Release notes from Factory release 2.02.643 to Factory release 2.02.644

UI: Fix problem with clearing all Event actions in Log/Filter options.

Release notes from Factory release 2.02.638 to Factory release 2.02.643

UI: The time at which the page was generated is now displayed on each page. Default filename for config save now includes Firebrick name and date/time. Setup Log/Filter options now correctly displays the default filter setting. Wizard should only display when user has enough access to make suggested change. Fix UI misbehaviour when clicking on Save Config after login has timed out.

Tunnels: Incorrect source IP could be used in some cases, causing a tunnel to fail to establish.

DHCP: Client was incorrectly setting an SNMP server in config on Firebrick without reporting feature. Server running as a backup was incorrectly adding "Offered" entries to DHCP table. Host name in "Offered" entries was sometimes incorrect. DHCP traffic to FireBrick is now allowed through the default filter, so no explicit filters are required for operation of DHCP.

ARP:ARP responses using ethernet 802 frame format are now accepted.

Routing: Session tracking of ICMP sessions (eg PING) improved.

Fix poor performance and lockup problems following reception of invalid length ether packets.

Release notes from Factory release 2.02.637 to Factory release 2.02.638

Internal fix for compatibility with production labeller.

Release notes from Factory release 2.02.604 to Factory release 2.02.637

Introduction of new tunnel retiming code, which will be replacing the current tunnel reordering mechanism. The tunneling protocol version has been changed from V2 to V3 to include extra retiming information. If both ends of a tunnel are V3-capable, the Firebrick will automatically switch to V3 tunneling, and if tunnel bonding is in use, will retime the packets using the new information.
This release is fully compatible with the older V2 protocol, so can be safely used with FireBricks running pre-V3 software without the need for any configuration changes.
If desired, the old V2-style tunnel reordering can be forced even if both ends of the tunnel support V3.
Please note that this is work-in-progress, and further implementation changes are likely before this is fully released. Any feedback would be gratefully received. There is some new information shown on the tunnel set statistics page; this is primarily for diagnostics, and is not particularly useful for the end-user. The UI web pages have been extensively reviewed for this release. A few improvements to the UI have been incorporated, and several minor bugs fixed.
Changes include:
follows HTTP spec more closely;
HTML 4.01 strict compliance, with lower-case tags;
Fully customizable background colour;
improved login page (can now enter user CR password CR);
improved selection on session table page;
tidied Internet Explorer .png file transparency problem workaround (not needed for IE7);
failed login now logs out previous user;
handling of redirects and refreshed pages improved;
DNS servers can be cleared by saving blank entries;
Tooltips for icons and entry move options now displayed correctly in IE;

This release incorporates several enhancements, fixes and tidying up of the UI:

Throughput improvement:
A change made to the ethernet driver in the Folclinda release to improve tunnel performance had the unfortunate side-effect of reducing overall FireBrick throughput. The driver has been revamped yet again, and throughput and performance under load is now much improved.
An experimental option to allow the setting of a back-to-back packet transmit limit has been added on the setup ports page. The default setting (5) works well. Note that this option (and other CPU port settings on the setup ports page) are likely to be removed soon. Please check that you are using the defaults (input throttle off; pause disable off; back-to-back 5) unless you know what you are doing!

Tunnels:
Tunnel parameters are now forced to be consistent across a tunnel set.
Problems with a single tunnel (not in a set) and connecting to Linux tunnel implementation fixed.

Experimental (V3) bonded tunnel retiming:
The ethernet throughput improvements have resulted in improved behaviour of the original (V2) tunnel reordering mechanism, while the hoped-for improvements using the new V3 retiming have not yet materialised. Version 2 packet reordering is therefore now the default; version 3 must be explicitly selected. Note that users of Folclinda or Gemma beta releases should check their settings after upgrade, as the sense of the flag controlling V2/V3 reordering has been reversed.
There have been some V3 retiming changes: the thresholds controlling the latency adjustments are now parameterisable, and packets waiting to be sent now have their timing adjusted when a latency adjustment occurs.

UI changes:
Login mechanism improved - login returns to calling page after successful login, and when logged out with no access login page is displayed.
Introduction of use of POST method for UI actions causing FB state change. Style of the UI is consequently being changed to use forms/buttons rather than links for actions which have any effect on the brick operation or configuration.
Default custom user colour made a slightly lighter shade of grey.
Main page quick configure items are now left-aligned.
Fixed display of some blank table cells showing up with IE.
Improved UI for speed lane control and session display.
Fixed display of some pages with Opera browser (table cells lacking borders).
Saving the log in text form to a file now gives dialog box for file destination. Also it is now possible to save without clearing the log.

Miscellaneous:
Dynamic log display now detects TCP error/closure at remote end.
Very long log lines are no longer discarded.
Added extra LED setting options. These may be useful to enable a particular FireBrick situated with others to be identified.
Saved config file no longer has random data causing successive saves to differ.
Short ether packets padded with nulls rather than junk. [Solves a problem with a Juniper router, which was erroneously rejecting ping packets with non-null padding.]
DHCP bug fix (hopefully fixes occasional lease table corruption).
"VLAN 0" no longer appears in logging (it was causing some confusion).
Internal TCP stack improved - sessions to/from the brick terminate more cleanly, and out-of-order data arrival is supported making transfers faster when packets are dropped.
Port monitoring "Block normal traffic" option fixed (was not blocking traffic if the monitoring port belonged to an interface with one or more other ports).
Added connection timeout mechanism to TCP (mitigate UI loss due to faulty client or DoS attack).
ICMP destination unreachable error now distinguishes between host and network. Further UI improvements:
Conversion of status-changing links to use forms and POST completed. This has entailed the redesign of some parts of the UI.
The UI "look" has been adjusted to give near-identical presentation with Internet Explorer, FireFox and Opera.
Link to on-line documentation added to all pages.

Other changes:
DHCP bug fixes: lease table could get out of order, causing offering of wrong IP (subsequently retracted before being assigned); Correct IP source address on NAK packets.
Internal TCP stack closes connection cleanly, discarding unwanted input (previously could timeout and/or reset).
dologin and logt URLs repaired. Bug fixes:
A problem with ARPs on configurations using VLANs resulting in occasional dropped packets has been fixed.
A problem where routing of tunnel envelope traffic did not follow the routing parameters set in the tunnel configuration, and with tunnel UDP port 1 traffic sometimes appearing as two separate sessions in the session table has been fixed.
A problem in the internal TCP stack which could cause UI pages to display corrupted when a dropped packet caused a fast retransmit has been fixed.

Stealth changes:
New stealth pass-through options have been added for non-IP traffic and/or VLAN traffic, in addition to the IPv6 pass-through option. VLAN passthrough does not require the VLAN feature. Note that these settings are independent of the global stealth disable option.
A warning is displayed on the subnet page if a subnet is flagged as stealth but stealth is globally disabled.
With 5-port feature, a warning is displayed if stealth is enabled but the WAN and LAN interfaces are not both configured.

Other changes:
A setup delay time option has been added to ping-mode profiles. When set non-zero, the profile will not become active until an unbroken sequence of ping replies has been seen for the specified time.
A ping-mode profile that is also dependent on another profile will now not issue pings if replies would not affect the profile state. (i.e. a profile with an AND-dependency on another will not ping when the other profile is inactive, and one with an OR-dependency on another will not ping when the other is active.)
A UDP service has been added which will enable FireBrick throughput to be more easily measured. This needs to be used in combination with a client application which is not yet available.
The number of tunnel sets available with tunnel bonding has been increased to 15.
The Login and help links are no longer displayed on the login page.
Fixed a problem where ping profiles with timeout set to 1 second were erroneously timing out.

Previous fix to routing had broken some session matching - hopefully we've got it right this time! Please upgrade to this version if you have loaded Joost. UI:
The log can now be viewed (using an explicit URL .../log) during firmware upgrade when the FireBrick is requesting a new UI file.
The IPgroup and Portgroup pages have been improved, and now allow changes to be made as well as additions and deletions.
The Setup log/filter options page layout has been improved.
Wording on the features page when no contact can be established with the features server has been improved.
The ARP table now displays unknown MACs as blank, not 000000000000.
The MAC table display was sometimes reporting the wrong interface when port monitoring was in operation.
The "wizard" advisory warnings now warn if subnets have been configured but stealth is still enabled.
When a subnet shares the same interface, VLAN and IP range as an earlier subnet in the subnet table, it is now flagged as being an "extension" of the earlier subnet. [It is often useful to duplicate subnet entries in this way, eg to enable multiple DHCP allocation pools, IP aliases or alternative gateways to be specified.]

Routing:
Uplink bonding has been modified to allow bonding over two or more different interfaces (useful for 5-port configurations).
Up to 8 uplink bonding gateways may now be specified.
There has been some rearrangement of the internal router logic. This is unlikely to affect normal operation, but could affect unusual configurations.

DHCP:
Minor modifications have been made to DHCP. In particular, when a client requested renewal of an allocation, the reply was sometimes broadcast when it should have been unicast to the requesting client. This was upsetting some clients, causing them to repeatedly request renewal.

VRRP:
An implementation of VRRP (Virtual Router Redundancy Protocol) has been added. The Bonding feature is required in order to use this.

ARP:
Gratuitous ARPs are now sent whenever a change to a subnet which could affect the MAC address being used occurs, or whenever a subnet becomes live. A sequence of gratuitous ARPs over a few seconds are sent - this helps with devices (typically switches) where ports appear to become live a short while before the device actually begins to respond to traffic.
The same MAC is now used for all subnets sharing the same interface, VLAN and IP range (ie the first subnet and all its extensions - see UI changes above).
The common MAC and gratuitous ARP changes should help configurations with routers which do not regularly refresh their ARP tables. Unfortunately we know of at least one popular router which also ignores gratuitous ARPs, so in some cases a subnet change may still require routers to be rebooted.
A debug log entry is now made when MAC renewal of an active IP fails.

Other changes:
If an ICMP echo request (ping) has the Don't Fragment bit set, the reply will also be marked don't fragment.
When tunnel packets are sent on an interface which has multiple IPs, the destination IP used by remote end is now used by default as the source IP.
A problem which could cause a factory reset during startup if the brick rebooted unexpectedly has been fixed. This could have been the cause of the occasional loss of configuration seen after uploading new software.
Several efficiency improvements have been made, which should reduce CPU workload, and should improve stability and in some cases throughput.
A factory reset now disables debug logging. Fixed minor problem preventing deletion of filter table entries.
Added new tunnel bonding option to inhibit exclusion of first packet in a session from the bonding. The handling of packet fragments has been improved - they now participate fully in session tracking. This means they will be treated in the same way as unfragmented packets when filter, routing, mapping rules etc. are processed, so can be NATed or address mapped. This should improve performance, and also avoid problems with configurations using NATing where fragmentation cannot be avoided - eg VPNs. The distribution of traffic across bonded tunnel sets should also improve where there is significant fragmented data.

The checkbox for excluding the first packet of a bonded tunnelled session from special treatment which was added with Maraike has been fixed - it was not working correctly when a UI option setting other than "None" had been selected for number formatting.

The debug log output following an unexpected reboot now indicates which task was running at the time of failure. Fixes a problem with relaying DNS introduced with Norbart.

Release notes from Factory release 2.02.594 to Factory release 2.02.604

Fixed a problem where changes to setup security settings for the filters, users, tunnels, profiles and routes entries were ineffective. Improved checking of uploaded software and config files. Fixed problem preventing ports connected to certain makes of switch from re-establishing after parameter changes or a line test. Port Throttle and B/Limit options now work as intended. Corrected tunnel status checking, which was causing tunnels to appear to be up before keepalives had been exchanged in both directions. Added Date header to email messages. New "local information" feature allowing user-specifiable text and links to be displayed on the main menu page, configurable from setup page. Note that this is an experimental feature which may be changed or removed before the next factory release. Comments and suggestions are welcome.

Number of users increased to 25 (with extra features installed).
Advisory text displayed following factory reset, or on first use of brick, reinstated (had been accidentally removed in the 2005-10-08 Geertruid release).
Some warnings of possible config errors are now displayed in prominent text (red on white).
GRE protocol can now be selected on portmap page when using default user interface view of protocols.
Change to tunnel bonding to avoid mis-balanced tunnel output for a short period after a tunnel becomes active.
A timeout can now be set for ping-scanning profiles - default is ten seconds. Note that previously the timeout was five seconds and could not be altered.
Email made more resilient.
TCP/IP sessions to/from the fireBrick now correctly use MTU 576 to avoid possible packet fragmentation. New diagnostics flags added for development use only. One-minute packet count statistics no longer displayed to debug log. Moving a subnet which was set as the main default gateway or the subnet for routing syslog mesages now works correctly. Tunnel MTU is set back to default of 576 on erasing a tunnel. Tunnel state changes can be selected for logging on an individual tunnel basis. DHCP improvements: DHCP INFORM request is responded to; Interaction with ARP mechanism to check for in-use IP improved; A host with a single restricted entry for one IP can now swap from one MAC to another keeping the same IP even if old allocation is not released - this is useful when changing between wired and wireless connections.

ARP mechhanism: Improved efficiency of VLAN and multiple subnet handling.

Internal TCP stack: Efficiency improvements - download of UI pages and upload/download of config and software images is faster. Tidier end to TCP sessions. Follows RFCs more closely in error situations.

Miscellaneous: Display of session and DHCP tables much faster; Tunnel reorder stats display improved; Minor improvements to the port line test facility - mostly in UI reporting.

New features: Experimental 8Mbit throttle for internal switch to CPU data path - this is to aid investigation of bonding issues, and may give improved performance in some situations; Port monitoring facility added - one or more of the five switch ports may be configured to monitor all traffic on other selected ports.

Bug fixes: Change of subnet now correctly restarts DHCP client; In pseudo-gateway bonding, a gateway specified using a subnet was incorrectly used when the subnet was disabled by profile; Tunnel reordering now correctly gives up after 100ms when waiting for late packet (previously could take from 100-200ms before packet was assumed lost); Unwanted cacheing in some browsers (particularly FireFox) causing confusing behaviour on some pages (particularly login) should no longer occur. This release has a redesigned ethernet driver which may improve performance in some scenarios where occasional packet drops occurred. It has not been extensively tested, so should be used with caution. The experimental internal CPU port input throttle option should no longer be necessary, and should be unchecked for best throughput.
A minor omission in the status counters display has been fixed. Note that this release will show a non-zero "in undersize" core count - this is expected, and not an error. Counters on status page now displays a consistent 1-second snapshot.
The LAN/WAN Reverse setting on the Port setup page was not working (on bricks without the 5-Port feature) - fixed.
A problem with TCP window sizes causing config saves to time out with Internet Explorer has been fixed.
Further ajustments to ethernet driver code.
The MAC provided by the FB when sending Proxy ARP replies is now the same one as used for the corresponding subnet (when the requestor matches a subnet). Fixed update problem with In/Out port traffic counts on status page.
Fixed problem with DHCP occasionally offering in-use IPs.
Disabling ports no longer prevents them from being used for factory reset.
Added "All" tick boxes for setting view and edit rights on user setup page.
DNS server setup now allows the setting of two DNS server IPs.
The Setup Special functions Factory Reset option now allows same selections as available with cable factory reset - DHCP and LAN/WAN swap.
For testing purposes - added ability to disable CPU pause flow control. Fixed portgroup edit page, which was showing new port ranges preset to start at 1 when using Internet Explorer.
Added diagnostics to check for correct operation of UI page generator.
Corrected error in user access checking when editing the security controls.
Fixed typo on features page. Avoid log corruption if FireBrick reboots while writing to the log.
Drop packets sent to incorrect FireBrick MAC (eg from routers with stale ARP caches).
Improve buffer handling to avoid FireBrick lockups/reboots if buffers become exhausted.
Factory Reset selecting DHCP and/or WAN/LAN reversal now sets Stealth operation off. (Note that we now recommend stealth off for all but the simplest of configurations).
Allow packets with protocol zero (previously could lose session slots).
Improve routing of ICMP error messages, and avoid making unnecessary sessions for them. This fixes some scenarios in which brick would continually reboot when sent an ICMP storm.
Error page (eg page not found message) now displayed using FireBrick page style.
Internal build changes: Introduce OEM CR variant. Minor improvement in efficiency of ARP table code. Fix spurious debug log message when viewing route table.
Internal fix - Factory init URL required by production labelling equipment reinstated. Added new logo for CR OEM variant.
Reduced size of WEN image files by removing unused icons.
Fixed crashing due to very long lines in log file.
DHCP client and server improvements - fixed minor deviations from RFC; improved detection of in-use IPs; reworded some log messages; fixed kill of DHCP lease when over 255 leases present.
Fixed non-detection of non-functional DNS server when both DNS servers specified.
Fixed minor cacheing pobblem when upgrading; also made style sheet cacheable.
Preserve user login info over software upgrade.

Release notes from Factory release 2.02.588 to Factory release 2.02.594

Firebricks would answet ARPs for 0.0.0.0. Fixed.
Tidy of some DHCP error messages.
Layout change on subnet page to make subnet more clearly an general parameter and not specifically for DHCP
Added DHCP "additional field" allowing a string tag to be sent from the DHCP server, e.g. 17 for boot path.
New DHCP additional string not working correctly, sorry... Fixed.
Updated style sheet on XT UI issue.
Following change to prevent Plus/SoHo code being loaded, Plus/SoHo configuration loads were also being rejected. Fixed. DHCP ranges consisting of a single IP were in some situations being mishandled, and not offered to the client. Fixed. Fixed stack usage diagnostic following reboot/panic. Added counter for rx overruns to statistics. RoHS modification for production control. Fixed problem with shaping rule matching - source port setting was being ignored.

Release notes from Factory release 2.02.583 to Factory release 2.02.588

Corrected warning tune disable so that it does work when not disabled.
Slight tidy on labels on some buttons.
Added ALT tages to icons in addition to existing TITLE tags on the links.
Moving a subnet did not adjust subnets referenced in mapping rules, fixed.
Moving a subnet did not adjust subnets in new bonded uplink rules, fixed.
Fix to obscure error message in log when a user attempts access from an interface they are not allowed - applied to nobody user, or a logged in user if they lose access from the interface they are using. The error message was jibberish.
Changed to a login attempt with no user or password entered simply re-presents login screen and makes no log entry. previously it said bad login but did not log it.
Added IP6 WAN/LAN passthrough option to stealth settings.
It appears that the 105 would allow loading of the Plus and SoHo code, which then killed the brick. This has been fixed from this release. Do not attempt to load Plus or SoHo code in to a FireBrick 105.

Release notes from Factory release 2.02.570 to Factory release 2.02.583

Addition option to not reorder UDP packets sent on bonded tunnel set. This is because recoder can mean small delays (a few hundred ms) when packets are dropped, which can adversely affect some UDP traffic (e.g. VoIP).
Made the QOS option also remove the traffic from the reodering process.
Setting ping profiles down a tunnel with a dynamic far end point could cause the routing rules to take precidence on startup rather than fixing to route via the tunnel. Fixed.
Increased internal buffering.
Routing to an explicit subnet without saying an explicit gateway but where that subnet has a gateway defined now take priority over the default gateway which was previously applied if the same interface as the chosen subnet.
Further slight adjustment on gateway routing as the default gateway may set a subnet with no actual gateway (as set up by DHCP) and the move made in the last beta to change this caused it no longer to look up the subnet gateway - now it checks for this in using the default gateway.
Added GRE to "standard" protocol selection.
Test build - no significant changes - please ignore.
Change for IE users (MSIE 5.5 upwards) to allow correct viewing on icons.
Wizard removed as mostly out of date. May be reintroduced later
Fix to Latest beta - it was showing the "Update quick settings" button on IE even where there were none.
Option to disable the login error warning music - in setup/UI options.
Bonded uplink improved. Now allows 6 real gateways. Gateways have profiles to allow fallback. Gateways can reference subnets and use their defined gateway rather than having to be entered as an IP address (ideal for use with DHCP).
Prospective factory release.
Includes new XT OEM issue.
Revised default security level on factory reset for "config load/save" to level 1 not level 8
Factory note: if re-loading from Talorcan, manually factory init once s/w loaded as config security level changed.

Release notes from Factory release 2.02.543 to Factory release 2.02.570

Setting an explicit gateway in the tunnel target interface did not work, fixed
Change to ping profiles - now ping every second, and show "DOWN" after 5 seconds of no response. So much more responsive.
Adjusted tunnel keep alives when sending traffic so sent every second at least.
Changed ping timeout to 10 seconds before "Down".
Adjustment for routing to specific subnets in tunnels/ping/syslog packets so general routing rules for the same interface do not override per-subnet explicit gateways.
Explicit gateway on tunnels also correctly.
Changed ping no response time back down to 5 second.
Additional debugging information on ping profile logs.
Removed extra ping debug - seems to be working fine.
Change to ping/syslog when directed to specific tunnel - routing rules no longer override.
Fixed bug where an interface (w.g. LAN) was shown as up even when the only ports are disabled but have link.
New fallback option on ports - allows two ports to work as main and fallback to the same switch network.
Some ethernet port reconfiguration (enable/disable, b/w limit, throttle, long, fallback) no longer force a renegotiation on the port.
Ethernet port status now shows if port is disabled.
Profiles now have a No-Log optio which stops logging of change of state from pinging for that profile.
Moving subnets adjusts other config entries referring to interface specific subnets so that they remain correct, however this was not the case for the newer interface specific entries for tunnels, or syslog messages. Corrected.
Bug in explicit routing on tunnel/profile/syslog where sending to a specific subnet without gateway specified could cause traffic to be misrouted.
Timestamps logged on session table.
Better session tracking of changes to profile pings, tunnels and syslog.
Session table has option for TCP without any traffic to the firebrick port 80 - i.e. the firebrick admin pages themselves.
Adjusted case where change of MAC on unsolicited ARP "announce" can flush cache.
Allowed packet reordering on bonded tunnels even when no shaping feature on FireBrick. Should only be used with some form of shaping, either independant, or at least at the far end brick.
Session start time shown (after clock set) for sessions that started before the clock was set, rather than blank.
Subnet list now shows gateway as well, reflecting the greater importance of the subnet specific gateway in routing
Tunnel sets now sequencing packets even when only one active tunnel - allows tunnel sequence stats are receiving end, showing lost packet stats
Tunnel state change events now a separate logging control option, specifically to allow notification of tunnels going down.
Change to config for tunnels - easier options for keep alive sending, and option to authenticate only on keep alives.
Note that the new tunnel state logging does not get used for tunnels in "timeout" state, where the Up/Down is still logged to debug.
Added new option on profiles for monitoring tunnel state
Minor correction - profiles showed tunnel state option even when tunnels not installed!
Made it so that the time matrix on a profile affects when the manual controlled profiles are shown on the login page.
Memory initialisation correction - tunnel bonded set code with reordering could crash and even factory reset on start up in some cases.
Made default for tunnels to have "Fix" ticked.
Kill link on session (TCP exclude web admin) showed all TCP after killing session, fixed.
Fixed issue where pings to a generic interface with explicit gateway made a new session for each ping.
Case where first packet on a timeout keep alive tunnel where far end sends keep alives all the time could be unsigned when it needed to be, fixed.
Changed "auto" keep-alive on tunnels to "normal"
Changed so that logging to the tunnel state log rather than debug depends on whether far end indicates it is (old bricks) sending keep alives, or (new bricks) is in "master" or "auto with fixed IP far end". I.e. it logs if the tunnel state is expected to stay up all the time.
Made it easier to see if tunnel up/down by colour coding.
Changed timeouts on tunnel keep alives so that compatible with older tunnels that would send 10 second keep alives is some data if flowing. Now 5 seconds of no packets or 10 seconds of no keep alive packets before down.
Updated the inactivity timeout for tunnels on no traffic to 12 seconds not 10 - as pluses seem to be a bit slow.
Reordering on bonded tunnels was not working correctly and so giving slow performance as of betas from yesterday - fixed.
Extra tunneling debug stats.
Made bonded tunnel reorder buffers much larger - jitter on BT lines is more than expected - also added time limiting on reorder buffer to handle occasional dropped packets better.
Error in reordering logic for bonded tunnel sets meant some packets could be incorrectly delayed, affecting performance.
Added separate config security level setting so that upgrading software and saving/loading config can be different security settings. This makes it possible to have a user that can do s/w upgrades and save configs but not load configs or do anything else - ideal for remote scripts. For existing bricks config load/save is set to the same security level as s/w upgrade. The default for factory init for config is 8.
Bonded tunnel sets with one or more inactive tunnels could cause problems with reordering performance - fixed
Correction to extra debug.
Reduced number of tunnel sets to 10
Slight efficiency improvements
Change order of options on tunnel entry page, and slight change of wording.
CHanged tick box for the authentication only on keep alives to be "full authorisation" so all packets signed when ticked.
Work on reordered bonded tunnel sets now ready for use
Corrected typo in tunnel page
Improved debug stats
Factory note: Oisin changed config security level - build with Janneke or later and factory init before labelling.

Release notes from Factory release 2.02.537 to Factory release 2.02.543

Added Expires, Date, and Last_modified headers to try and avoid caching issues.
Date option Full changed to Text, and Full added as option showing day of week as well.
ARP flush for announce - fixed, and tested
Change to handling of ARP announce. Only flushes if a change of MAC. Only logs of flushes. Checks VLAN/subnet match as well. Continues processing of packet (for stealth, etc).
Less debug logging for routing to tunnels that are currently down.
Added tunnel set bias
Tunnel fallback was causing some disruption when used with bonded sets and reordering - fixed
Ooops, previous beta you could not edit the tunnels. Fixed
Do not use this version with reordering on bonded tunnel sets.
List of mapping rules did not show which tunnel traffic was mapped to when mapping to specific tunnel. Display bug only, actual settings still applied. Fixed.
Make the tunnel set packet reorder option only available if Shaping feature also installed as trying to use reorder without shaping the external link is not sensible.

Release notes from Factory release 2.02.525 to Factory release 2.02.537

DHCP client does not accept itself as a gateway (D-Link DSL-300T routers send this for some reason) Minor cosmetic tidy to some of the config screens when accessed without write permissions.
Change to UI for tunnel bonding - now select a set number for all tunnels in same set - more intuitive. Do not downgrade below this s/w release after upgrading if you use bonded tunnels.
Change UI for tunnels now showing per tunnel in and out stats, as well as additional debug stats for packet reordering on tunnel sets
Change to pick up ARP announce broadcasts and flush the ARP cache (rather than use the broadcast which could be bogus). Good for use with VRRP.
Some tunnel optimisation.
Previous beta was not working on more than two tunnels bonded, fixed.
Updated tunnel packet reorder debug stats
Corrected repeated version names, sorry
Correction to some tunnel handling when tunnels down (introduced in latest beta releases)
Tidy of presentation of tunnel set packet reordering information
More packet re-order stats
More tunnel reorder work - reorder buffering not yet ready
Corrected bug whereby tunnels did not fall back cleanly on failure within sets (introduced in latest betas)
Tunnel set packet reordering option added (experimental)
Corrected bug in tunnel set reorder code causing fragmented tunnel packets to break slowing permformance.
Note that reordering is still experimental
Tunnel set reordering was actually fighting with traffic shaping as the outgoing sequence was set before shaping was applied. Fixed - now sequences after shaping applied.
Do not use this version with reordering on bonded tunnel sets.
A bonded tunnel going half down (Up/down) would not cause it to be removed from the bonded set hence causing packet loss (which would then fight the packet reordering causing delayed packets). Fixed.
Using bounce to answer pings was meant to delay the replies. It seems this was broken at some point and so ping replies were not delayed. Fixed.

Release notes from Factory release 2.02.516 to Factory release 2.02.525

Added new option for tunnels so that the source address used for NAT or FireBrick originated traffic can be defined. If undefined then the NAT will use an IP from the far end FireBrick.
Modified DHCP server to allow arbitrary range if used with /32 subnet (normally range is constrained to subnet).
. Minor tidy of tunnel control UI
Minor change to "DHCP invalid" comment on subnet control page when used with /31 or /32 subnets
Minor change to subnet control page
Changed page heading on tables to be left aligned rather than a centred caption (helps with wide IPgroup tables for example)
Changed display of ip/port group lists so table does not get stupidly wide - stops at 20 entries so you select to see the full list.
Added DHCP response UDP checksum as some devices were not happy with non checksum UDP even though valid (notably the WFT-E1 on EOS-1DsMkII), same for UDP time response.
Change to tunnels so that (like ping and syslog) the target interface and gateway IP can be specified if required
Made wording of target interface, source IP, and gateway consistent on syslog, profiles and tunnels
If an explicit route (in routing rules, or set in syslog, profiles, tunnels) is to a specific subnet with no gateway set and the subnet has a DHCP gatewayt defined, then that gateway is used. This is tested just before application of the default gateway.
Note that a DHCP client allocated a gateway will already set the DHCP gateway for that subnet, so can be used with above rule to allow routing to a DHCP client interface without knowing the gateway it will use.
Minor change that the system wide default gateway IP is not set if setting to a DHCP subnet as the gateway from the subnet itself can be implicitely used.
Correction that if the DHCP client is a different interface from the default gateway it is not changed, unless it has no gateway IP defined and it references a general ethernet interface or references an ethernet subnet which has no gateway defined.
Change in config on setup as setting gateway to blank rather than typing "none" did not set gateway!
Change so that DHCP requests are issued as soon as first port on an interface becomes active
Made I/f column on subnets indicate (red/green) if the interface is active (any ports connected)
Made the use of a subnet specific gateway after checking the default gateway, so default gateway can be to a subnet without specifying a gateway itself.

Release notes from Factory release 2.02.472 to Factory release 2.02.516

One more route in non-extras release making 5 plus subnets and default gateway.
One more profile in extras release making 100 plus fixed profiles.
Moved factory default top make subnets the first routing rule.
Correction to help text
Bug in LED cycling lights - not always change to/from this to showing port state.
Session list now has separate "kill" link at end rather than clicking on protocol.
Session list now also shows gateway in each direction, if any.
Session list now shows "Stealth" rather than S/R.
DHCP list now has separate "kill" link rather than clicking on interface.
DHCP list now has headings on table.
Ping profiles to an explicit ethernet subnet sets the source IP to that of the subnet before running through routing rules.
Ping profiles now have an option source IP setting.
Some internal changes for ATE.
Minor changes to load shared routes to correct an anomoly when routing to multiple tunnels
Added a debug message for DHCP client mode
Packet counter diagnostic stats added, 1 minute interval
Tunnel stats only applicable when tunnel feature installed
Added new options for setting routing and source address for syslog messages
Minor adjustments to diagnostic packet stats
Removed panic code 4D
Withdrawn Dropped internal diagnostic for ethernet loopback as giving misleading results
Changes in some debug messages, and fix of obscure issue with certain unexpected ping replies being misrouted.
Update that should fix tunnel lock up issue. OK, really fixing the tunnels this time...

Release notes from Factory release 2.02.430 to Factory release 2.02.472

Fixed speed lane selection so as not to try and show the extra interface names for 5 PORT or Tunnel when not installed.
Updated IP Wizard to set DHCP client on WAN side correctly.
Some internal changes related to some feature key handling.
Fix display on port map which was showing a range when it should not be.
Internal changes to TCP stack - no impact on normal usage. (RST packets sent with odd sequence numbers)
Internal change to self test on ethernet interface.
Minor change to config upload when uploading WAN/LAN reversed config.
Installing 5 port would sometimes create incorerct port assignments until rebooted.
Changes to re-route on profiles.

• Will now force re-route of pings from the firebrick (which may make no difference if explicit interface specified in ping profile).
• Will reroute traffic destined for tunnels (non NAT)

Tunnel bonding will now send the initial packet for any new session via the specified tunnel in the routing and not pick an alternative (unless the initial tunnel is down). Subsequent packets then bond. This helps with return traffic if far end is not bonding in the same way. Load balance routing can be used to spread initial packets.
Tunnel bonding will pick an alternative tunnel, even for start of session or QOS selected packets if the tunnel picked is down and alternatives exist.
Fixed case where routed traffic to broadcast destinations (directed broadcast) could generate ICMP errors if rejected by filters, which is invalid.
Changed login sequence to better work with firefox
Added "special" link in setup for factoryinit, reboot, etc.
Changed some links to work with lynx
Tunnel list shows near end IP now if set.
Factory reset link fixed
DHCP list on 5 port when less than 5 ports configured did not show all interfaces allocaing DHCP addresses
Added facicon
INternal change - better checking on UDP packet headers for traffic to the FireBrick
Saving a log while tracking it could cause the log output to be corrupted