero login timeout does not fail if XML config edit is longer than 5 minutes

Built 2020-05-26
Older factory release
1.54.101 (Garozzo)

Release notes from Factory release 1.53.000 to Factory release 1.54.101

ACME

  • ACME status for certificates shows when last error happened.
  • Make ACME status clear at start up if clock not set yet
  • Fix ACME error status to show time of error

BGP

  • Add Refresh buttons to BGP UI status page

CLI

  • show configuration now allowed (redacted) at "view" level

Config

  • Improved syntax checking of numeric fields
  • Separate logging for http client accesses
  • Added new config access level (demo) allowing test but not commit/save config.

Config editor

  • Tweak to config edit to make default values more obvious

DHCP

  • Improve lease expiry when the FireBrick does not know the correct time

Ethernet

  • Improve DoS detection and logging of ethernet damping

HTTP

  • HTTP client requests now fall back to other IPs (e.g. for code updates, ACME, etc)

Internal

  • Scheduling changes to improve performance under heavy CPU load (eg crypto processing)
  • In some circumstances Watchdog panics may report incorrect thread - fixed.
  • Improve diagnostics if a "CPU1 stuck" error occurs.

IPsec

  • Avoid crash related to IPsec config logging settings when FB is under heavy load

IPv6

  • Handling of 6in4 (protocol 41) packet receipt from ethernet is now controlled on a per interface setting defaulting to FALSE
  • Prefix Delegation IPv6 address was using a base address not interface specific auto IP, fixed

L2TP

  • Configurable PPP timeout values per tunnel
  • Additional logging on config change
  • Fix payload table logic on local auth incoming L2TP sessions
  • Consistent NAS-Port attribute on RADIUS STOP records (previously was 0)

LACP

  • Prevent unnecessary continuous packet exchange

Logging

  • Avoid harmless unexpected interrupt log messages

Manual

  • Additional documentation on IPv6 prefix delegation and SLAAC

PPP

  • Tweak LCP restart timing for very slow latency links

Profiles

  • Profile ping of local gateway by ping 0.0.0.0

SNMP

  • Experimental addition of new-style vendor-specific structure to fit better with standard usage of OIDs/MIBs.

TLS

  • Use own server preferences when choosing crypto suite and EC curves; Do not send anchor certificate
  • Fix corner-case which may cause a TLS stream to go into limbo with TCP stuck in CLOSE_WAIT
  • Improve TLS session end - avoid occasional crashes/lockups.
  • Fix a couple of TLS issues causing problems with ACME and downloading large pages
  • Finally fixed TLS issue
  • Extra diagnostics added to help with occasional TLS crashes

VRRP

  • Incorrect error message for ID clash in VRRP, fixed

Web UI

  • Improve UI status reporting for bgp, including ability to filter routes list

Built 2019-08-29
Older factory release
1.53.000 (Flint)

Release notes from Factory release 1.52.010 to Factory release 1.53.000

ACME

  • Control switch a CA name (e.g. "letsencrypt.org") profile during ACME renewal validation phase
  • Added acme-profile, and made the renewal profile prefixed fb-, e.g. fb-letsencrypt.org
  • Tweak to ACME to allow for additional challenges for a few seconds

Certificates

  • Make certificate domain name checking case-insensitive

Config editor

  • Config edit of passwords did not work with & or similar escaped characters. Fixed, but passwords limited in length when editing config now (120 characters).

DHCP

  • Lease expiry times were incorrect when lease acquired before time had been set

DNS

  • DNS relay limit check

IPsec

  • Provide SNMP status info for IPsec
  • Fix crash when [id] is used in graph name of a waiting connection
  • Show EAP identity (username) in log messages and UI status, and allow it in graph names

IPv6

  • Avoid a problem seen with IPv6 fragmentation with some Linux stacks.

L2TP

  • Added pointless bearer capabilities to SCCRP as one carrier expects it for some reason!

PPP

  • New PPP debug log/dump format options

PPPoE

  • PPPoE did not install IPv4 DNS if explicit routes set, fixed
  • PPPoE Calling ID prefix appended with VLAN and/or MAC

TCP/UI

  • Fix TCP problem causing IPv6 fragmentation which was causing intermittent UI access problems.

TLS

  • Added capability for key exchange signing using SHA2 (needed for compatibility with latest versions of curl).

Built 2019-06-01
Older factory release
1.52.010 (Eisenberg)

Release notes from Factory release 1.51.010 to Factory release 1.52.010

DNS

  • Added option to allow logging of DNS queries based on interface requesting the DNS

Factory reset

  • Changed factory default to allow set up from WAN as per quick start guide

IPsec

  • Fix problem with IPsec tunnels using IPv6 outer addresses

IPv6

  • Changed source IP of ND to link local in all cases - RFC allows any assigned address but some devices get upset

L2TP

  • Added Framed-IP-Address to accounting

LACP

  • Improvements to increase stability and reduce trunk downtime during status changes

Logging

  • Add Replay tag to panic/replay log lines displayed at startup

UI/CLI

  • Power monitoring improvements

Built 2019-05-17
Older factory release
1.52.000 (Eisenberg)
[Withdrawn]
This release has been withdrawn.

Release notes from Factory release 1.51.010 to Factory release 1.52.000

DNS

  • Added option to allow logging of DNS queries based on interface requesting the DNS

Factory reset

  • Changed factory default to allow set up from WAN as per quick start guide

IPsec

  • Fix problem with IPsec tunnels using IPv6 outer addresses

IPv6

  • Changed source IP of ND to link local in all cases - RFC allows any assigned address but some devices get upset

L2TP

  • Added Framed-IP-Address to accounting

LACP

  • Improvements to increase stability and reduce trunk downtime during status changes

Logging

  • Add Replay tag to panic/replay log lines displayed at startup

UI/CLI

  • Power monitoring improvements

Built 2019-04-01
Older factory release
1.51.010 (Davies)
[Breakpoint]

Release notes from Factory release 1.50.000 to Factory release 1.51.010

BGP

  • Added AS-Path checks to BGP route filtering

Config

  • Renamed log-panic to log-support, as we may log other unusual events to fb-support and not just stack trace / panics

Config editor

  • Profile page layout tweaked

DHCP

  • Revert minor change in DHCP/DNS which was causing problems

General

  • Some final tweaks before being ready for next release
  • Some minor optimisations

Internal

  • Minor changes to boot time calculation
  • Avoid boot time appearing negative when time is adjusted

L2TP

  • Adjustments to ICMP logic for trace route through L2TP
  • Various performance enhancements
  • Local config for L2TP relay now allows relay via another table (payload-table)
  • Fix missing TID in L2TP tunnel status page
  • L2TP session xml url checking number is only number

Logging

  • Additional direct log-panic logging to try and find specific issue in recent code.

NTP

  • Restructure client with minor improvements prior to introduction of full NTP server
  • NTP server introduced. Early release - may not be stable.
  • Support clients using older versions of NTP protocol
  • DHCP serves FireBrick IP for NTP now (unless otherwise set in DHCP config)
  • Minor fixes, and a change to maxpoll and minpoll to use duration in config.
  • Various minor updates on NTP
  • Further NTP bugfixes, including earlier setting of system time.
  • Further improvement to NTP system clock conditioning
  • Improve NTP status message on main status page
  • Added UI status page and CLI status; other minor improvements
  • Improved status output
  • Fix crash when adding/removing time service in config
  • Yet more UI status improvements
  • NTP time adjustments are now applied smoothly by OS time conditioning
  • Improved access checking
  • NTP control (ntpq) access now defaults to true. UI diagnostic access check page was not displaying correct details for NTP.
  • Fixed possible crash after peer drop
  • Fix problem with time quickstep (mainly showing on 2700)
  • Fix NTP status erroneously reported as Acquiring after config change. Improve NTP server startup/shutdown.

Ping

  • Added ping size option to bulk ping logic (+size after IP and #table)

PPPoE

  • pd-interface default on PPPoE excludes interfaces marked wan

RADIUS

  • ERX-Tunnel-Switch-Profile untagged even in tagged responses (for Talk Talk working)

Shaping

  • Shared shaper changed to allow > 4Gb/s total (new version, so all sharing systems need update at same time)
  • Catch some edge cases in session tracking shaper set up that seem to cause a crash

Web control pages

  • Live update of uptime, time, and RAM usage in status page
  • Minor change to way status web page shows

Web UI

  • Minor tweaks to UI colouring. Ping/Traceroute display is banded for better visibility.
  • Fix typo in UI on TCP stress test page.
  • Fixed NTP status submenu highlighting
  • Improve page layout when left-hand menu pane is tall

Built 2019-03-24
Older factory release
1.51.001 (Davies)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.50.000 to Factory release 1.51.001

BGP

  • Added AS-Path checks to BGP route filtering

Config

  • Renamed log-panic to log-support, as we may log other unusual events to fb-support and not just stack trace / panics

Config editor

  • Profile page layout tweaked

General

  • Some final tweaks before being ready for next release
  • Some minor optimisations

Internal

  • Minor changes to boot time calculation
  • Avoid boot time appearing negative when time is adjusted

L2TP

  • Adjustments to ICMP logic for trace route through L2TP
  • Various performance enhancements
  • Local config for L2TP relay now allows relay via another table (payload-table)
  • Fix missing TID in L2TP tunnel status page
  • L2TP session xml url checking number is only number

Logging

  • Additional direct log-panic logging to try and find specific issue in recent code.

NTP

  • Restructure client with minor improvements prior to introduction of full NTP server
  • NTP server introduced. Early release - may not be stable.
  • Support clients using older versions of NTP protocol
  • DHCP serves FireBrick IP for NTP now (unless otherwise set in DHCP config)
  • Minor fixes, and a change to maxpoll and minpoll to use duration in config.
  • Various minor updates on NTP
  • Further NTP bugfixes, including earlier setting of system time.
  • Further improvement to NTP system clock conditioning
  • Improve NTP status message on main status page
  • Added UI status page and CLI status; other minor improvements
  • Improved status output
  • Fix crash when adding/removing time service in config
  • Yet more UI status improvements
  • NTP time adjustments are now applied smoothly by OS time conditioning
  • Improved access checking
  • NTP control (ntpq) access now defaults to true. UI diagnostic access check page was not displaying correct details for NTP.
  • Fixed possible crash after peer drop
  • Fix problem with time quickstep (mainly showing on 2700)
  • Fix NTP status erroneously reported as Acquiring after config change. Improve NTP server startup/shutdown.

Ping

  • Added ping size option to bulk ping logic (+size after IP and #table)

PPPoE

  • pd-interface default on PPPoE excludes interfaces marked wan

Shaping

  • Shared shaper changed to allow > 4Gb/s total (new version, so all sharing systems need update at same time)

Web control pages

  • Live update of uptime, time, and RAM usage in status page
  • Minor change to way status web page shows

Web UI

  • Minor tweaks to UI colouring. Ping/Traceroute display is banded for better visibility.
  • Fix typo in UI on TCP stress test page.
  • Fixed NTP status submenu highlighting
  • Improve page layout when left-hand menu pane is tall

Built 2018-11-21
Older factory release
1.50.000 (Culbertson)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.49.000 to Factory release 1.50.000

ACME

  • Minor improvements to ACME - handling some extra order status responses

BGP

  • Additional debug for ignored updates

CQM

  • Added more stats (total bytes/packet/drops) to CQM XML

Crypto

  • PKCS#8 formats now fully accepted and served for RSA and DSA keys

Diagnostics

  • Fix TCP download test (was always saying 0 bytes loaded)

DNS

  • Changed DNS logic so not simply fallback="true" but fallback-table defined. This means multiple table DNS will default not to fall back now.

General

  • Slight performance improvements

IPsec

  • Fix duplicate connection problem after roadwarrior client switches from wifi to 3G
  • Fix Roadwarrior problems - IPv4 NAT not working and IPv6 routing failing on Apple clients

IPv6

  • Changed ICMPv6 (ND/NA) source address in some cases to match scope

L2TP

  • Allow L2TP matched incoming sessions to set payload-table
  • Added colours to tunnel and session status

Logging

  • Fix possible syslog buffer overrun

Pcap

  • Improved pcap "self exclude" to only exclude the actual TCP session traffic of the dump, not all traffic to/from the IP of the browser as before

PPPoE

  • Minor change to PPPoE timeout logic - could be disrupted by frequent profile changes

RADIUS

  • Platform RADIUS server ERX parameters now tagged if part of tagged response

Routing

  • Improve some logic where table 0 has no routes and totally mapped via rule-sets (e.g. s/w upgrades, etc)

Telnet

  • Option to configure custom telnet prompt

TLS

  • Fix lockup at end of stream on TLS connections

VRRP

  • VRRP low-priority mode (e.g. for profile off) caused flapping

Web control pages

  • User setting to hide "save" button in config edit (i.e. has to do "test" first).
  • Added Content-Language to avoid some browsers offering to translate control pages
  • CSS update
  • Adjust initial timeout to allow for slow TLS handshake

Built 2018-08-22
Older factory release
1.49.000 (Belladonna)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.48.101 to Factory release 1.49.000

BGP

  • Added startup delay for sending BGP announcements to make for cleaner reboots when used as part of a pair

Config

  • Tweaked factory default LAN firewall rule to allow from FireBrick to LAN (needed for VoIP)
  • Removing Ethernet port config now sets port back to default settings

CQM

  • Tweak graph logic - was not working if only selecting ave or max latency to show on SVG

FB105

  • Fix internal-ip on fb105 tunnels routing

HTTP

  • Changed HTTP redirect logic to better handle cases where some port mapping is used in front of the web control pages

IPv6

  • Added DNSSL (search list) to RA settings on subnet

L2TP

  • Minor change to handle low buffer scenarios better

Logging

  • Fixed UTC timestamp on logs (was local time with Z suffix, sorry)

PPPoE

  • PPPoE can now be linked to physical port for direct connection to modem - resetting the port when PPPoE goes down (fixes bug in some modems)

SNMP

  • Various SNMP updates
  • bgp and l2tp now support SNMP treewalk
  • Vendor-specific SNMP for BGP and L2TP reorganized to follow standard table construction. ***NOTE*** this will affect customers using SNMP with BGP/L2TP
  • Add CPU buffer free counts to SNMP statistics

VoIP

  • Tweak for REFER logic, allow refer to match user details with no password (i.e. check IP)

VRRP

  • Corrected VRRP v3 checksum - UPGRADE BACKUP ROUTERS FIRST

Watchdog

  • Watchdog detection of CPU1 failure (CPU1 stuck) modified to allow recovery, hopefully giving better diagnostics

Web control pages

  • New css for mobile use
  • Fix wizard when email specified as it caused save error
  • New control of whether logs on web/cli include system logs or not (default not, except for "default" log after factory reset)
  • Config edit not working when clock not set, fixed.
  • Recovery config edit now prompts to save even when no changes as it is not the "live" config
  • Minor improvements to web control pages (extra classes, etc)

Web UI

  • Add TCP throughput diagnostic

Built 2018-06-22
Older factory release
1.48.101 (Avarelli)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.47.100 to Factory release 1.48.101

ACME

  • Install root certificates for use with Let's Encrypt and ACME
  • Better error logging
  • Full ACME system to work with Let's Encrypt

BGP

  • Updates BGP refresh options including sending refresh request
  • Additional BGP shutdown subcodes added
  • Some additional debug for BGP

Config

  • Config top level attributes now include username and ip of last update
  • Config top level attributes now include serial number and version, but normal edit screen no longer has xmlns and xsi
  • IP groups can now reference subnets by name (including DHCP client subnets)

Crypto

  • New key generation logic in place for ACME and related functions
  • Avoid crash soon after startup following auto key generation

Flash

  • Fix incorrect detection of flash timeout on heavily-loaded system

https

  • Self signed certificates as fallback for initial set up via https

Internal

  • Fix occasional lockup/crash during stream processing
  • Additional stats for entropy collection

IP

  • Increase pending ARP cache and drop if overloaded rather than sending spurious ICMP errors

IPv6

  • Change some logic to reduce use of 2002:: 6over4 addresses as source addresses where possible

L2TP/RADIUS

  • Tweaks to expected timeouts on RADIUS (e.g. for L2TP or session steering) and change default to min timeout 2 seconds total
  • More control of RADIUS timeouts for ad-hoc RADIUS from RADIUS response for L2TP session steering
  • Improve outgoing L2TP handling where target is hostname

Logging

  • Change to outgoing email timeout (spam scans and the like can take a while) RFC5321 4.5.3.2
  • Colour on web log not always correct

PPP

  • Send NAK asking for MD5 on receipt of non MD5 CHAP request

RADIUS

  • RADIUS client allowing fixed source-ip, and for ad-hoc L2TP steering uses L2TP source IP if set
  • Fix L2TP relay steering RADIUS min/max timeouts (5/20 not 20/5)

Web control pages

  • Change layout of rule-set
  • Changed logic for self signed certificates, and made more transient in certificate store
  • Limit number of self signed certificates to reduce clutter, and avoid possible "make millions of certificates" attacks

Built 2018-04-19
Older factory release
1.47.100 (Zander)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.46.100 to Factory release 1.47.100

Authentication

  • Interface can be marked "wan" to consider it not local for "local-only" access controls
  • Added advice on printing and storing QR code in case phone fails

BGP

  • New "grey hole" community tag for IBGP to pass blackhole routes that have no-fib set, so routes get to EBGP for external blackhole announcements
  • More info on BGP peers

Config

  • Config editor did not show advanced selected option entries that are blank if without Show all

Config editor

  • Adjust timing on config edit as Firefox keeps saying edited by someone else

CQM

  • More slight tweaks - edge case of SVG for unknown CQM graph (i.e. blank graph) with title text enabled caused a crash...
  • Slight changes to SVG (slightly bigger) to add id to some fields and include off image (cropped) data to allow some post processing (e.g. merging graphs)
  • CQM SVG now includes option for markers on the tx/rx lines like the old PNGs did - by popular demand, CSSable.
  • SVG CQM graphs did not show "damping"

DHCP

  • DHCP client Class and Client-Identifier now configurable
  • Minor tweaks to DHCP server as per RFC6842 (correctly returning client ID)

Internal

  • Fix incorrect flash log replay output at system startup
  • Minor change to low buffer checks for TCP management interfaces and L2TP

L2TP

  • PPP LCP restart if not negotiated after 30 seconds and an LCP restart has not been tried already
  • Added RADIUS Framed-IPv6-Prefix
  • Option to mark an L2TP session as isolated, i.e. not allowed to pass directly from another L2TP session
  • Added relay-local-ip config for L2TP to control the IP used for relaying connections, and extra debug info
  • Tweak behaviour if all RADIUS servers not responding
  • Malformed L2TP packet could cause crash

LEDs

  • Ensure LEDs start up in cycling (knightrider) mode

Logging

  • Syslog missing NILVALUE for structured data
  • Some additional logging for impossible packet headers requiring split for MTU
  • Tweak to delayed logging (email) so it may send on controlled shutdown

Manual

  • Corrected explanation of trusted, local-only, and allow controls in manual
  • Updates to manual covering scripted access and special URLs

Ping

  • Show ping/traceroute response coming back on wrong table

PPPoE

  • PPPoE was not handling priority tagged VLAN packets well
  • Tweak to PPPoE client back-off when connections start but don't complete

Profiles

  • Profiles now allow checking of outgoing L2TP tunnel state

Routing

  • Changed linked routes display, e.g. for L2TP sessions, to be more logical

SNMP

  • SNMP was not respecting profile setting

SVG

  • Minor SVG tweaks to save space
  • Extra info in SVG to aid post processing

Telnet

  • Fix instructions on telnet config import. It ends with ^D or a line with just a dot on it

USB

  • Remove unnecessary logging

Web control pages

  • https support introduced. Should now support most modern browsers. Limited certificate management.
  • Change of monospace font
  • Dynamic status of ports
  • Started work on initial config wizard
  • Warning for config edited by someone else now advises IP and name of other user(s)
  • Tidy layout of config edit for system settings
  • Option to skip the setup wizard
  • DHCP clear all unused now operates per interface
  • Colour picker was not working for named colours (also, added "orange")
  • Additional security related http headers added with sensible defaults
  • Change ajax sync logic on config edit to be neater
  • TLS: Added AEAD-GCM cipher suites - now get an "A" rating with Qualys SSL Labs test.
  • Can now specify a list of possible certificates to be used for https in http config
  • The logs page was not working when you only had one log target. Given system defaults to two to start, this is rare!
  • Save button appearing on key press in a field, and not just when leaving field - so more obvious
  • Slight re-order of the config to be a little easier to follow

Web UI

  • More compact SVG for CQM and QR codes
  • Status shows current NTP status, i.e. reports if no time server set, DNS not working, etc.
  • DHCP status now lists interfaces and shows per interface rather than all in one table

Built 2018-04-11
Older factory release
1.47.010 (Zander)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.46.100 to Factory release 1.47.010

Authentication

  • Interface can be marked "wan" to consider it not local for "local-only" access controls
  • Added advice on printing and storing QR code in case phone fails

BGP

  • New "grey hole" community tag for IBGP to pass blackhole routes that have no-fib set, so routes get to EBGP for external blackhole announcements
  • More info on BGP peers

Config

  • Config editor did not show advanced selected option entries that are blank if without Show all

Config editor

  • Adjust timing on config edit as Firefox keeps saying edited by someone else

CQM

  • More slight tweaks - edge case of SVG for unknown CQM graph (i.e. blank graph) with title text enabled caused a crash...
  • Slight changes to SVG (slightly bigger) to add id to some fields and include off image (cropped) data to allow some post processing (e.g. merging graphs)
  • CQM SVG now includes option for markers on the tx/rx lines like the old PNGs did - by popular demand, CSSable.
  • SVG CQM graphs did not show "damping"

DHCP

  • DHCP client Class and Client-Identifier now configurable
  • Minor tweaks to DHCP server as per RFC6842 (correctly returning client ID)

Internal

  • Fix incorrect flash log replay output at system startup
  • Minor change to low buffer checks for TCP management interfaces and L2TP

L2TP

  • PPP LCP restart if not negotiated after 30 seconds and an LCP restart has not been tried already
  • Added RADIUS Framed-IPv6-Prefix
  • Option to mark an L2TP session as isolated, i.e. not allowed to pass directly from another L2TP session
  • Added relay-local-ip config for L2TP to control the IP used for relaying connections, and extra debug info
  • Tweak behaviour if all RADIUS servers not responding
  • Malformed L2TP packet could cause crash

LEDs

  • Ensure LEDs start up in cycling (knightrider) mode

Logging

  • Syslog missing NILVALUE for structured data
  • Some additional logging for impossible packet headers requiring split for MTU
  • Tweak to delayed logging (email) so it may send on controlled shutdown

Manual

  • Corrected explanation of trusted, local-only, and allow controls in manual
  • Updates to manual covering scripted access and special URLs

Ping

  • Show ping/traceroute response coming back on wrong table

PPPoE

  • PPPoE was not handling priority tagged VLAN packets well
  • Tweak to PPPoE client back-off when connections start but don't complete

Profiles

  • Profiles now allow checking of outgoing L2TP tunnel state

Routing

  • Changed linked routes display, e.g. for L2TP sessions, to be more logical

SNMP

  • SNMP was not respecting profile setting

SVG

  • Minor SVG tweaks to save space
  • Extra info in SVG to aid post processing

Telnet

  • Fix instructions on telnet config import. It ends with ^D or a line with just a dot on it

USB

  • Remove unnecessary logging

Web control pages

  • https support introduced. Should now support most modern browsers. Limited certificate management.
  • Change of monospace font
  • Dynamic status of ports
  • Started work on initial config wizard
  • Warning for config edited by someone else now advises IP and name of other user(s)
  • Tidy layout of config edit for system settings
  • Option to skip the setup wizard
  • DHCP clear all unused now operates per interface
  • Colour picker was not working for named colours (also, added "orange")
  • Additional security related http headers added with sensible defaults
  • Change ajax sync logic on config edit to be neater
  • The logs page was not working when you only had one log target. Given system defaults to two to start, this is rare!
  • Save button appearing on key press in a field, and not just when leaving field - so more obvious
  • Slight re-order of the config to be a little easier to follow

Web UI

  • More compact SVG for CQM and QR codes
  • Status shows current NTP status, i.e. reports if no time server set, DNS not working, etc.
  • DHCP status now lists interfaces and shows per interface rather than all in one table
