FireBrick Model Variant: FB2500

Released 2023-10-16
Built 2023-10-09
Current factory release
2.00.100 (Abbotscliffe)
Config:XSD Doc

Release notes from Factory release 1.61.010 to Factory release 2.00.100

  • Rework apps to run efficiently on the FB9000 platform - this is a major rework that may impact all platforms

ARP

  • Recover faster from certain subnet changes
  • Slightly improve ARP queue timeout handling for entries that do not resolve but are in constant use.

BGP

  • Shutdown timeout - be tolerant of negative NTP adjustments
  • Add profile to peer list in config editor
  • Check that peers define unique connections
  • Improvements to graceful restart
  • Improve connection handling
  • Fix issue with GET method for new SNMP OIDs
  • Additional states for shutdown and preshutdown in new OIDs
  • Add prefix limit info to SNMP
  • Include held routes in the count of imported prefixes
  • Improvements and bugfixes
  • Intersperse connection handling better

Config

  • Added auto-backup-url to config to POST changed config
  • Improve config patch mechanism
  • Fix "*" parsing for port ranges
  • Small improvements to the auto backup feature to make it nicer

CQM

  • Calculate times for XML output the same way as for images
  • Handle extremely low ping latencies better

DNS

  • Prevent forwarding of other types for overridden DNS entries

Ethernet

  • Allow assignment of specific MAC addresses to subnets and interfaces

Firewall

  • Only ARP targets in overlapping subnets if we would allow traffic to them
  • Improve source IP selection when NAT is targeting overlapping subnets
  • Add more detail to firewall diagnostic

Internal

  • Improve resource utilisation of streams

IPsec

  • Remove path by which eap-user restrictions could be evaded by some clients

IPv6

  • Advertise a /64 for PD SLAAC (even if the delegated prefix is larger)
  • Introduce a list of ra-subnet-template on interfaces to allow setting of options for RA generated subnets (replaces ra-client)
  • Prevent prefix delegation on linked interfaces (including by implicit defaults)
  • Fix issue with RA and ignore_dns that can cause subnets to be recreated

L2TP

  • Corrected handling of Framed-IPv6-Address as interface address in RADIUS
  • Add calling/called station IDs to L2TP session status
  • Fix crash with packets claiming different lengths in different ways
  • Allow IPv6 DNS to be overridden via RADIUS
  • Don't kill tunnels immediately when profiling off incoming
  • Report the correct number of packets for TX and RX

LACP

  • Advertise additional links as standby when it makes sense to do so
  • Put secondary links in hot standby when speed limited by hardware
  • Handle badly behaved link partner better

Logging

  • Increase internal logging capacity

Manual

  • Add more commands to the manual
  • Improve MIB appendix

MQTT

  • Reconnect faster on "external" config changes and improve status
  • Fix issue where tx is available late

OSPF

  • Fix crash when config changed repeatedly very rapidly

Pcap

  • Make labels on pcap form slightly better
  • Support multiple IPs and ranges in the filtering

PPPoE

  • Fix typo on PPP status page
  • Don't accept PPPoE inbound connections if the matching incoming is profiled off
  • Log sending the PADR

Profiles

  • Add uptime test to allow staggered starting of services
  • Evaluate conditions when adding (to avoid flapping without careful choice of initial)

Routing

  • Remove 6to4 (2002:) IP mapping
  • Add tunnel IDs to routing diagnostic summary
  • Avoid sending packets with potentially inappropriate source IPs (applies to overlapping subnets mainly)
  • Force immediate reconsideration of routes when related gateways have expired

SNMP

  • Add system memory utilisation to SNMP
  • Make buffer statistics reflect new reality (that most buffers are in a global pool)

TCP

  • Improve preempting of TCP connections in the timewait state
  • Limit accept queues more consistently
  • Reduce resource usage when in TIME-WAIT

TLS

  • Add connection count to 1 second stats

VoIP

  • Improve how VOIP logging reads

VRRP

  • Take notice of the profile on the parent interface

Web UI

  • Improve profile switch behaviour when clicked fast repeatedly
  • Config option to change colours of user interface
  • Add buttons to config editor for reordering items in ordered lists
  • Darker background for select multiple selections
  • Avoid underflow when showing number of seconds remaining for config test (cosmetic)
  • Added warning that config save is recommended
  • Tidy up config edit page
  • Improve layout of BGP buttons
  • Show reboot now option when shutting down
  • Wrap lines in XML editor on first load
  • Buttons to delete flash blocks as a DEBUG user
  • Click on headings to sort status tables
  • Provide load indicator on Status page
  • Suppress iPhone phone number autodetection (so it doesn't pick up the serial number)
  • Add arrows (ascending and descending) to sorting
  • Record txnodesc more like other ethernet stats
  • Add ability to view old configurations and boot alternative images to flash contents (as DEBUG)
  • Reorder ping form
  • Tweak upload styling
  • Show route diagnostic in prefix order
Released 2022-11-16
Built 2022-11-07
Older factory release
1.61.010 (Ogust)
Config:XSD Doc

Release notes from Factory release 1.60.010 to Factory release 1.61.010

Certificates

  • Avoid panic on reboot if FB private key gets deleted

Config

  • Enforce list max occurrences limits for all config items

CQM

  • Small change to SVG to make loss/latency squared off like png

DHCP

  • Treat a profile on a DHCP config entry with a restriction consistently with other config profile usage.

DHCPv6

  • Various improvements (especially in the client)
  • Make DHCPv6 work better with larger prefixes
  • Allow larger server DUIDs

Ethernet

  • Share MAC address on VLAN 0 between bootloader and app for each port

IKE

  • Send out of band error when INIT request negotiation fails

IPv6

  • Improved reliability of RA handling

MQTT

  • Bigger MQTT messages
  • Additional options on MQTT external
  • MQTT crash fix
  • Sending cleaner CONNACK for error cases

PPP

  • Bug fix for issues with PPP client corrupting subnets

PPPoE

  • Increase number of allowed PPP sessions (and fix crash loading configs with more than 20)

RADIUS

  • Juniper ERX ingress/egress policy name in RADIUS server
  • Correct defaulting of RADIUS server settings

VoIP

  • Subtle change to message handling in VoIP (getting actual 408 response to INVITE)
  • CLI settings not always passing through
  • Allow additional Privacy header options

Web UI

  • Improve layout on XML edit page
  • Improve button placement on system info pages
  • Explanation added regarding TCP stress test blob output
  • Further improve XML edit and reduce vertical height of top bar
  • Make XML download links look like links
  • Add line numbers to XML editor
  • Reject paths with extraneous middle segments
  • Various UI improvements
  • Add a config option to prevent refreshing the CQM image lists
  • Make graphs on the image list page clickable
  • Editor - fix colour picker with 3 digit hex colours
  • Force text colour in buttons to black (apparently iPads can default it to white)
  • Warn on most pages when config is no longer valid
Released 2022-07-20
Built 2022-07-11
Older factory release
1.60.010 (Nickell)
Config:XSD Doc

Release notes from Factory release 1.59.000 to Factory release 1.60.010

CLI

  • Show thread stats for longer sample period

DHCP

  • Improved controls over DHCP logging

DHCP/DNS

  • Additional "latest IP allocated" DNS name for DHCP - see auto-dhcp-new in DNS settings

DHCPv6

  • Simple DHCPv6 client mode (experimental)
  • Updated IPv6 SLAAC/RA logic to allow control of extra flags and simple ethernet side DHCPv6 server

Diagnostics

  • Provide info about HTTP connections for debug users on web and telnet

HA

  • Fix HA groups D-G
  • Improve handling of HA bonded tunnels with extremely mismatched latency (seconds)

HTTP

  • Be more tolerant of lack of Content-length in HTTP client

IP

  • Use the table's default source IP in more places

IPv6

  • Interface setting ra-client now default if wan set, else not default
  • Interface setting now defines PD (prefix delegation), default if wan/ra-client/ra not set

L2TP

  • Respect table setting for MTU calculation for outgoing and relayed L2TP connections
  • Add mechanism for advising LAC of tx speed when needed
  • Put serial number in calling station ID if explicitly set to ''

Logging

  • Fix issue with emailed logs - were sending to last MX not first, and leaving TCP open causing issues if too many emails sent

MQTT

  • Added MQTT console

PPP

  • Handle missed PAP reply on PPP

RADIUS

  • Added allow list for RADIUS CoA requests as alternative to host IP match
  • Add logging on RADIUS match
  • Added top level IP allow check on RADIUS
  • Faster RADIUS failover (and updated documentation)

VoIP

  • Limit email addresses for recording to 2000 chars

Web UI

  • Add details of L2TP session states on tunnel status pages
  • Show which tables session tracking is active on in UI
  • Fix looping causing loss of UI if TCP stress test fails
Released 2022-04-20
Built 2022-04-13
Older factory release
1.59.000 (Macleod)
Config:XSD Doc

Release notes from Factory release 1.58.111 to Factory release 1.59.000

ACME

  • ACME error reporting could get garbled message in some error cases

DHCP

  • Changed some DHCP server logging to be JSON format (same as used for MQTT)

FB105

  • Fix rare crash with FB105 tunnel bonding during configuration change

IPsec

  • Fixed a problem with validation of peer certificate
  • Fixed handling of out-of-order IKE fragments
  • There is a new attribute peer-eaplist available on an IKE connection config item which enables the allowed EAP usernames to be specified.
  • Improve EAP diagnostic logging and fix minor problem with message ID number checking
  • Further improvements to EAP processing and error logging

L2TP

  • Configured outgoing L2TP sessions now respect the bgp setting in the config

MQTT

  • Added listener for FireBricks/# topic
  • Changed MQTT mapping field names and fixed incorrect help text

OSPF

  • OSPF marked experimental as it has some minor issues.

RADIUS

  • Some additional RADIUS server settings, matching, added mqtt logging and changed log format to JSON, for working with some WiFi kit

TLS

  • Improved stream handling in TLS to avoid occasional race conditions causing crashes

VoIP

  • Improve logging when bulk carrier import fails
Released 2022-01-05
Built 2021-12-21
Older factory release
1.58.111 (Landy)
Config:XSD Doc

Release notes from Factory release 1.57.010 to Factory release 1.58.111

Certificates

  • Removed expired DST Root CA X3 certificate

CLI

  • Added CLI command to view port status

Config

  • Allow numeric value with 0x prefix in config

DHCP

  • DHCP client will now attempt to renew leases when ports go down and come back up. This will automatically reconfigure the subnet if plugged into a different network.
  • Added mac-local test in DHCP pool
  • Improved DHCP allocation logging and MQTT logging

Diagnostics

  • Add diagnostic command and status page for buffer usage
  • Include uptime information in automatic crash reports
  • Log highest buffer users in case of exhaustion

Ethernet

  • Improve setting of default port config on startup (may be faster startup in some cases)

Firewall

  • Added option to set DSCP

IPsec

  • Increase max number of simultaneous IKE/IPsec connections
  • Fixed problem with IKE message fragmentation causing connection failures with some clients
  • Fixed occasional "Response not pending" panic.

L2TP

  • Added session-timeout to L2TP incoming

MQTT

  • Simple MQTT message mapping option
  • Improvements to MQTT broker (better error reports and sanity checks)
  • MQTT payload pattern match
  • Correct mapped MQTT messages erroneously setting retain
  • Made IP a link on mqtt status
  • MQTT mapping connection linking (e.g. for retained)
  • Fix outgoing mqtt bug
  • Started some MQTT v5 handling (a config option, experimental, not recommended yet)

OSPF

  • Correct OSPF checksum issue for certain auth types

Profiles

  • Added profile test for "DHCP allocated"
  • Nicer web socket based profile control switches.
  • MQTT profile control fixed
  • Minor change, only sending MQTT if corresponding payload set (even if empty)

TLS

  • Improve server authentication security and work around problems with some servers by using the signature algorithm extension.
  • Fix TLS connection failover
  • Added TLS stateless session resumption - without this newer versions of some browsers were very slow to load FB web pages
  • Issue with TLS resume keys used over a s/w upgrade fixed

VoIP

  • Double VOIP capacity limits
  • Double number of simultaneous call recordings
  • Tweak outgoing registrations for SIP servers that mash up the registered Contact rather than just using it as is.
  • Fixed issue with very long SIP registrations using IPv6 addresses
  • Added a simple BLF report state via MQTT
Released 2021-09-29
Built 2021-09-15
Older factory release
1.57.010 (Kaplan)
Config:XSD Doc

Release notes from Factory release 1.56.010 to Factory release 1.57.010

ACME

  • Allow specifying of the source IP for ACME requests

BGP

  • BGP tags for static routes

Certificates

  • Fix problem with cross-signed certificates causing IPsec connection issues with Windows clients

Config

  • Allow delayed automatic upgrades

DHCP

  • DHCP option to force broadcast offer/ack to address edge case with some APs and devices

Ethernet

  • Fix overzealous ether damping

HTTP

  • Fixed issue where http client (e.g. ping graph download, etc) gets non 2XX response causing later problems

IPsec

  • Increase internal packet buffer size to help with IKE certificates
  • Fixed IP pool leakage
  • An IKE session was sometimes shown in waiting state as well as connected.
  • Further IPsec tweak to avoid losing connection in some circumstances
  • Add workaround to avoid repeated reauthentications when peer is StrongSwan and mode is immediate
  • Fix bad config status entry after deleting a live connection
  • Implemented IKE fragmentation to improve authentication with long certificate chains

L2TP

  • Slightly faster outgoing L2TP connect (proxy auth sent)
  • Handle incoming local match password check for PAP

MQTT

  • Experimental MQTT broker function added
  • Fix crash in configurations where will topic is set, but not will message

PPPoE

  • Issue with some PPPoE sessions restarting on config change

Routing

  • Default source IP per routing table

Shaping

  • Additional control on shapers (burst limit in ms)

TLS

  • Added support for simple TLS clients with limited storage
  • Minor memory leak in TLS client fixed

VoIP

  • Fix error handling unusual SIP packets
  • Allow IPv6 addresses in "recording-server" configuration

VRRP

  • Make VRRP clearer when used with profiles (status page and manuals)

Web control pages

  • Configurable intro text and links on login page
  • Web access security update

Web UI

  • Add ethernet counters to web
  • Show which type of app upgrade would be initiated
  • Show some context lines in live logging view
Released 2021-04-16
Built 2021-03-24
Older factory release
1.56.010 (Jacoby)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.54.101 to Factory release 1.56.010

  • Fix bug in ASN.1 length encoding

Config

  • Additional options for finer control of source filtering setting
  • Additional help text for L2TP

CQM

  • Graphs used to show a damping level even when damping not in use (i.e. l2tp damping not set), removed

DHCP

  • Added "circuit" to the matching rules for DHCP server IP pool (circuit being Agent Info option 82 circuit sub option 1)

Ethernet

  • Improve performance when ports have a mixture of speeds (eg 1G and 100M)

ETUN

  • Add tx/rx packet stats

FB105

  • Change internal IP config for FB105 to allow internal IPv6 to be set

HA

  • Some issues with invalid tunnel packets logging when using L2TP HAL
  • HAL did not work well if one of the links was rate limited
  • Increased number of HA sets to 7
  • Added additional hal-log for debug logging of HAL

IPsec

  • Additional logging and status information for roaming pools
  • Add manually triggerable IKE clearing
  • Change internal IP config in IPSec to use single IP46Addr field

IPv6

  • Slight change to SLAAC RA client default localpref so global addresses preferred

L2TP

  • Improved logging for incoming L2TP sessions so more obvious which config used
  • Minor changes to some L2TP config attribute names, and updates to manual
  • Correct logic on L2TP point to point speed controls on outgoing tunnel
  • Don't override manual shaper speeds on point to point L2TP where no speed is received from calling end
  • OSPF issues with incoming L2TP config fixed
  • L2TP tx/rx speed of -1 recognised and ignored
  • Issue with DOS limit on outgoing L2TP fixed

Manual

  • Updated manual for details of L2TP usage
  • Clarified that config access on web interface also needs user "admin" level

PPP

  • Tweaked PPP handling when far end wants to talk IPV6CP and we were not planning to. We now negotiate.

PPPoE

  • New option to pick up speed from connect message to set egress rate on PPP (ideal for bonding)
  • L2TP PPPoE BRAS mode now picks up payload-table from L2TP config.

Routing

  • Fix startup issue when using source-filter.

SNMP

  • Integer values were sometimes misreported

VoIP

  • Change to source_ip and auth_source_ip so one field for the IPv4 and/or IPv6
  • VoIP caller directory with call screening controls
  • Added display name to call recording leg (because useful to have now we have directory)
  • Added config for how long before expiry we re-register to a carrier, and changed default to 30 seconds
  • Fix issue with incoming CLI not set correctly in some cases
  • Change incoming CLI processing to be transparent if not configured
  • Minor tweak to allow REFER to authenticate on from matching user target URI
  • Correct sending of P-Asserted-Id where configured to send to carrier and set explicitly (ie by RADIUS)
  • Allow carrier to have specified IP and port as target regardless of proxy name
  • Minor change to CLI logic on connecting calls
  • Change to withheld CLI passing to recording server
  • Additional debug

Web control pages

  • Setup wizard bug when IPv6 defined

Web UI

  • Minor changes, allowing some javascript to be embedded
  • Experimental feature added to allow js-url in config (for when logged in, trusted IP, non password entry pages)
  • Tweak XML edit so that a zero login timeout does not fail if XML config edit is longer than 5 minutes

XML

  • New IP46Addr field allowing one IPv4 and/or one IPv6
Built 2021-01-06
Older factory release
1.55.111 (Hamman)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.54.101 to Factory release 1.55.111

Config

  • Additional options for finer control of source filtering setting
  • Additional help text for L2TP

Ethernet

  • Improve performance when ports have a mixture of speeds (eg 1G and 100M)

FB105

  • Change internal IP config for FB105 to allow internal IPv6 to be set

HA

  • Some issues with invalid tunnel packets logging when using L2TP HAL
  • HAL did not work well if one of the links was rate limited
  • Increased number of HA sets to 7
  • Added additional hal-log for debug logging of HAL

IPsec

  • Change internal IP config in IPSec to use single IP46Addr field

IPv6

  • Slight change to SLAAC RA client default localpref so global addresses preferred

L2TP

  • Improved logging for incoming L2TP sessions so more obvious which config used
  • Minor changes to some L2TP config attribute names, and updates to manual
  • Correct logic on L2TP point to point speed controls on outgoing tunnel
  • Don't override manual shaper speeds on point to point L2TP where no speed is received from calling end
  • OSPF issues with incoming L2TP config fixed
  • L2TP tx/rx speed of -1 recognised and ignored

Manual

  • Updated manual for details of L2TP usage
  • Clarified that config access on web interface also needs user "admin" level

PPP

  • Tweaked PPP handling when far end wants to talk IPV6CP and we were not planning to. We now negotiate.

PPPoE

  • L2TP PPPoE BRAS mode now picks up payload-table from L2TP config.

Routing

  • Fix startup issue when using source-filter.

SNMP

  • Integer values were sometimes misreported

VoIP

  • Change to source_ip and auth_source_ip so one field for the IPv4 and/or IPv6
  • VoIP caller directory with call screening controls
  • Added display name to call recording leg (because useful to have now we have directory)
  • Added config for how long before expiry we re-register to a carrier, and changed default to 30 seconds
  • Fix issue with incoming CLI not set correctly in some cases
  • Change incoming CLI processing to be transparent if not configured
  • Minor tweak to allow REFER to authenticate on from matching user target URI
  • Correct sending of P-Asserted-Id where configured to send to carrier and set explicitly (ie by RADIUS)
  • Allow carrier to have specified IP and port as target regardless of proxy name
  • Minor change to CLI logic on connecting calls
  • Change to withheld CLI passing to recording server

Web UI

  • Minor changes, allowing some javascript to be embedded
  • Experimental feature added to allow js-url in config (for when logged in, trusted IP, non password entry pages)
  • Tweak XML edit so that a zero login timeout does not fail if XML config edit is longer than 5 minutes

XML

  • New IP46Addr field allowing one IPv4 and/or one IPv6
Built 2020-05-26
Older factory release
1.54.101 (Garozzo)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.53.000 to Factory release 1.54.101

ACME

  • ACME status for certificates shows when last error happened.
  • Make ACME status clear at start up if clock not set yet
  • Fix ACME error status to show time of error

BGP

  • Add Refresh buttons to BGP UI status page

CLI

  • show configuration now allowed (redacted) at "view" level

Config

  • Improved syntax checking of numeric fields
  • Separate logging for http client accesses
  • Added new config access level (demo) allowing test but not commit/save config.

Config editor

  • Tweak to config edit to make default values more obvious

DHCP

  • Improve lease expiry when the FireBrick does not know the correct time

Ethernet

  • Improve DoS detection and logging of ethernet damping

Firewall

  • Minor change to handling of clashing UDP sessions for better VoIP NAT logic

HTTP

  • HTTP client requests now fall back to other IPs (e.g. for code updates, ACME, etc)

Internal

  • Scheduling changes to improve performance under heavy CPU load (eg crypto processing)
  • In some circumstances Watchdog panics may report incorrect thread - fixed.

IPv6

  • Prefix Delegation IPv6 address was using a base address not interface specific auto IP, fixed

L2TP

  • Configurable PPP timeout values per tunnel
  • Additional logging on config change
  • Fix payload table logic on local auth incoming L2TP sessions
  • Consistent NAS-Port attribute on RADIUS STOP records (previously was 0)

LACP

  • Prevent unnecessary continuous packet exchange

Manual

  • Additional documentation on IPv6 prefix delegation and SLAAC

PPP

  • Tweak LCP restart timing for very slow latency links

Profiles

  • Profile ping of local gateway by ping 0.0.0.0

Session tracking

  • Change to default UDP timeout for UDP ports 80 and 443 to help QUIC

SNMP

  • Experimental addition of new-style vendor-specific structure to fit better with standard usage of OIDs/MIBs.

TLS

  • Use own server preferences when choosing crypto suite and EC curves; Do not send anchor certificate
  • Fix corner-case which may cause a TLS stream to go into limbo with TCP stuck in CLOSE_WAIT
  • Improve TLS session end - avoid occasional crashes/lockups.
  • Fix a couple of TLS issues causing problems with ACME and downloading large pages
  • Finally fixed TLS issue
  • Extra diagnostics added to help with occasional TLS crashes

VoIP

  • RADIUS setting to explicitly set P-Asserted-Id needed for VoIP carriers

VRRP

  • Incorrect error message for ID clash in VRRP, fixed

Web UI

  • Improve UI status reporting for bgp, including ability to filter routes list
Built 2019-08-29
Older factory release
1.53.000 (Flint)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.52.010 to Factory release 1.53.000

ACME

  • Control switch a CA name (e.g. "letsencrypt.org") profile during ACME renewal validation phase
  • Added acme-profile, and made the renewal profile prefixed fb-, e.g. fb-letsencrypt.org
  • Tweak to ACME to allow for additional challenges for a few seconds

Certificates

  • Make certificate domain name checking case-insensitive

Config editor

  • Config edit of passwords did not work with & or similar escaped characters. Fixed, but passwords limited in length when editing config now (120 characters).

DHCP

  • Lease expiry times were incorrect when lease acquired before time had been set

DNS

  • DNS relay limit check

IPsec

  • Provide SNMP status info for IPsec
  • Fix crash when [id] is used in graph name of a waiting connection
  • Show EAP identity (username) in log messages and UI status, and allow it in graph names

IPv6

  • Avoid a problem seen with IPv6 fragmentation with some Linux stacks.

L2TP

  • Added pointless bearer capabilities to SCCRP as one carrier expects it for some reason!

PPP

  • New PPP debug log/dump format options

PPPoE

  • PPPoE did not install IPv4 DNS if explicit routes set, fixed
  • PPPoE Calling ID prefix appended with VLAN and/or MAC

TCP/UI

  • Fix TCP problem causing IPv6 fragmentation which was causing intermittent UI access problems.

TLS

  • Added capability for key exchange signing using SHA2 (needed for compatibility with latest versions of curl).
Built 2019-06-01
Older factory release
1.52.010 (Eisenberg)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.51.010 to Factory release 1.52.010

DNS

  • Added option to allow logging of DNS queries based on interface requesting the DNS

Factory reset

  • Changed factory default to allow set up from WAN as per quick start guide

IPsec

  • Fix problem with IPsec tunnels using IPv6 outer addresses

IPv6

  • Changed source IP of ND to link local in all cases - RFC allows any assigned address but some devices get upset

L2TP

  • Added Framed-IP-Address to accounting

LACP

  • Improvements to increase stability and reduce trunk downtime during status changes

Logging

  • Add Replay tag to panic/replay log lines displayed at startup

UI/CLI

  • Power monitoring improvements
Built 2019-05-17
Older factory release
1.52.000 (Eisenberg)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.51.010 to Factory release 1.52.000

DNS

  • Added option to allow logging of DNS queries based on interface requesting the DNS

Factory reset

  • Changed factory default to allow set up from WAN as per quick start guide

IPsec

  • Fix problem with IPsec tunnels using IPv6 outer addresses

IPv6

  • Changed source IP of ND to link local in all cases - RFC allows any assigned address but some devices get upset

L2TP

  • Added Framed-IP-Address to accounting

LACP

  • Improvements to increase stability and reduce trunk downtime during status changes

Logging

  • Add Replay tag to panic/replay log lines displayed at startup

UI/CLI

  • Power monitoring improvements
Built 2019-04-01
Older factory release
1.51.010 (Davies)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.50.000 to Factory release 1.51.010

BGP

  • Added AS-Path checks to BGP route filtering

Config

  • Renamed log-panic to log-support, as we may log other unusual events to fb-support and not just stack trace / panics

Config editor

  • Profile page layout tweaked

DHCP

  • Revert minor change in DHCP/DNS which was causing problems

General

  • Some final tweaks before being ready for next release
  • Some minor optimisations

Internal

  • Minor changes to boot time calculation
  • Avoid boot time appearing negative when time is adjusted

L2TP

  • Adjustments to ICMP logic for trace route through L2TP
  • Various performance enhancements
  • Local config for L2TP relay now allows relay via another table (payload-table)
  • Fix missing TID in L2TP tunnel status page
  • L2TP session xml url checking number is only number

Logging

  • Additional direct log-panic logging to try and find specific issue in recent code.

NTP

  • Restructure client with minor improvements prior to introduction of full NTP server
  • NTP server introduced. Early release - may not be stable.
  • Support clients using older versions of NTP protocol
  • DHCP serves FireBrick IP for NTP now (unless otherwise set in DHCP config)
  • Minor fixes, and a change to maxpoll and minpoll to use duration in config.
  • Various minor updates on NTP
  • Further NTP bugfixes, including earlier setting of system time.
  • Further improvement to NTP system clock conditioning
  • Improve NTP status message on main status page
  • Added UI status page and CLI status; other minor improvements
  • Improved status output
  • Fix crash when adding/removing time service in config
  • Yet more UI status improvements
  • NTP time adjustments are now applied smoothly by OS time conditioning
  • Improved access checking
  • NTP control (ntpq) access now defaults to true. UI diagnostic access check page was not displaying correct details for NTP.
  • Fixed possible crash after peer drop
  • Fix problem with time quickstep (mainly showing on 2700)
  • Fix NTP status erroneously reported as Acquiring after config change. Improve NTP server startup/shutdown.

Ping

  • Added ping size option to bulk ping logic (+size after IP and #table)

PPPoE

  • pd-interface default on PPPoE excludes interfaces marked wan

RADIUS

  • ERX-Tunnel-Switch-Profile untagged even in tagged responses (for Talk Talk working)

Session tracking

  • Change to logic for set-graph-dynamic which was not setting speeds based on set-graph but on set-reverse-graph.
  • Edge case in use of NAT-PMP/PCP causing crash, fixed

Shaping

  • Shared shaper changed to allow > 4Gb/s total (new version, so all sharing systems need update at same time)
  • Catch some edge cases in session tracking shaper set up that seem to cause a crash

Web control pages

  • Live update of uptime, time, and RAM usage in status page
  • Minor change to way status web page shows

Web UI

  • Minor tweaks to UI colouring. Ping/Traceroute display is banded for better visibility.
  • Fix typo in UI on TCP stress test page.
  • Fixed NTP status submenu highlighting
  • Improve page layout when left-hand menu pane is tall
Built 2019-03-24
Older factory release
1.51.001 (Davies)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.50.000 to Factory release 1.51.001

BGP

  • Added AS-Path checks to BGP route filtering

Config

  • Renamed log-panic to log-support, as we may log other unusual events to fb-support and not just stack trace / panics

Config editor

  • Profile page layout tweaked

General

  • Some final tweaks before being ready for next release
  • Some minor optimisations

Internal

  • Minor changes to boot time calculation
  • Avoid boot time appearing negative when time is adjusted

L2TP

  • Adjustments to ICMP logic for trace route through L2TP
  • Various performance enhancements
  • Local config for L2TP relay now allows relay via another table (payload-table)
  • Fix missing TID in L2TP tunnel status page
  • L2TP session xml url checking number is only number

Logging

  • Additional direct log-panic logging to try and find specific issue in recent code.

NTP

  • Restructure client with minor improvements prior to introduction of full NTP server
  • NTP server introduced. Early release - may not be stable.
  • Support clients using older versions of NTP protocol
  • DHCP serves FireBrick IP for NTP now (unless otherwise set in DHCP config)
  • Minor fixes, and a change to maxpoll and minpoll to use duration in config.
  • Various minor updates on NTP
  • Further NTP bugfixes, including earlier setting of system time.
  • Further improvement to NTP system clock conditioning
  • Improve NTP status message on main status page
  • Added UI status page and CLI status; other minor improvements
  • Improved status output
  • Fix crash when adding/removing time service in config
  • Yet more UI status improvements
  • NTP time adjustments are now applied smoothly by OS time conditioning
  • Improved access checking
  • NTP control (ntpq) access now defaults to true. UI diagnostic access check page was not displaying correct details for NTP.
  • Fixed possible crash after peer drop
  • Fix problem with time quickstep (mainly showing on 2700)
  • Fix NTP status erroneously reported as Acquiring after config change. Improve NTP server startup/shutdown.

Ping

  • Added ping size option to bulk ping logic (+size after IP and #table)

PPPoE

  • pd-interface default on PPPoE excludes interfaces marked wan

Session tracking

  • Change to logic for set-graph-dynamic which was not setting speeds based on set-graph but on set-reverse-graph.
  • Edge case in use of NAT-PMP/PCP causing crash, fixed

Shaping

  • Shared shaper changed to allow > 4Gb/s total (new version, so all sharing systems need update at same time)

Web control pages

  • Live update of uptime, time, and RAM usage in status page
  • Minor change to way status web page shows

Web UI

  • Minor tweaks to UI colouring. Ping/Traceroute display is banded for better visibility.
  • Fix typo in UI on TCP stress test page.
  • Fixed NTP status submenu highlighting
  • Improve page layout when left-hand menu pane is tall
Built 2018-11-21
Older factory release
1.50.000 (Culbertson)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.49.000 to Factory release 1.50.000

ACME

  • Minor improvements to ACME - handling some extra order status responses

BGP

  • Additional debug for ignored updates

CQM

  • Added more stats (total bytes/packet/drops) to CQM XML

Crypto

  • PKCS#8 formats now fully accepted and served for RSA and DSA keys

Diagnostics

  • Fix TCP download test (was always saying 0 bytes loaded)

DNS

  • Changed DNS logic so not simply fallback="true" but fallback-table defined. This means multiple table DNS will default not to fall back now.

General

  • Slight performance improvements

IPsec

  • Fix duplicate connection problem after roadwarrior client switches from wifi to 3G
  • Fix Roadwarrior problems - IPv4 NAT not working and IPv6 routing failing on Apple clients

IPv6

  • Changed ICMPv6 (ND/NA) source address in some cases to match scope

L2TP

  • Allow L2TP matched incoming sessions to set payload-table
  • Added colours to tunnel and session status

Logging

  • Fix possible syslog buffer overrun

Pcap

  • Improved pcap "self exclude" to only exclude the actual TCP session traffic of the dump, not all traffic to/from the IP of the browser as before

PPPoE

  • Minor change to PPPoE timeout logic - could be disrupted by frequent profile changes

RADIUS

  • Platform RADIUS server ERX parameters now tagged if part of tagged response

Routing

  • Improve some logic where table 0 has no routes and totally mapped via rule-sets (e.g. s/w upgrades, etc)

Telnet

  • Option to configure custom telnet prompt

TLS

  • Fix lockup at end of stream on TLS connections

VoIP

  • Separate carrier controls for P-Asserted-Identity, Remote-Party-Id, and Privacy on VoIP carriers. Change of defaults to send PAID and Privacy not RPID
  • Added ACR (Anonymous Call reject) feature on telephone config
  • Included User-Name in RADIUS auth for VoIP (from From header before @) if not otherwise set (based on config user/carrier)
  • Interim release with correct AVP for SIP_AOR (122) as well as accepting incorrect one (121)

VRRP

  • VRRP low-priority mode (e.g. for profile off) caused flapping

Web control pages

  • User setting to hide "save" button in config edit (i.e. has to do "test" first).
  • Added Content-Language to avoid some browsers offering to translate control pages
  • CSS update
  • Added kill on block/reject type sessions in session table
  • Adjust initial timeout to allow for slow TLS handshake
Built 2018-08-22
Older factory release
1.49.000 (Belladonna)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.48.101 to Factory release 1.49.000

BGP

  • Added startup delay for sending BGP announcements to make for cleaner reboots when used as part of a pair

Config

  • Tweaked factory default LAN firewall rule to allow from FireBrick to LAN (needed for VoIP)
  • Removing Ethernet port config now sets port back to default settings

CQM

  • Tweak graph logic - was not working if only selecting ave or max latency to show on SVG

FB105

  • Fix internal-ip on fb105 tunnels routing

HTTP

  • Changed HTTP redirect logic to better handle cases where some port mapping is used in front of the web control pages

IPv6

  • Added DNSSL (search list) to RA settings on subnet

L2TP

  • Minor change to handle low buffer scenarios better

Logging

  • Fixed UTC timestamp on logs (was local time with Z suffix, sorry)

PPPoE

  • PPPoE can now be linked to physical port for direct connection to modem - resetting the port when PPPoE goes down (fixes bug in some modems)

SNMP

  • Various SNMP updates
  • bgp and l2tp now support SNMP treewalk
  • Vendor-specific SNMP for BGP and L2TP reorganized to follow standard table construction. ***NOTE*** this will affect customers using SNMP with BGP/L2TP
  • Add CPU buffer free counts to SNMP statistics

VoIP

  • Tweak for REFER logic, allow refer to match user details with no password (i.e. check IP)

VRRP

  • Corrected VRRP v3 checksum - UPGRADE BACKUP ROUTERS FIRST

Web control pages

  • New css for mobile use
  • Fix wizard when email specified as it caused save error
  • New control of whether logs on web/cli include system logs or not (default not, except for "default" log after factory reset)
  • Config edit not working when clock not set, fixed.
  • Recovery config edit now prompts to save even when no changes as it is not the "live" config
  • Minor improvements to web control pages (extra classes, etc)

Web UI

  • Add TCP throughput diagnostic
Built 2018-06-22
Older factory release
1.48.101 (Avarelli)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.47.100 to Factory release 1.48.101

ACME

  • Install root certificates for use with Let's Encrypt and ACME
  • Better error logging
  • Full ACME system to work with Let's Encrypt

BGP

  • Updates BGP refresh options including sending refresh request
  • Additional BGP shutdown subcodes added
  • Some additional debug for BGP

Config

  • Config top level attributes now include username and ip of last update
  • Config top level attributes now include serial number and version, but normal edit screen no longer has xmlns and xsi
  • IP groups can now reference subnets by name (including DHCP client subnets)

Crypto

  • New key generation logic in place for ACME and related functions
  • Avoid crash soon after startup following auto key generation

Firewall

  • Added a block/prefix mapping feature to firewall logic

Flash

  • Fix incorrect detection of flash timeout on heavily-loaded system

https

  • Self signed certificates as fallback for initial set up via https

Internal

  • Fix occasional lockup/crash during stream processing
  • Additional stats for entropy collection

IP

  • Increase pending ARP cache and drop if overloaded rather than sending spurious ICMP errors

IPv6

  • Change some logic to reduce use of 2002:: 6over4 address usage as source addresses where possible

L2TP/RADIUS

  • Tweaks to expected timeouts on RADIUS (e.g. for L2TP or session steering) and change default to min timeout 2 seconds total
  • More control of RADIUS timeouts for ad-hoc RADIUS from RADIUS response for L2TP session steering
  • Improve outgoing L2TP handling where target is hostname

Logging

  • Change to outgoing email timeout (spam scans and the like can take a while) RFC5321 4.5.3.2
  • Colour on web log not always correct

PPP

  • Send NAK asking for MD5 on receipt of non MD5 CHAP request

RADIUS

  • RADIUS client allowing fixed source-ip, and for ad-hoc L2TP steering uses L2TP source IP if set
  • Fix L2TP relay steering RADIUS min/max timeouts (5/20 not 20/5)

VoIP

  • Fix nc to 1 as we don't store/re-use nonce values. Some systems don't just look for duplicates but actually expect a 1
  • Not picking up media started until something that is not perfect silence is sent as some systems do that!
  • Better handling of overlapping INVITE replies where server is very slow or over long latency links

VRRP

  • Config check for duplicate VRRP MAC in use on different interfaces

Web control pages

  • Change layout of rule-set
  • Changed logic for self signed certificates, and made more transient in certificate store
  • Limit number of self signed certificates to reduce clutter, and avoid possible "make millions of certificates" attacks
Built 2018-04-19
Older factory release
1.47.100 (Zander)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.47.010 to Factory release 1.47.100

L2TP

  • Edge case where radius relay of tunnel could cause crash when using BRAS mode

Web control pages

  • TLS: Added AEAD-GCM cipher suites - now get an "A" rating with Qualys SSL Labs test.
  • Can now specify a list of possible certificates to be used for https in http config
Built 2018-04-11
Older factory release
1.47.010 (Zander)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.46.100 to Factory release 1.47.010

Authentication

  • Interface can be marked "wan" to consider it not local for "local-only" access controls
  • Added advice on printing and storing QR code in case phone fails

BGP

  • New "grey hole" community tag for IBGP to pass blackhole routes that have no-fib set, so routes get to EBGP for external blackhole announcements
  • More info on BGP peers

Config

  • Config editor did not show advanced selected option entries that are blank if without Show all

Config editor

  • Adjust timing on config edit as Firefox keeps saying edited by someone else

CQM

  • More slight tweaks - edge case of SVG for unknown CQM graph (i.e. blank graph) with title text enabled caused a crash...
  • Slight changes to SVG (slightly bigger) to add id to some fields and include off image (cropped) data to allow some post processing (e.g. merging graphs)
  • CQM SVG now includes option for markers on the tx/rx lines like the old PNGs did - by popular demand, CSSable.
  • SVG CQM graphs did not show "damping"

DHCP

  • DHCP client Class and Client-Identifier now configurable
  • Minor tweaks to DHCP server as per RFC6842 (correctly returning client ID)

Internal

  • Fix incorrect flash log replay output at system startup
  • Minor change to low buffer checks for TCP management interfaces and L2TP

L2TP

  • PPP LCP restart if not negotiated after 30 seconds and an LCP restart has not been tried already
  • Added RADIUS Framed-IPv6-Prefix
  • Option to mark an L2TP session as isolated, i.e. not allowed to pass directly from another L2TP session
  • Added relay-local-ip config for L2TP to control the IP used for relaying connections, and extra debug info
  • Tweak behaviour if all RADIUS servers not responding
  • Malformed L2TP packet could cause crash

LEDs

  • Ensure LEDs start up in cycling (knightrider) mode
  • Fix LED issue - not showing power LED

Logging

  • Syslog missing NILVALUE for structured data
  • Some additional logging for impossible packet headers requiring split for MTU
  • Tweak to delayed logging (email) so it may send on controlled shutdown

Manual

  • Corrected explanation of trusted, local-only, and allow controls in manual
  • Updates to manual covering scripted access and special URLs

OSPF

  • Area ID was not set from config

Ping

  • Show ping/traceroute response coming back on wrong table

PPPoE

  • PPPoE was not handling priority tagged VLAN packets well
  • Tweak to PPPoE client back-off when connections start but don't complete

Profiles

  • Profiles now allow checking of outgoing L2TP tunnel state

Routing

  • Changed linked routes display, e.g. for L2TP sessions, to be more logical

Session Tracking

  • Possible very rare case of lock up at start-up fixed now

SNMP

  • SNMP was not respecting profile setting

SVG

  • Minor SVG tweaks to save space
  • Extra info in SVG to aid post processing

Telnet

  • Fix instructions on telnet config import. It ends with ^D or a line with just a dot on it

USB

  • Remove unnecessary logging

VoIP

  • Tweak to VoIP (Via/branch tag) to improve compatibility
  • Even though RFC 3261 8.1.3.2 requires UACs to handle 100 responses, some get upset, so as per 8.2.6.1 we only send for INVITE now

Web control pages

  • https support introduced. Should now support most modern browsers. Limited certificate management.
  • Change of monospace font
  • Dynamic status of ports
  • Started work on initial config wizard
  • Warning for config edited by someone else now advises IP and name of other user(s)
  • Tidy layout of config edit for system settings
  • Option to skip the setup wizard
  • DHCP clear all unused now operates per interface
  • Colour picker was not working for named colours (also, added "orange")
  • Additional security related http headers added with sensible defaults
  • Change ajax sync logic on config edit to be neater
  • The logs page was not working when you only had one log target. Given system defaults to two to start, this is rare!
  • Save button appearing on key press in a field, and not just when leaving field - so more obvious
  • Slight re-order of the config to be a little easier to follow

Web UI

  • More compact SVG for CQM and QR codes
  • Status shows current NTP status, i.e. reports if no time server set, DNS not working, etc.
  • DHCP status now lists interfaces and shows per interface rather than all in one table
Built 2017-11-26
Older factory release
1.46.100 (Yorick)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.45.001 to Factory release 1.46.100

ARP

  • Proxy ARP/ND logic was causing proxy ARP even when routing is to a next hop on same LAN, and so hijacking all IPs
  • Improvements to ARP handling - reduce chances of unexpected no route to host on first packet

ARP/DHCP

  • Timing improvements to prevent corner case of IP not getting allocated if recently unused

BGP

  • Export filters were not checking community fields on non BGP originated routes (e.g. locally generated with community tags)
  • Show more clearly when BGP has hit prefix limit (we don't drop BGP on that)
  • Added reduce-recursion option to BGP
  • No fib option on Blackhole routes (EBGP only and non FIB)

CLI

  • Eth/Switch stats display layout improved
  • Command completion was not working correctly
  • show tasks allows stack trace information for debug

Config

  • Minor change to factory reset config (WAN port name changes)
  • Port LED config option "Cycling" removed. [May be reinstated in the future.]
  • Config edit was reporting that someone else had changed config, on save...
  • Minor change to way simultaneous config changes are reported on web pages

CQM

  • SVG for CQM graphs

DHCP

  • Additional DHCP logging, and (debug) logging if seems to be another DHCP server present
  • Improved logging when no IP is available to help with diagnosis
  • Fix problem where wrong restricted dhcp entry could be used

DNS

  • Option to turn off local caching of relayed DNS lookups
  • DNS response times made a bit more adaptive to handle cruise ship levels of internet latency
  • DNS config allows resolvers table to be specified without restricting access to DNS caching function
  • Tweaks to DNS handling capacity for high load
  • Some aspects of local DNS were case sensitive, fixed
  • Fix for local IP (e.g. my.firebrick.uk) not returning A record when IPv6 DNS used, and other way around.

FB105

  • Fix routing to self when internal-ip set on fb105 tunnel
  • Simple FB105 obfuscation feature (for countries that ban encryption)

Firewall

  • Session tracking timeouts for native IPsec (ESP/AH) increased (was 5 seconds)
  • NAT-PMP and PCP handling (experimental)

Internal

  • Another modification to interrupt management to help with overload
  • Changes to image timestamp processing to avoid occasionally seen wild timestamps way in the future.
  • Improved error detection and recovery in legacy flash driver

L2TP

  • Changed L2TP tunnels to have two separate "LIVE" states on web page and on SNMP, one for incoming and one for outgoing tunnels
  • New L2TP config option to allow both LAC and LNS as NAS IP and port in RADIUS
  • Outgoing L2TP has NAT option (default true)
  • Outgoing L2TP with cross tunnel payload now handles local IP for local traffic and NAT correctly
  • Outgoing L2TP fixed DNS server setting with option to not accept DNS if required
  • Outgoing L2TP now allows server to be a host name, not just an IP
  • Outgoing L2TP hostname now defaults to "FireBrick" if no system name set
  • Allow RADIUS relay response to have #port on end of IP/hostname for non standard RADIUS auth port
  • Added additional SNMP L2TP for session negotiation slots that are free: iso.3.6.1.4.1.24693.1701.2.10
  • Using web page to kill L2TP session bypassed normal RADIUS accounting for closing session

LACP/LLDP

  • Prevent LACP/LLDP packets crossing between ports in same portgroup

LEDs

  • LED driver restructuring and timing improvements

Logging

  • Added email address to config - used as Reply-To on email logs
  • Rework of web logging to use web sockets and better layout, and allow download

NAT

  • Changed NAT logic to have longer session timeout after TCP closes to avoid accidental re-use of ports in FIN WAIT

Ping

  • Loading ping graphs was not handling host names properly if using multipart/formdata

PPP

  • Buffer leak in edge case where PPP negotiation is closing IPCP and failing the session

PPPoE

  • DHCPv6 over PPPoE server was broken, fixed
  • PPPoE server (BRAS mode) now allows calling station ID prefix for sending to RADIUS
  • Added explicit control of RFC4638 PPPoE tagging (default for >1492 MTU)

RADIUS

  • RADIUS server matching rules can be set to continue on match, allowing multiple stages of settings if needed
  • Added additional Juniper parameter to steering RADIUS for L2TP via TalkTalk newer platform
  • Added additional check on NAS-IP in steering RADIUS for L2TP via Talk Talk newer platform
  • Platform RADIUS nas-ip match was not right

s/w upgrade

  • Delay up to 15 mins to give FB a chance to get the time before performing an auto upgrade; Correct logic for checking if image already present in flash.

SIP

  • Fixed issue where re-try of SIP messages would go to port 0 if no SRV saying otherwise

SNMP

  • Extended SNMP for VoIP to include stats per carrier/telephone
  • SNMP 1.3.6.1.2.1.2.1.0 was not working

VoIP

  • Improved IPv6/IPv4 fallback logic
  • Split up some long SIP lines
  • Minor tweak to NAT keep alive on VoIP to reduce logging
  • Minor tweak to authorization header to be a bit more pedantic
  • Silly bug, RADIUS based SIP error codes scrambled slightly so middle digit added as unit not tens

Web UI

  • Sometimes the login page could show a corrupt hostname for connecting host (reverse DNS)
  • Changed to use svg for images because of higher res screens and scalable mobile screens
  • Change form entry timeout to match login timeout (if set, else 5 minutes as now)
Built 2017-02-16
Older factory release
1.45.001 (Ximenes)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.44.000 to Factory release 1.45.001

DNS

  • Possible rare quirk that could cause a DNS resolver to be ignored/blocked

Internal

  • Improve OS interrupt scheduling to reduce possibility of panic under heavy load
  • Change of default value in new ethernet interrupt code config to address possible latency issue under load

IPv6

  • When turning off RA we were sending an RA making prefixes valid for infinity rather than 0

Profiles

  • Forcing a config load which has a reference to non existent profile could cause a crash

Routing

  • L2TP source routing check could, in some cases, cause a crash if routing for IP is primarily via different route (e.g. BGP) with L2TP as fallback

Web UI

  • Packet dump was blocking other forms on web interface whilst running (error 409), fixed
  • Allow certificate download if read access to config, and only show cert actions if available to user
  • Removing 2FA could result in a crash, fixed
  • Logging for http does not log every web page access on normal logging now, that is on debug logging
Built 2017-02-13
Older factory release
1.45.000 (Ximenes)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.44.000 to Factory release 1.45.000

DNS

  • Possible rare quirk that could cause a DNS resolver to be ignored/blocked

Internal

  • Improve OS interrupt scheduling to reduce possibility of panic under heavy load

IPv6

  • When turning off RA we were sending an RA making prefixes valid for infinity rather than 0

Profiles

  • Forcing a config load which has a reference to non existent profile could cause a crash

Routing

  • L2TP source routing check could, in some cases, cause a crash if routing for IP is primarily via different route (e.g. BGP) with L2TP as fallback

Web UI

  • Packet dump was blocking other forms on web interface whilst running (error 409), fixed
  • Allow certificate download if read access to config, and only show cert actions if available to user
  • Removing 2FA could result in a crash, fixed
  • Logging for http does not log every web page access on normal logging now, that is on debug logging
Built 2017-01-11
Older factory release
1.44.000 (Warbler)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.43.001 to Factory release 1.44.000

PPP

  • Ignoring unknown PPP/LCP protocol reject now
  • Closing PPP if IPv4 and IPv6 terminated or rejected

PPPoE

  • Rework of service name matching and PADO/PADS response logic for PPPoE

Web UI

  • Factory reset state not working due to new security measures means factory reset bricks cannot be configured via web interface, only telnet
  • Fix individual DHCP kill button which was not allowing unexpired or locked entries to be killed, and correct typo!
Built 2017-01-05
Older factory release
1.43.001 (Vixen)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.42.100 to Factory release 1.43.001

Authentication

  • Made web & telnet login prompt for OTP authenticator code so can be entered separately from password

DHCPv6

  • Tested on Zen IPv6 PPPoE/DHCPv6 - addressed a number of issues, now working

Ethernet

  • Improve ethernet receive processing and CPU load monitoring

Firewall

  • Fix bug with session mapping using hash function, which sometimes did not pick any mapping
  • Load balancing issue for firewalling when not using hashing

L2TP

  • Additional RADIUS logging for RADIUS based steering

Sampling

  • Introduce packet sampling (IPFIX/sFlow) [not yet documented]

SNMP

  • Named shapers were not returning actual stats

VoIP

  • Added config name to outgoing registrations as display name on contact
  • Issue with outgoing registrations locking up indefinitely if ICMP errors received

Web UI

  • Did not show new bootloader as available on status upgrades page
  • New password change menu to simplify password change and to allow users without config save access to update their password
  • Added QR code and suggested key to OTP set up
  • New simpler OTP set up
  • Removed OTP check on config recovery mode - given physical access needed and likely clock not set
  • Cross site scripting checks on web forms
Built 2016-11-01
Older factory release
1.42.100 (UncleYap)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.41.000 to Factory release 1.42.100

BGP

  • Subtle recursive next hop check logic error where DeadEnd community tagged routes used

CLI

  • Increase CLI regexp buffer to support lines up to 300 characters
  • Fix lockup problem when doing command completion
  • Debug command for DNS cache

Config

  • Removed top-level profile setting from route-override (it was non-operational)

DNS

  • Bug in DNS caching that could have caused other side effects in other systems - fixed
  • Custom DNS responses can now be restricted to specific interfaces
  • More aggressive DNS cache expiry where multiple entries have different TTL
  • Better cache handling when being flooded with requests to cache limit
  • Slightly more aggressive clean up of domains with expired cache or caching limits reached

L2TP

  • Allow config of advertised receive window
  • Avoid sending CDN or other session related messages once a CDN is received
  • Better handling of zero length username and zero length passwords in proxied authentication
  • Graph names not showing on L2TP sessions immediately after connect
  • Option for local LCP echo handling in middle of L2TP relayed connection
  • Edge case of L2TP with PAP and auth-name but no auth-resp (assumed no/null password) which was not doing RADIUS
  • Change when relaying L2TP with null password and PAP to send null password in an auth-resp
  • L2TP relay to send auth even for zero length login
  • Fix bug with showing L2TP routing

Logging

  • Logging of config changes was not working correctly if system log-config was set

SNMP

  • Added some missing stats; Implemented Admin/Oper status reporting for ports; Improved port and interface naming.

VoIP

  • SIP DNS resolution where explicit :port suffix used was not working
  • Add force-dtmf option for telephone config, in PABX mode
  • Change of RTP sequence/timestamp logic to address some issues on DTMF event pass through
  • Fix SIP INFO DTMF from Snom
  • Change DTMF in-band generation to handle less frequent RTP/telephone-event messages
  • Better handling of SRV fallback
  • REGISTER now uses host name in URI and not name of proxy when proxy used
  • Finer control of when sending a pre-auth header (carrier setting)
  • http list of registrations now allows user to be of form localpart@domain with host being the proxy

Web UI

  • Subnets status page now shows portgroup name in Port column
  • Port group names shown on port status
Built 2016-05-08
Older factory release
1.41.000 (Taupi)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.40.000 to Factory release 1.41.000

BGP

  • New dead-end-community used to propagate routes within IBGP that are dead ends (e.g. nowhere or network)

Firewall

  • Fix to NAT64 logic where target is nowhere/network

IPsec

  • Decision on whether to send INITIAL_CONTACT notification was inverted
  • Allow traffic selectors to be specified in config
  • Fix scheduling problem which could cause IKE to lock up after prolonged use

IPsec/IKE

  • Add option to enable traffic selector sent to peer to be constructed from specified routing

L2TP

  • If RADIUS overwrites the proxy auth logic to change auth type then change proxy last LCP tx
  • Change logic for dummy auth on L2TP to wait for LCP negotiation to complete before RADIUS allowing proxy LCP details to pass to relayed connection

Routing

  • Changed internal routing logic for "next hop" based routes to be more efficient
Built 2016-04-26
Older factory release
1.40.000 (Shed)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.39.000 to Factory release 1.40.000

ARP

  • Minor tweaks to ARP timing

BGP

  • Tweak next hop in some cases - review against RFC
  • Show BGP sessions that are down by profile as shutdown in peers list
  • Manual shutdown, albeit deprecated, was not working to close existing BGP sessions
  • Simplified the XML for BGP status, all peers list as <peer.../> now.
  • When originating routes from a 32 bit AS number via a 16 bit AS BGP session was not sending AS4_PATH
  • BGP tweak, allow incoming BGP in IDLE state

CLI

  • Command line completion could complete keyword arguments incorrectly

IP

  • Allow UDP to VRRP address - used for DNS, and RADIUS, etc.

IPsec

  • Fix crash when certificate named in connection is missing

L2TP

  • Incoming L2TP config allow any table if table attribute not set
  • Allow outgoing source IP setting on outgoing L2TP tunnels
  • RADIUS directed session steering for L2TP needs to use the specified table
  • Speed sanity check - do not believe L2TP speeds at or below 10kb/s as valid
  • Don't close tunnel on an out of order control packet showing backwards Nr sequence
  • Some more options for RADIUS to overwrite password on L2TP relay

Routing

  • Improve route caching update on deep recursive routes changing

SNMP

  • iso.3.6.1.2.1.31.1.1.1.1. (ifName) corrected as was a Counter64 not a String
  • Corrected counters for broadcast and multicast packets to 32 bit
  • Fix return ordering in bulk get requests; improve encoding of integer values

TCP

  • Do not perform TCP MSS fixups on MD5-authenticated sessions

Web control pages

  • Minor tweaks to status pages
Built 2016-03-20
Older factory release
1.39.000 (Rufus)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.38.001 to Factory release 1.39.000

CLI

  • Add command output filtering capability to CLI (telnet and serial link)
  • Fix crash in CLI when default logging is set to console
  • The "show route" and "show routes" commands have been combined to avoid ambiguity; If '?' is used to output command details the command help info is displayed, unless all commands are listed

DHCP

  • DHCP relay/remote server logic
  • Tidy up DHCP logging messages
  • Tweak for FireBrick as a DHCP client working via DHCP Relay Agents

DNS

  • Timeout of long-latency replies from DNS servers was flawed.

Ethernet

  • LACP send and receive/status
  • LLDP send and receive/status
  • Port trunking options (with or without LACP)

IPsec

  • Minor change to help with diagnosis of occasional IKE crash
  • Avoid crash when clearing a NATed connection
  • Fix IKE crash when moving incoming connection to a config with no peer_id set
  • Fix occasional crash after prolonged use.

L2TP

  • Uplink speed control per connection
  • Change to way hashes are handled for session steering

LACP

  • Option to control the hashing used for trunking
  • Default LACP mode is passive for non trunked ports as some switches are strange

NTP

  • Better error logs for NTP / clock setting
  • Better NTP back off logic
  • Option for fast-retry for NTP until clock first set

PPP

  • Better timing of PPP LCP when using dummy auth (no authentication)

PPPoE

  • Tweak PPPoE Host-Uniq

Profiles

  • Change to profiles use of and/or/not so these are tested on the "interval" rather than being immediate in some cases

Routing

  • Adjust hash logic slightly

Web UI

  • Kill link on web view of L2TP sessions/tunnels
Built 2016-02-14
Older factory release
1.38.001 (Quantum)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.37.002 to Factory release 1.38.001

Ethernet

  • Don't log transmit queue full errors (txqfull) caused by physical port being down

IPsec

  • IPSec upgrades and restructure
  • Minor change to logging of IKE messages; fix crash on shutdown; suppress errors relating to multicast messages
  • Fix crash during rekeying when heavily loaded; fix possible crash during setup if routing changes; check ESP padding more thoroughly
  • Fix crashes caused by one-way packet drop when both peers have mode Immediate

VoIP

  • Fix cases where tones not generated correctly such as ring tones, etc.
  • Audio pass through correctly when ringing a group and one leg is providing early audio
  • Allow RTP to quote IP6 and ::ffff:x.x.x.x format and treat as IP4

VRRP

  • Correct issue with VRRP ARP replies in some cases
Built 2016-01-14
Older factory release
1.37.002 (Paul)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.36.002 to Factory release 1.37.002

BGP

  • Handle blackhole routes better - having an ingress and egress tag for blackhole routes
  • BGP rule override of pad was not working
  • Extra debug

Config

  • Default user password generation now salted SHA256

Config editor

  • Better handling of messages when test saving config with errors
  • Turn off autocomplete on config editor as causing issues

DHCP

  • Tweak DHCP server to use chaddr field not source MAC
  • Tweak to DHCP to allow renew of IP where ARP shows MAC as matching either chaddr or source MAC of request
  • Improved algorithm for selecting which restricted IP pools apply
  • Added a bit of sanity check on DHCP renew/expiry values received
  • Change DHCP retry to restart back off at expiry
  • DHCP log of moving IPs between interfaces was crashing, fixed
  • Extra debug counters for DHCP client

DNS

  • Random DNS source port for additional security
  • Incorrect ARCOUNT in cached responses when EDNS0 request used
  • Possible race condition in DNS tracking

etun

  • ETUN was ignoring profile settings - fixed

Firewall

  • Allow match of "same network" by target-ip in 0.0.0.0/8-31, e.g. use 0.0.0.0/24 to match "same /24 as source IP". Same logic in reverse for source-ip check. Same logic for ::/32-127
  • Layout change on firewall check

Flash

  • Improve flash scheduling; should fix occasional "Bad end read" crashes.
  • Fix another flash scheduling problem causing occasional crashes

IPsec

  • Recognize repeated INIT requests
  • Modify MSCHAPv2 to be compatible with MS Windows
  • EAP MSCHAPv2 - return a new challenge after password failure, allowing interactive password reentry on Windows clients
  • Add workarounds to allow interworking with OpenIKED
  • Minor improvement to error response when there is no suitable proposal for the IKE SA
  • Fix possible panic on shutdown
  • Fix crash when certificate trust chain is incomplete
  • Improvements to certificate storage, including fix for possible crashes after updating certificates.

L2TP

  • Changed overload logic for unresponsive LNS to better handle when LNS is relayed/outgoing connections
  • RADIUS auth sends original tx speed, not adjusted, which fixes issues when multiple authentication done on same connection
  • Allow overwrite of existing User-Password in RADIUS auth response (for PAP and CHAP use on relayed tunnel connection)
  • Relayed tx speed in connect info now reflects speed as updated by RADIUS, not original.
  • Fatal tunnel sequence errors now close tunnel
  • Tweak not to send ZLB in reply to message if the message causes a reply to be sent anyway
  • Allow session to be marked blackhole routed ('D' filter)
  • Added debug logging for DOS detection to show pps
  • L2TP clearing of dead tunnels improved (some edge cases left tunnels never clearing)
  • Internal stats cache clear on L2TP session start
  • RADIUS Accounting to show Connect based on actual speed, not original L2TP speed
  • Show when routes suppressed in L2TP session status
  • Additional LCP control (data len) for screwy Samsung LACs that don't cope with zero len
  • Send LCP TERM ACK reply when closing

L2TP/PPP

  • Change to allow non auth incoming L2TP to send RADIUS to validate as a "dummy authentication"
  • Stall (no reply) IPCP / IPV6CP if waiting on RADIUS, as can happen for dummy auth
  • Better handling of proxied LCP negotiating no authentication

OSPF

  • Initial testing for new OSPF code

Ping

  • Ping diagnostics "loss" stats were including ICMP errors as well as correct responses

PPP

  • Allow PPP LCP to negotiate unauthenticated (LCP rejecting AUTH)
  • Don't do IPCP whilst waiting on RADIUS (relevant for null auth)
  • PAP Ack/Nak with zero message now sends zero message len not zero data
  • Checking proxy LCP now accepts stupid LACs that claim to neg longer PAP/CHAP LCP messages if they otherwise look OK

PPPoE

  • Tweak PPPoE client to change Host-Uniq as some systems misbehave if always the same
  • PPPoE was not authenticating, fixed

Routing

  • Next hop feasibility checking failed to spot when an Ethernet next hop stopped answering ARPs
  • Next hop logging is now separate system log target

Stats

  • One-second CPU stats output is now synchronized to UTC time

Tunnels

  • Allow more than one etun tunnel to be defined, and allow etun over a usb ethernet port

VLAN

  • Fix VLAN tagging problem

VoIP

  • Fix missing resend of invite response if no ACK received
  • Changed handling of retries to sequence through SRV records
  • Tweak default nonce response on RADIUS auth challenged request to match automatic auth request

Web control pages

  • Status/Subnets now shows the interface headings

Web UI

  • Improve diagnostic if s/w upgrade fails
Built 2015-04-29
Older factory release
1.36.002 (Orlando)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.35.001 to Factory release 1.36.002

Authentication

  • Not upgrading passwords to SHA256+15, but to SHA1+3 so backwards compatible if code reverts

BGP

  • Replacement routes with different flags were treated as no change
  • Fix mishandling of ORIGINATOR ID when not sent
  • Tweak to remove non standard tie break logic in BGP code
  • Cluster ID, Cluster List and Originator ID now only sent where source is IBGP

Config

  • Certificate management extended

CQM

  • Tweak URLs for images of graphs to allow for graphs that look like a URL and break some browsers
  • Change logic for adjusting shared shapers when hitting limits to favour unit dropping most packets more

Ethernet

  • Fix packet padding which leaked internal ethernet checksum in last 4 bytes (not harmful but confusing)

IPsec

  • Please change from manual keyed IPsec to IKE shared key as manual keying between bricks is deprecated
  • Manually keyed IPsec config migrated to new config format on upgrade - logs upgrade has taken place to fb-support which normally emails FireBrick team as use of manual keying is not recommended
  • Authentication using certificates added
  • EAP authentication introduced.
  • Logging messages improved. Minor bugfixes.
  • Roaming IP pool implementation complete. RoadWarrior access now possible.
  • Add MSChapV2 to EAP methods. Some minor bugfixes.
  • Improvements in ID processing; session lifetime now configurable; bugfixes
  • Allow dead peer detection period to be configurable
  • Allow EAP to work with iPhone (iOS8.1.3+); more logging; minor bugfixes.
  • Fix crash during system shutdown
  • Internal restructure of IKE to better support multiple sessions and clean reauthentication. Should also fix problems with graphing.
  • Fix crash following unexpected SPI detection
  • UI status shows allocated IP for roaming connections; algorithms now only displayed in detailed view
  • Fix possible crash when a profile state change occurs
  • Connections controlled by profile were occasionally starting when profile inactive
  • Unnecessary diagnostic causing crash in some circumstances removed
  • Add ability to respond to rekey requests; minor bug fixes.
  • Avoid unnecessary duplicate session startup
  • Move manually-keyed config element. WARNING: If you use manually-keyed IPsec connections this update will delete them. Save your config before update so you can re-enter the connection data.
  • Allow graph names to include peer's ID or IP address
  • Fix crash when establishing new session
  • Fix routing table problem on immediate mode IKE connections
  • Avoid child SPI reuse
  • Fix packet drops following reauthentication on immediate mode IKE connections
  • Fix occasional crash in connection setup when initiated remotely
  • Fix problem with NATing incoming roaming sessions when using non-default routing table
  • Fix crash when using IPv6 roaming pool
  • Allow (and prefer) prefixes DNS and EMAIL rather than DOMAIN, FQDN, MAILADDR or MAIL for IKE identities
  • Fix possible crash when closing a NATed connection
  • Add debug logging of IP allocations
  • Problems with reassigning pool IPs after abrupt device disconnect fixed; Treatment of ID prefixes improved (FQDN: now preferred to DNS:); Multiple DNS servers accepted in pool config; cert/profile script improvements

Logging

  • Logging of panic message was not working correctly - fixed.

Manual

  • Added some more IPsec doc and corrected some other minor typos in manual

Ping

  • Added ping stats on ping command line and web (was already in XML)
  • Web/command line ping stats showed wrong average

PPP

  • Tweak to try and handle case of CHAP final reply having been missed, and reprocess duplicate CHAP response

PPPoE

  • Fix source MTU for sending down PPPoE link

Routing

  • Diagnostics for routes shows reason for ordering

VoIP

  • Edge case causing outgoing registrations to fail if unexpected contact expiry sent back
  • Tweak handling of RADIUS based 302 response handling from telephones
  • More ring groups and users
  • Sending Authorization header with just username set where we have a username and no challenge yet
  • Handle receipt of Authorization with username and no response to match against carriers for incoming invites
  • Improved screen=yes/no handling where incoming has screen set, or is from untrusted cli source
  • No longer expecting SIP replies from same IP as some forwarding/NAT sends from different IP
  • New cascading group logic for out of hours
  • ACCESS_CHALLENGE response was not properly generating the authentication request
  • Cleaned up carrier matching logic and documentation
  • Allow Authorization/username to find telephone user if not matched on to address
  • Allow Authorization/username to find carrier when carrier is not configured with to address

Web UI

  • Ticking the check box for an optional multiple select input (set) with one member pre-sets the only member as selected
Built 2014-12-03
Older factory release
1.35.001 (Nestor)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.34.001 to Factory release 1.35.001

BGP

  • Added import-filters and export-filters and named bgp rules to config
  • Less aggressive retry on BGP in some cases such as TCP connect failure
  • Improved BGP status
  • Withdraw of non existent route may cause parent route to be mistakenly withdrawn

Config

  • Check each interface has a unique port/vlan setting. Invalid configs will still load on bootup but must be corrected before resaving.
  • Storage and management of certificates and keys added (cannot be used effectively yet).

DHCP

  • Improved DHCP clear command and added link to clear all old DHCP

Firewall

  • Removed experimental EUI64 mapping (de-privacy IPv6 addressing) feature

Profiles

  • Added setting for expected (good) state of a profile, showing as green in status if expected, and listed unexpected on home page
  • Added profile to fixed ping graph config, and made ping on interface subject to interface profile
  • Control switches no longer show by default on NOBODY level users or those without full config access unless specifically listed in the control switch users

TCP

  • Fix TCP session stalling on large fast transfers

VoIP

  • Fix handling of 3XX SIP response from carriers
  • Fix sending of 3XX SIP status on RADIUS response

Web control pages

  • Added "add" to home page links list as order matters
  • Changed list of radius steering settings to show "ip" in list as important field
Built 2014-10-27
Older factory release
1.34.001 (Mercury)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.33.000 to Factory release 1.34.001

BGP

  • Route show lists exports via BGP peers
  • Better change detect on BGP config changes and better logging of changes causing BGP restart

CQM

  • Updated graph names to 40 characters max, and allow colon in graph name

Firewall/CQM

  • Change to allow graphs based on source IP
  • Changed MAC based graph names to include colons

Flash

  • Avoid watchdog during flash write when CPU is busy

Internal

  • Improve scheduling control when CPU is busy

L2TP

  • L2TP/RADIUS not trying second choice when first is blacklisted

Logging

  • Detect closed browser window, and close TCP session, when displaying log

PPPoE

  • Tweak to PPPoE startup sequence

Routing

  • Better next hop change detect logic (less trigger happy on config changes)

TCP

  • Add status display for TCP sessions (debug level users)
  • Correct connection timeout detection for rare corner cases. Improve TCP status display.
  • Add buffered data counts to TCP status display
  • Add window sizes to TCP status display
  • Fix TCP session hangs caused by packet drops in uncommon situations
  • Add TCP SYN cookie handling to mitigate SYN flooding

VoIP

  • Improved some VoIP error codes, fewer 500's and better logging of cause of errors
  • Added compact headers for Refer-To and Event
Built 2014-10-09
Older factory release
1.33.000 (Lucifer)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.32.000 to Factory release 1.33.000

BGP

  • Delay BGP announce until FIB update started for route in question to minimise black holes
  • Further work deferring BGP announce until routes in FIB
  • Faster BGP withdrawal
  • BGP export stats to count "default" when send-default is set
  • Change of send-default restarts BGP session
  • Change of send-no-routes correctly withdraws routes, no session restart
  • Change to use-vrrp-as-self now correctly re-announces the changed next hop
  • Possibly trigger happy BGP keep alive check when lots of peers, fixed
  • Balance load better on rx traffic between peers

DHCP

  • DHCP server now does not send default router, subnet, lease, renew, syslog, timed, ntpd, domain, domain-search, if there are manually configured response attributes for these
  • DHCP server no longer sends "name" attribute as host-name (12). Configure as an extra string attribute if required

Diagnostics

  • Showing routes was truncating if too many routes - buffer size increased

Firewall

  • Longer default start-delay on firewall rules (1 min)

General

  • Better logging to flash of source of s/w load or reboot commands

Internal

  • Adjust buffer pool sizes and thresholds to avoid buffer depletion
  • More buffer count stats added to TCP

PPP

  • Tweak to avoid resend of CHAP response to challenge if LCP restarted

Routing

  • Avoid route updates hogging all CPU

TCP

  • Improved congestion control and loss recovery
  • Fix problem with TCP window calculation causing buffer overload

TCP/BGP

  • Avoid BGP sessions being aborted by TCP if buffers run out

VoIP

  • Handling inbound RFC based DTMF mixed with audio (non DTMF) at the same time (e.g. gigaset)

VRRP

  • Delay VRRP startup while route updates pending
  • Longer startup (uses configured delay when routes are updating)
Built 2014-09-17
Older factory release
1.32.000 (Klingsor)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.31.000 to Factory release 1.32.000

BGP

  • Making BGP keep-alives higher priority, in case of really heavy BGP load
  • Fix race condition allowing BGP peer to vanish in rare conditions
  • Improved BGP shutdown sequence announces lower priority before withdrawing routes on shutdown
  • Shortened the BGP shutdown so it does not send the clears after the low-priority
  • Added configuration of BGP shutdown logic

Ethernet

  • Add new Ethernet DoS-detection parameters to config

General

  • Several minor internal changes that should improve stability

Internal

  • OS Stream and TCP restructure

IPsec

  • Peer IP added to log messages

L2TP

  • Fix for NAT via outgoing L2TP connection
  • Crash if too many graphs created with L2TP
  • RADIUS L2TP Relay for steering was sending zero length Proxy-State which is not valid
  • Outgoing tunnel did not come up / go down on profile change

Logging

  • External syslog now only includes general system log messages if specifically configured to do so
  • Fixed issue with logging causing occasional bad buffer address panics
  • Improve logging efficiency and avoid dropped log messages
  • Fixed http logging of graph URLs

PPP

  • PPP challenge response resend on no accept/reject response

Routing

  • Path/community fixed settings in routing config with multiple IPs listed caused error on memory allocation
  • Improved checking for route loops

TCP

  • Tidy TCP MSS handling. Allow minimum MSS to be as low as 200.
  • Further TCP stack enhancements
  • Fix windowing problem - possibly causing slow transfers
  • Send window updates more often - improves BGP performance

VoIP

  • Fix use of backup carrier which may have been calling in parallel
  • Added routing table on Tx/Rx log lines
  • Fix for working on routing tables other than zero
  • Changed contact style in outbound registrations, uses IP literal now and no extra attributes on end
  • Add profile to list of carriers in config

VRRP

  • Fix bug in vrrp shutdown that was slowing down other shutdown processes

Web UI

  • Show current stack usage as well as HWM in thread stats
Built 2014-08-08
Older factory release
1.31.000 (Janus)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.30.001 to Factory release 1.31.000

  • URLs fetched from the FireBrick for any reason now handle IP literals.
  • Option for URL to GET before a controlled reboot - mainly to warn nagios

DHCP

  • Minor tweaks to make NAK meet later RFCs

DNS

  • DNS fallback (default on) allows use of other tables for local lookups within the firebrick

Ethernet

  • Increased MTU to around 4k

Firewall

  • Interface option to map IPv6 source address to one based on EUI64 from MAC

Internal

  • Increase stack sizes and make route loop counter an error counter

IPsec

  • IPsec status display now shows algorithms in use

L2TP

  • Fix for steering RADIUS response - was causing RADIUS to lock up totally
  • RADIUS options to control long term shapers for L2TP sessions

Logging

  • Avoid crash when displaying logging using CLI
  • Fix crash when displaying logs using colours

TCP

  • Ongoing TCP improvements. Minor functional changes - mod to initial MSS calculation; TIME-WAIT time reduced.
  • TCP restructuring to prepare for enhancements. Includes fix for failure to resend lost SYN introduced recently.
  • Fix failure to send MSS option with SYN

VoIP

  • Tweak to handle possible overrun on SIP messages
  • Audio recording has DTMF in audio even if it arrives and is relayed as telephone events.
  • Allow wildcard contact in deregistration
  • Now sending periodic invite responses when trying/ringing/progress.
  • Send call progress 183 once we have started connecting a call and 3 seconds have passed even if far side still at trying stage
  • Accept privacy=no as well as the standard privacy=off in Remote-Party-ID to interwork with splicecom
  • Not sending ACK to contact found in 4xx response
  • Logging for VoIP messages relating to "calls" now includes REFER
  • Fix response to REFER (was 404 not 200) when non RADIUS working
  • Early call progress (at 3 seconds) now a configurable setting (default on)
  • Option to send SIP headers in long version rather than compact version
  • Tweak to ACK sending when response via proxy with Record-Route
  • Additional nonce checking for replay attacks
  • Nonce check on response even when using RADIUS (unless RADIUS did challenge)
  • Tweak to handling of expiry on registrations
  • Tweak nonce check - if no nonce, allow RADIUS auth to decide if to allow. Still checks nonce valid if present.
  • Tweak initial 100 Trying response when waiting for RADIUS
  • Avoid resend of INVITE after cancelled at 100 Trying, and not received 487 (i.e. ignore lack of 487) to avoid phantom calls
  • Internal change to handling of incomplete responses to VoIP requests
  • Initial 100 Trying waiting on RADIUS no longer tries to tag To: line as not establishing a dialogue (so, as per RFC).
  • Additional log to log-sip-call to record linkage of call-ids

Web control pages

  • Latest Safari adds xmlns attributes on every element for no apparent reason, which was breaking web config edit. Worked around
Built 2014-06-03
Older factory release
1.30.001 (Icarus)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.29.000 to Factory release 1.30.001

  • Release candidate

Config

  • Fix profile "traffic lights" in config edit (did not change state on some browsers)

Config editor

  • Minor typos in config edit

Diagnostics

  • Ping and Traceroute now accessible using GET as well as POST. GET assumes XML output
  • Fixed crash when more than one ping or traceroute diagnostic was run concurrently

DNS

  • DNS resolution and caching is now routing table specific
  • DNS fallback option - for incoming requests if no server in required routing table relay to any DNS available - default true

L2TP

  • Fix for race condition in RADIUS/L2TP causing crash

Logging

  • New log-config setting in system to specifically log config changes

Ping

  • Added ping stats to XML for ping/traceroute

PPPoE

  • IPv4 local end would "stick" if changed from having IPv4 to not (i.e. IPv6 only)

Profiles

  • Slight change to control switch graphic
  • A new control switch profile will now start with the initial value.
  • Control switches can now use and/or/not logic to enable them to be set or reset by other profile changes.

RADIUS

  • Fix race condition

VoIP

  • Added source ip option to bulk voip carrier config
  • Added default source IPv4/6 for sending potentially authenticated SIP messages
  • Added default source IPv4/6
  • Better handling for failed calls where auth required and none available. Was continually retrying.
  • Fix for RADIUS based REGISTER check where expires is on contact not its own header
  • Handling missing contact in ACK
  • Handle repeat failed auth on INVITE
  • Limit retries on final BYE or CANCEL if unable to send
  • Added direct URI for telephone user (called in addition to registered contacts)
  • Corrected in-band DTMF generation logic, previously intermittent
  • Added option for outgoing registrations to use a wildcard domain instead of a line= attribute
  • Added some initial SNMP stats for VoIP (number of call legs and RADIUS based incoming registrations)

Web control pages

  • Link to see DNS server details on IPv6 was broken URL on some browsers
  • Minor change to control switch profile images to help colour blind users
Built 2014-04-03
Older factory release
1.29.000 (Hendra)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.28.000 to Factory release 1.29.000

  • Release candidate for testing

Authentication

  • Added manual section on OTP

DHCP

  • Subnet list shows pending DHCP client subnets
  • Typo in DHCP logs

DNS

  • Min nxdomain of 10 seconds now

FB105

  • Log (rather than crash) if a badly fragmented 105 tunnel packet is received

Firewall

  • Some cases of setting multiple aspects of a session in one go did not force a re-evaluation of target route for new IP so could affect other tests and NAT checks

Internal

  • Increase ethernet transmit max queue size to avoid packet drops during bursty transmissions.

IPsec

  • Support all crypto key lengths when using manual keying. Avoid crash when IPsec is under heavy load.

L2TP

  • Added Proxy-State on session steering RADIUS requests
  • Added control of reply hostname on incoming L2TP connection
  • Added default hostname (system name) on outgoing L2TP connections

NAT

  • New chapter/section covering Network Address Translation

PPPoE

  • PPPoE server (BRAS) handling of standard GEA Agent Remote ID and Circuit ID as called/calling and downstream speed setting
  • PPPoE handling general VLAN tagging
  • Added text NAS-Port to RADIUS when using PPPoE "port{:vlan}/MAC"
  • PPPoE did not handle VLAN priority tagging on inbound packets
  • Some extra debug of unexpected PPPoE messages or fields

Profiles

  • Profiles can now test an ethernet port status

RADIUS

  • New section of manual explaining RADIUS client settings and timeouts

Routing

  • New source-filter-table setting on interfaces to allow separate source filtering lists to be managed using routing tables

SNMP

  • Updated manual to include FireBrick specific SNMP in appendix

TCP

  • Add debug logging for aborted TCP sessions; avoid tcp timeout control upsetting TIMED_WAIT state.

VoIP

  • Additional beep option for where "Record" button is used on snom phones
  • Extra debug on call states
  • Dynamic carriers existing would lose some non dynamic carriers on config load, fixed
  • Fix shutdown delay
  • Added option for controlling CLI format to telephones
  • Added config for tones when no media for calls to a carrier
  • Was sending invalid Via header for IPv6
  • Picking up correct expiry when less than requested on outbound registrations but not sent Expires header (e.g. sipgate)
  • Fixed possible crash on malformed SIP message
  • Tweak to allow call steal from your own number, i.e. when multiple registered devices
  • Added option to re-map 404 error to a carrier
  • Faster, and more concurrent outbound registrations - better handling of registration changes
  • Fix for mixed sample size call recording (e.g. when 10ms one way and 20ms other)
  • 415 unsupported media response to reinvite with unknown media
  • Possible stuck outgoing registrations fix
  • Tweak to allow radius based SIP target to control domain on From header
  • Added available buffer check on call set up
  • Added additional named tones to defaults
  • Changed auto registrations to use same realm in From as in To
  • Sending RADIUS response for CLI of "Allowed" was not unsetting withheld flag
  • CLI handling tweak
  • Loading new register URL list clears proxy (from redirect) on change of config

Web UI

  • Fix broken XML links in system status pages
  • Add memory block usage to system status memory page (alpha releases only)
Built 2014-01-09
Older factory release
1.28.000 (Gordius)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.27.001 to Factory release 1.28.000

Bonding

  • Minor change to bonding to minimize packet reordering on arrival

Config

  • Removed profile from port groups as not used
  • Replaced shutdown with profile on ethernet control settings
  • Added "Test" option to config save to automatically revert if not properly saved within 5 minutes.

DHCP

  • Added domain-search attribute, as it is specially coded

Diagnostics

  • Temporary diagnostics added for tracking down odd problems

Firewall

  • Load sharing (on route override and session tracking rules) now allows sharing to be based on hash of IPs rather than random

Internal

  • Introduce new flash driver - currently for alpha builds only

IPsec

  • Fix problem with local-ip not always taking effect.
  • Fix crashes associated with NAT keepalives when sessions close
  • Fix IPsec crash during session init when repeat message received
  • Fix another IPsec corner case causing panic when IKE packets are dropped/repeated

L2TP

  • Added option to allow relay RADIUS auth reply to specify relay to another RADIUS server for auth or session steering.
  • Further minor tweak to bonding to improve re-order issues
  • Adjusted L2TP to drop routes before sending accounting RADIUS

LEDs

  • Knightrider pattern (displayed when no ports connected) was running too slowly

Logging

  • Improve flash log replay at system startup. Should fix problem with non-detection and emailing of panic logs.
  • Fix problem causing non-detection of panic message at system startup

Pcap

  • pcap web interface allowing multiple select interfaces to match underlying capabilities

VoIP

  • Changed aggregate call status handling to just be highest status, and removed group values
  • Adjust to pick first priority on SRV even when DNS not cached (was falling back in such cases)
  • Added de-registration on removal of carrier and on reboot
  • Adjusted max-calls to a telephone to test before calling all registered devices, so they all get calls rather than only some when limited
  • Edge case could mean incorrect count of dynamic VoIP registrations
  • Minor tweak for RADIUS call leg log accounting - seemed to miss some STOP records.
  • Improved log for ICMP error
Built 2013-11-05
Older factory release
1.27.001 (Fidelio)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.27.000 to Factory release 1.27.001

PPPoE

  • PPPoE shows uptime

VoIP

  • Added max time limit on call establishing (e.g. ringing forever not allowed), 5 min default
  • Edge case where VoIP would not send if fixed source address specified in some cases, typically IPv6
Built 2013-10-31
Older factory release
1.27.000 (Fidelio)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.26.010 to Factory release 1.27.000

Authentication

  • Allow more than one OTP with same key if different serial number

BGP

  • Corrected BGP OPEN message handling to ignore unrecognised capability advertisements
  • Additional peer level import-tag to add communities to all imported routes
  • Additional test for community not present in BGP rules
  • Additional community tagging on network statement
  • Fixed display of NETWORK route to show BGP attributes
  • Fixed as-path in NETWORK routes, was not being set
  • Added as-path and tag to loopback
  • Updated BGP decision process to handle differentiation of route reflectors
  • Added additional info in show route for RR
  • Fix show bgp routes command (was crashing)
  • Added command to refresh outgoing routes on a BGP session
  • Stopped sending additional withdraw for routes during BGP session startup
  • Fix locally generated community tags on network and loopback (was dropping last tag)
  • Added tag and as-path to blackhole and nowhere
  • BGP status shows count of exported routes as well as imported
  • Re-sends announced routes on some BGP config changes, rather than restarting BGP session
  • The send-default option sets no-export community on the default route that is sent

Config editor

  • Tidy some help text on web config

DHCP

  • Allow allocated IP on one interface to move to another valid interface for that IP for same device if no other IPs available
  • Simpler DHCP options for vendor specific (43) options

DNS

  • Change to DNS server load balancing and timeout logic
  • Status of DNS servers now on web config pages

Firewall

  • Special startup delay on generating bad sessions and rejects from incoming traffic to allow outgoing sessions to re-establish (when not using NAT)

IP

  • Better handling of UDP port allocation clashes
  • UDP/TCP port binding counters added to one second stats

IPsec

  • IKEv2 support for IPsec added. Not yet fully implemented
  • Added UI status page; fixed problem with rekeying
  • Fixed IPsec i/f not always showing in firewall UI i/f lists. Fixed crash when turning profile off.
  • Added support for SHA256; further stability improvements.
  • Fixed routing problem
  • Improve IPsec UI status page and other minor changes. Note for manually-configured connections the config item "ipsec" has been changed to "ipsec-manual".
  • Further improvements and tidying up.
  • Correct problems with UI status and graph display
  • Fixed NAT problem
  • Fixed dropping of initial packets on on-demand connections.

L2TP

  • Adjust matching L2TP incoming config on config load based on name attribute

Logging

  • Detect failure to connect to mailserver
  • Improved route check for syslog targets to allow for NOWHERE and other silly targets to be skipped, also improved logging

PPPoE

  • Edge case where removing PPPoE from config could cause a crash
  • Fast-retry option on PPPoE

Product

  • Introduce ETUN tunnelling on fully-loaded 2x00 models

Profiles

  • Changed control-switches to use comment on screen not name

RADIUS

  • Adjusted RADIUS timeout handling
  • Fixed show radius [ip] command

s/w upgrade

  • Improve error message if auto s/w or capability upload fails

SNMP

  • Fix very slow SNMP responses when collecting switch stats

TCP

  • Fix leak in TCP port allocation when sending log emails or downloading URLs

VoIP

  • Fix for routing SIP to IPV6 on 2002::/16 address space
  • Additional steps to avoid looped RTP causing a crash
  • Tweak for handling of bad ACK responses on incoming reinvites on outgoing calls
  • Fix leak in UDP port allocation used, causing VoIP to eventually stop working after around 31000 calls
  • Better logging for RTP port allocation errors
  • Tweak for case where VoIP runs out of ports or too many calls
  • Better handling of ring group progress when some phones are busy or not registered.
  • Possible crash when viewing dynamic registrations
  • Edge case where call ID can be re-used
  • Added a ringall_time to VoIP groups to force ringing all phones after a certain time
  • Added separate initial progress time for cascading calls in ring groups
  • Adjust call progress on group to be quicker where a called target fails, rather than waiting progress time anyway
  • Added option not to zap the display name when anonymous calls sent to phones, sends the withhold prefix as number instead. Per phone setting
  • Possible crash if configured with black proxy
  • Added "age" column to VoIP status for phones showing reference for order="oldest"
  • Changed call-id

VRRP

  • VRRP status shows the MAC in use

Web control pages

  • Colour coded state on web list for PPPoE and RADIUS
  • Config edit better handling cases where option in pull down is no longer valid (e.g. deleted profile still referenced)
  • Fixed DHCP status name setting feature
  • Improve error message on s/w upload page
  • Minor layout improvements on login, home and status pages
  • Minor improvement to status page and UI config edit tunnels page

XML config

  • Changed some names to be xsd type NMTOKEN not string, so removing spaces - it is possible some configs with names only differentiated by spaces may not load correctly
Built 2013-07-24
Older factory release
1.26.010 (Enigmatist)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.26.000 to Factory release 1.26.010

Config

  • Made local-only optional again and default true for http services

FB105

  • FB105 tunnels with non-default port setting were not working.

Profiles

  • Converting a profile to a control-switch now sets control-switch to previous profile state when config loaded

VoIP

  • Better handling of sip:user:pass@host syntax if pass contains unescaped @ symbol
Built 2013-07-18
Older factory release
1.26.000 (Enigmatist)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.25.101 to Factory release 1.26.000

ARP

  • Change to respond to requests that are normally considered an invalid/broken configuration (seen from sharedband bonding kit)

CLI

  • ping and traceroute commands no longer need =true when specifying dontfrag or xml
  • Spacing of columnated output improved

Config

  • Allow colon, dot or hyphen inter byte punctuation in HEX in config

CQM

  • Changed to hash used for extra long graph names

DHCP

  • Fix DHCP allocation error when using 0.0.0.0/0 with multiple subnets available

Diagnostics

  • Ping and Traceroute diagnostics now have a "Don't fragment" option (for IPv4)
  • Max ping payload adjusted to ensure reply from ethernet will be accepted

Ethernet

  • Ethernet MTU/MRU max increased to 2000 bytes (default is still 1500).

FB105

  • Minor improvement to config change mechanism
  • Added experimental split latency bonding feature to FB105 tunnels for satellite link testing
  • Fixed excessive debug logging of bogus FB105 packets

Firewall

  • MAC based shaper/graphs as option in firewall rules, aimed at WiFi management
  • Added check on source MAC in rules

Internal

  • Minor performance enhancements.

L2TP

  • Added logging in L2TP for DHCPv6 allocation
  • Updated manual pages for L2TP operation as an ISP
  • Fix missing session closing stats in some cases

Logging

  • Fixed buffer overrun issue when very long syslog messages

Manual

  • Additional work on manual - note several sections removed from FireBrick web site as they are now in the manuals with each s/w release

Profiles

  • Option for profiles based on a simple switch on home page

RADIUS

  • Added RADIUS timeout scaling factor

Sessions

  • Fixed problem causing crashes or garbled output when session table display timed out or was interrupted

TCP

  • Fixed problem with generating reset packets

VoIP

  • Changes to CDR layout, see manual.
  • Slight change to SDP to keep CISCO handsets happy.
  • Early media sometimes passing multiple calls' media to caller on ringing multiple targets
  • Adjust target IP of ACK to match responded invite if no contact in response being ACKed
  • RADIUS delayed calls were moved forward if there were any delayed calls even if existing calls were still trying
  • Not always passing ringing media.
  • Adjusted RADIUS registration so that not sending back a called number causes a sensible reply but not recording the actual registration state
  • Added User-Agent sent as Class on RADIUS
  • Added additional fields to RADIUS authentication (Call-ID)
  • Corrected SIP_AOR RADIUS to full contact URI not just local part in auth request
  • RADIUS call to sip: target default inheriting display name from caller
  • Change to DTMF and tone generation where an underlying tone is also being generated
  • Adjusted "Called number" on RADIUS auth to be the request URI not "To" field
  • Wrap up time not considered if not actually set (edge case of multiple registered phones tripping it)
  • Added control of domain used on outbound SIP calls
  • Made "To" setting on carrier into a list
  • Local phones with no configured DDI were not registering correctly.
  • Avoiding radical RTP sequence steps after calls placed on hold.
  • Carrier setting to pass on hold state
  • Tweak re-invites where additional Record-Route headers are causing problems
  • Added contact in re-invite response
  • Adjusted re-invite handling slightly
  • Adjusted handling of Refer-To to be more correct and now work with CISCOs
  • Call clearing race condition if cleared before ACK received
  • Corrected audio sequence/ts sync adjustment, especially where DTMF events processed
  • Allow longer CDR user field (up to 255 characters)
  • Looped RTP (i.e. giving our details as RTP endpoint back to us) could cause a crash
  • Edge case if set up via RADIUS only to make delayed calls then advance to first of those calls at start
  • Decrement Max-Forwards when relaying on an outgoing call to stop loops, even though we are not actually a proxy
  • Changed User-Agent to report version number and added configuration option
  • Option to disable the recording start beep
  • Clarified use of RADIUS fields for URI, To: and From: on authentication requests
  • Faster clearing of call recording to avoid 3 seconds of silence on the end
  • Small memory leak in multiple recorded call legs
  • Call status was not always showing the recording leg
  • Changed logging options to specifically control SIP traces
  • Adjusted retry timing on DNS and related VoIP operations
  • Allow 'X' in extn for incoming calls via carrier, for SIP-trunk use
  • Fix sip:user:pass@host syntax
  • Added support for asterisk style sip:user:pass@host/number
  • Allowed list of extn and ddi on group config
  • Added emergency-uri to allow for emergency calls via configured URI
  • Added default carrier setting
  • Added carrier setting for ring groups for external numbers connected to the group
  • Change layout on web config for VoIP users, groups, carriers, etc.
  • Corrected logging to use sip-other for OPTIONS, etc. Was going to sip-register
  • Made OPTIONS not respond, or challenge of external user matches, when in PABX mode so sipvicious does not find PABXs
  • Added option for backup carrier
  • Minor adjustments to pass through of calling/called number on calls including withheld status
  • Race condition on tone generation that could cause a crash
  • Changed port numbers to be prefixed : not # in logs.
  • Corrected logging of NAT subscriptions records over reboot
  • Tweak to challenges on VoIP, and added option for RADIUS to return stale status
  • Possible call recording race condition fix

Web control pages

  • Fix firewall check web interface when long strings of IPv6 addresses used
  • Improved and simplified use of html and css in basic page layout
  • UI min page size changes with size of side menu
  • Improve system thread stats page
  • Changed URLs for .js and .css to be version specific to avoid cached old files showing wrongly
  • Added handling of a user set at "nobody" level, to allow access to profile switches
  • Added uptime to login screen when viewed from a trusted IP
  • Improved layout of FB105 config
Built 2013-06-02
Older factory release
1.25.101 (Dexter)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.25.010 to Factory release 1.25.101

BGP

  • Changed default for vrrp-as-self on BGP config to be true if peertype is customer or transit (where vrrp used to maximise uptime in event of failure)

Firewall

  • Changed session track logic to better handle spoofed TCP sessions
  • Slight adjustment to some default session timeouts

L2TP

  • Make Acct-Delay optional parameter in L2TP accounting, if not sent the packet is identical on resends making duplicates easier to spot in RADIUS server

PPPoE

  • Closing PPPoE more cleanly on shutdown

RADIUS

  • RADIUS being too aggressive with retry times, and recording timeouts too quickly

Routing

  • Added lightweight source filter option on interface: "blackhole" that checks source address is routeable to anything sensible, allowing blackhole routes to block source traffic

TCP

  • TCP timeout improvements. Now less aggressive when recovering from packet drops, and in particular when faced with spoofed source TCP SYNs

VoIP

  • RADIUS controlled calls sending invites before setting CLI
  • CDR not being logged for outgoing calls
  • RADIUS connected calls delayed up to a second starting call - fixed
  • Edge case of malformed SIP reply causing call to stay in a Done/Wait state indefinitely
  • Issue with persistent data getting stuck with lots of duplicate registrations.
  • Parser improved to allow for malformed packets causing watchdog
  • UK CLI formatting generating duff SIP headers
  • SIP URIs with no local part were treating host part as local, breaking CLI logic
  • Change to RADIUS accounting, additional fields for SIP URIs and original Call-Id
  • Race condition could fail to send a RADIUS STOP after a START sent if call immediately fails
  • Added support for RADIUS DISCONNECT to clear calls in progress using Acct-Session-Id
  • Incorrect matching of escaped characters in SIP headers causing issues with matching SIP replies
  • Allow lists on VoIP config were not allowing named IP Groups
  • Fixed crash caused with local VoIP registrations expiring
Built 2013-05-27
Older factory release
1.25.010 (Dexter)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.25.003 to Factory release 1.25.010

L2TP

  • Fixed session inconsistency on relayed connections where relay fails
  • Was constantly trying accounting RADIUS on all sessions every second if no RADIUS configured or responding
  • relay-pick feature not quite right
  • Odd case of tunnels/sessions clearing with negative timers, logic changed to avoid this

Logging

  • Additional one second stats and change to the way counters are shown on them

TCP

  • Reset TCP connection on seeing badly formatted options

VoIP

  • Some cases of registrations getting duplicated/stuck, fixed

Web control pages

  • Fix possible lock up under constant TCP port 80 attack, now recovers quickly
Built 2013-05-25
Older factory release
1.25.003 (Dexter)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.24.001 to Factory release 1.25.003

Config

  • Changed ip= to host= in radius servers as this will shortly work for hostnames as well as IPs
  • Correct detection of which features are enabled in UI config edit
  • Added field length restriction checks on graph names

CQM

  • Long graph names are now mapped to a hash to fit within size of graph name internally
  • Removed some debug log for pings/DNS

DHCP

  • DHCP address allocation for new devices changed to be more reliable
  • Finally found issue with "no IP available" on DHCP serving.

DNS

  • Added sanity check on TTL (1 sec to 3600) for internal caching

Firewall

  • Fix to NAT logic when mapping traffic through the FireBrick and not setting source address
  • Adjusted NAT cancellation logic to avoid NAT to/from brick itself
  • RFC4787 recommends min 2 min and default 5 min for UDP NAT, so defaults for initial and ongoing set to 2m and 5m
  • Exception for UDP ports under 1024 (e.g. DNS) as allowed by RFC4787
  • Corrected Age & Idle stats on session table to actually be seconds (was units of a few seconds)
  • Showing session queue time in seconds/minutes/hours

GGSN

  • Correct faked proxy LCP negotiation, was using wrong tag for auth and same magic both ways

Internal

  • Some thread priorities adjusted.
  • Avoid SSP error report during system shutdown/reboot

IPsec

  • IPsec with manual keying available on 2500 and 2700
  • Minor tweak on IPsec code for performance
  • Avoid crash when changing IPsec config
  • Improved UI layout for IPsec config
  • Fixed problem with HMAC_SHA1 authentication
  • Further changes to IPsec config settings
  • AH processing added. Statistics counters added. Improvements to config checking.

L2TP

  • Changed format of L2TP session IDs (same length), starts S
  • CoA/Disconnect using new "control" type field to verify requesting RADIUS server
  • Corrected RADIUS attributes used for DNS to Vendor 311 AVP 28 and 29
  • relay-nas-ip is now an L2TP setting not a RADIUS setting
  • Changed L2TP auth over to new RADIUS module
  • Fix handling of relay L2TP where tunnel password is longer than 16 characters
  • Moved L2TP start records to new RADIUS
  • Added require-radius-acct option to L2TP, clearing connection if RADIUS accounting fails
  • Major rework of L2TP RADIUS handling
  • Added table to debug for L2TP routing (when non zero)
  • The system to detect spurious post negotiation PPP chatter was picking up protocol rejects, now changed to only measure conf requests
  • log-debug from matching incoming L2TP tunnel now used on PPPoE and GGSN sessions

Logging

  • Log target UI extended to enable setting of colour to be used in web log view. Critical system error counters are now logged to the system error log target every second, and by default displayed in red.

Manual

  • Some updates to manuals - reworking CLI references
  • Manual now includes L2TP AVP appendix
  • Manual now includes L2TP RADIUS AVP appendix
  • Further documentation updates regarding VoIP
  • Added the config field and data type descriptions as an appendix to the manual
  • Updated command line reference in manuals
  • IPsec chapter improved

RADIUS

  • Fix crash on timeout of RADIUS server (VoIP specific at present)
  • Sanity check on timing stats on RADIUS server
  • Not using blacklisted RADIUS servers
  • Internal changes to make RADIUS code more defensive to issues
  • Configurable timeouts per RADIUS server
  • Crash in some cases on RADIUS when request cancelled (i.e. due to excessive time taken)

Routing

  • Source filter option on interface to help with BCP38

TCP

  • Fixed a problem in TCP processing which could cause a hand-crafted poison TCP packet to crash the FB

VoIP

  • VoIP CDRs via RADIUS for initial testing
  • Changed REGISTER to use "username" as localpart for contact not "name", if username is set.
  • Changed session ID on VoIP RADIUS accounting to start I or O for call direction
  • Added pabx setting to voip to control some defaults
  • Added subscription control on telephone/hunt-group
  • Changed pikcup-allow to allow-pickup in config
  • Optional variant of UK CLI formatting to replace zero with the letter O, which may look clearer on some CLI devices
  • Started some work on VoIP REGISTER/INVITE RADIUS requests.
  • Separated different radius types in VoIP config
  • VoIP/RADIUS routing to sip: and to @carrier routing working
  • VoIP/RADIUS routing delayed connect working
  • VoIP/RADIUS routing to tel:number for registered connections
  • VoIP/RADIUS CLI setting in routing
  • VoIP/RADIUS Updates for some initial CDR improvements
  • New CDR logic, detailed in full in the manual. This is a change to log format, and also separate log-cdr setting
  • Added concept of a sticky CDR (stays on a specific call leg only) for recording incoming legs, e.g. 0800 numbers, etc
  • Added support for 302 redirect response to outgoing registrations
  • Added additional option for RADIUS response to cause a 302 redirect response
  • VoIP/RADIUS: Updated the AVPs used, and documentation and tested RADIUS access requests sent when expected
  • Added force-dtmf to carrier config to force in-band DTMF to carrier
  • Added call recording features - tees off a SIP call to an endpoint that is expected to handle the recording
  • Added recognition of pcma/8000/2 for stereo feed to call recording
  • Re-invite (e.g. placing on hold) on call clear was causing re-connect in some cases
  • VoIP now only does RADIUS where specific radius server name is configured, not using default (e.g. L2TP RADIUS servers)
  • Updated layout of config page
  • Buffer leak fix in VoIP recording
  • Finer control of automatic call recordings from telephones (in-only, out-only, or both)
  • Better control of non local registration, invites, options, etc not challenging if not a known user that allows non-local requests
  • Reworked the RADIUS call routing response code and documentation
  • Added control over security replies (i.e. not challenging or replying to non local unknown users) defaults true
  • Added support for sip:user:pass@hostname for direct authentication
  • Audio blocked (hold tone) if record-mandatory set and call recording not yet established
  • Added controls over display name in RADIUS call routing
  • Extended size of CUI in CDRs, and fixed duplicate accounting of CDRs in some cases
  • Better handling of recording where the recorded leg goes on hold
  • Added ring time to CDR
  • Made sticky CDR log even if call not connected, duration is minus and call status
  • Added connected number to CDR, i.e. who first answered hunt group call, if different to dialled number
  • Added general call response code as well as 3XX response codes and redirect in RADIUS
  • Added redirect response handling for RADIUS replies for REGISTER
  • Removed OPTIONS as we are not actually supporting or generating any
  • Added Expires header (Session-Timeout) to REGISTER RADIUS request so de-register can be identified
  • Fix issue with outgoing REGISTER, and tested redirect response handling to outbound REGISTER
  • Better handling of redirect 3xx response from non telephone outgoing call legs
  • Added count of dynamic (RADIUS based) registrations to pre-shutdown report
  • Changed logic to use configured proxy, but with domain using registrar hostname
  • Early media passthrough
  • Buffer leak in ICMP handling fixed
  • Added space after colon in SIP headers as per "should" in RFC3261, to keep sipsak happy
  • Better ordering of call status on web page
  • Fix theoretical failure mode with duff SIP packets
  • Handling 401/407 challenge on outgoing SIP where no credentials available (treats as 403)
  • Recording failure possible after several recordings
  • Hold tones not working, fixed
  • Added tone documentation and fixed test URL
  • Better detect of phones not configured for a-law
  • Fixed REFER details on RADIUS (correct called party)
  • Additional sanity check on SIP message receipt
  • Improve handling of ICMP errors
  • Fix stuck call on timeout responses
  • Corrected duplication registration issues
  • NAT support on RTP - replying to sending IP/port if request was via simple NAT
  • NAT poking of registrations that are through simple NAT every 60 seconds
  • Adjusted session timeout logic to only timeout on both sides timing out

Web control pages

  • Web diagnostics such as ping and traceroute would block access to graphs and some other functions, fixed

Web UI

  • Fix UI config edit layout of a normally hidden item when it has been set.
Built 2013-04-20
Older factory release
1.24.001 (Crispa)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.23.001 to Factory release 1.24.001

L2TP

  • Changed default lockout timeout on relayed tunnels to 3 minutes
  • Use graph setting on local termination L2TP/PPPoE using match

Logging

  • Minor changes to default settings for system log messages

Routing

  • Changed logic for next hop checks where gateway is on multiple subnets, where at least one of which does not answer ARPs causing route to be suppressed

Web control pages

  • Changed web status pages to not show unused menus even in debug level user
Built 2013-04-19
Older factory release
1.23.001 (Bunthorne)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.22.001 to Factory release 1.23.001

Config

  • The factory config has been changed to set separate port groups and interfaces for each LAN port. Note that this means the FB does not, by default, act like a layer 2 switch over the LAN ports.

Config editor

  • Moved VoIP config to separate icon
  • Improved layout in config editor for radius service

CQM

  • Off line detect on graphs with no timing (e.g. FB105 tunnels) was wrong, causing yellow traffic light
  • Added CQM logging of when graphs start and stop responding
  • Fixed use of = on numeric arguments for CQM graph URLs
  • CQM graphs corrected to show damping data
  • Redefined when keys show on graphs
  • Added additional stats to CQM XML
  • Fixed aggregate L2TP CQM graphs not showing damping, work around for older code is to add ?fud to URL
  • Percent loss not scaling properly, so wrong when under 100 pings/LCPs

Dongle

  • Fixed buffer leak and resulting watchdog panic caused by dongle negotiation repeatedly failing.

Factory reset

  • Changed factory reset to be consistent with separate LAN ports

L2TP

  • Tidy the logic for CQM on slow LCP echo to show actual sent count.
  • Changed default localpref for L2TP/RADIUS Framed-IP-Address to 0 instead of MAX. Being a /32 it is normally best route anyway, but this change allows a Framed-IP-Route /32 to set a metric where required.
  • Increase to calling and called circuit ID in negotiation of L2TP to 64 characters consistent with platform RADIUS.
  • Changed PPP negotiation to close if repeated unexpected PPP negotiation after PPP completed
  • Some additional route looping protection

Ping

  • Ping file load now allows host names not just IPs
  • Logging for ping graphs (e.g. DNS lookups, etc) now to CQM logging target

PPPoE

  • Fixed crash if pppod configured with no name field

RADIUS

  • RADIUS server config changed to single object type <server...> in services/radius with a type saying if authentication or accounting, etc.
  • Changed port to auth-port in services radius, and added separate control-port for dynamic RADIUS
  • Additional matching for (platform) RADIUS service (source and target IP of RADIUS request)
  • Added support to handle NAS-IP-Address in RADIUS response for L2TP to specify the local end IPv4 negotiated on IPCP - does not add routing or loopback for this
  • Platform RADIUS allows configurable secret based on matching rules
  • Platform RADIUS has option to require authenticator in request
  • Platform RADIUS supports RADIUS-Status-Server message
  • Platform RADIUS now logs the requesting IP and target IP

Routing

  • Network statement was not using profile, fixed
  • Added gateway feasibility testing to static routes in the same way as BGP routes

Subnet

  • Subnet test can report one second false positive every 3 minutes, fixed
  • Config load causes a suppressed subnet (test failed) to have false positive for one second
  • Subnets with a test would start assumed active, now changed to start assumed inactive

VoIP

  • Change to handle SIP from Gradwell VoIP
  • Minor tweaks, better use of uri in auth reply, only sending auth reply once, etc.
  • Made repeat 401 or 407 treated as a 403 on INVITES
  • BYE was not sending to Contact from 200 header, changed.
  • Correct handling of Record-Route and Route headers for proxied servers such as sipgate
  • Fixed multiple Max-Forwards on REGISTER
  • Added extra debug after reports of unexpected DNS lookups
  • Fixed direct incoming SIP to a target using to="@..."
  • Added I/O (in/out) to CDR log
  • Tweak incorrect picking up contact from 1xx responses
  • Change to retry for 401/407 response - tries a few times in case stale response
  • Change to ensure CANCEL follows same route as original INVITE even when target has multiple IPs in DNS
  • Change to correctly delay resend of INVITE once correctly matched 100 trying received
  • Change in From heading not to include a blank display name if no display name set
  • Prefix CLI with ? where not trusted from a carrier
  • Added UK format CLI as text option
  • Made UK CLI formatting default if not set and no display and country is 44
  • Crash on lots of calls fixed
  • Crashing calling IPv6 phones
  • Clarify in config help that ddi is international format number
  • Added area-code to telephone config to override default for calls from that phone
  • Added CLI format option on carriers, default national

Web control pages

  • Added option to set Access-Control-Allow-Origin response to allow cross site javascript access to FireBrick. USE WITH CARE as could compromise your brick by remote hosted javascript re-using a login session.
  • Some menu items only shown if debug level user or if menu has some contents, specifically aimed at Status menu items for unused features

Web UI

  • Added warning on home page when a reboot is necessary to activate new features

XML config

  • Typo in help text
Built 2013-02-25
Older factory release
1.22.001 (Araucaria)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.21.001 to Factory release 1.22.001

CQM

  • Removed standard deviation from CQM graphs
  • Added reject count on ping graphs (ICMP error response) - new CQM xml definition
  • Changed fail on graph (dripping blood / red), and reject, to be percentage based

Internal

  • Fixed problem with allocation of multiple flash blocks when saving images or large configs or data. Please ensure you have a copy of the config before a manual upgrade. Save config several times on FireBrick to minimise risk of issues.

L2TP

  • Changed platform radius matching code for L2TP to handle longer challenges than 16 (now 64)

Ping

  • Slow setting on ping now defaults to auto, i.e. when no proper replies for 2 minutes, but can be set true or false

Web control pages

  • No longer shows Wholesaler on status page (unless enabled for alpha builds)
Built 2013-02-22
Older factory release
1.21.001 (Zoe)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.20.001 to Factory release 1.21.001

BGP

  • Reversed a previous change which affected network statements. Default localpref set to max as before. Could cause issues if BGP announcing and accepting own AS on external transit.
  • Fix BGP export community checking for built in community values

Config editor

  • Adjusted some of the help text on config edit
  • Traffic lights for profiles in config edit (on profile list and lists which reference profiles)
  • Added recommendation in config recommending separate VRRP ID on separate VLANs
  • Added "(b/s)" on description for rates in config

Factory reset

  • Added PPPoE client in factory reset config on LAN as well as WAN

Firewall

  • Tweak for firewall logic where target interface is a 6 to 4 tunnel to resolve final interface
  • Adjusted session track handling on memory exhaustion
  • Added more fields to session table
  • Fixed bug in checking rules for interface="" where logic was not correct
  • Not setting NAT for dongle/PPPoE if traffic from the FireBrick

Internal

  • Change to improve shutdown / reboot sequencing and timing

L2TP

  • Extra option in L2TP relay controls allowing picking one of the relay IPs at random first
  • Slightly better debug for RADIUS count issue, use of volatile on state control, and adjust polling task

NTP

  • NTP server field name now changed name and set to default which is ntp.firebrick.ltd.uk. Please configure any preferred ntp servers

Ping

  • Changed ping graphs to follow firewall/mapping rules on outgoing packets

PPP

  • Fix minor discrepancy in NAK and REJ logic on PPP

PPPoE

  • Was incorrectly adding far end IP as a DNS server
  • Added some level of backoff on PADI, longer if never seen PADS

s/w upgrade

  • Longer backoff on s/w upgrade checks where no DNS available

SNMP

  • Added iso.3.6.1.2.1.1.2.0 sysObjectID

Subnet

  • When changing a subnet, a new MAC is allocated - it now picks from subnets in same port/vlan first

VoIP

  • Fix potential crash on voip config change

Web control pages

  • Username on web footer
  • Added port/VLAN to subnet list

XML config

  • Changed services/platform-radius service to be services/radius as plans to expand config for other types of RADIUS
  • Moved RADIUS authentication and accounting lists from l2tp to services/radius
  • Changed error messages on config load to provide more context - shows XML around the error point
  • Corrected syntax check on XML duration with spurious letters
  • Added new restrict-mac field to interface definition - NOTE: USING THIS MAY CHANGE MAC OF SUBNETS IN USE
Built 2012-12-06
Older factory release
1.20.001 (Yalena)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.19.001 to Factory release 1.20.001

  • Changed [not] to [inverted] in Profile logging text.

BGP

  • Note that the localpref default is 0 for network statements on this factory release.
  • Adjust next hop logic in presence of VRRP to avoid incorrect use of VRRP address in some route passing
  • Fix debug log of accepted prefixes on BGP, was showing garbage extra bits

CLI

  • Fix double line spacing on some command line output
  • Added a "show run" and "import config" in telnet/command line allowing dump and upload of raw XML.

Config editor

  • Moved css-url to http services config, will need editing as not automatically moved

CQM

  • Configurable latency Y axis
  • Ping only graphs (i.e. no throughput) now have standard deviation on ping timings
  • Minor change to default colours
  • Corrected showing of "off line" on graphs
  • Minor tweak on graphs
  • Setting Y axis latency in ms on graphs as part of URL

DNS

  • Malformed DNS packets could cause a crash, fixed

Factory reset

  • Change to "recovery" factory default to have separate LAN ports
  • Default timeserver set to ntp.firebrick.ltd.uk rather than pool.ntp.org

L2TP

  • Additional control over timeouts on L2TP
  • Changed default timeouts on outgoing L2TP client sessions - faster recovery and retry
  • Possible lockup and watchdog in cases of unresponsive RADIUS servers
  • Added quota (tx) to L2TP (as RADIUS filter code Q)
  • Added quota (tx, or tx+rx) and terminate action to allow radius accounting on exceeding quota or session timeout
  • Added Filter-Id and Session-Timeout to all RADIUS updates, was just Start record, as some data can change dynamically
  • L2TP should now accept RADIUS CoA sooner - was not accepted until PPP negotiation had finished

Ping

  • Allow configuration of larger ping packets

PPP

  • Improvements to checking and timing in PPP processes
  • Slight change in PPP sequence numbering
  • Minor tweaks, including new accept-dns in dongle config
  • Improved debug / logging for PPP connections
  • Support PAP as client login on PPP
  • Adjusted retry timeouts on PAP/CHAP requests
  • Corrected PPP client PAP continuing to IPCP

PPPoE

  • Tweak to handle multiple service responses in PADO

Profiles

  • Improved logging after non state change profile
  • Date/time profile tests when clock not set assume initial state
  • Date/time profile tests now have comment field in config

Web control pages

  • New layout for ping and traceroute allowing XML export
  • traceroute and ping now reporting a "firewalled" response if seen, rather than just unreachable
  • Web interface showing system name on title if trusted IP

XML config

  • Fix factory reset config
  • Changed XSD duration to an FB type that uses saner syntax [[HH:]MM:]SS
Built 2012-10-10
Older factory release
1.19.001 (Wilhelmina)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.18.001 to Factory release 1.19.001

  • Factory release needed for chipset variant at factory
  • Allowing larger config files

Internal

  • Support alternative ether controller

L2TP

  • Incorrect fragmentation of locally generated IPv6 packets sent via L2TP, fixed

OSPF

  • Started work on OSPF

RADIUS

  • RADIUS auth request sending NUL CUI as per RFC4372

VoIP

  • In some cases, e.g. no configured password, voip could crash. Fixed

Web control pages

  • autocomplete off on entry for OTP data
  • Moved Log to separate main menu entry

XML config

  • Final XSD validation tidy
Built 2012-09-15
Older factory release
1.18.001 (Vanessa)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.17.001 to Factory release 1.18.001

  • Draft documentation included in releases

BGP

  • New filter option to check for community present in a route
  • Showing BGP route details shows additional community tags as well
  • Fix for BGP config where local IP is DHCP, meaning BGP did not start up unless a local-id was set
  • Fix BGP import/export filtering which only considered first match rule
  • Allow use of pad on BGP peer if add-own-as set, even on ibgp
  • new use-vrrp-as-self (default true) means the next hop used in BGP will use an appropriate VRRP address if possible
  • Ignored received announcements treated correctly as a withdrawal
  • Corrected BGP ingress filtering to allow detagging the standard community tags
  • Made BGP next hop logic consider routes to dead end and to network as non feasible (previously they were feasible but could not route)
  • Fixed config to only allow one list of import and one list of export rules under bgp peer, as only first in list was checked anyway

Config editor

  • Tweak class for cqm images in css

CQM

  • Fix for long term shapers which only worked if sharing of shaper was set
  • Graphs show min and max rate limit per hour now
  • More corrections on long term shaper logic
  • Long term shapers were not actually applying the shaper limit, it seems, even if worked out correctly
  • Changed min line on graph to be dotted

DHCP

  • Fix for possible lock up causing watchdogs in some cases
  • Internal change to try and resolve issue where DHCP has been seen to cause a lock up and watchdog on some systems

DNS

  • DNS resolver no longer caching SOA as it was not expanding the MNAME/RNAME fields correctly
  • DNS server now ignores expired DHCP allocations

Ethernet

  • Added layer 2 interface mapping function (map port/VLAN to port/VLAN directly no session track or firewall)

FB105

  • Updating the FB105 tunnel config did not always have immediate effect

Firewall

  • Crash in some cases where traceroute via mapped address, fixed

Internal

  • Improved watchdog error reporting
  • Further improvement to watchdog panic diagnostic

IP

  • Added ARP/ND link state test to work at subnet level
  • Made Wake on LAN a separate diagnostic and linked to DHCP
  • Internal change to avoid possibility of recursive tunnelling overrunning buffer space

IPv6

  • Fix for ND responses for FE80::/10 LL addresses matching our MAC prefix (we answered all requests even if specific MAC not in use)
  • Adjusted routing for FE80::/10 so all interfaces are equal metric to locate LL endpoints

L2TP

  • Change relayed L2TP session stats to be consistent with non relayed by counting only IP and not LCP, etc.
  • L2TP status showing an accounting session ID even when not using RADIUS accounting, useful for pcap
  • Better status report for back to back sessions
  • Correct NSN RADIUS parameters in platform RADIUS

PPP

  • Adjusted LCP restart logic to restart LCP if far end persists in restarting
  • Allow far end to refuse magic number negotiation

PPPoE

  • Linked status page from PPPoE to L2TP

SNMP

  • Added some IfXEntry SNMP values

VoIP

  • Added contact header in REGISTER response
  • Possible fix on some issues with ring group logic

VRRP

  • Changed default startup delay to 60 seconds as usually more sensible and should not cause any harm

Web control pages

  • Set larger input box size on web diagnostic tools
Built 2012-06-02
Older factory release
1.17.001 (Uriana)
Config:XSD Doc

Release notes from Factory release 1.16.001 to Factory release 1.17.001

  • Updated documentation

BGP

  • Corrected AS list in show routes to handle multiple sequences (was showing with no separator)

CLI

  • Fix obscure race condition which may cause panic when logging to command line (console).

Config

  • Removed redundant fast-reboot options

CQM

  • Corrected URL processing for CQM where using x=value/x=value type syntax
  • Change to ping scan and cqm polling functions to be more aligned to real time seconds, ready for when we do NTP fully

DHCP

  • Corrected tool tips on Kill/Unlock

Internal

  • More details in thread statistics report

L2TP

  • RFC4818 Delegated-IPv6-Prefix support added - see RADIUS documentation for how this is used.
  • Complex bug with IPv6 routed via IPv6 gateway that is routed via an L2TP over IPv4 and generating an ICMP error causing a crash - fixed

Logging

  • Removed unused log types for SNMP trap (will move to profiles) and SMS (may be added later)

NTP

  • Added option to set ntp poll rate, will be removed/changed when we do NTP fully.

Profiles

  • Clarified wording for and, or, and not, tests in profiles
  • Clarified meaning of timeout and recover as times not number of tests

RADIUS

  • Reinstated platform RADIUS accounting handling and relay (missing since 1.13.111)

VoIP

  • Second call in a queue is not getting ringing to caller - fixed

Web control pages

  • Added layout for config edit for l2tp incoming and outgoing
  • New CSS - especially on config edit pages
Built 2012-05-12
Older factory release
1.16.001 (Titania)
Config:XSD Doc

Release notes from Factory release 1.15.001 to Factory release 1.16.001

BGP

  • Colours on BGP status on web page

DNS

  • DNS resolver negative caching handling and tweaks to handle VoIP DNS lookups where CNAME used
  • Corrected negative caching timings

L2TP

  • Added RADIUS option to avoid LCP restart on mismatched MRU
  • Corrected sending MTU in RADIUS auth (could be sent twice in some cases)
  • Allowing up to 64 byte CHAP challenge size in proxy auth

Logging

  • Better wording for missed log entries

Ping

  • Not trying to print reverse DNS on ping command while waiting DNS response

PPPoE

  • Issue with IPv6 DNS servers not working on a second PPPoE client connection if same as previous

RADIUS

  • RADIUS accounting reference could change some time after reboot depending on clock setting, fixed
  • Fix buffer leakage if RADIUS servers time out

Time

  • Added very simple sanity check to SNTP clock setting, and logging to right place
  • Logging IP from which clock was set

UI/CLI

  • Added hard reboot option

VoIP

  • Possible issue with hunt groups messing up after call transfer fixed
  • Reduced some of the debug
  • SRV handling for VoIP

Web control pages

  • Avoid unnecessary invocation of bootloader when system reboot is requested
Built 2012-04-27
Older factory release
1.15.001 (Sophia)
Config:XSD Doc

Release notes from Factory release 1.14.001 to Factory release 1.15.001

BGP

  • Route refresh capability announced and refresh request handled
  • Minor adjustment in graceful restart logic (not yet advertised)
  • Fixed long delay rebooting when BGP active

Config

  • Fixed factory default config for dns host name my.firebrick.co.uk - this means a new factory release of code.
  • Corrected parsing of an IP using final :: in place of :0 (i.e. seemed to have too many colons)
  • Not generating initial or trailing :: on IPv6 addresses where only one block replaced

Ethernet

  • Avoid spurious port down messages at startup.

Firewall

  • Routes to VRRP addresses now treated as to "self" not to "unknown" as previously
  • Session table display indicates if incomplete as output was interrupted.

Flash

  • Image priority tagging removed. Flash contents display shows penalty but no longer priority.
  • Change to flash block allocation strategy to spread block usage.

L2TP

  • Changed DHCPv6 served timing for L2TP

VoIP

  • Mute on a snom caused a call drop due to loss of media, changed to send reinvite same as if on hold
  • Validation of allow lists in config save for VoIP
  • Tweak to send record route back correctly on dialogue responses

VRRP

  • Fix issue if two separate VRRP configs used with same VRID one for IPv4 and one for IPv6

Web control pages

  • Format of manual image upload UI page changed in line with auto update.
Built 2012-04-21
Older factory release
1.14.001 (Rhea)
Config:XSD Doc

Release notes from Factory release 1.13.001 to Factory release 1.14.001

  • Change to persistent data storage logic and timing

BGP

  • Correct BGP route tie break where one route has MED set and one does not. No MED set is now treated as MED 0 correctly

Firewall

  • Possible case where session tracking code could crash fixed

L2TP

  • Changed IPv6 padding to be more generic padding of any packet that looks too short and under 73 bytes so works with IPv6 over LCP on BT 20CN lines

PPPoE

  • Config change losing external PPPoE IPv6 address from routing
  • Fixed IPv6 prefix delegation timeout issue

Profiles

  • Fixed bug - a ping profile with no routing to send the ping was causing buffer loss
  • Possible problem in ping profiles could result in a watchdog failure

RADIUS

  • Corrected RADIUS tagging on NSN parameters in platform radius.

VoIP

  • Added experimental VoIP feature
  • SIP registrations now persist over reboot
  • RTP payload type mapping added
  • Ends calls on reboot
  • Added ring group support - ringing all phones at once
  • Fixed crash if extn not defined on telephone users
  • Fixed ring group calling
  • Fix simultaneous answering of called (cross of 200 and CANCEL)
  • Registrations could cause crashes if CSeq wrong, fixed
  • Fixed some bugs (affecting grandstream and linksys phones)
  • No auto s/w upgrade if calls in progress
  • Added reboot when free logic
  • Tested with IPv6 on gigaset, and some bug fixes.
  • Added internal caller ID (extn number)
  • Fixed bug in sent Call-ID causing issues
  • 141 prefix setting withheld now
  • New config fields for carrier work added - not implemented yet
  • Fixed registrations that use a host name, such as A&A SIP2SIM service
  • Allow list checking on incoming call match to carriers
  • Matching incoming carrier calls based on To address
  • Incoming carrier auth challenge and checking
  • Incoming CLI from carrier
  • Supports call diversion on SIP handset
  • Added call limits options
  • Added call transfer functions (blind, and attended)
  • Software upgrade from web pages now does reboot when free when manually uploading code
  • Made logging of REGISTER messages separate to aid debugging
  • Added control of source-ip for outbound registrations
  • Sending of messages from same IP as was used as target of incoming registrations to keep some phones happier
  • Added some NAT detection and handling at SIP level - not yet on media level
  • Improved low level parsing of some syntax variants
  • Software upgrade now doing reboot when free on picking new code available
  • Improved final status when ringing multiple phones
  • Outgoing number formatting for carrier
  • Corrected some of the SIP escaping
  • Initial ring group queue logic (simply doing ring all)
  • Improved VoIP status on web pages
  • Ring group logic including strict, cyclic, random, oldest, and all, cascade or sequence modes.
  • Faster handling of group progression where phones are busy/DND
  • Added BLF handling for snom phones
  • Fixed "ringing" state on BLF
  • Added more detail on subscription status
  • Fixed BLF to work when using a different one of the FireBrick's IPs for subscription
  • Call pickup/steal added
  • Added display name to ring groups
  • Added BLF on steal prefix
  • Bugfix in SIP subscriptions if invalid data sent
  • Added display name on carrier
  • Empty and invalid SIP messages could cause a crash, fixed
  • Subscription / Registration expiry bug fix
  • Fixed profile on ring groups, and also 404 if nobody to ring
  • Call hold tone
  • Call time on VoIP status
  • Colour background on call list status
  • Colour background on other data on VoIP status
  • Crash in some call transfer cases fixed
  • Obscure bug in some cases on complex ring groups would fall back to ringing all, fixed
  • Ignoring silly almost empty SIP packets from gigaset (some NAT thing)
  • Allow redirect of group calls if got as far as ringing even if redirect set false as this is a manual redirect
  • Call transfer and redirect now calling using the carrier selected for the phone doing the transfer/redirect not the original caller
  • SIP INFO processing for DTMF
  • Incoming number handling for carriers
  • ACK generation on delayed response to closed call
  • Fix crash case - looks related to hunt groups calling numbers for which users are not yet registered
  • Fix for call transfer problems
  • Increased number of carriers as often back to back with telephone users
  • Outgoing carrier picking for external calls from hunt group using calling carrier
  • Pickup was not working for a ringing call
  • Transfer to ringing hunt group not working
  • Added reason on CANCEL and BYE in some cases
  • Race condition on call transfer can cause call to get stuck, fixed
  • Corrected handling of Replaces header in REFER where escaping some characters
  • Corrected handling of 100 Trying response on outgoing registration so we can register against asterisk
  • Updated to handle OPTIONS from a carrier (e.g. asterisk)
  • Added tag= on From for calls out via carrier, oops
  • Changed for registration reply that does not contain explicit Expires header (e.g. sipgate)
  • Changed domain on From and Call-ID
  • Added handling of a 407 proxy auth request as well as 401
  • Tweak for seq advance on INVITEs after 401/407 (asterisk was unhappy with reuse)
  • Added more detail as a CDR log entry
  • More CDR log tweaks
  • Media detect logic added
  • Made call related logs more consistent, always starting with call ID
  • Corrected start time ms on CDR log
  • Media loss detection improved
  • Incorrect call time on status page
  • Additional debug for NAT

Web control pages

  • Session list copes better if you stop the browser while displaying
  • Typo in web config for dns-host/block
Built 2012-03-13
Older factory release
1.13.001 (Pandora)
[Breakpoint]
Config:XSD Doc

Release notes from Factory release 1.12.002 to Factory release 1.13.001

  • Increased memory buffer to allow larger code to be uploaded - breakpoint release needed to ensure existing units can load later code

CQM

  • Added additional checks on CQM shaper sharing to allow for erroneous negative traffic counts

Web control pages

  • Changed graphics for rule lists in firewall - more flowchart like
  • Fixed incorrect showing of "New" when a list of objects is full
Built 2012-03-07
Older factory release
1.12.002 (Ophelia)
[Breakpoint]
Config:XSD Doc

Release notes from Factory release 1.11.004 to Factory release 1.12.002

Config

  • New option on subnet controls if DNS is accepted when acting as DHCP client (default true, obviously)
  • Change of attribute name in dns local records
  • Corrected cqm share-interface on web config to only list ethernet interfaces

CQM

  • Adjusted handling for mismatched speed shared shapers when all reaching limits to balance dropped packets in ratio to share of speed
  • Added Y scale fixing on CQM graphs (Y option)

DHCP

  • Added interface name on DHCP server logging

DNS

  • Local DNS not working for EDNS0 queries including internal lookups, fixed

Factory reset

  • Factory default no longer does RA for 2001:DB8:: subnet. Quickstart guide being changed to match

IP

  • Changed broadcast restriction on subnet to only affect externally sourced packets

IPv6

  • Fix default arp timeout on RA client and PD subnets
  • Adjusted IPv6 neighbour announce to set O flag on link local addresses

L2TP

  • Changed source filtering controls of L2TP to allow traffic even if the L2TP route is lower metric (split bonded lines)
  • Changed L2TP to not announce connected routes until IPCP/IPV6CP completes, and added to debug log
  • Added ip-over-lcp to local auth options for inbound L2TP
  • Slightly faster PPP negotiation on L2TP
  • Corrected error code for "Received PPPoE Active-Discovery Terminate from client"
  • pcap of L2TP sessions from start was impacting the negotiation - fixed
  • Changed LNS DHCPv6 code to handle more than one requested PD and serving in order from RADIUS/config

Ping

  • Allow payload size to be specified in ping config and when setting up a ping graph dynamically
  • Allow routing table to be specified in UI graph ping setup
  • Prevent dynamic ping start/stop affecting a configured ping

PPP

  • PPP LCP restart on unexpected IPCP, IPV6CP, CHAP or PAP

PPPoE

  • ip-over-lcp on PPPoE now defaults to "auto" which means it is set if it receives IP over LCP
  • Fixed BRAS L2TP/PPPoE mode to correctly cope with ip-over-lcp setting
  • Added MAC address to PPPoE logging
  • Fixed debug logging of PPP negotiation in PPPoE BRAS mode
  • Faster PPP negotiation PPPoE
  • Better error reporting on PADT messages
  • Cleaner PPPoE shutdown in BRAS mode on reboot (not accepting PADI after shutdown starts)
  • Fixed bug in L2TP/PPPoE/BRAS mode when session ID exceeded 255
  • Added first stages of PPPoE prefix delegation for IPv6 for testing (not yet doing IA or DNS, just PD)
  • Changed pd-interface on PPPoE to default to "auto" meaning interfaces without existing RA serving prefixes
  • Fixed PPPoE/DHCPv6 to handle more than one prefix delegation correctly
  • Handling local IPv6 by DHCPv6 on PPPoE
  • Handling IPv6 DNS by DHCPv6 on PPPoE
  • IPv6 DNS by DHCPv6 on PPPoE now adding /128 route consistent with IPv4 DNS
  • PPPoE/DHCPv6 PD times requested now more sensible, not infinite
  • Further PPPoE timing improvements
  • Corrected lifetime on router announcement from prefix delegation - was sending infinite
  • Better handling where no IA returned in DHCPv6 but PD is returned
  • Corrected log and log debug operation for PPPoE
  • Additional security checking on DHCPv6 client used in PPPoE
  • PPPoE not working if no IPv6, doh, fixed

Web control pages

  • Changed http access controls so that trusted IPs are allowed even when not on local subnet
  • Added payload size to ping command
  • Corrected copyright date now we are in 2012
  • Added Wake-on-LAN option to Ping and link from DHCP web pages
  • Much more description and instructions on OTP/OATH settings page
  • Added kill and refresh to PPPoE status page
  • Changed to allow an interface to be defined with no subnets (now that PD could be the source of a subnet)
  • Improve error message on null image file upload
  • Improve layout of Graph PNG page
  • Improved help text on dhcp server settings
  • Login page shows your IP
  • Diagnostics access check default to using your IP that is accessing the web pages
Built 2012-03-07
Older factory release
1.12.001 (Narcissa)
[Withdrawn]
Config:XSD Doc
This release has been withdrawn.

Release notes from Factory release 1.11.004 to Factory release 1.12.001

Config

  • New option on subnet controls if DNS is accepted when acting as DHCP client (default true, obviously)
  • Change of attribute name in dns local records
  • Corrected cqm share-interface on web config to only list ethernet interfaces

CQM

  • Adjusted handling for mismatched speed shared shapers when all reaching limits to balance dropped packets in ratio to share of speed
  • Added Y scale fixing on CQM graphs (Y option)

DHCP

  • Added interface name on DHCP server logging

DNS

  • Local DNS not working for EDNS0 queries including internal lookups, fixed

Factory reset

  • Factory default no longer does RA for 2001:DB8:: subnet. Quickstart guide being changed to match

IP

  • Changed broadcast restriction on subnet to only affect externally sourced packets

IPv6

  • Fix default arp timeout on RA client and PD subnets
  • Adjusted IPv6 neighbour announce to set O flag on link local addresses

L2TP

  • Changed source filtering controls of L2TP to allow traffic even if the L2TP route is lower metric (split bonded lines)
  • Changed L2TP to not announce connected routes until IPCP/IPV6CP completes, and added to debug log
  • Added ip-over-lcp to local auth options for inbound L2TP
  • Slightly faster PPP negotiation on L2TP
  • Corrected error code for "Received PPPoE Active-Discovery Terminate from client"
  • pcap of L2TP sessions from start was impacting the negotiation - fixed
  • Changed LNS DHCPv6 code to handle more than one requested PD and serving in order from RADIUS/config

Ping

  • Allow payload size to be specified in ping config and when setting up a ping graph dynamically
  • Allow routing table to be specified in UI graph ping setup
  • Prevent dynamic ping start/stop affecting a configured ping

PPP

  • PPP LCP restart on unexpected IPCP, IPV6CP, CHAP or PAP

PPPoE

  • ip-over-lcp on PPPoE now defaults to "auto" which means it is set if it receives IP over LCP
  • Fixed BRAS L2TP/PPPoE mode to correctly cope with ip-over-lcp setting
  • Added MAC address to PPPoE logging
  • Fixed debug logging of PPP negotiation in PPPoE BRAS mode
  • Faster PPP negotiation PPPoE
  • Better error reporting on PADT messages
  • Cleaner PPPoE shutdown in BRAS mode on reboot (not accepting PADI after shutdown starts)
  • Fixed bug in L2TP/PPPoE/BRAS mode when session ID exceeded 255
  • Added first stages of PPPoE prefix delegation for IPv6 for testing (not yet doing IA or DNS, just PD)
  • Changed pd-interface on PPPoE to default to "auto" meaning interfaces without existing RA serving prefixes
  • Fixed PPPoE/DHCPv6 to handle more than one prefix delegation correctly
  • Handling local IPv6 by DHCPv6 on PPPoE
  • Handling IPv6 DNS by DHCPv6 on PPPoE
  • IPv6 DNS by DHCPv6 on PPPoE now adding /128 route consistent with IPv4 DNS
  • PPPoE/DHCPv6 PD times requested now more sensible, not infinite
  • Further PPPoE timing improvements
  • Corrected lifetime on router announcement from prefix delegation - was sending infinite
  • Better handling where no IA returned in DHCPv6 but PD is returned
  • Corrected log and log debug operation for PPPoE
  • Additional security checking on DHCPv6 client used in PPPoE

Web control pages

  • Changed http access controls so that trusted IPs are allowed even when not on local subnet
  • Added payload size to ping command
  • Corrected copyright date now we are in 2012
  • Added Wake-on-LAN option to Ping and link from DHCP web pages
  • Much more description and instructions on OTP/OATH settings page
  • Added kill and refresh to PPPoE status page
  • Changed to allow an interface to be defined with no subnets (now that PD could be the source of a subnet)
  • Improve error message on null image file upload
  • Improve layout of Graph PNG page
  • Improved help text on dhcp server settings
  • Login page shows your IP
  • Diagnostics access check default to using your IP that is accessing the web pages
Built 2012-02-27
Older factory release
1.11.004 (Melissa)
Config:XSD Doc

Release notes from Factory release 1.10.001 to Factory release 1.11.004

BGP

  • Some extra debug for tracking next hop issues on bgp
  • Fix to pass on IPv4 tunnel in BGP for IPv6 tunnel routes as 2002::/16 prefix endpoint
  • Adjusted RR logic on BGP to avoid incorrect messing with next hop decision
  • Changed BGP to silently ignore routes where we are already the next hop
  • BGP change to still process withdraw in same packet as silently ignored routes (typically if using route reflectors)
  • Added peer level export-med to set MED on exported routes (unless explicitly set in export filter) as this is commonly the only export filter
  • Made local routes (apart from dead-end) take priority over equivalent BGP originated routes
  • Changed ttl-security option to be 1 to 127, and use -ve as meaning force TTL sending and no checking
  • Added import-localpref at peer level as a common global setting on EBGP links
  • Obscure race condition on BGP shutdown could cause a crash

CLI

  • Fix telnet timeout on users setting timeout 0 to not logout
  • Implement several readline-style line-editing sequences
  • Add two more control sequences - Ctrl-T and Alt-T

Config

  • Fix where config did not detect overlapping port groups unless actually used in an interface
  • Documented that a login timeout of 0 means no timeout but not in ip-group users
  • Mandatory port on interface. Missing port on interface picks first port else creates a fatal error

CQM

  • Some cases graphs could be duplicated if using long names or odd characters, fixed

DHCP

  • Added new lock and unlock feature on DHCP allocations
  • Added ability to manually set the name of DHCP allocations

DNS

  • Added new feature under services/dns to allow local DNS responses including based on DHCP

Factory reset

  • Changed so factory reset is DHCP client on WAN and DHCP server on LAN
  • Changed factory reset to have my.firebrick.co.uk as local DNS for the firebrick itself

FB105

  • Changes to better handle packet reordering issues on bonded tunnels
  • Added tunnel set statistics clear button on status page
  • Removed table from FB105 tunnel route sub object as not meaningful

Firewall

  • Fixed firewall check code (web and command line) - was confused for more than the most basic checks
  • Changed default for firewall where target unknown or nowhere to be "ignore" not "drop". This is important for pre-DHCP client connections from the brick

General

  • Various additional debugging code added

IPv6

  • Adjust handling of RA client to cope when more than one RA has same SLLA (e.g. VRRP) from different hosts

L2TP

  • Added more debug logging on L2TP tunnels, especially relating to relaying
  • Removed table from L2TP tunnel client route sub object as not meaningful

Logging

  • Improved formatting of replay from previous run flash log on boot up

PPPoE

  • PPPoE server (BRAS mode) was broken, fixed
  • Added return of Relay-Session-Id received in PADO to PADR sent
  • Adjusted PPPoE logging so as not to fill logs with requests that are not for us
  • Removed table from PPP route sub object as not meaningful

SNMP

  • Fix BGP and L2TP SNMP stats where values 128 to 255 and 32768 to 65535 reported as negative

Web control pages

  • Fix issue with some links on Chrome viewing BGP peers
  • Typos fixed in config
  • Change to try and stop a factory reset config from claiming to have been changed whilst editing
  • Incorrect HTML typo fixed in some tables
  • Tidy layout of platform radius controls
  • Tidy help on rule log settings
  • Correct various typos
  • Changed filenames for XML save to be more sensible
  • Clearer warning of active sessions on reboot and s/w upgrade pages
  • Fixed case where showing tables of information not right if a list of routes also shown
  • Extra info shown on BGP status
  • "Up to date" may have been erroneously displayed on Software Upgrade page - fixed.
  • First config save from factory reset was not working, fixed
  • New factory reset mode using port 1+3 to go back one config
  • Added new System submenu
  • Hovering on a link now underlines it
  • Some more colours on tables
  • Fix links for ND entries that upset some browsers
  • Web status pages can now be seen by users with access level >= USER
  • Button to clear thread tick counts added to thread statistics page (for users with ADMIN access)
  • Additional logic for getting L2TP session data using circuit ID in URL
Built 2012-01-24
Older factory release
1.10.001 (Katya)
Config:XSD Doc

Release notes from Factory release 1.09.001 to Factory release 1.10.001

CQM

  • Correct for rare race condition leading to multiple graphs of same name

Flash

  • Avoid flash fragmentation by deleting old images if necessary before saving new image.

L2TP

  • Since 1.08.007 RADIUS timeouts could cause RADIUS servers to "clog up" and stop doing any RADIUS, fixed
  • Added min-retry as a minimum session time before retrying an outgoing L2TP connection (default 10 seconds)
  • New platform RADIUS logic

Shaping

  • Fix incorrect handling of (legacy) tx-interval on shaper
Built 2012-01-18
Older factory release
1.09.001 (Jacynth)
Config:XSD Doc

Release notes from Factory release 1.08.001 to Factory release 1.09.001

BGP

  • Vendor specific SNMP for BGP status

DHCP

  • Clear DHCP command now allows range/prefix to clear multiple entries
  • Option to kill a DHCP allocation from web interface (DHCP status) now
  • Change handling of BOOTP to operate as a REQUEST not DISCOVER so causing allocation of lease

L2TP

  • Better "clear l2tp all", depending on speed of RADIUS accounting
  • Vendor specific SNMP for L2TP status

PPP

  • Added IP over LCP sending option to PPPoE code

SNMP

  • SNMP now has extra logical interfaces which are all named shapers in order, including relevant stats for a shaper.
Built 2012-01-09
Older factory release
1.08.001 (Isadora)
[Breakpoint]
Config:XSD Doc

Release notes from Factory release 1.07.001 to Factory release 1.08.001

  • Auto upgrade software not done if new software already in flash, stops a crash causing a loop.
  • Better error message on ip group name syntax check
  • Added link to upload new config on factory reset screen
  • Added link to upload new config on soft factory recovery screen

CLI

  • Changed show [bgp] route command to list where each route is directed.
  • Allow abort by pressing a key on the show routes command.
  • Tidied show dhcp command

CQM

  • CQM graphs now in alphabetic order
  • Shaper sharing system
  • Session based graphs should not persist if not used for a bit more than a day
  • Hourly rate line on CQM graphs

DHCP

  • Internal change to handling of DHCP server when searching for a suitable IP

FB105

  • Made payload-table consistent - now defaults to 0 not to "same as table"
  • Convertor making more sensible names for things like "24-7"
  • Not picking FB105 endpoint as our IP if cross table tunnel - picks any IP from a subnet on same table
  • FB105 cross table tunnel source IP correction when internal IP defined

Firewall

  • Change to logic where packet could go to multiple subnets on different interfaces. New interface "multiple" can check this, but default action in such cases now is to ignore the packet and send ARPs. New action "ignore" available.
  • Changed logic more so all timed out ARPs on multiple interfaces are now "unknown", and default action for "unknown" is "drop"
  • Improved traceroute through mapped IPs
  • Additional logging on re-routing during session tracking
  • Explicit action accept in rule was not overriding a default action of DROP for originally NOWHERE routes
  • Further change so default action not allow only if no rule matches.

L2TP

  • Made payload-table consistent - now defaults to 0 not (in some cases) "same as table"
  • Faster session clearing when using clear all
  • IP over LCP sending as RADIUS controlled flag (filter C)
  • Increased L2TP sessions to 250
  • Not picking L2TP endpoint as our IP if cross table tunnel - picks any IP from a subnet on same table
  • Added return of Proxy-State in platform RADIUS response
  • Added Tunnel-Medium-Type (IPv4/6) in platform RADIUS response
  • Added optional Juniper Context-Name response in platform RADIUS response (for BT 20CN session steering)
  • Added username hash based Tunnel-Preference in platform RADIUS response
  • Recognise BT specific "Subscriber provisioning failed" error and send clear cause 15 on RADIUS
  • More options for ordering the response on platform RADIUS
  • Faster LCP conf req on l2tp connect with no LCP
  • Additional debug added in L2TP/RADIUS code

PPP

  • IP over LCP rx handling added. I.e. LCP with code 4X or 6X assumed to be IP.
  • Buffer exhaustion handling in ppp fix crash risk

Profiles

  • Initial state of profile with set="..." now uses that setting not initial="..." value

RADIUS

  • Fix platform radius proxy state return issue affecting relayed platform radius

Web control pages

  • Added reboot link to web pages, in "status" section for ADMIN level or higher
  • Added VRRP masters count to pre-shutdown message for reboot and s/w updates
  • Fix bug showing FB105 tunnels up when not, in pre-shutdown message for reboot and s/w updates
  • Added new form for pcap dumping to file from browser (/pcap/)

XML

  • XML checking recognises that an empty list is not valid on a mandatory attribute
  • XML checking no longer reports issues with schemaLocation - they are now ignored
Built 2011-11-15
Older factory release
1.07.001 (Hermia)
Config:XSD Doc

Release notes from Factory release 1.06.001 to Factory release 1.07.001

  • Does not auto update and reboot if in factory reset recovery state

CLI

  • New show routes command not BGP specific
  • Show dhcp command layout fix

DHCP

  • DHCP client sets /32 routes for DNS servers provided

Factory reset

  • Made factory default have NAT set on the 10.0.0.X subnet

FB105

  • Shows associated routes on FB105 tunnel status
  • Added graph on web view of fb105 tunnel status if a graph set

Firewall

  • Some better checking for warning about blank firewall rules

L2TP

  • Change of field name (username) not preserving old field (user-name) in l2tp-relay, fixed
  • Pressing a key on telnet command "clear l2tp all" stops clearing lines.
  • Support for RADIUS Framed-IP-Netmask mapped to L2TP PPP IPCP NETMASK (144)
  • L2TP client mode asks for DNS on PPP
  • Config change was unnecessarily restarting some L2TP sessions
  • L2TP failed tunnel timeout reduced from 5 minutes to 1 minute
  • L2TP error response on duplicate tunnel ID to try and manage restart case better
  • Better logging of unexpected L2TP SCCRQ
  • Issue with L2TP clients when no hostname and no local system name configured

Web control pages

  • Using web interface diagnostics/routing could cause a crash
  • Showing associated routes on subnets, dongles, PPPoE, etc.
Built 2011-11-02
Older factory release
1.06.001 (Gemini)
Config:XSD Doc

Release notes from Factory release 1.05.001 to Factory release 1.06.001

  • Additional stats for sessions per second started
  • Added memory usage to one second stats
  • Allow multicast packets to be passed through switch
  • Possible obscure issue with DHCP server code fixed - probably only when default dhcp server used (i.e. ip not set)
  • Added new show status command on telnet, and reformatted web status page

CQM

  • Bug if graphs trying to scale to just under 4Gb/s, showed scaled at bottom end in error. Fixed.
  • Not including old (off screen) rate changes in max scale on graphs

DHCP

  • Additional options in DHCP client
  • Changed DHCP server to serve brick's IP as DNS server allowing it to relay, unless explicit servers set in config

Dongle

  • Colour on dongle status
  • Default if no route= set to also set /32s to DNS servers as well as default route
  • Dongle reporting negotiated DNS servers in status

Ethernet

  • Changed autoneg setting on ethernet ports to default to false if manually setting speed or duplex and not 1G

FB105

  • FB105 tunnel status reporting half-up status correctly
  • Changed logging to only log fatal errors (such as no source IP or no route) once until next works
  • Added additional recursion detection for FB105 tunnels
  • Config of ports used in FB105 tunnels, and update to config convertor to match
  • Reduced repetition of receive related warnings on identifiable tunnels

Firewall

  • Internal adjustment to session tracking hashing functions
  • Additional sanity check to pick up if someone tries adding a blank rule to a rule-set (typically by mistake)
  • Rule set logic for checking tables when previously having table changes in another rule-set may not have been correct
  • Diagnostic for firewalling not correctly handling non table 0 rule checks
  • Checking for blank rules refined to allow rules just setting nat or tables

L2TP

  • Changed L2TP logging so relay sessions have same logging as incoming session at the time
  • L2TP config change was clearing tunnels if not using a hostname setting
  • Changed logic for logging L2TP to try and ensure relayed sessions log correctly
  • L2TP relay was dropping first packets exchanged
  • Periodic RADIUS accounting was incorrectly showing timestamp less any current dropped packets which could cause a slight discrepancy
  • Outgoing L2TP option ready for initial testing
  • Final LCP TERM sent was not logged with correct field length in PPP dump, though sent correctly.

Logging

  • Session track counter in log-stats
  • Log email sending retry logic changed
  • Added much more debug for log-debug for logging email sending
  • Added additional information to emailed logs

Ping

  • Ping graphs can now use a host name

PPPoE

  • Default if no route= set to also set /32s to DNS servers as well as default route

RADIUS

  • L2TP RADIUS for PAP was using cleartext password as message auth (16 byte), changed to random.

VRRP

  • Deleting an interface which was VRRP master caused a crash

Web control pages

  • Improved lists of objects with sub objects present in config editor
  • General change to css, layout and menus, and new options for menu/banner controls
  • Extra information on DHCP client status page (subnets)
  • Change to allow you to stay logged in when clock first sets
  • Added ethernet port status to web status page
  • Home page shows if system name is not set, as this really should always be set, but is not actually a mandatory field
Built 2011-09-22
Older factory release
1.05.001 (Filippa)
Config:XSD Doc

Release notes from Factory release 1.03.001 to Factory release 1.05.001

BGP

  • Stopped announce of FE80::/10 when subnet has bgp="true"
  • No longer logging full BGP packet when discarded due to !allow-own-as or allow-only-their-as
  • Added additional per peer counters for ignored and filtered incoming updates

CLI

  • The show flash log command is now available to admin users
  • Added new command line to clear data pages in flash

Diagnostics

  • Tidy up the traceroute command to allow more than one attempt per hop, and some bug fixes
  • Access list check (command and web UI)
  • New firewall/session diagnostics (command line and web UI)

Factory reset

  • Made factory default have local-only set true on http access
  • Removed factory default for restricting access to firebrick itself by firewall as access list controls now much better

FB105

  • Various corrections to config convertor for latest releases
  • Improved fb105 config conversion for VLAN handling

Firewall

  • log-no-match on rule-sets should not log even if accept/continue, if there is no other logging set
  • Subtle change in logic for session NAT to/from brick when routing table override in rule-set

Logging

  • Possible fix to issue causing occasional unexplained crashes
  • Bug where viewing logs on web pages could cause crash, fixed
  • Removed hex dump debug log of DHCPv6 - as it cluttered interface debug logs and is better done using pcap

Manual

  • Started work on additional information for config documentation

Ping

  • Fixing interface based pings on startup not always working

PPPoE

  • Additional logging of PPPoE PAP/CHAP response message even if failed

Services

  • Added new access check for local-only on services. IMPORTANT - defaults to true for telnet, dns, timed, so you will need to set to false if you want remote access to these

SNMP

  • SNMP was not access locked to routing table, fixed

Web control pages

  • Removed WebSite link as caused confusion, and made footer have link to FB website
  • Added configurable links on home page and fb105 conversion
  • Added optional CSS URL allowing customisation of control pages
  • Session list allows selection by protocol first
  • Added ping/traceroute on web interface
  • Ping and traceroute now separate diagnostics
  • Show route now on web diagnostics menu
  • New session kill link on session table (web UI), and session kill command
  • Web config edit has more information shown now, and change to some spacing.
  • Missing titles on lists of blackhole and nowhere routes
  • Config edit was not able to add / change shaper-override (profile based shaping logic)
Built 2011-09-09
Older factory release
1.03.001 (Dimity)
Config:XSD Doc

Release notes from Factory release 1.01.001 to Factory release 1.03.001

Config

  • Changed default config - using LAN and WAN as interface and port group names and added more comments

FB105

  • Profile was not being considered on the sub object for routes
  • Convertor maps ipsrc from FB105 to internal-ip in fb105 tunnel set up

Firewall

  • Added log-no-match to rule-set to allow logging specifically for no-match cases.

L2TP

  • Changed to not debug log PAP passwords at all, but showing length of data sent (so length of password)

Logging

  • Documentation updated, and console log off/on commands now TROFF and TRON
  • log-starts logs start and stop of stats logging
  • Occasional crash in logging when lots of information is logged.

PPPoE

  • Profile was not being considered on the sub object for routes
  • Option to ignore supplied DNS servers on PPPoE

Profiles

  • Changed wording on logs for inverted profiles

Routing

  • Possible issue with watchdog failure being addressed

Web control pages

  • Heading on web logs saying which log report shown
  • Subnets listed in order
  • Colour coded display for status of FB105 tunnels
  • Layout changes on rule-sets
  • Icons redrawn
  • Changed page title to list name before serial
  • Manual s/w upgrade looks nicer now
  • Graph names as text on graphs list to allow searching in browser
  • Corrected icons for rule-set
  • Tweak factory reset menu
  • Additional per second stats for http access counts
  • Adjust timing on status check to try and ensure we see new s/w first time
Built 2011-09-04
Older factory release
1.01.001 (Bryony)
Config:XSD Doc

Release notes from Factory release 1.00.020 to Factory release 1.01.001

Config

  • Password now mandatory on user field, and error if blank and not using OTP
  • Changed time-out to timeout in firewall controls as consistent with rest of config
  • Added source= to rule-set rules and route-override rules
  • Added extra notes on localpref to explain highest value wins
  • Minor change to wording on web config
  • Added <blackhole.../> and <nowhere.../> as explicit routing objects rather than using <route.../> with no gateway.
  • as-path only on network object as was not in fact functional on route object

DHCPv6

  • Rebind handling corrected (was being ignored)

FB105

  • Corrected PCAP of IPv6 on FB105 tunnels
  • Added code to help avoid FB105 tunnel traffic via the same tunnel causing a crash
  • Timezone fixes on config convertor
  • Changing table attribute on fb105 tunnel settings was not taking immediate effect

Firewall

  • Rework of session tracking logs, including interface names, and various other layout changes
  • Corrected case of mapping traffic to the firebrick using NAT and a target redirect was not NATting
  • Cross table routing logic tweaked to pick up correct interfaces - should fix an issue where NAT not applied for PPP
  • Removed unnecessary NAT stage for locally sourced traffic

L2TP

  • Adjusted IPv6 RA for L2TP - now send periodically if IPv6 router solicitation previously received
  • Logging of CHAP accept/reject showed wrong length (correct length was being sent)

Logging

  • Emailed logs were re-sent on every config change, fixed
  • Changed syslog to use UDP non encrypted RFC5424 logging with microsecond precision. Affects all log lines as module name added
  • Added option to specify source IP for syslog messages

Manual

  • Corrected description of interface object

Pcap

  • PCAP giving better error messages

Ping

  • Ping setting on interface was not always starting the pings, and not stopped when config removed. Fixed

Profiles

  • Changed logic so "or" profile with no other settings and none of the "or" profiles match will fail not pass.
  • Corrected timeout/recovery logic
  • Added initial-state option on profiles
  • Profiles tracking ppp did not spot if a PPP went off because it was itself turned off by profile config
  • Changed logging for profiles so "still active" and "still inactive" logs are log-debug now

Routing

  • Correctly sending ICMP errors for dead end routes
  • Routing loop detection improvements
  • Minor change to internal routing/ARP cache functions to test a specific bug report.

Session tracking

  • Added set-reverse-graph to rules in rule-sets allowing the far side graph to also be set independently from set-graph

Shaping

  • Bug when setting reverse graph by means of route-override causing graph not to be applied

Web control pages

  • Changed headings on config edit boxes
  • Changed the sequence when downloading new code
  • Automatically redirects to status page after a short delay when new s/w loaded
  • Less margins on web pages
  • Updated setting descriptive text in firewall rules
  • Made breadcrumbs larger and easier to read
Built 2011-08-17
Older factory release
1.00.020 (Zack)
Config:XSD Doc
This is the first release for this platform.
Built 2011-08-01
Older factory release
1.00.001 (Yves)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-07-19
Older factory release
0.11.002 (Xavier)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-07-18
Older factory release
0.09.002 (Ulysses)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-07-08
Older factory release
0.08.049 (Sherlock)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-06-07
Older factory release
0.08.001 (Randolph)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
Built 2011-05-27
Older factory release
0.06.061 (Nathan)
[Withdrawn]
Config:XSD Doc
This was a pre-release development build.
