FireBrick Model: FB6000 | FB2500 | FB2700 | FB2900 | FB9000 | SoHo/Plus | FB105

Model Variant: FB6202

Released 2023-10-16
Built 2023-10-09
Current factory release
2.00.100 (Abbotscliffe)
Config:XSD Doc

Release notes from Factory release 1.61.010 to Factory release 2.00.100

  • Rework apps to run efficiently on the FB9000 platform - this is a major rework that may impact all platforms

ARP

  • Recover faster from certain subnet changes
  • Slightly improve ARP queue timeout handling for entries that do not resolve but are in constant use.

BGP

  • Shutdown timeout - be tolerant of negative NTP adjustments
  • Add profile to peer list in config editor
  • Check that peers define unique connections
  • Improvements to graceful restart
  • Improve connection handling
  • Fix issue with GET method for new SNMP OIDs
  • Additional states for shutdown and preshutdown in new OIDs
  • Add prefix limit info to SNMP
  • Include held routes in the count of imported prefixes
  • Improvements and bugfixes
  • Intersperse connection handling better

Config

  • Added auto-backup-url to config to POST changed config
  • Improve config patch mechanism
  • Fix "*" parsing for port ranges
  • Small improvements to the auto backup feature to make it nicer

CQM

  • Calculate times for XML output the same way as for images
  • Handle extremely low ping latencies better
  • Fix issues with speed data under some circumstances

DNS

  • Prevent forwarding of other types for overridden DNS entries

Ethernet

  • Allow assignment of specific MAC addresses to subnets and interfaces
  • Improve diagnostic for unexpected buffers in the TX queue (FB6000)

Firewall

  • Only ARP targets in overlapping subnets if we would allow traffic to them
  • Improve source IP selection when NAT is targeting overlapping subnets
  • Add more detail to firewall diagnostic

Internal

  • Mitigation for rare watchdog
  • Improve resource utilisation of streams
  • Fix rare crash with inter processor communication

IPsec

  • Remove path by which eap-user restrictions could be evaded by some clients

IPv6

  • Advertise a /64 for PD SLAAC (even if the delegated prefix is larger)
  • Introduce a list of ra-subnet-template on interfaces to allow setting of options for RA generated subnets (replaces ra-client)
  • Prevent prefix delegation on linked interfaces (including by implicit defaults)
  • Fix issue with RA and ignore_dns that can cause subnets to be recreated

L2TP

  • Corrected handling of Framed-IPv6-Address as interface address in RADIUS
  • Add calling/called station IDs to L2TP session status
  • Fix crash with packets claiming different lengths in different ways
  • Allow IPv6 DNS to be overridden via RADIUS
  • Don't kill tunnels immediately when profiling off incoming
  • Report the correct number of packets for TX and RX

Logging

  • Increase internal logging capacity

Manual

  • Add more commands to the manual
  • Improve MIB appendix

MQTT

  • Reconnect faster on "external" config changes and improve status
  • Fix issue where tx is available late

OSPF

  • Fix crash when config changed repeatedly very rapidly

Pcap

  • Make labels on pcap form slightly better

PPPoE

  • Fix typo on PPP status page
  • Don't accept PPPoE inbound connections if the matching incoming is profiled off
  • Log sending the PADR

Profiles

  • Add uptime test to allow staggered starting of services
  • Evaluate conditions when adding (to avoid flapping without careful choice of initial)

Routing

  • Remove 6to4 (2002:) IP mapping
  • Add tunnel IDs to routing diagnostic summary
  • Avoid sending packets with potentially inappropriate source IPs (applies to overlapping subnets mainly)
  • Force immediate reconsideration of routes when related gateways have expired

SNMP

  • Add system memory utilisation to SNMP
  • Make buffer statistics reflect new reality (that most buffers are in a global pool)

TCP

  • Improve preempting of TCP connections in the timewait state
  • Limit accept queues more consistently
  • Reduce resource usage when in TIME-WAIT

TLS

  • Add connection count to 1 second stats

VoIP

  • Improve how VOIP logging reads

VRRP

  • Take notice of the profile on the parent interface

Web UI

  • Improve profile switch behaviour when clicked fast repeatedly
  • Config option to change colours of user interface
  • Add buttons to config editor for reordering items in ordered lists
  • Darker background for select multiple selections
  • Avoid underflow when showing number of seconds remaining for config test (cosmetic)
  • Added warning that config save is recommended
  • Tidy up config edit page
  • Improve layout of BGP buttons
  • Show reboot now option when shutting down
  • Wrap lines in XML editor on first load
  • Buttons to delete flash blocks as a DEBUG user
  • Click on headings to sort status tables
  • Suppress iphone phone number autodetection (so it doesn't pick up the serial number)
  • Add arrows (ascending and descending) to sorting
  • Record txnodesc more like other ethernet stats
  • Add ability to view old configurations and boot alternative images to flash contents (as DEBUG)
  • Reorder ping form
  • Tweak upload styling
  • Show route diagnostic in prefix order
Released 2022-11-16
Built 2022-11-07
Older factory release
1.61.010 (Ogust)
Config:XSD Doc

Release notes from Factory release 1.60.010 to Factory release 1.61.010

Certificates

  • Avoid panic on reboot if FB private key gets deleted

Config

  • Enforce list max occurrences limits for all config items

CQM

  • Small change to SVG to make loss/latency squared off like png

DHCP

  • Treat a profile on a DHCP config entry with a restriction consistently with other config profile usage.

DHCPv6

  • Various improvements (especially in the client)
  • Make DHCPv6 work better with larger prefixes
  • Allow larger server DUIDs

Ethernet

  • Share MAC address on VLAN 0 between bootloader and app for each port

IKE

  • Send out of band error when INIT request negotiation fails

IPv6

  • Improved reliability of RA handling

MQTT

  • Bigger MQTT messages
  • Additional options on MQTT external
  • MQTT crash fix
  • Sending cleaner CONNACK for error cases

PPP

  • Bug fix for issues with PPP client corrupting subnets

PPPoE

  • Increase number of allowed PPP sessions (and fix crash loading configs with more than 20)

RADIUS

  • Juniper ERX ingress/egress policy name in RADIUS server
  • Correct defaulting of RADIUS server settings

Web UI

  • Improve layout on XML edit page
  • Improve button placement on system info pages
  • Explanation added regarding TCP stress test blob output
  • Further improve XML edit and reduce vertical height of top bar
  • Make XML download links look like links
  • Add line numbers to XML editor
  • Reject paths with extraneous middle segments
  • Various UI improvements
  • Add a config option to prevent refreshing the CQM image lists
  • Make graphs on the image list page clickable
  • Editor - fix colour picker with 3 digit hex colours
  • Force text colour in buttons to black (apparently ipads can default it to white)
  • Warn on most pages when config is no longer valid
Released 2022-07-20
Built 2022-07-11
Older factory release
1.60.010 (Nickell)
Config:XSD Doc

Release notes from Factory release 1.59.000 to Factory release 1.60.010

CLI

  • Show thread stats for longer sample period

DHCP

  • Improved controls over DHCP logging

DHCP/DNS

  • Additional "latest IP allocated" DNS name for DHCP - see auto-dhcp-new in DNS settings

DHCPv6

  • Simple DHCPv6 client mode (experimental)
  • Updated IPv6 SLAAC/RA logic to allow control of extra flags and simple ethernet side DHCPv6 server

Diagnostics

  • Provide info about HTTP connections for debug users on web and telnet

HA

  • Fix HA groups D-G
  • Improve handling of HA bonded tunnels with extremely mismatched latency (seconds)

HTTP

  • Be more tolerant of lack of Content-length in HTTP client

IP

  • Use the table's default source IP in more places

IPC

  • Fix rare lockup

IPv6

  • Interface setting ra-client now default if wan set, else not default
  • Interface setting now define PD (prefix delegation), default if wan/ra-client/ra not set

L2TP

  • Respect table setting for MTU calculation for outgoing and relayed L2TP connections
  • Add mechanism for advising LAC of tx speed when needed
  • Put serial number in calling station ID if explicitly set to ''

Logging

  • Fix issue with emailed logs - were sending to last MX not first, and leaving TCP open causing issues if too many emails sent

MQTT

  • Added MQTT console

PPP

  • Handle missed PAP reply on PPP

RADIUS

  • Added allow list for RADIUS CoA requests as alternative to host IP match
  • Add logging on RADIUS match
  • Added top level IP allow check on RADIUS
  • Faster RADIUS failover (and updated documentation)

VoIP

  • Limit email addresses for recording to 2000 chars

Watchdog

  • Eliminate a possible rare cause of watchdogs and improve diagnostics

Web UI

  • Add details of L2TP session states on tunnel status pages
  • Show which tables session tracking is active on in UI
  • Fix looping causing loss of UI if TCP stress test fails
Released 2022-04-20
Built 2022-04-13
Older factory release
1.59.000 (Macleod)
Config:XSD Doc

Release notes from Factory release 1.58.111 to Factory release 1.59.000

ACME

  • ACME error reporting could get garbled message in some error cases

DHCP

  • Changed some DHCP server logging to be JSON format (same as used for MQTT)

FB105

  • Fix rare crash with FB105 tunnel bonding during configuration change

IPsec

  • Fixed a problem with validation of peer certificate
  • Fixed handling of out-of-order IKE fragments
  • There is a new attribute peer-eaplist available on an IKE connection config item which enables the allowed EAP usernames to be specified.
  • Improve EAP diagnostic logging and fix minor problem with message ID number checking
  • Further improvements to EAP processing and error logging

L2TP

  • Configured outgoing L2TP sessions now respect the bgp setting in the config

MQTT

  • Added listener for FireBricks/# topic
  • Changed MQTT mapping field names and fixed incorrect help text

OSPF

  • OSPF marked experimental as it has some minor issues.

RADIUS

  • Some additional RADIUS server settings, matching, added mqtt logging and changed log format to JSON, for working with some WiFi kit

Serial

  • Eliminate rare crash in serial rx handling

TLS

  • Improved stream handling in TLS to avoid occasional race conditions causing crashes

VoIP

  • Improve logging when bulk carrier import fails
Released 2022-01-05
Built 2021-12-21
Older factory release
1.58.111 (Landy)
Config:XSD Doc

Release notes from Factory release 1.57.010 to Factory release 1.58.111

Certificates

  • Removed expired DST Root CA X3 certificate

CLI

  • Added CLI command to view port status

Config

  • Allow numeric value with 0x prefix in config

DHCP

  • DHCP client will now attempt to renew leases when ports go down and come back up. This will automatically reconfigure the subnet if plugged into a different network.
  • Added mac-local test in DHCP pool
  • Improved DHCP allocation logging and MQTT logging

Diagnostics

  • Add diagnostic command and status page for buffer usage
  • Include uptime information in automatic crash reports
  • Log highest buffer users in case of exhaustion

Ethernet

  • Improve setting of default port config on startup (may be faster startup in some cases)

IPsec

  • Increase max number of simultaneous IKE/IPsec connections
  • Fixed problem with IKE message fragmentation causing connection failures with some clients
  • Fixed occasional "Response not pending" panic.

L2TP

  • Added session-timeout to L2TP incoming

MQTT

  • Simple MQTT message mapping option
  • Improvements to MQTT broker (better error reports and sanity checks)
  • MQTT payload pattern match
  • Correct mapped MQTT messages erroneously setting retain
  • Made IP a link on mqtt status
  • MQTT mapping connection linking (e.g. for retained)
  • Fix outgoing mqtt bug
  • Started some MQTT v5 handling (a config option, experimental, not recommended yet)

OSPF

  • Correct OSPF checksum issue for certain auth types

Profiles

  • Added profile test for "DHCP allocated"
  • Nicer web socket based profile control switches.
  • MQTT profile control fixed
  • Minor change, only sending MQTT if corresponding payload set (even if empty)

Serial

  • Improve reliability of config import via serial

TLS

  • Improve server authentication security and work around problems with some servers by using the signature algorithm extension.
  • Fix TLS connection failover
  • Added TLS stateless session resumption - without this newer versions of some browsers were very slow to load FB web pages
  • Issue with TLS resume keys used over a s/w upgrade fixed

Web UI

  • Fix setup wizard JS
Released 2021-09-29
Built 2021-09-15
Older factory release
1.57.010 (Kaplan)
Config:XSD Doc

Release notes from Factory release 1.56.010 to Factory release 1.57.010

ACME

  • Allow specifying of the source IP for ACME requests

BGP

  • BGP tags for static routes

Certificates

  • Fix problem with cross-signed certificates causing IPsec connection issues with Windows clients

Config

  • Allow delayed automatic upgrades

DHCP

  • DHCP option to force broadcast offer/ack to address edge case with some APs and devices

Ethernet

  • Fix overzealous ether damping

HTTP

  • Fixed issue where http client (e.g. ping graph download, etc) gets non 2XX response causing later problems

IPsec

  • Increase internal packet buffer size to help with IKE certificates
  • Fixed IP pool leakage
  • An IKE session was sometimes shown in waiting state as well as connected.
  • Further IPsec tweak to avoid losing connection in some circumstances
  • Add workaround to avoid repeated reauthentications when peer is StrongSwan and mode is immediate
  • Fix bad config status entry after deleting a live connection
  • Implemented IKE fragmentation to improve authentication with long certificate chains

L2TP

  • Slightly faster outgoing L2TP connect (proxy auth sent)
  • Handle incoming local match password check for PAP

PPPoE

  • Issue with some PPPoE sessions restarting on config change

Routing

  • Default source IP per routing table

Shaping

  • Additional control on shapers (burst limit in ms)

TLS

  • Added support for simple TLS clients with limited storage
  • Minor memory leak in TLS client fixed

VRRP

  • Make VRRP clearer when used with profiles (status page and manuals)

Web control pages

  • Configurable intro text and links on login page
  • Web access security update

Web UI

  • Add ethernet counters to web
  • Show which type of app upgrade would be initiated
  • Show some context lines in live logging view
Released 2021-04-16
Built 2021-03-24
Older factory release
1.56.010 (Jacoby)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.54.101 to Factory release 1.56.010

  • Fix bug in ASN.1 length encoding

Config

  • Additional options for finer control of source filtering setting
  • Additional help text for L2TP

CQM

  • Graphs used to show a damping level even when damping not in use (i.e. l2tp damping not set), removed

DHCP

  • Added "circuit" to the matching rules for DHCP server IP pool (circuit being Agent Info option 82 circuit sub option 1)

FB105

  • Change internal IP config for FB105 to allow internal IPv6 to be set

HA

  • Some issues with invalid tunnel packets logging when using L2TP HAL
  • HAL did not work well if one of the links was rate limited
  • Increased number of HA sets to 7
  • Added additional hal-log for debug logging of HAL

IPv6

  • Slight change to SLAAC RA client default localpref so global addresses preferred

L2TP

  • Improved logging for incoming L2TP sessions so more obvious which config used
  • Minor changes to some L2TP config attribute names, and updates to manual
  • Correct logic on L2TP point to point speed controls on outgoing tunnel
  • Don't override manual shaper speeds on point to point L2TP where no speed is received from calling end
  • OSPF issues with incoming L2TP config fixed
  • L2TP tx/rx speed of -1 recognised and ignored
  • Issue with DOS limit on outgoing L2TP fixed

Manual

  • Clarified that config access on web interface also needs user "admin" level

PPP

  • Tweaked PPP handling when far end wants to talk IPV6CP and we were not planning to. We now negotiate.

PPPoE

  • L2TP PPPoE BRAS mode now picks up payload-table from L2TP config.

SNMP

  • Integer values were sometimes misreported

Web control pages

  • Setup wizard bug when IPv6 defined

Web UI

  • Minor changes, allowing some javascript to be embedded
  • Experimental feature added to allow js-url in config (for when logged in, trusted IP, non password entry pages)
  • Tweak XML edit so that a zero login timeout does not fail if XML config edit is longer than 5 minutes
Built 2021-01-06
Older factory release
1.55.111 (Hamman)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.54.101 to Factory release 1.55.111

Config

  • Additional options for finer control of source filtering setting
  • Additional help text for L2TP

FB105

  • Change internal IP config for FB105 to allow internal IPv6 to be set

HA

  • Some issues with invalid tunnel packets logging when using L2TP HAL
  • HAL did not work well if one of the links was rate limited
  • Increased number of HA sets to 7
  • Added additional hal-log for debug logging of HAL

IPv6

  • Slight change to SLAAC RA client default localpref so global addresses preferred

L2TP

  • Improved logging for incoming L2TP sessions so more obvious which config used
  • Minor changes to some L2TP config attribute names, and updates to manual
  • Correct logic on L2TP point to point speed controls on outgoing tunnel
  • Don't override manual shaper speeds on point to point L2TP where no speed is received from calling end
  • OSPF issues with incoming L2TP config fixed
  • L2TP tx/rx speed of -1 recognised and ignored

Manual

  • Clarified that config access on web interface also needs user "admin" level

PPP

  • Tweaked PPP handling when far end wants to talk IPV6CP and we were not planning to. We now negotiate.

PPPoE

  • L2TP PPPoE BRAS mode now picks up payload-table from L2TP config.

SNMP

  • Integer values were sometimes misreported

Web UI

  • Minor changes, allowing some javascript to be embedded
  • Experimental feature added to allow js-url in config (for when logged in, trusted IP, non password entry pages)
  • Tweak XML edit so that a zero login timeout does not fail if XML config edit is longer than 5 minutes
Built 2020-05-26
Older factory release
1.54.101 (Garozzo)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.53.000 to Factory release 1.54.101

ACME

  • ACME status for certificates shows when last error happened.
  • Make ACME status clear at start up if clock not set yet
  • Fix ACME error status to show time of error

BGP

  • Add Refresh buttons to BGP UI status page

CLI

  • show configuration now allowed (redacted) at "view" level

Config

  • Improved syntax checking of numeric fields
  • Separate logging for http client accesses
  • Added new config access level (demo) allowing test but not commit/save config.

Config editor

  • Tweak to config edit to make default values more obvious

DHCP

  • Improve lease expiry when the FireBrick does not know the correct time

Ethernet

  • Improve DoS detection and logging of ethernet damping

HTTP

  • HTTP client requests now fall back to other IPs (e.g. for code updates, ACME, etc)

Internal

  • Scheduling changes to improve performance under heavy CPU load (eg crypto processing)
  • In some circumstances Watchdog panics may report incorrect thread - fixed.
  • Improve diagnostics if a "CPU1 stuck" error occurs.

IPsec

  • Avoid crash related to IPsec config logging settings when FB is under heavy load

IPv6

  • Handling of 6in4 (protocol 41) packet receipt from ethernet is now controlled on a per interface setting defaulting to FALSE
  • Prefix Delegation IPv6 address was using a base address not interface specific auto IP, fixed

L2TP

  • Configurable PPP timeout values per tunnel
  • Additional logging on config change
  • Fix payload table logic on local auth incoming L2TP sessions
  • Consistent NAS-Port attribute on RADIUS STOP records (previously was 0)

LACP

  • Prevent unnecessary continuous packet exchange

Logging

  • Avoid harmless unexpected interrupt log messages

Manual

  • Additional documentation on IPv6 prefix delegation and SLAAC

PPP

  • Tweak LCP restart timing for very slow latency links

Profiles

  • Profile ping of local gateway by ping 0.0.0.0

SNMP

  • Experimental addition of new-style vendor-specific structure to fit better with standard usage of OIDs/MIBs.

TLS

  • Use own server preferences when choosing crypto suite and EC curves; Do not send anchor certificate
  • Fix corner-case which may cause a TLS stream to go into limbo with TCP stuck in CLOSE_WAIT
  • Improve TLS session end - avoid occasional crashes/lockups.
  • Fix a couple of TLS issues causing problems with ACME and downloading large pages
  • Finally fixed TLS issue
  • Extra diagnostics added to help with occasional TLS crashes

VRRP

  • Incorrect error message for ID clash in VRRP, fixed

Web UI

  • Improve UI status reporting for bgp, including ability to filter routes list
Built 2019-08-29
Older factory release
1.53.000 (Flint)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.52.010 to Factory release 1.53.000

ACME

  • Control switch a CA name (e.g. "letsencrypt.org") profile during ACME renewal validation phase
  • Added acme-profile, and made the renewal profile prefixed fb-, e.g. fb-letsencrypt.org
  • Tweak to ACME to allow for additional challenges for a few seconds

Certificates

  • Make certificate domain name checking case-insensitive

Config editor

  • Config edit of passwords did not work with & or similar escaped characters. Fixed, but passwords limited in length when editing config now (120 characters).

DHCP

  • Lease expiry times were incorrect when lease acquired before time had been set

DNS

  • DNS relay limit check

IPsec

  • Provide SNMP status info for IPsec
  • Fix crash when [id] is used in graph name of a waiting connection
  • Show EAP identity (username) in log messages and UI status, and allow it in graph names

IPv6

  • Avoid a problem seen with IPv6 fragmentation with some Linux stacks.

L2TP

  • Added pointless bearer capabilities to SCCRP as one carrier expects it for some reason!

PPP

  • New PPP debug log/dump format options

PPPoE

  • PPPoE did not install IPv4 DNS if explicit routes set, fixed
  • PPPoE Calling ID prefix appended with VLAN and/or MAC

TCP/UI

  • Fix TCP problem causing IPv6 fragmentation which was causing intermittent UI access problems.

TLS

  • Added capability for key exchange signing using SHA2 (needed for compatibility with latest versions of curl).
Built 2019-06-01
Older factory release
1.52.010 (Eisenberg)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.51.010 to Factory release 1.52.010

DNS

  • Added option to allow logging of DNS queries based on interface requesting the DNS

Factory reset

  • Changed factory default to allow set up from WAN as per quick start guide

IPsec

  • Fix problem with IPsec tunnels using IPv6 outer addresses

IPv6

  • Changed source IP of ND to link local in all cases - RFC allows any assigned address but some devices get upset

L2TP

  • Added Framed-IP-Address to accounting

LACP

  • Improvements to increase stability and reduce trunk downtime during status changes

Logging

  • Add Replay tag to panic/replay log lines displayed at startup

UI/CLI

  • Power monitoring improvements
Built 2019-05-17
Older factory release
1.52.000 (Eisenberg)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.51.010 to Factory release 1.52.000

DNS

  • Added option to allow logging of DNS queries based on interface requesting the DNS

Factory reset

  • Changed factory default to allow set up from WAN as per quick start guide

IPsec

  • Fix problem with IPsec tunnels using IPv6 outer addresses

IPv6

  • Changed source IP of ND to link local in all cases - RFC allows any assigned address but some devices get upset

L2TP

  • Added Framed-IP-Address to accounting

LACP

  • Improvements to increase stability and reduce trunk downtime during status changes

Logging

  • Add Replay tag to panic/replay log lines displayed at startup

UI/CLI

  • Power monitoring improvements
Built 2019-04-01
Older factory release
1.51.010 (Davies)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.50.000 to Factory release 1.51.010

BGP

  • Added AS-Path checks to BGP route filtering

Config

  • Renamed log-panic to log-support, as we may log other unusual events to fb-support and not just stack trace / panics

Config editor

  • Profile page layout tweaked

DHCP

  • Revert minor change in DHCP/DNS which was causing problems

General

  • Some final tweaks before being ready for next release
  • Some minor optimisations

Internal

  • Minor changes to boot time calculation
  • Avoid boot time appearing negative when time is adjusted

L2TP

  • Adjustments to ICMP logic for trace route through L2TP
  • Various performance enhancements
  • Local config for L2TP relay now allows relay via another table (payload-table)
  • Fix missing TID in L2TP tunnel status page
  • L2TP session xml url checking number is only number

Logging

  • Additional direct log-panic logging to try and find specific issue in recent code.

NTP

  • Restructure client with minor improvements prior to introduction of full NTP server
  • NTP server introduced. Early release - may not be stable.
  • Support clients using older versions of NTP protocol
  • DHCP serves FireBrick IP for NTP now (unless otherwise set in DHCP config)
  • Minor fixes, and a change to maxpoll and minpoll to use duration in config.
  • Various minor updates on NTP
  • Further NTP bugfixes, including earlier setting of system time.
  • Further improvement to NTP system clock conditioning
  • Improve NTP status message on main status page
  • Added UI status page and CLI status; other minor improvements
  • Improved status output
  • Fix crash when adding/removing time service in config
  • Yet more UI status improvements
  • NTP time adjustments are now applied smoothly by OS time conditioning
  • Improved access checking
  • NTP control (ntpq) access now defaults to true. UI diagnostic access check page was not displaying correct details for NTP.
  • Fixed possible crash after peer drop
  • Fix problem with time quickstep (mainly showing on 2700)
  • Fix NTP status erroneously reported as Acquiring after config change. Improve NTP server startup/shutdown.

Ping

  • Added ping size option to bulk ping logic (+size after IP and #table)

PPPoE

  • pd-interface default on PPPoE excludes interfaces marked wan

RADIUS

  • ERX-Tunnel-Switch-Profile untagged even in tagged responses (for Talk Talk working)

Shaping

  • Shared shaper changed to allow > 4Gb/s total (new version, so all sharing systems need update at same time)
  • Catch some edge cases in session tracking shaper set up that seem to cause a crash

Web control pages

  • Live update of uptime, time, and RAM usage in status page
  • Minor change to way status web page shows

Web UI

  • Minor tweaks to UI colouring. Ping/Traceroute display is banded for better visibility.
  • Fix typo in UI on TCP stress test page.
  • Fixed NTP status submenu highlighting
  • Improve page layout when left-hand menu pane is tall
Built 2019-03-24
Older factory release
1.51.001 (Davies)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.50.000 to Factory release 1.51.001

BGP

  • Added AS-Path checks to BGP route filtering

Config

  • Renamed log-panic to log-support, as we may log other unusual events to fb-support and not just stack trace / panics

Config editor

  • Profile page layout tweaked

General

  • Some final tweaks before being ready for next release
  • Some minor optimisations

Internal

  • Minor changes to boot time calculation
  • Avoid boot time appearing negative when time is adjusted

L2TP

  • Adjustments to ICMP logic for trace route through L2TP
  • Various performance enhancements
  • Local config for L2TP relay now allows relay via another table (payload-table)
  • Fix missing TID in L2TP tunnel status page
  • L2TP session xml url checking number is only number

Logging

  • Additional direct log-panic logging to try and find specific issue in recent code.

NTP

  • Restructure client with minor improvements prior to introduction of full NTP server
  • NTP server introduced. Early release - may not be stable.
  • Support clients using older versions of NTP protocol
  • DHCP serves FireBrick IP for NTP now (unless otherwise set in DHCP config)
  • Minor fixes, and a change to maxpoll and minpoll to use duration in config.
  • Various minor updates on NTP
  • Further NTP bugfixes, including earlier setting of system time.
  • Further improvement to NTP system clock conditioning
  • Improve NTP status message on main status page
  • Added UI status page and CLI status; other minor improvements
  • Improved status output
  • Fix crash when adding/removing time service in config
  • Yet more UI status improvements
  • NTP time adjustments are now applied smoothly by OS time conditioning
  • Improved access checking
  • NTP control (ntpq) access now defaults to true. UI diagnostic access check page was not displaying correct details for NTP.
  • Fixed possible crash after peer drop
  • Fix problem with time quickstep (mainly showing on 2700)
  • Fix NTP status erroneously reported as Acquiring after config change. Improve NTP server startup/shutdown.

Ping

  • Added ping size option to bulk ping logic (+size after IP and #table)

PPPoE

  • pd-interface default on PPPoE excludes interfaces marked wan

Shaping

  • Shared shaper changed to allow > 4Gb/s total (new version, so all sharing systems need update at same time)

Web control pages

  • Live update of uptime, time, and RAM usage in status page
  • Minor change to way status web page shows

Web UI

  • Minor tweaks to UI colouring. Ping/Traceroute display is banded for better visibility.
  • Fix typo in UI on TCP stress test page.
  • Fixed NTP status submenu highlighting
  • Improve page layout when left-hand menu pane is tall
Built 2018-11-21
Older factory release
1.50.000 (Culbertson)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.49.000 to Factory release 1.50.000

ACME

  • Minor improvements to ACME - handling some extra order status responses

BGP

  • Additional debug for ignored updates

CQM

  • Added more stats (total bytes/packet/drops) to CQM XML

Crypto

  • PKCS#8 formats now fully accepted and served for RSA and DSA keys

Diagnostics

  • Fix TCP download test (was always saying 0 bytes loaded)

DNS

  • Changed DNS logic so not simply fallback="true" but fallback-table defined. This means multiple table DNS will default not to fall back now.

General

  • Slight performance improvements

IPsec

  • Fix duplicate connection problem after roadwarrior client switches from wifi to 3G
  • Fix Roadwarrior problems - IPv4 NAT not working and IPv6 routing failing on Apple clients

IPv6

  • Changed ICMPv6 (ND/NA) source address in some cases to match scope

L2TP

  • Allow L2TP matched incoming sessions to set payload-table
  • Added colours to tunnel and session status

Logging

  • Fix possible syslog buffer overrun

Pcap

  • Improved pcap "self exclude" to only exclude the actual TCP session traffic of the dump, not all traffic to/from the IP of the browser as before

PPPoE

  • Minor change to PPPoE timeout logic - could be disrupted by frequent profile changes

RADIUS

  • Platform RADIUS server ERX parameters now tagged if part of tagged response

Routing

  • Improve some logic where table 0 has no routes and is totally mapped via rule-sets (e.g. s/w upgrades, etc)

Telnet

  • Option to configure custom telnet prompt

TLS

  • Fix lockup at end of stream on TLS connections

VRRP

  • VRRP low-priority mode (e.g. for profile off) caused flapping

Web control pages

  • User setting to hide "save" button in config edit (i.e. has to do "test" first).
  • Added Content-Language to avoid some browsers offering to translate control pages
  • CSS update
  • Adjust initial timeout to allow for slow TLS handshake
Built 2018-08-22
Older factory release
1.49.000 (Belladonna)

Release notes from Factory release 1.48.101 to Factory release 1.49.000

BGP

  • Added startup delay for sending BGP announcements to make for cleaner reboots when used as part of a part

Config

  • Tweaked factory default LAN firewall rule to allow from FireBrick to LAN (needed for VoIP)
  • Removing Ethernet port config now sets port back to default settings

CQM

  • Tweak graph logic - was not working if only selecting ave or max latency to show on SVG

FB105

  • Fix internal-ip on fb105 tunnels routing

HTTP

  • Changed HTTP redirect logic to better handle cases where some port mapping is used in front of the web control pages

IPv6

  • Added DNSSL (search list) to RA settings on subnet

L2TP

  • Minor change to handle low buffer scenarios better

Logging

  • Fixed UTC timestamp on logs (was local time with Z suffix, sorry)

PPPoE

  • PPPoE can now be linked to physical port for direct connection to modem - resetting the port when PPPoE goes down (fixes bug in some modems)

SNMP

  • Various SNMP updates
  • bgp and l2tp now support SNMP treewalk
  • Vendor-specific SNMP for BGP and L2TP reorganized to follow standard table construction. ***NOTE*** this will affect customers using SNMP with BGP/L2TP
  • Add CPU buffer free counts to SNMP statistics

VoIP

  • Tweak for REFER logic, allow refer to match user details with no password (i.e. check IP)

VRRP

  • Corrected VRRP v3 checksum - UPGRADE BACKUP ROUTERS FIRST

Watchdog

  • Watchdog detection of CPU1 failure (CPU1 stuck) modified to allow recovery, hopefully giving better diagnostics

Web control pages

  • New css for mobile use
  • Fix wizard when email specified as it caused save error
  • New control of whether logs on web/cli include system logs or not (default not, except for "default" log after factory reset)
  • Config edit not working when clock not set, fixed.
  • Recovery config edit now prompts to save even when no changes as it is not the "live" config
  • Minor improvements to web control pages (extra classes, etc)

Web UI

  • Add TCP throughput diagnostic
Built 2018-06-22
Older factory release
1.48.101 (Avarelli)

Release notes from Factory release 1.47.100 to Factory release 1.48.101

ACME

  • Install root certificates for use with Let's Encrypt and ACME
  • Better error logging
  • Full ACME system to work with Let's Encrypt

BGP

  • Updates BGP refresh options including sending refresh request
  • Additional BGP shutdown subcodes added
  • Some additional debug for BGP

Config

  • Config top level attributes now include username and ip of last update
  • Config top level attributes now include serial number and version, but normal edit screen no longer has xmlns and xsi
  • IP groups can now reference subnets by name (including DHCP client subnets)

Crypto

  • New key generation logic in place for ACME and related functions
  • Avoid crash soon after startup following auto key generation

Flash

  • Fix incorrect detection of flash timeout on heavily-loaded system

https

  • Self signed certificates as fallback for initial set up via https

Internal

  • Fix occasional lockup/crash during stream processing
  • Additional stats for entropy collection

IP

  • Increase pending ARP cache and drop if overloaded rather than sending spurious ICMP errors

IPv6

  • Change some logic to reduce use of 2002:: 6over4 addresses as source addresses where possible

L2TP/RADIUS

  • Tweaks to expected timeouts on RADIUS (e.g. for L2TP or session steering) and change default to min timeout 2 seconds total
  • More control of RADIUS timeouts for ad-hoc RADIUS from RADIUS response for L2TP session steering
  • Improve outgoing L2TP handling where target is hostname

Logging

  • Change to outgoing email timeout (spam scans and the like can take a while) RFC5321 4.5.3.2
  • Colour on web log not always correct

PPP

  • Send NAK asking for MD5 on receipt of non MD5 CHAP request

RADIUS

  • RADIUS client allowing fixed source-ip, and for ad-hoc L2TP steering uses L2TP source IP if set
  • Fix L2TP relay steering RADIUS min/max timeouts (5/20 not 20/5)

Web control pages

  • Change layout of rule-set
  • Changed logic for self signed certificates, and made more transient in certificate store
  • Limit number of self signed certificates to reduce clutter, and avoid possible "make millions of certificates" attacks
Built 2018-04-19
Older factory release
1.47.100 (Zander)

Release notes from Factory release 1.46.100 to Factory release 1.47.100

Authentication

  • Interface can be marked "wan" to consider it not local for "local-only" access controls
  • Added advice on printing and storing QR code in case phone fails

BGP

  • New "grey hole" community tag for IBGP to pass blackhole routes that have no-fib set, so routes get to EBGP for external blackhole announcements
  • More info on BGP peers

Config

  • Config editor did not show advanced selected option entries that are blank if without Show all

Config editor

  • Adjust timing on config edit as firefox keeps saying edited by someone else

CQM

  • More slight tweaks - edge case of SVG for unknown CQM graph (i.e. blank graph) with title text enabled caused a crash...
  • Slight changes to SVG (slightly bigger) to add id to some fields and include off image (cropped) data to allow some post processing (e.g. merging graphs)
  • CQM SVG now includes option for markers on the tx/rx lines like the old PNGs did - by popular demand, CSSable.
  • SVG CQM graphs did not show "damping"

DHCP

  • DHCP client Class and Client-Identifier now configurable
  • Minor tweaks to DHCP server as per RFC6842 (correctly returning client ID)

Internal

  • Fix incorrect flash log replay output at system startup
  • Minor change to low buffer checks for TCP management interfaces and L2TP

L2TP

  • PPP LCP restart if not negotiated after 30 seconds and an LCP restart has not been tried already
  • Added RADIUS Framed-IPv6-Prefix
  • Option to mark an L2TP session as isolated, i.e. not allowed to pass directly from another L2TP session
  • Added relay-local-ip config for L2TP to control the IP used for relaying connections, and extra debug info
  • Tweak behaviour if all RADIUS servers not responding
  • Malformed L2TP packet could cause crash

LEDs

  • Ensure LEDs start up in cycling (knightrider) mode

Logging

  • Syslog missing NILVALUE for structured data
  • Some additional logging for impossible packet headers requiring split for MTU
  • Tweak to delayed logging (email) so it may send on controlled shutdown

Manual

  • Corrected explanation of trusted, local-only, and allow controls in manual
  • Updates to manual covering scripted access and special URLs

Ping

  • Show ping/traceroute response coming back on wrong table

PPPoE

  • PPPoE was not handling priority tagged VLAN packets well
  • Tweak to PPPoE client back-off when connections start but don't complete

Profiles

  • Profiles now allow checking of outgoing L2TP tunnel state

Routing

  • Changed linked routes display, e.g. for L2TP sessions, to be more logical

SNMP

  • SNMP was not respecting profile setting

SVG

  • Minor SVG tweaks to save space
  • Extra info in SVG to aid post processing

Telnet

  • Fix instructions on telnet config import. It ends with ^D or a line with just a dot on it

USB

  • Remove unnecessary logging

Web control pages

  • https support introduced. Should now support most modern browsers. Limited certificate management.
  • Change of monospace font
  • Dynamic status of ports
  • Started work on initial config wizard
  • Warning for config edited by someone else now advises IP and name of other user(s)
  • Tidy layout of config edit for system settings
  • Option to skip the setup wizard
  • DHCP clear all unused now operates per interface
  • Colour picker was not working for named colours (also, added "orange")
  • Additional security related http headers added with sensible defaults
  • Change ajax sync logic on config edit to be neater
  • TLS: Added AEAD-GCM cipher suites - now get an "A" rating with Qualys SSL Labs test.
  • Can now specify a list of possible certificates to be used for https in http config
  • The logs page was not working when you only had one log target. Given system defaults to two to start, this is rare!
  • Save button appearing on key press in a field, and not just when leaving field - so more obvious
  • Slight re-order of the config to be a little easier to follow

Web UI

  • More compact SVG for CQM and QR codes
  • Status shows current NTP status, i.e. reports if no time server set, DNS not working, etc.
  • DHCP status now lists interfaces and shows per interface rather than all in one table
Built 2018-04-11
Older factory release
1.47.010 (Zander)
[Withdrawn]
This release has been withdrawn.

Release notes from Factory release 1.46.100 to Factory release 1.47.010

Authentication

  • Interface can be marked "wan" to consider it not local for "local-only" access controls
  • Added advice on printing and storing QR code in case phone fails

BGP

  • New "grey hole" community tag for IBGP to pass blackhole routes that have no-fib set, so routes get to EBGP for external blackhole announcements
  • More info on BGP peers

Config

  • Config editor did not show advanced selected option entries that are blank if without Show all

Config editor

  • Adjust timing on config edit as firefox keeps saying edited by someone else

CQM

  • More slight tweaks - edge case of SVG for unknown CQM graph (i.e. blank graph) with title text enabled caused a crash...
  • Slight changes to SVG (slightly bigger) to add id to some fields and include off image (cropped) data to allow some post processing (e.g. merging graphs)
  • CQM SVG now includes option for markers on the tx/rx lines like the old PNGs did - by popular demand, CSSable.
  • SVG CQM graphs did not show "damping"

DHCP

  • DHCP client Class and Client-Identifier now configurable
  • Minor tweaks to DHCP server as per RFC6842 (correctly returning client ID)

Internal

  • Fix incorrect flash log replay output at system startup
  • Minor change to low buffer checks for TCP management interfaces and L2TP

L2TP

  • PPP LCP restart if not negotiated after 30 seconds and an LCP restart has not been tried already
  • Added RADIUS Framed-IPv6-Prefix
  • Option to mark an L2TP session as isolated, i.e. not allowed to pass directly from another L2TP session
  • Added relay-local-ip config for L2TP to control the IP used for relaying connections, and extra debug info
  • Tweak behaviour if all RADIUS servers not responding
  • Malformed L2TP packet could cause crash

LEDs

  • Ensure LEDs start up in cycling (knightrider) mode

Logging

  • Syslog missing NILVALUE for structured data
  • Some additional logging for impossible packet headers requiring split for MTU
  • Tweak to delayed logging (email) so it may send on controlled shutdown

Manual

  • Corrected explanation of trusted, local-only, and allow controls in manual
  • Updates to manual covering scripted access and special URLs

Ping

  • Show ping/traceroute response coming back on wrong table

PPPoE

  • PPPoE was not handling priority tagged VLAN packets well
  • Tweak to PPPoE client back-off when connections start but don't complete

Profiles

  • Profiles now allow checking of outgoing L2TP tunnel state

Routing

  • Changed linked routes display, e.g. for L2TP sessions, to be more logical

SNMP

  • SNMP was not respecting profile setting

SVG

  • Minor SVG tweaks to save space
  • Extra info in SVG to aid post processing

Telnet

  • Fix instructions on telnet config import. It ends with ^D or a line with just a dot on it

USB

  • Remove unnecessary logging

Web control pages

  • https support introduced. Should now support most modern browsers. Limited certificate management.
  • Change of monospace font
  • Dynamic status of ports
  • Started work on initial config wizard
  • Warning for config edited by someone else now advises IP and name of other user(s)
  • Tidy layout of config edit for system settings
  • Option to skip the setup wizard
  • DHCP clear all unused now operates per interface
  • Colour picker was not working for named colours (also, added "orange")
  • Additional security related http headers added with sensible defaults
  • Change ajax sync logic on config edit to be neater
  • The logs page was not working when you only had one log target. Given system defaults to two to start, this is rare!
  • Save button appearing on key press in a field, and not just when leaving field - so more obvious
  • Slight re-order of the config to be a little easier to follow

Web UI

  • More compact SVG for CQM and QR codes
  • Status shows current NTP status, i.e. reports if no time server set, DNS not working, etc.
  • DHCP status now lists interfaces and shows per interface rather than all in one table
Built 2017-11-26
Older factory release
1.46.100 (Yorick)
[Breakpoint]

Release notes from Factory release 1.45.001 to Factory release 1.46.100

ARP

  • Proxy ARP/ND logic was causing proxy ARP even when routing is to a next hop on same LAN, and so hijacking all IPs
  • Improvements to ARP handling - reduce chances of unexpected no route to host on first packet

ARP/DHCP

  • Timing improvements to prevent corner case of IP not getting allocated if recently unused

BGP

  • Export filters were not checking community fields on non BGP originated routes (e.g. locally generated with community tags)
  • Show more clearly when BGP has hit prefix limit (we don't drop BGP on that)
  • Added reduce-recursion option to BGP
  • No fib option on Blackhole routes (EBGP only and non FIB)

CLI

  • Eth/Switch stats display layout improved
  • Command completion was not working correctly
  • show tasks allows stack trace information for debug

Config

  • Minor change to factory reset config (WAN port name changes)
  • Port LED config option "Cycling" removed. [May be reinstated in the future.]
  • Config edit was reporting that someone else had changed config, on save...
  • Minor change to way simultaneous config changes are reported on web pages

CQM

  • SVG for CQM graphs

DHCP

  • Additional DHCP logging, and (debug) logging if seems to be another DHCP server present
  • Improved logging when no IP is available to help with diagnosis
  • Fix problem where wrong restricted dhcp entry could be used

DNS

  • Option to turn off local caching of relayed DNS lookups
  • DNS response times made a bit more adaptive to handle cruise ship levels of internet latency
  • DNS config allows resolvers table to be specified without restricting access to DNS caching function
  • Tweaks to DNS handling capacity for high load
  • Some aspects of local DNS were case sensitive, fixed
  • Fix for local IP (e.g. my.firebrick.uk) not returning A record when IPv6 DNS used, and other way around.

Ethernet

  • Fix slow port initialisation on image reload

Internal

  • Another modification to interrupt management to help with overload
  • Changes to image timestamp processing to avoid occasionally seen wild timestamps way in the future.
  • Improved error detection and recovery in legacy flash driver

L2TP

  • Changed L2TP tunnels to have two separate "LIVE" states on web page and on SNMP, one for incoming and one for outgoing tunnels
  • New L2TP config option to allow both LAC and LNS as NAS IP and port in RADIUS
  • Allow RADIUS relay response to have #port on end of IP/hostname for non standard RADIUS auth port
  • Added additional SNMP L2TP for session negotiation slots that are free: iso.3.6.1.4.1.24693.1701.2.10
  • Using web page to kill L2TP session bypassed normal RADIUS accounting for closing session

LEDs

  • LED driver restructuring and timing improvements

Logging

  • Added email address to config - used as Reply-To on email logs
  • Rework of web logging to use web sockets and better layout, and allow download

NAT

  • Changed NAT logic to have longer session timeout after TCP closes to avoid accidental re-use of ports in FIN WAIT

PPP

  • Buffer leak in edge case where PPP negotiation is closing IPCP and failing the session

PPPoE

  • DHCPv6 over PPPoE server was broken, fixed
  • PPPoE server (BRAS mode) now allows calling station ID prefix for sending to RADIUS

RADIUS

  • RADIUS server matching rules can be set to continue on match, allowing multiple stages of settings if needed
  • Added additional Juniper parameter to steering RADIUS for L2TP via TalkTalk newer platform
  • Added additional check on NAS-IP in steering RADIUS for L2TP via TalkTalk newer platform
  • Platform RADIUS nas-ip match was not right

s/w upgrade

  • Delay up to 15 mins to give FB a chance to get the time before performing an auto upgrade; Correct logic for checking if image already present in flash.

Serial CLI

  • Ignore linefeed characters on serial line input - some serial converter servers send these unnecessarily

SNMP

  • SNMP 1.3.6.1.2.1.2.1.0 was not working

Web UI

  • Sometimes the login page could show a corrupt hostname for connecting host (reverse DNS)
  • Changed to use svg for images because of higher res screens and scalable mobile screens
  • Change form entry timeout to match login timeout (if set, else 5 minutes as now)
Built 2017-02-16
Older factory release
1.45.001 (Ximenes)

Release notes from Factory release 1.44.000 to Factory release 1.45.001

DNS

  • Possible rare quirk that could cause a DNS resolver to be ignored/blocked

Internal

  • Improve OS interrupt scheduling to reduce possibility of panic under heavy load
  • Change of default value in new ethernet interrupt code config to address possible latency issue under load

IPv6

  • When turning off RA we were sending an RA making prefixes valid for infinity rather than 0

L2TP

  • RADIUS interim stats would repeat last stats a lot of the time if few active sessions

Profiles

  • Forcing a config load which has a reference to non existent profile could cause a crash

Routing

  • L2TP source routing check could, in some cases, cause a crash if routing for IP is primarily via different route (e.g. BGP) with L2TP as fallback

Web UI

  • Packet dump was blocking other forms on web interface whilst running (error 409), fixed
  • Allow certificate download if read access to config, and only show cert actions if available to user
  • Removing 2FA could result in a crash, fixed
  • Logging for http does not log every web page access on normal logging now, that is on debug logging
Built 2017-02-13
Older factory release
1.45.000 (Ximenes)
[Withdrawn]
This release has been withdrawn.

Release notes from Factory release 1.44.000 to Factory release 1.45.000

DNS

  • Possible rare quirk that could cause a DNS resolver to be ignored/blocked

Internal

  • Improve OS interrupt scheduling to reduce possibility of panic under heavy load

IPv6

  • When turning off RA we were sending an RA making prefixes valid for infinity rather than 0

L2TP

  • RADIUS interim stats would repeat last stats a lot of the time if few active sessions

Profiles

  • Forcing a config load which has a reference to non existent profile could cause a crash

Routing

  • L2TP source routing check could, in some cases, cause a crash if routing for IP is primarily via different route (e.g. BGP) with L2TP as fallback

Web UI

  • Packet dump was blocking other forms on web interface whilst running (error 409), fixed
  • Allow certificate download if read access to config, and only show cert actions if available to user
  • Removing 2FA could result in a crash, fixed
  • Logging for http does not log every web page access on normal logging now, that is on debug logging
Built 2017-01-11
Older factory release
1.44.000 (Warbler)

Release notes from Factory release 1.43.001 to Factory release 1.44.000

PPP

  • Ignoring unknown PPP/LCP protocol reject now
  • Closing PPP if IPv4 and IPv6 terminated or rejected

PPPoE

  • Rework of service name matching and PADO/PADS response logic for PPPoE

Web UI

  • Factory reset state not working due to new security measures means factory reset bricks cannot be configured via web interface, only telnet
  • Fix individual DHCP kill button which was not allowing unexpired or locked entries to be killed, and correct typo!
Built 2017-01-05
Older factory release
1.43.001 (Vixen)

Release notes from Factory release 1.42.100 to Factory release 1.43.001

Authentication

  • Made web & telnet login prompt for OTP authenticator code so can be entered separately from password

DHCPv6

  • Tested on Zen IPv6 PPPoE/DHCPv6 - addressed a number of issues, now working

Ethernet

  • Improve ethernet receive processing and CPU load monitoring

L2TP

  • Additional RADIUS logging for RADIUS based steering

Sampling

  • Introduce packet sampling (IPFIX/sFlow) [not yet documented]

SNMP

  • Named shapers were not returning actual stats

Web UI

  • Did not show new bootloader as available on status upgrades page
  • New password change menu to simplify password change and to allow users without config save access to update their password
  • Added QR code and suggested key to OTP set up
  • New simpler OTP set up
  • Removed OTP check on config recovery mode - given physical access needed and likely clock not set
  • Cross site scripting checks on web forms
Built 2016-11-01
Older factory release
1.42.100 (UncleYap)
[Breakpoint]

Release notes from Factory release 1.41.000 to Factory release 1.42.100

BGP

  • Subtle recursive next hop check logic error where DeadEnd community tagged routes used

CLI

  • Increase CLI regexp buffer to support lines up to 300 characters
  • Fix lockup problem when doing command completion
  • Debug command for DNS cache

DNS

  • Bug in DNS caching that could have caused other side effects in other systems - fixed
  • Custom DNS responses can now be restricted to specific interfaces
  • More aggressive DNS cache expiry where multiple entries have different TTL
  • Better cache handling when being flooded with requests to cache limit
  • Slightly more aggressive clean up of domains with expired cache or caching limits reached

L2TP

  • Allow config of advertised receive window
  • Avoid sending CDN or other session related messages once a CDN is received
  • Better handling of zero length username and zero length passwords in proxied authentication
  • Graph names not showing on L2TP sessions immediately after connect
  • Option for local LCP echo handling in middle of L2TP relayed connection
  • Edge case of L2TP with PAP and auth-name but no auth-resp (assumed no/null password) which was not doing RADIUS
  • Change when relaying L2TP with null password and PAP to send null password in an auth-resp
  • L2TP relay to send auth even for zero length login
  • Fix bug with showing L2TP routing

Logging

  • Logging of config changes was not working correctly if system log-config was set

SNMP

  • Added some missing stats; Implemented Admin/Oper status reporting for ports; Improved port and interface naming.

Web UI

  • Subnets status page now shows portgroup name in Port column
  • Port group names shown on port status
Built 2016-05-08
Older factory release
1.41.000 (Taupi)

Release notes from Factory release 1.40.000 to Factory release 1.41.000

BGP

  • New dead-end-community used to propagate routes within IBGP that are dead ends (e.g. nowhere or network)

Firewall

  • Fix to NAT64 logic where target is nowhere/network

L2TP

  • If RADIUS overwrites the proxy auth logic to change auth type then change proxy last LCP tx
  • Change logic for dummy auth on L2TP to wait for LCP negotiation to complete before RADIUS allowing proxy LCP details to pass to relayed connection

Routing

  • Changed internal routing logic for "next hop" based routes to be more efficient
Built 2016-04-26
Older factory release
1.40.000 (Shed)

Release notes from Factory release 1.39.000 to Factory release 1.40.000

ARP

  • Minor tweaks to ARP timing

BGP

  • Tweak next hop in some cases - review against RFC
  • Show BGP sessions that are down by profile as shutdown in peers list
  • Manual shutdown, albeit deprecated, was not working to close existing BGP sessions
  • Simplified the XML for BGP status, all peers list as <peer.../> now.
  • When originating routes from a 32 bit AS number via a 16 bit AS BGP session was not sending AS4_PATH
  • BGP tweak, allow incoming BGP in IDLE state

CLI

  • Command line completion could complete keyword arguments incorrectly

IP

  • Allow UDP to VRRP address - used for DNS, and RADIUS, etc.

IPsec

  • Fix crash when certificate named in connection is missing

L2TP

  • Incoming L2TP config allow any table if table attribute not set
  • Allow outgoing source IP setting on outgoing L2TP tunnels
  • RADIUS directed session steering for L2TP needs to use the specified table
  • Speed sanity check - do not believe L2TP speeds at or below 10kb/s as valid
  • Don't close tunnel on an out of order control packet showing backwards Nr sequence
  • Some more options for RADIUS to overwrite password on L2TP relay

LACP

  • Adjust port ID used in LACP to start from 1, to avoid port 0 being used

Routing

  • Improve route caching update on deep recursive routes changing

SNMP

  • iso.3.6.1.2.1.31.1.1.1.1. (ifName) corrected as was a Counter64 not a String
  • Corrected counters for broadcast and multicast packets to 32 bit
  • Fix return ordering in bulk get requests; improve encoding of integer values

TCP

  • Do not perform TCP MSS fixups on MD5-authenticated sessions

Web control pages

  • Minor tweaks to status pages
Built 2016-03-20
Older factory release
1.39.000 (Rufus)

Release notes from Factory release 1.38.001 to Factory release 1.39.000

CLI

  • Add command output filtering capability to CLI (telnet and serial link)
  • Fix crash in CLI when default logging is set to console
  • The "show route" and "show routes" commands have been combined to avoid ambiguity; If '?' is used to output command details the command help info is displayed, unless all commands are listed

DHCP

  • DHCP relay/remote server logic
  • Tidy up DHCP logging messages
  • Tweak for FireBrick as a DHCP client working via DHCP Relay Agents

DNS

  • Timeout of long-latency replies from DNS servers was flawed.

Ethernet

  • LACP send and receive/status
  • LLDP send and receive/status
  • Port trunking options (with or without LACP)

L2TP

  • Uplink speed control per connection
  • Change to way hashes are handled for session steering

LACP

  • Option to control the hashing used for trunking
  • Default LACP mode is passive for non trunked ports as some switches are strange

NTP

  • Better error logs for NTP / clock setting
  • Better NTP back off logic
  • Option for fast-retry for NTP until clock first set

PPP

  • Better timing of PPP LCP when using dummy auth (no authentication)

PPPoE

  • Tweak PPPoE Host-Uniq

Profiles

  • Change to profiles use of and/or/not so these are tested on the "interval" rather than being immediate in some cases

Routing

  • Adjust hash logic slightly

Web UI

  • Kill link on web view of L2TP sessions/tunnels
Built 2016-02-14
Older factory release
1.38.001 (Quantum)

Release notes from Factory release 1.37.002 to Factory release 1.38.001

Ethernet

  • Don't log transmit queue full errors (txqfull) caused by physical port being down

VRRP

  • Correct issue with VRRP ARP replies in some cases
Built 2016-01-14
Older factory release
1.37.002 (Paul)

Release notes from Factory release 1.36.002 to Factory release 1.37.002

BGP

  • Handle blackhole routes better - having an ingress and egress tag for blackhole routes
  • BGP rule override of pad was not working
  • Extra debug

Config

  • Default user password generation now salted SHA256

Config editor

  • Better handling of messages when test saving config with errors
  • Turn off autocomplete on config editor as causing issues

DHCP

  • Tweak DHCP server to use chaddr field not source MAC
  • Tweak to DHCP to allow renew of IP where ARP shows MAC as matching either chaddr or source MAC of request
  • Improved algorithm for selecting which restricted IP pools apply
  • Added a bit of sanity check on DHCP renew/expiry values received
  • Change DHCP retry to restart back off at expiry
  • DHCP log of moving IPs between interfaces was crashing, fixed
  • Extra debug counters for DHCP client

DNS

  • Random DNS source port for additional security
  • Incorrect ARCOUNT in cached responses when EDNS0 request used
  • Possible race condition in DNS tracking

Flash

  • Improve flash scheduling; should fix occasional "Bad end read" crashes.
  • Fix another flash scheduling problem causing occasional crashes

L2TP

  • Changed overload logic for unresponsive LNS to better handle when LNS is relayed/outgoing connections
  • RADIUS auth sends original tx speed, not adjusted, which fixes issues when multiple authentication done on same connection
  • Allow overwrite of existing User-Password in RADIUS auth response (for PAP and CHAP use on relayed tunnel connection)
  • Relayed tx speed in connect info now reflects speed as updated by RADIUS, not original.
  • Fatal tunnel sequence errors now close tunnel
  • Tweak not to send ZLB in reply to message if the message causes a reply to be sent anyway
  • Allow session to be marked blackhole routed ('D' filter)
  • Added debug logging for DOS detection to show pps
  • L2TP clearing of dead tunnels improved (some edge cases left tunnels never clearing)
  • Internal stats cache clear on L2TP session start
  • RADIUS Accounting to show Connect based on actual speed, not original L2TP speed
  • Show when routes suppressed in L2TP session status
  • Additional LCP control (data len) for screwy Samsung LACs that don't cope with zero len
  • Send LCP TERM ACK reply when closing

L2TP/PPP

  • Change to allow non auth incoming L2TP to send RADIUS to validate as a "dummy authentication"
  • Stall (no reply) IPCP / IPV6CP if waiting on RADIUS, as can happen for dummy auth
  • Better handling of proxied LCP negotiating no authentication
  • Tweak to RADIUS accounting for reaching quota - possible race condition when very low usage LNS
  • Fix for cache condition on stats collection in very low usage LNS

Ping

  • Ping diagnostics "loss" stats were including ICMP errors as well as correct responses

PPP

  • Allow PPP LCP to negotiate unauthenticated (LCP rejecting AUTH)
  • Don't do IPCP whilst waiting on RADIUS (relevant for null auth)
  • PAP Ack/Nak with zero message now sends zero message len not zero data
  • Checking proxy LCP now accepts stupid LACs that claim to neg longer PAP/CHAP LCP messages if they otherwise look OK

PPPoE

  • Tweak PPPoE client to change Host-Uniq as some systems misbehave if always the same
  • PPPoE was not authenticating, fixed

Routing

  • Next hop feasibility checking failed to spot when an Ethernet next hop stopped answering ARPs
  • Next hop logging is now separate system log target

Stats

  • One-second CPU stats output is now synchronized to UTC time

Web control pages

  • Status/Subnets now shows the interface headings

Web UI

  • Improve diagnostic if s/w upgrade fails
Built 2015-04-29
Older factory release
1.36.002 (Orlando)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.35.001 to Factory release 1.36.002

Authentication

  • Not upgrading passwords to SHA256+15, but to SHA1+3 so backwards compatible if code reverts

BGP

  • Replacement routes with different flags were treated as no change
  • Fix mishandling of ORIGINATOR ID when not sent
  • Tweak to remove non standard tie break logic in BGP code
  • Cluster ID, Cluster List and Originator ID now only sent where source is IBGP

Config

  • Certificate management extended

CQM

  • Tweak URLs for images of graphs to allow for graphs that look like a URL and break some browsers
  • Change logic for adjusting shared shapers when hitting limits to favour unit dropping most packets more

IPsec

  • Add debug logging of IP allocations

Logging

  • Logging of panic message was not working correctly - fixed.

Manual

  • Added some more IPsec doc and corrected some other minor typos in manual

Ping

  • Added ping stats on ping command line and web (was already in XML)
  • Web/command line ping stats showed wrong average

PPP

  • Tweak to try and handle case of CHAP final reply having been missed, and reprocess duplicate CHAP response

Routing

  • Diagnostics for routes shows reason for ordering

Web UI

  • Ticking the check box for an optional multiple select input (set) with one member pre-sets the only member as selected
Built 2014-12-03
Older factory release
1.35.001 (Nestor)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.34.000 to Factory release 1.35.001

BGP

  • Added import-filters and export-filters and named bgp rules to config
  • Withdraw of non existent route may cause parent route to be mistakenly withdrawn

Config

  • Check each interface has a unique port/vlan setting. Invalid configs will still load on bootup but must be corrected before resaving.
  • Storage and management of certificates and keys added (cannot be used effectively yet).

DHCP

  • Improved DHCP clear command and added link to clear all old DHCP

PPPoE

  • Tweak to PPPoE startup sequence

Profiles

  • Added setting for expected (good) state of a profile, showing as green in status if expected, and listed unexpected on home page
  • Added profile to fixed ping graph config, and made ping on interface subject to interface profile
  • Control switches no longer show by default on NOBODY level users or those without full config access unless specifically listed in the control switch users

TCP

  • Fix TCP session stalling on large fast transfers

Web control pages

  • Added "add" to home page links list as order matters
  • Changed list of radius steering settings to show "ip" in list as important field
Built 2014-10-24
Older factory release
1.34.000 (Mercury)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.33.000 to Factory release 1.34.000

BGP

  • Route show lists exports via BGP peers
  • Better change detect on BGP config changes and better logging of changes causing BGP restart

CQM

  • Updated graph names to 40 characters max, and allow colon in graph name

Flash

  • Avoid watchdog during flash write when CPU is busy

Internal

  • Improve scheduling control when CPU is busy
  • Fix occasional glitches when monitoring power levels

L2TP

  • L2TP/RADIUS not trying second choice when first is blacklisted

Logging

  • Detect closed browser window, and close TCP session, when displaying log

Routing

  • Better next hop change detect logic (less trigger happy on config changes)

TCP

  • Add status display for TCP sessions (debug level users)
  • Correct connection timeout detection for rare corner cases. Improve TCP status display.
  • Add buffered data counts to TCP status display
  • Add window sizes to TCP status display
  • Fix TCP session hangs caused by packet drops in uncommon situations
  • Add TCP SYN cookie handling to mitigate SYN flooding
Built 2014-10-09
Older factory release
1.33.000 (Lucifer)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.32.000 to Factory release 1.33.000

BGP

  • Delay BGP announce until FIB update started for route in question to minimise black holes
  • Further work deferring BGP announce until routes in FIB
  • Faster BGP withdrawal
  • BGP export stats to count "default" when send-default is set
  • Change of send-default restarts BGP session
  • Change of send-no-routes correctly withdraws routes, no session restart
  • Change to use-vrrp-as-self now correctly re-announces the changed next hop
  • Possibly trigger happy BGP keep alive check when lots of peers, fixed
  • Balance load better on rx traffic between peers

DHCP

  • DHCP server now does not send default router, subnet, lease, renew, syslog, timed, ntpd, domain, domain-search, if there are manually configured response attributes for these
  • DHCP server no longer sends "name" attribute as host-name (12). Configure as an extra string attribute if required

Diagnostics

  • Showing routes was truncating if too many routes - buffer size increased

General

  • Better logging to flash of source of s/w load or reboot commands

Internal

  • Adjust buffer pool sizes and thresholds to avoid buffer depletion
  • More buffer count stats added to TCP

Monitoring

  • Check voltage readings from ADC for consistency.

PPP

  • Tweak to avoid resend of CHAP response to challenge if LCP restarted

Routing

  • Avoid route updates hogging all CPU

TCP

  • Improved congestion control and loss recovery
  • Fix problem with TCP window calculation causing buffer overload

TCP/BGP

  • Avoid BGP sessions being aborted by TCP if buffers run out

VRRP

  • Delay VRRP startup while route updates pending
  • Longer startup (uses configured delay when routes are updating)
Built 2014-09-17
Older factory release
1.32.000 (Klingsor)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.31.000 to Factory release 1.32.000

BGP

  • Making BGP keep-alives higher priority, in case of really heavy BGP load
  • Fix race condition allowing BGP peer to vanish in rare conditions
  • Improved BGP shutdown sequence announces lower priority before withdrawing routes on shutdown
  • Shortened the BGP shutdown so it does not send the clears after the low-priority
  • Added configuration of BGP shutdown logic

Ethernet

  • Add new Ethernet DoS-detection parameters to config

General

  • Several minor internal changes that should improve stability

Internal

  • OS Stream and TCP restructure

IPC

  • Tweak IPC thresholds to avoid ipcbusy happening and hence annoying error logs

IPsec

  • Peer IP added to log messages

L2TP

  • Fix for NAT via outgoing L2TP connection
  • Crash if too many graphs created with L2TP
  • RADIUS L2TP Relay for steering was sending zero length Proxy-State which is not valid
  • Outgoing tunnel did not come up / go down on profile change

Logging

  • External syslog now only includes general system log messages if specifically configured to do so
  • Fixed issue with logging causing occasional bad buffer address panics
  • Improve logging efficiency and avoid dropped log messages
  • Minor improvement to power level logging
  • Fixed http logging of graph URLs

PPP

  • PPP challenge response resend on no accept/reject response

Routing

  • Path/community fixed settings in routing config with multiple IPs listed caused error on memory allocation
  • Improved checking for route loops

Serial port

  • Fix serial port driver following internal stream handling changes

TCP

  • Tidy TCP MSS handling. Allow minimum MSS to be as low as 200.
  • Further TCP stack enhancements
  • Fix windowing problem - possibly causing slow transfers
  • Send window updates more often - improves BGP performance

VRRP

  • Fix bug in vrrp shutdown that was slowing down other shutdown processes

Web UI

  • Show current stack usage as well as HWM in thread stats
Built 2014-08-08
Older factory release
1.31.000 (Janus)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.30.001 to Factory release 1.31.000

  • URLs fetched from the FireBrick for any reason now handle IP literals.
  • Option for URL to GET before a controlled reboot - mainly to warn nagios

DHCP

  • Minor tweaks to make NAK meet later RFCs

DNS

  • DNS fallback (default on) allows use of other tables for local lookups within the firebrick

Ethernet

  • Increased MTU to around 4k

Internal

  • Increase stack sizes and make route loop counter an error counter

L2TP

  • Fix for steering RADIUS response - was causing RADIUS to lock up totally
  • RADIUS options to control long term shapers for L2TP sessions

Logging

  • Avoid crash when displaying logging using CLI
  • Fix crash when displaying logs using colours

TCP

  • Ongoing TCP improvements. Minor functional changes - mod to initial MSS calculation; TIME-WAIT time reduced.
  • TCP restructuring to prepare for enhancements. Includes fix for failure to resend lost SYN introduced recently.
  • Fix failure to send MSS option with SYN

Web control pages

  • Latest Safari adds xmlns attributes on every element for no apparent reason, was breaking web config edit. Worked around
Built 2014-06-03
Older factory release
1.30.001 (Icarus)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.29.000 to Factory release 1.30.001

  • Release candidate

Config

  • Fix profile "traffic lights" in config edit (did not change state on some browsers)

Config editor

  • Minor typos in config edit

Diagnostics

  • Ping and Traceroute now accessible using GET as well as POST. GET assumes XML output
  • Fixed crash when more than one ping or traceroute diagnostic was run concurrently

DNS

  • DNS resolution and caching is now routing table specific
  • DNS fallback option - for incoming requests if no server in required routing table relay to any DNS available - default true

Internal

  • Modify timing and logging of ipc overload events

L2TP

  • Fix for race condition in RADIUS/L2TP causing crash

Logging

  • New log-config setting in system to specifically log config changes

Ping

  • Added ping stats to XML for ping/traceroute

PPPoE

  • IPv4 local end would "stick" if changed from having IPv4 to not (i.e. IPv6 only)

Profiles

  • Slight change to control switch graphic
  • A new control switch profile will now start with the initial value.
  • Control switches can now use and/or/not logic to enable them to be set or reset by other profile changes.

RADIUS

  • Fix race condition

Web control pages

  • Link to see DNS server details on IPv6 was broken URL on some browsers
  • Minor change to control switch profile images to help colour blind users
Built 2014-04-03
Older factory release
1.29.000 (Hendra)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.28.000 to Factory release 1.29.000

  • Release candidate for testing

Authentication

  • Added manual section on OTP

DHCP

  • Subnet list shows pending DHCP client subnets
  • Typo in DHCP logs

DNS

  • Min nxdomain of 10 seconds now

FB105

  • Log (rather than crash) if a badly fragmented 105 tunnel packet is received

L2TP

  • Added control of reply hostname on incoming L2TP connection
  • Added default hostname (system name) on outgoing L2TP connections

PPPoE

  • PPPoE server (BRAS) handling of standard GEA Agent Remote ID and Circuit ID as called/calling and downstream speed setting
  • PPPoE handling general VLAN tagging
  • Added text NAS-Port to RADIUS when using PPPoE "port{:vlan}/MAC"
  • PPPoE did not handle VLAN priority tagging on inbound packets
  • Some extra debug of unexpected PPPoE messages or fields

Profiles

  • Profiles can now test an ethernet port status

RADIUS

  • New section of manual explaining RADIUS client settings and timeouts

Routing

  • New source-filter-table setting on interfaces to allow separate source filtering lists to be managed using routing tables

SNMP

  • Added iso.3.6.1.4.1.24693.1 SNMP for system monitoring (voltages, temps, etc)
  • Updated manual to include FireBrick specific SNMP in appendix

TCP

  • Add debug logging for aborted TCP sessions; avoid tcp timeout control upsetting TIMED_WAIT state.

Web UI

  • Fix broken XML links in system status pages
  • Add memory block usage to system status memory page (alpha releases only)
Built 2014-01-09
Older factory release
1.28.000 (Gordius)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.27.001 to Factory release 1.28.000

Bonding

  • Minor change to bonding to minimize packet reordering on arrival

Config

  • Replaced shutdown with profile on ethernet control settings
  • Added "Test" option to config save to automatically revert if not properly saved within 5 minutes.

DHCP

  • Added domain-search attribute, as it is specially coded

Diagnostics

  • Temporary diagnostics added for tracking down odd problems

Internal

  • Introduce new flash driver - currently for alpha builds only

L2TP

  • Added option to allow relay RADIUS auth reply to specify relay to another RADIUS server for auth or session steering.
  • Further minor tweak to bonding to improve re-order issues

LEDs

  • Knightrider pattern (displayed when no ports connected) was running too slowly

Logging

  • Improve flash log replay at system startup. Should fix problem with non-detection and emailing of panic logs.

Pcap

  • pcap web interface allowing multiple select interfaces to match underlying capabilities
Built 2013-11-05
Older factory release
1.27.001 (Fidelio)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.27.000 to Factory release 1.27.001

PPPoE

  • PPPoE shows uptime
Built 2013-10-31
Older factory release
1.27.000 (Fidelio)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.26.010 to Factory release 1.27.000

Authentication

  • Allow more than one OTP with same key if different serial number

BGP

  • Corrected BGP OPEN message handling to ignore unrecognised capability advertisements
  • Additional peer level import-tag to add communities to all imported routes
  • Additional test for community not present in BGP rules
  • Additional community tagging on network statement
  • Fixed display of NETWORK route to show BGP attributes
  • Fixed as-path in NETWORK routes, was not being set
  • Added as-path and tag to loopback
  • Updated BGP decision process to handle differentiation of route reflectors
  • Added additional info in show route for RR
  • Fix show bgp routes command (was crashing)
  • Added command to refresh outgoing routes on a BGP session
  • Stopped sending additional withdraw for routes during BGP session startup
  • Fix locally generated community tags on network and loopback (was dropping last tag)
  • Added tag and as-path to blackhole and nowhere
  • BGP status shows count of exported routes as well as imported
  • Re-sends announced routes on some BGP config changes, rather than restarting BGP session
  • The send-default option sets no-export community on the default route that is sent

Config editor

  • Tidy some help text on web config

DHCP

  • Allow allocated IP on one interface to move to another valid interface for that IP for same device if no other IPs available
  • Simpler DHCP options for vendor specific (43) options

DNS

  • Change to DNS server load balancing and timeout logic
  • Status of DNS servers now on web config pages

IP

  • Better handling of UDP port allocation clashes
  • UDP/TCP port binding counters added to one second stats

L2TP

  • Adjust matching L2TP incoming config on config load based on name attribute

Logging

  • Detect failure to connect to mailserver
  • Improved route check for syslog targets to allow for NOWHERE and other silly targets to be skipped, also improved logging

PPPoE

  • Fast-retry option on PPPoE

Profiles

  • Changed control-switches to use comment on screen not name

RADIUS

  • Adjusted RADIUS timeout handling
  • Fixed show radius [ip] command

s/w upgrade

  • Improve error message if auto s/w or capability upload fails

TCP

  • Fix leak in TCP port allocation when sending log emails or downloading URLs

VoIP

  • Fix leak in UDP port allocation used, causing VoIP to eventually stop working after around 31000 calls

VRRP

  • VRRP status shows the MAC in use

Web control pages

  • Colour coded state on web list for PPPoE and RADIUS
  • Config edit better handling cases where option in pull down is no longer valid (e.g. deleted profile still referenced)
  • Fixed DHCP status name setting feature
  • Improve error message on s/w upload page
  • Minor layout improvements on login, home and status pages

XML config

  • Changed some names to be xsd type NMTOKEN not string, so removing spaces - it is possible some configs with names only differentiated by spaces may not load correctly
Built 2013-07-24
Older factory release
1.26.010 (Enigmatist)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.26.000 to Factory release 1.26.010

Config

  • Made local-only optional again and default true for http services

Profiles

  • Converting a profile to a control-switch now sets control-switch to previous profile state when config loaded
Built 2013-07-18
Older factory release
1.26.000 (Enigmatist)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.25.101 to Factory release 1.26.000

ARP

  • Change to respond to requests that are normally considered an invalid/broken configuration (seen from sharedband bonding kit)

CLI

  • ping and traceroute commands no longer need =true when specifying dontfrag or xml
  • Spacing of columnated output improved

Config

  • Allow colon, dot or hyphen inter byte punctuation in HEX in config

CQM

  • Changed to hash used for extra long graph names

DHCP

  • Fix DHCP allocation error when using 0.0.0.0/0 with multiple subnets available

Diagnostics

  • Ping and Traceroute diagnostics now have a "Don't fragment" option (for IPv4)
  • Max ping payload adjusted to ensure reply from ethernet will be accepted

Ethernet

  • Ethernet MTU/MRU max increased to 2000 bytes (default is still 1500).

Internal

  • Improve recovery from internal message overload state
  • Minor performance enhancements.

L2TP

  • Added logging in L2TP for DHCPv6 allocation
  • Updated manual pages for L2TP operation as an ISP
  • Fix missing session closing stats in some cases

Logging

  • Fixed buffer overrun issue when very long syslog messages

Manual

  • Additional work on manual - note several sections removed from FireBrick web site as they are now in the manuals with each s/w release

Profiles

  • Option for profiles based on a simple switch on home page

RADIUS

  • Added RADIUS timeout scaling factor

TCP

  • Fixed problem with generating reset packets

VoIP

  • Changed port numbers to be prefixed : not # in logs.

Web control pages

  • Fix firewall check web interface when long strings of IPv6 addresses used
  • Improved and simplified use of html and css in basic page layout
  • UI min page size changes with size of side menu
  • Improve system thread stats page
  • Changed URLs for .js and .css to be version specific to avoid cached old files showing wrongly
  • Added handling of a user set at "nobody" level, to allow access to profile switches
  • Added uptime to login screen when viewed from a trusted IP
Built 2013-06-02
Older factory release
1.25.101 (Dexter)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.25.010 to Factory release 1.25.101

L2TP

  • Make Acct-Delay optional parameter in L2TP accounting, if not sent the packet is identical on resends making duplicates easier to spot in RADIUS server

PPPoE

  • Closing PPPoE more cleanly on shutdown

RADIUS

  • RADIUS being too aggressive with retry times, and recording timeouts too quickly

Routing

  • Added lightweight source filter option on interface: "blackhole" that checks source address is routeable to anything sensible, allowing blackhole routes to block source traffic

TCP

  • TCP timeout improvements. Now less aggressive when recovering from packet drops, and in particular when faced with spoofed source TCP SYNs
Built 2013-05-27
Older factory release
1.25.010 (Dexter)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.25.001 to Factory release 1.25.010

L2TP

  • Fixed session inconsistency on relayed connections where relay fails
  • Was constantly trying accounting RADIUS on all sessions every second if no RADIUS configured or responding
  • relay-pick feature not quite right
  • Odd case of tunnels/sessions clearing with negative timers, logic changed to avoid this

Logging

  • Additional one second stats and change to the way counters are shown on them

TCP

  • Reset TCP connection on seeing badly formatted options

Web control pages

  • Fix possible lock up under constant TCP port 80 attack, now recovers quickly
Built 2013-05-25
Older factory release
1.25.001 (Dexter)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.24.004 to Factory release 1.25.001

Config

  • Changed ip= to host= in radius servers as this will shortly work for hostnames as well as IPs
  • Correct detection of which features are enabled in UI config edit
  • Added field length restriction checks on graph names

CQM

  • Long graph names are now mapped to a hash to fit within size of graph name internally
  • Removed some debug log for pings/DNS

DHCP

  • Finally found issue with "no IP available" on DHCP serving.

DNS

  • Added sanity check on TTL (1 sec to 3600) for internal caching

L2TP

  • Changed format of L2TP session IDs (same length), starts S
  • CoA/Disconnect using new "control" type field to verify requesting RADIUS server
  • Corrected RADIUS attributes used for DNS to Vendor 311 AVP 28 and 29
  • relay-nas-ip is now an L2TP setting not a RADIUS setting
  • Changed L2TP auth over to new RADIUS module
  • Fix handling of relay L2TP where tunnel password is longer than 16 characters
  • Moved L2TP start records to new RADIUS
  • Added require-radius-acct option to L2TP, clearing connection if RADIUS accounting fails
  • Major rework of L2TP RADIUS handling
  • Added table to debug for L2TP routing (when non zero)
  • The system to detect spurious post negotiation PPP chatter was picking up protocol rejects, now changed to only measure conf requests

Logging

  • Log target UI extended to enable setting of colour to be used in web log view. Critical system error counters are now logged to the system error log target every second, and by default displayed in red.

Manual

  • Some updates to manuals - reworking CLI references
  • Manual now includes L2TP AVP appendix
  • Manual now includes L2TP RADIUS AVP appendix
  • Added the config field and data type descriptions as an appendix to the manual
  • Updated command line reference in manuals

RADIUS

  • Sanity check on timing stats on RADIUS server
  • Not using blacklisted RADIUS servers
  • Internal changes to make RADIUS code more defensive to issues
  • Configurable timeouts per RADIUS server
  • Crash in some cases on RADIUS when request cancelled (i.e. due to excessive time taken)

Routing

  • Source filter option on interface to help with BCP38

TCP

  • Fixed a problem in TCP processing which could cause a hand-crafted poison TCP packet to crash the FB

Web control pages

  • Web diagnostics such as ping and traceroute would block access to graphs and some other functions, fixed

Web UI

  • Fix UI config edit layout of a normally hidden item when it has been set.
Built 2013-04-23
Older factory release
1.24.004 (Crispa)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.23.001 to Factory release 1.24.004

Config

  • Fix problems with factory default config

DHCP

  • DHCP address allocation for new devices changed to be more reliable

Internal

  • Some thread priorities adjusted.

L2TP

  • Changed default lockout timeout on relayed tunnels to 3 minutes
  • Use graph setting on local termination L2TP/PPPoE using match

Logging

  • Minor changes to default settings for system log messages

Routing

  • Changed logic for next hop checks where gateway is on multiple subnets, where at least one of which does not answer ARPs causing route to be suppressed

Web control pages

  • Changed web status pages to not show unused menus even in debug level user
Built 2013-04-20
Older factory release
1.24.001 (Crispa)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.23.001 to Factory release 1.24.001

L2TP

  • Changed default lockout timeout on relayed tunnels to 3 minutes
  • Use graph setting on local termination L2TP/PPPoE using match

Logging

  • Minor changes to default settings for system log messages

Routing

  • Changed logic for next hop checks where gateway is on multiple subnets, where at least one of which does not answer ARPs causing route to be suppressed

Web control pages

  • Changed web status pages to not show unused menus even in debug level user
Built 2013-04-19
Older factory release
1.23.001 (Bunthorne)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.22.001 to Factory release 1.23.001

Config editor

  • Improved layout in config editor for radius service

CQM

  • Off line detect on graphs with no timing (e.g. FB105 tunnels) was wrong, causing yellow traffic light
  • Added CQM logging of when graphs start and stop responding
  • Fixed use of = on numeric arguments for CQM graph URLs
  • CQM graphs corrected to show damping data
  • Redefined when keys show on graphs
  • Added additional stats to CQM XML
  • Fixed aggregate L2TP CQM graphs not showing damping, work around for older code is to add ?fud to URL
  • Percent loss not scaling properly, so wrong when under 100 pings/LCPs

Dongle

  • Fixed buffer leak and resulting watchdog panic caused by dongle negotiation repeatedly failing.

Factory reset

  • Changed factory reset to be consistent with separate LAN ports

L2TP

  • Tidy the logic for CQM on slow LCP echo to show actual sent count.
  • Changed default localpref for L2TP/RADIUS Framed-IP-Address to 0 instead of MAX. Being a /32 it is normally best route anyway, but this change allows a Framed-IP-Route /32 to set a metric where required.
  • Increase to calling and called circuit ID in negotiation of L2TP to 64 characters consistent with platform RADIUS.
  • Changed PPP negotiation to close if repeated unexpected PPP negotiation after PPP completed
  • Some additional route looping protection

Ping

  • Logging for ping graphs (e.g. DNS lookups, etc) now to CQM logging target

PPPoE

  • Fixed crash if pppod configured with no name field

RADIUS

  • RADIUS server config changed to single object type <server...> in services/radius with a type saying if authentication or accounting, etc.
  • Changed port to auth-port in services radius, and added separate control-port for dynamic RADIUS
  • Additional matching for (platform) RADIUS service (source and target IP of RADIUS request)
  • Added support to handle NAS-IP-Address in RADIUS response for L2TP to specify the local end IPv4 negotiated on IPCP - does not add routing or loopback for this
  • Platform RADIUS allows configurable secret based on matching rules
  • Platform RADIUS has option to require authenticator in request
  • Platform RADIUS supports RADIUS-Status-Server message
  • Platform RADIUS now logs the requesting IP and target IP

Routing

  • Network statement was not using profile, fixed
  • Added gateway feasibility testing to static routes in the same way as BGP routes

Subnet

  • Subnet test can report one second false positive every 3 minutes, fixed
  • Config load causes a suppressed subnet (test failed) to have false positive for one second
  • Subnets with a test would start assumed active, now changed to start assumed inactive

Web control pages

  • Added option to set Access-Control-Allow-Origin response to allow cross site javascript access to FireBrick. USE WITH CARE as could compromise your brick by remote hosted javascript re-using a login session.
  • Some menu items only shown if debug level user or if menu has some contents, specifically aimed at Status menu items for unused features

Web UI

  • Added warning on home page when a reboot is necessary to activate new features

XML config

  • Typo in help text
Built 2013-02-25
Older factory release
1.22.001 (Araucaria)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.21.001 to Factory release 1.22.001

CQM

  • Removed standard deviation from CQM graphs
  • Added reject count on ping graphs (ICMP error response) - new CQM xml definition
  • Changed fail on graph (dripping blood / red), and reject, to be percentage based

Internal

  • Fixed problem with allocation of multiple flash blocks when saving images or large configs or data. Please ensure you have a copy of the config before a manual upgrade. Save config several times on FireBrick to minimise risk of issues.

L2TP

  • Changed platform radius matching code for L2TP to handle longer challenges than 16 (now 64)

Ping

  • Slow setting on ping now defaults to auto, i.e. when no proper replies for 2 minutes, but can be set true or false

Web control pages

  • No longer shows Wholesaler on status page (unless enabled for alpha builds)
Built 2013-02-22
Older factory release
1.21.001 (Zoe)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.20.001 to Factory release 1.21.001

BGP

  • Reversed a previous change which affected network statements. Default localpref set to max as before. Could cause issues if BGP announcing and accepting own AS on external transit.

Config editor

  • Adjusted some of the help text on config edit
  • Traffic lights for profiles in config edit (on profile list and lists which reference profiles)
  • Added "(b/s)" on description for rates in config

Factory reset

  • Added PPPoE client in factory reset config on LAN as well as WAN

Firewall

  • Tweak for firewall logic where target interface is a 6 to 4 tunnel to resolve final interface

Internal

  • Change to improve shutdown / reboot sequencing and timing

L2TP

  • Extra option in L2TP relay controls allowing picking one of the relay IPs at random first
  • Slightly better debug for RADIUS count issue, use of volatile on state control, and adjust polling task

NTP

  • NTP server field name now changed name and set to default which is ntp.firebrick.ltd.uk. Please configure any preferred ntp servers

PPP

  • Fix minor discrepancy in NAK and REJ logic on PPP

PPPoE

  • Was incorrectly adding far end IP as a DNS server
  • Added some level of backoff on PADI, longer if never seen PADS

s/w upgrade

  • Longer backoff on s/w upgrade checks where no DNS available

SNMP

  • Added iso.3.6.1.2.1.1.2.0 sysObjectID

Subnet

  • When changing a subnet, a new MAC is allocated - it now picks from subnets in same port/vlan first

Web control pages

  • Username on web footer
  • Added port/VLAN to subnet list

XML config

  • Changed services/platform-radius service to be services/radius as plans to expand config for other types of RADIUS
  • Moved RADIUS authentication and accounting lists from l2tp to services/radius
  • Changed error messages on config load to provide more context - shows XML around the error point
  • Corrected syntax check on XML duration with spurious letters
  • Added new restrict-mac field to interface definition - NOTE: USING THIS MAY CHANGE MAC OF SUBNETS IN USE
Built 2012-12-06
Older factory release
1.20.001 (Yalena)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.19.001 to Factory release 1.20.001

  • Changed [not] to [inverted] in Profile logging text.

BGP

  • Note that the localpref default is 0 for network statements on this factory release.
  • Adjust next hop logic in presence of VRRP to avoid incorrect use of VRRP address in some route passing
  • Fix debug log of accepted prefixes on BGP, was showing garbage extra bits

CLI

  • Fix double line spacing on some command line output
  • Added a "show run" and "import config" in telnet/command line allowing dump and upload of raw XML.

Config editor

  • Moved css-url to http services config, will need editing as not automatically moved

CQM

  • Configurable latency Y axis
  • Ping only graphs (i.e. no throughput) now have standard deviation on ping timings
  • Minor change to default colours
  • Corrected showing of "off line" on graphs
  • Minor tweak on graphs
  • Setting Y axis latency in ms on graphs as part of URL

DNS

  • Malformed DNS packets could cause crash, fix

Factory reset

  • Default timeserver set to ntp.firebrick.ltd.uk rather than pool.ntp.org

L2TP

  • Additional control over timeouts on L2TP
  • Changed default timeouts on outgoing L2TP client sessions - faster recovery and retry
  • Possible lockup and watchdog in cases of unresponsive RADIUS servers
  • Added quota (tx) to L2TP (as RADIUS filter code Q)
  • Added quota (tx, or tx+rx) and terminate action to allow radius accounting on exceeding quota or session timeout
  • Added Filter-Id and Session-Timeout to all RADIUS updates, was just Start record, as some data can change dynamically
  • L2TP should now accept RADIUS CoA sooner - was not accepted until PPP negotiation had finished

Monitoring

  • Changes in power supply inputs are now logged.

Ping

  • Allow configuration of larger ping packets

PPP

  • Improvements to checking and timing in PPP processes
  • Slight change in PPP sequence numbering
  • Minor tweaks, including new accept-dns in dongle config
  • Improved debug / logging for PPP connections
  • Support PAP as client login on PPP
  • Adjusted retry timeouts on PAP/CHAP requests
  • Corrected PPP client PAP continuing to IPCP

PPPoE

  • Tweak to handle multiple service responses in PADO

Profiles

  • Improved logging after non state change profile
  • Date/time profile tests when not clock set assume initial state
  • Date/time profile tests now have comment field in config

Web control pages

  • New layout for ping and traceroute allowing XML export
  • traceroute and ping now reporting a "firewalled" response if seen, rather than just unreachable
  • Web interface showing system name on title if trusted IP

XML config

  • Fix factory reset config
  • Changed XSD duration to an FB type that uses saner syntax [[HH:]MM:]SS
Built 2012-10-10
Older factory release
1.19.001 (Wilhelmina)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.18.001 to Factory release 1.19.001

  • Factory release needed for chipset variant at factory

L2TP

  • Incorrect fragmentation of locally generated IPv6 packets sent via L2TP, fixed

OSPF

  • Started work on OSPF

RADIUS

  • RADIUS auth request sending NUL CUI as per RFC4372

Web control pages

  • autocomplete off on entry for OTP data
  • Moved Log to separate main menu entry

XML config

  • Final XSD validation tidy
Built 2012-09-15
Older factory release
1.18.001 (Vanessa)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.17.001 to Factory release 1.18.001

  • Draft documentation included in releases

BGP

  • New filter option to check for community present in a route
  • Showing BGP route details shows additional community tags as well
  • Fix for BGP config where local IP is DHCP, meaning BGP did not start up unless a local-id was set
  • Fix BGP import/export filtering which only considered first match rule
  • Allow use of pad on BGP peer if add-own-as set, even on ibgp
  • new use-vrrp-as-self (default true) means the next hop used in BGP will use an appropriate VRRP address if possible
  • Ignored received announcements treated correctly as a withdrawal
  • Corrected BGP ingress filtering to allow detagging the standard community tags
  • Made BGP next hop logic consider routes to dead end and to network as non feasible (previously they were feasible but could not route)
  • Fixed config to only allow one list of import and one list of export rules under bgp peer, as only first in list was checked anyway

Config editor

  • Tweak class for cqm images in css

CQM

  • Fix for long term shapers which only worked if sharing of shaper was set
  • Graphs show min and max rate limit per hour now
  • More corrections on long term shaper logic
  • Long term shapers were not actually applying the shaper limit, it seems, even if worked out correctly
  • Changed min line on graph to be dotted

DHCP

  • Fix for possible lock up causing watchdogs in some cases
  • Internal change to try and resolve issue where DHCP has been seen to cause a lock up and watchdog on some systems

DNS

  • DNS resolver no longer caching SOA as it was not expanding the MNAME/RNAME fields correctly
  • DNS server now ignores expired DHCP allocations

Ethernet

  • Added layer 2 interface mapping function (map port/VLAN to port/VLAN directly no session track or firewall)
  • Fix for linked ports including port 0

Internal

  • Improved watchdog error reporting
  • Further improvement to watchdog panic diagnostic
  • Avoid 0000fff8 ECC panic when upgrading from older s/w

IP

  • Added ARP/ND link state test to work at subnet level
  • Made Wake on LAN a separate diagnostic and linked to DHCP
  • Internal change to avoid possibility of recursive tunnelling overrunning buffer space

IPv6

  • Fix for ND responses for FE80::/10 LL addresses matching our MAC prefix (we answered all requests even if specific MAC not in use)
  • Adjusted routing for FE80::/10 so all interfaces are equal metric to locate LL endpoints

L2TP

  • Change relayed L2TP session stats to be consistent with non relayed by counting only IP and not LCP, etc.
  • L2TP status showing an accounting session ID even when not using RADIUS accounting, useful for pcap
  • Adjusted length of called number field and improved PAP L2TP relay details
  • Better status report for back to back sessions
  • Correct NSN RADIUS parameters in platform RADIUS

PPP

  • Adjusted LCP restart logic to restart LCP if far end persists in restarting
  • Allow far end to refuse magic number negotiation

PPPoE

  • Linked status page from PPPoE to L2TP

SNMP

  • Added some IfXEntry SNMP values

VRRP

  • Changed default startup delay to 60 seconds as usually more sensible and should not cause any harm

Web control pages

  • Set larger input box size on web diagnostic tools
Built 2012-06-02
Older factory release
1.17.001 (Uriana)
Config:XSD Doc

Release notes from Factory release 1.16.001 to Factory release 1.17.001

  • This release includes additional memory checking - any problems, contact support
  • Updated documentation

BGP

  • LNS allowing full table
  • Corrected AS list in show routes to handle multiple sequences (was showing with no separator)

CLI

  • Fix obscure race condition which may cause panic when logging to command line (console).

Config

  • Removed redundant fast-reboot options

CQM

  • Corrected URL processing for CQM where using x=value/x=value type syntax
  • Change to ping scan and cqm polling functions to be more aligned to real time seconds, ready for when we do NTP fully

DHCP

  • Corrected tool tips on Kill/Unlock

Internal

  • More details in thread statistics report
  • Scrub RAM after ECC errors.

L2TP

  • RFC4818 Delegated-IPv6-Prefix support added - see RADIUS documentation for how this is used.
  • Complex bug with IPv6 routed via IPv6 gateway that is routed via an L2TP over IPv4 and generating an ICMP error causing a crash - fixed

Logging

  • Removed unused log types for SNMP trap (will move to profiles) and SMS (may be added later)

NTP

  • Added option to set ntp poll rate, will be removed/changed when we do NTP fully.

Profiles

  • Clarified wording for and, or, and not, tests in profiles
  • Clarified meaning of timeout and recover as times not number of tests

RADIUS

  • Reinstated platform RADIUS accounting handling and relay (missing since 1.13.111)

Web control pages

  • New CSS - especially on config edit pages
Built 2012-05-12
Older factory release
1.16.001 (Titania)
Config:XSD Doc

Release notes from Factory release 1.13.001 to Factory release 1.16.001

  • Change to persistent data storage logic and timing

BGP

  • Correct BGP route tie break where one route has MED set and one does not. No MED set is now treated as MED 0 correctly
  • Minor adjustment in graceful restart logic (not yet advertised)
  • Fixed long delay rebooting when BGP active
  • Colours on BGP status on web page

Config

  • Fixed factory default config for dns host name my.firebrick.co.uk - this means a new factory release of code.
  • Corrected parsing of an IP using final :: in place of :0 (i.e. seemed to have too many colons)
  • Not generating initial or trailing :: on IPv6 addresses where only one block replaced

DNS

  • DNS resolver negative caching handling and tweaks to handle VoIP DNS lookups where CNAME used
  • Corrected negative caching timings

Ethernet

  • Avoid spurious port down messages at startup.

Flash

  • Image priority tagging removed. Flash contents display shows penalty but no longer priority.
  • Change to flash block allocation strategy to spread block usage.

L2TP

  • Changed IPv6 padding to be more generic padding of any packet that looks too short and under 73 bytes so works with IPv6 over LCP on BT 20CN lines
  • Changed DHCPv6 served timing for L2TP
  • Added RADIUS option to avoid LCP restart on mismatched MRU
  • Corrected sending MTU in RADIUS auth (could be sent twice in some cases)
  • Allowing up to 64 byte CHAP challenge size in proxy auth

Logging

  • Better wording for missed log entries

Ping

  • Not trying to print reverse DNS on ping command while waiting DNS response

PPPoE

  • Config change losing external PPPoE IPv6 address from routing
  • Fixed IPv6 prefix delegation timeout issue
  • Issue with IPv6 DNS servers not working on a second PPPoE client connection if same as previous

Profiles

  • Fixed bug - a ping profile with no routing to send the ping was causing buffer loss
  • Possible problem in ping profiles could result in a watchdog failure

RADIUS

  • Corrected RADIUS tagging on NSN parameters in platform radius.
  • Work on RADIUS accounting to get better stats in case of pre-empted session
  • RADIUS accounting reference could change some time after reboot depending on clock setting, fixed
  • Fix buffer leakage if RADIUS servers time out

Time

  • Added very simple sanity check to SNTP clock setting, and logging to right place
  • Logging IP from which clock was set

UI/CLI

  • Added hard reboot option

VoIP

  • Ignoring silly almost empty SIP packets from gigaset (some NAT thing)
  • Adjust for restart of LCP on PPP happening when non 1500 MTU proxied negotiation

VRRP

  • Fix issue if two separate VRRP configs used with same VRID one for IPv4 and one for IPv6

Web control pages

  • Session list copes better if you stop the browser while displaying
  • Typo in web config for dns-host/block
  • Fix session table display lockup
  • Format of manual image upload UI page changed in line with auto update.
  • Avoid unnecessary invocation of bootloader when system reboot is requested
Built 2012-04-27
Older factory release
1.15.001 (Sophia)
[Withdrawn]
Config:XSD Doc
This release has been withdrawn.

Release notes from Factory release 1.13.001 to Factory release 1.15.001

  • Change to persistent data storage logic and timing

BGP

  • Correct BGP route tie break where one route has MED set and one does not. No MED set is now treated as MED 0 correctly
  • Minor adjustment in graceful restart logic (not yet advertised)
  • Fixed long delay rebooting when BGP active

Config

  • Fixed factory default config for dns host name my.firebrick.co.uk - this means a new factory release of code.
  • Corrected parsing of an IP using final :: in place of :0 (i.e. seemed to have too many colons)
  • Not generating initial or trailing :: on IPv6 addresses where only one block replaced

Ethernet

  • Avoid spurious port down messages at startup.

Flash

  • Image priority tagging removed. Flash contents display shows penalty but no longer priority.
  • Change to flash block allocation strategy to spread block usage.

L2TP

  • Changed IPv6 padding to be more generic padding of any packet that looks too short and under 73 bytes so works with IPv6 over LCP on BT 20CN lines
  • Changed DHCPv6 served timing for L2TP

PPPoE

  • Config change losing external PPPoE IPv6 address from routing
  • Fixed IPv6 prefix delegation timeout issue

Profiles

  • Fixed bug - a ping profile with no routing to send the ping was causing buffer loss
  • Possible problem in ping profiles could result in a watchdog failure

RADIUS

  • Corrected RADIUS tagging on NSN parameters in platform radius.
  • Work on RADIUS accounting to get better stats in case of pre-empted session

VoIP

  • Ignoring silly almost empty SIP packets from gigaset (some NAT thing)
  • Adjust for restart of LCP on PPP happening when non 1500 MTU proxied negotiation

VRRP

  • Fix issue if two separate VRRP configs used with same VRID one for IPv4 and one for IPv6

Web control pages

  • Session list copes better if you stop the browser while displaying
  • Typo in web config for dns-host/block
  • Fix session table display lockup
  • Format of manual image upload UI page changed in line with auto update.
Built 2012-04-21
Older factory release
1.14.001 (Rhea)
[Withdrawn]
Config:XSD Doc
This release has been withdrawn.

Release notes from Factory release 1.13.001 to Factory release 1.14.001

  • Change to persistent data storage logic and timing

BGP

  • Correct BGP route tie break where one route has MED set and one does not. No MED set is now treated as MED 0 correctly

L2TP

  • Changed IPv6 padding to be more generic padding of any packet that looks too short and under 73 bytes so works with IPv6 over LCP on BT 20CN lines

PPPoE

  • Config change losing external PPPoE IPv6 address from routing
  • Fixed IPv6 prefix delegation timeout issue

Profiles

  • Fixed bug - a ping profile with no routing to send the ping was causing buffer loss
  • Possible problem in ping profiles could result in a watchdog failure

RADIUS

  • Corrected RADIUS tagging on NSN parameters in platform radius.
  • Work on RADIUS accounting to get better stats in case of pre-empted session

VoIP

  • Ignoring silly almost empty SIP packets from gigaset (some NAT thing)
  • Adjust for restart of LCP on PPP happening when non 1500 MTU proxied negotiation

Web control pages

  • Session list copes better if you stop the browser while displaying
  • Typo in web config for dns-host/block
  • Fix session table display lockup
Built 2012-03-13
Older factory release
1.13.001 (Pandora)
[Breakpoint]
Config:XSD Doc

Release notes from Factory release 1.12.002 to Factory release 1.13.001

  • Increased memory buffer to allow larger code to be uploaded - breakpoint release needed to ensure existing units can load later code

CQM

  • Added additional checks on CQM shaper sharing to allow for erroneous negative traffic counts

Web control pages

  • Changed graphics for rule lists in firewall - more flowchart like
  • Fixed incorrect showing of "New" when a list of objects is full
Built 2012-03-07
Older factory release
1.12.002 (Ophelia)
[Breakpoint]
Config:XSD Doc

Release notes from Factory release 1.11.004 to Factory release 1.12.002

Config

  • New option on subnet controls if DNS is accepted when acting as DHCP client (default true, obviously)
  • Change of attribute name in dns local records
  • Corrected cqm share-interface on web config to only list ethernet interfaces

CQM

  • Adjusted handling for mismatched speed shared shapers when all reaching limits to balance dropped packets in ratio to share of speed
  • Added Y scale fixing on CQM graphs (Y option)

DHCP

  • Added interface name on DHCP server logging

DNS

  • Local DNS not working for EDNS0 queries including internal lookups, fixed

Factory reset

  • Factory default no longer does RA for 2001:DB8:: subnet. Quickstart guide being changed to match

IP

  • Changed broadcast restriction on subnet to only affect externally sourced packets

IPv6

  • Fix default arp timeout on RA client and PD subnets
  • Adjusted IPv6 neighbour announce to set O flag on link local addresses

L2TP

  • Changed source filtering controls of L2TP to allow traffic even if the L2TP route is lower metric (split bonded lines)
  • Changed L2TP to not announce connected routes until IPCP/IPV6CP completes, and added to debug log
  • Added ip-over-lcp to local auth options for inbound L2TP
  • Slightly faster PPP negotiation on L2TP
  • Corrected error code for "Received PPPoE Active-Discovery Terminate from client"
  • pcap of L2TP sessions from start was impacting the negotiation - fixed
  • Changed LNS DHCPv6 code to handle more than one requested PD and serving in order from RADIUS/config

Ping

  • Allow payload size to be specified in ping config and when setting up a ping graph dynamically
  • Allow routing table to be specified in UI graph ping setup
  • Prevent dynamic ping start/stop affecting a configured ping

PPP

  • PPP LCP restart on unexpected IPCP, IPV6CP, CHAP or PAP

PPPoE

  • ip-over-lcp on PPPoE now defaults to "auto" which means it is set if it receives IP over LCP
  • Fixed BRAS L2TP/PPPoE mode to correctly cope with ip-over-lcp setting
  • Added MAC address to PPPoE logging
  • Fixed debug logging of PPP negotiation in PPPoE BRAS mode
  • Faster PPP negotiation PPPoE
  • Better error reporting on PADT messages
  • Cleaner PPPoE shutdown in BRAS mode on reboot (not accepting PADI after shutdown starts)
  • Fixed bug in L2TP/PPPoE/BRAS mode when session ID exceeded 255
  • Added first stages of PPPoE prefix delegation for IPv6 for testing (not yet doing IA or DNS, just PD)
  • Changed pd-interface on PPPoE to default to "auto" meaning interfaces without existing RA serving prefixes
  • Fixed PPPoE/DHCPv6 to handle more than one prefix delegation correctly
  • Handling local IPv6 by DHCPv6 on PPPoE
  • Handling IPv6 DNS by DHCPv6 on PPPoE
  • IPv6 DNS by DHCPv6 on PPPoE now adding /128 route consistent with IPv4 DNS
  • PPPoE/DHCPv6 PD times requested now more sensible, not infinite
  • Further PPPoE timing improvements
  • Corrected lifetime on router announcement from prefix delegation - was sending infinite
  • Better handling where no IA returned in DHCPv6 but PD is returned
  • Corrected log and log debug operation for PPPoE
  • Additional security checking on DHCPv6 client used in PPPoE
  • PPPoE not working if no IPv6, doh, fixed

Web control pages

  • Changed http access controls so that trusted IPs are allowed even when not on local subnet
  • Added payload size to ping command
  • Corrected copyright date now we are in 2012
  • Added Wake-on-LAN option to Ping and link from DHCP web pages
  • Much more description and instructions on OTP/OATH settings page
  • Added kill and refresh to PPPoE status page
  • Changed to allow an interface to be defined with no subnets (now that PD could be the source of a subnet)
  • Improve error message on null image file upload
  • Improve layout of Graph PNG page
  • Improved help text on dhcp server settings
  • Login page shows your IP
  • Diagnostics access check default to using your IP that is accessing the web pages
Built 2012-03-07
Older factory release
1.12.001 (Narcissa)
[Withdrawn]
Config:XSD Doc
This release has been withdrawn.

Release notes from Factory release 1.11.004 to Factory release 1.12.001

Config

  • New option on subnet controls if DNS is accepted when acting as DHCP client (default true, obviously)
  • Change of attribute name in dns local records
  • Corrected cqm share-interface on web config to only list ethernet interfaces

CQM

  • Adjusted handling for mismatched speed shared shapers when all reaching limits to balance dropped packets in ratio to share of speed
  • Added Y scale fixing on CQM graphs (Y option)

DHCP

  • Added interface name on DHCP server logging

DNS

  • Local DNS not working for EDNS0 queries including internal lookups, fixed

Factory reset

  • Factory default no longer does RA for 2001:DB8:: subnet. Quickstart guide being changed to match

IP

  • Changed broadcast restriction on subnet to only affect externally sourced packets

IPv6

  • Fix default arp timeout on RA client and PD subnets
  • Adjusted IPv6 neighbour announce to set O flag on link local addresses

L2TP

  • Changed source filtering controls of L2TP to allow traffic even if the L2TP route is lower metric (split bonded lines)
  • Changed L2TP to not announce connected routes until IPCP/IPV6CP completes, and added to debug log
  • Added ip-over-lcp to local auth options for inbound L2TP
  • Slightly faster PPP negotiation on L2TP
  • Corrected error code for "Received PPPoE Active-Discovery Terminate from client"
  • pcap of L2TP sessions from start was impacting the negotiation - fixed
  • Changed LNS DHCPv6 code to handle more than one requested PD and serving in order from RADIUS/config

Ping

  • Allow payload size to be specified in ping config and when setting up a ping graph dynamically
  • Allow routing table to be specified in UI graph ping setup
  • Prevent dynamic ping start/stop affecting a configured ping

PPP

  • PPP LCP restart on unexpected IPCP, IPV6CP, CHAP or PAP

PPPoE

  • ip-over-lcp on PPPoE now defaults to "auto" which means it is set if it receives IP over LCP
  • Fixed BRAS L2TP/PPPoE mode to correctly cope with ip-over-lcp setting
  • Added MAC address to PPPoE logging
  • Fixed debug logging of PPP negotiation in PPPoE BRAS mode
  • Faster PPP negotiation PPPoE
  • Better error reporting on PADT messages
  • Cleaner PPPoE shutdown in BRAS mode on reboot (not accepting PADI after shutdown starts)
  • Fixed bug in L2TP/PPPoE/BRAS mode when session ID exceeded 255
  • Added first stages of PPPoE prefix delegation for IPv6 for testing (not yet doing IA or DNS, just PD)
  • Changed pd-interface on PPPoE to default to "auto" meaning interfaces without existing RA serving prefixes
  • Fixed PPPoE/DHCPv6 to handle more than one prefix delegation correctly
  • Handling local IPv6 by DHCPv6 on PPPoE
  • Handling IPv6 DNS by DHCPv6 on PPPoE
  • IPv6 DNS by DHCPv6 on PPPoE now adding /128 route consistent with IPv4 DNS
  • PPPoE/DHCPv6 PD times requested now more sensible, not infinite
  • Further PPPoE timing improvements
  • Corrected lifetime on router announcement from prefix delegation - was sending infinite
  • Better handling where no IA returned in DHCPv6 but PD is returned
  • Corrected log and log debug operation for PPPoE
  • Additional security checking on DHCPv6 client used in PPPoE

Web control pages

  • Changed http access controls so that trusted IPs are allowed even when not on local subnet
  • Added payload size to ping command
  • Corrected copyright date now we are in 2012
  • Added Wake-on-LAN option to Ping and link from DHCP web pages
  • Much more description and instructions on OTP/OATH settings page
  • Added kill and refresh to PPPoE status page
  • Changed to allow an interface to be defined with no subnets (now that PD could be the source of a subnet)
  • Improve error message on null image file upload
  • Improve layout of Graph PNG page
  • Improved help text on dhcp server settings
  • Login page shows your IP
  • Diagnostics access check default to using your IP that is accessing the web pages
Built 2012-02-27
Older factory release
1.11.004 (Melissa)
Config:XSD Doc

Release notes from Factory release 1.10.001 to Factory release 1.11.004

BGP

  • Adjusted RR logic on BGP to avoid incorrect messing with next hop decision
  • Changed BGP to silently ignore routes where we are already the next hop
  • BGP change to still process withdraw in same packet as silently ignored routes (typically if using route reflectors)
  • Added peer level export-med to set MED on exported routes (unless explicitly set in export filter) as this is commonly the only export filter
  • Made local routes (apart from dead-end) take priority over equivalent BGP originated routes
  • Changed ttl-security option to be 1 to 127, and use -ve as meaning force TTL sending and no checking
  • Added import-localpref at peer level as a common global setting on EBGP links
  • Obscure race condition on BGP shutdown could cause a crash

CLI

  • Fix telnet timeout on users setting timeout 0 to not logout
  • Implement several readline-style line-editing sequences
  • Add two more control sequences - Ctrl-T and Alt-T
  • Added "show power status" command - same action as "show fan status"

Config

  • IMPORTANT - make sure all interface definitions state the port to use before upgrading
  • Documented that a login timeout of 0 means no timeout but not in ip-group users
  • Mandatory port on interface. Missing port on interface picks first port else creates a fatal error

Console

  • Serial login did not work if user has an allow list for IP access

DHCP

  • Added new lock and unlock feature on DHCP allocations
  • Added ability to manually set the name of DHCP allocations

DNS

  • Added new feature under services/dns to allow local DNS responses including based on DHCP

Factory reset

  • Changed so factory reset is DHCP client on WAN and DHCP server on LAN
  • Changed factory reset to have my.firebrick.co.uk as local DNS for the firebrick itself

General

  • Various additional debugging code added

IPv6

  • Adjust handling of RA client to cope when more than one RA has same SLLA (e.g. VRRP) from different hosts

L2TP

  • Added more debug logging on L2TP tunnels, especially relating to relaying

Logging

  • Changed power failure event to log a simple message rather than panic
  • Improved formatting of replay from previous run flash log on boot up

PPPoE

  • PPPoE server (BRAS mode) was broken, fixed
  • Added return of Relay-Session-Id received in PADO to PADR sent
  • Adjusted PPPoE logging so as not to fill logs with requests that are not for us

SNMP

  • Fix BGP and L2TP SNMP stats where values 128 to 255 and 32768 to 65535 reported as negative

Web control pages

  • Fix issue with some links on Chrome viewing BGP peers
  • Typos fixed in config
  • Incorrect HTML typo fixed in some tables
  • Tidy layout of platform radius controls
  • Tidy help on rule log settings
  • Correct various typos
  • Changed filenames for XML save to be more sensible
  • Clearer warning of active sessions on reboot and s/w upgrade pages
  • Fixed case where showing tables of information not right if a list of routes also shown
  • "Up to date" may have been erroneously displayed on Software Upgrade page - fixed.
  • First config save from factory reset was not working, fixed
  • Added new System submenu
  • Hovering on a link now underlines it
  • Some more colours on tables
  • Fix links for ND entries that upset some browsers
  • Web status pages can now be seen by users with access level >= USER
  • Button to clear thread tick counts added to thread statistics page (for users with ADMIN access)
  • Additional logic for getting L2TP session data using circuit ID in URL
Built 2012-01-24
Older factory release
1.10.001 (Katya)
Config:XSD Doc

Release notes from Factory release 1.08.001 to Factory release 1.10.001

BGP

  • Vendor specific SNMP for BGP status

CQM

  • Correct for rare race condition leading to multiple graphs of same name

DHCP

  • Clear DHCP command now allows range/prefix to clear multiple entries
  • Option to kill a DHCP allocation from web interface (DHCP status) now
  • Change handling of BOOTP to operate as a REQUEST not DISCOVER so causing allocation of lease

Flash

  • Avoid flash fragmentation by deleting old images if necessary before saving new image.

L2TP

  • Internal change to RADIUS handling to reduce risk of watchdog under heavy load
  • Updated RADIUS to abort authentication request if session closed to reduce load if slow auth replies
  • Better "clear l2tp all", depending on speed of RADIUS accounting
  • Vendor specific SNMP for L2TP status
  • Added min-retry as a minimum session time before retrying an outgoing L2TP connection (default 10 seconds)
  • New platform RADIUS logic

Shaping

  • Fix incorrect handling of (legacy) tx-interval on shaper

SNMP

  • SNMP now has extra logical interfaces which are all named shapers in order, including relevant stats for a shaper.
Built 2012-01-18
Older factory release
1.09.001 (Jacynth)
[Withdrawn]
Config:XSD Doc
This release has been withdrawn.

Release notes from Factory release 1.08.001 to Factory release 1.09.001

BGP

  • Vendor specific SNMP for BGP status

DHCP

  • Clear DHCP command now allows range/prefix to clear multiple entries
  • Option to kill a DHCP allocation from web interface (DHCP status) now
  • Change handling of BOOTP to operate as a REQUEST not DISCOVER so causing allocation of lease

L2TP

  • Internal change to RADIUS handling to reduce risk of watchdog under heavy load
  • Updated RADIUS to abort authentication request if session closed to reduce load if slow auth replies
  • Better "clear l2tp all", depending on speed of RADIUS accounting
  • Vendor specific SNMP for L2TP status

SNMP

  • SNMP now has extra logical interfaces which are all named shapers in order, including relevant stats for a shaper.
Built 2012-01-09
Older factory release
1.08.001 (Isadora)
[Breakpoint]
Config:XSD Doc

Release notes from Factory release 1.07.001 to Factory release 1.08.001

  • Auto upgrade software not done if new software already in flash, stops a crash causing a loop.
  • Better error message on ip group name syntax check
  • Added link to upload new config on factory reset screen
  • Added link to upload new config on soft factory recovery screen

CLI

  • Changed show [bgp] route command to list where each route is directed.
  • Allow abort by pressing a key on the show routes command.
  • Tidied show dhcp command

CQM

  • CQM graphs now in alphabetic order
  • Shaper sharing system
  • Hourly rate line on CQM graphs

DHCP

  • Internal change to handling of DHCP server when searching for a suitable IP

FB105

  • Convertor making more sensible names for things like "24-7"

Firewall

  • Improved traceroute through mapped IPs

L2TP

  • Increased negotiation sessions to 4096
  • Made payload-table consistent - now defaults to 0 not (in some cases) "same as table"
  • Faster session clearing when using clear all
  • IP over LCP sending as RADIUS controlled flag (filter C)
  • Not picking L2TP endpoint as our IP if cross table tunnel - picks any IP from a subnet on same table
  • Added return of Proxy-State in platform RADIUS response
  • Added Tunnel-Medium-Type (IPv4/6) in platform RADIUS response
  • Added optional Juniper Context-Name response in platform RADIUS response (for BT 20CN session steering)
  • Added username hash based Tunnel-Preference in platform RADIUS response
  • Recognise BT specific "Subscriber provisioning failed" error and send clear cause 15 on RADIUS
  • More options for ordering the response on platform RADIUS
  • Faster LCP conf req on l2tp connect with no LCP
  • Additional debug added in L2TP/RADIUS code

PPP

  • IP over LCP rx handling added. I.e. LCP with code 4X or 6X assumed to be IP.

Profiles

  • Initial state of profile with set="..." now uses that setting, not the initial="..." value

RADIUS

  • Fix platform radius proxy state return issue affecting relayed platform radius

Web control pages

  • Added reboot link to web pages, in "status" section for ADMIN level or higher
  • Added VRRP masters count to pre-shutdown message for reboot and s/w updates
  • Added new form for pcap dumping to file from browser (/pcap/)

XML

  • XML checking recognises that an empty list is not valid on a mandatory attribute
  • XML checking no longer reports issues with schemaLocation - they are now ignored
Built 2011-11-15
Older factory release
1.07.001 (Hermia)
Config:XSD Doc

Release notes from Factory release 1.06.004 to Factory release 1.07.001

  • Does not auto update and reboot if in factory reset recovery state

CLI

  • New show routes command not BGP specific
  • Show dhcp command layout fix

DHCP

  • DHCP client sets /32 routes for DNS servers provided

L2TP

  • Pressing a key on telnet command "clear l2tp all" stops clearing lines.
  • Increased L2TP neg slots to 1024
  • Support for RADIUS Framed-IP-Netmask mapped to L2TP PPP IPCP NETMASK (144)
  • L2TP client mode asks for DNS on PPP
  • Config change was unnecessarily restarting some L2TP sessions
  • L2TP failed tunnel timeout reduced from 5 minutes to 1 minute
  • L2TP error response on duplicate tunnel ID to try and manage restart case better
  • Better logging of unexpected L2TP SCCRQ
  • Issue with L2TP clients when no hostname and no local system name configured

Web control pages

  • Using web interface diagnostics/routing could cause a crash
  • Showing associated routes on subnets, dongles, PPPoE, etc.
Built 2011-11-03
Older factory release
1.06.004 (Gemini)
Config:XSD Doc

Release notes from Factory release 1.05.001 to Factory release 1.06.004

  • Added memory usage to one second stats
  • Possible obscure issue with DHCP server code fixed - probably only when default dhcp server used (i.e. ip not set)
  • Added new show status command on telnet, and reformatted web status page
  • Ethernet port status shown on FB6000 now

CQM

  • Bug if graphs trying to scale to just under 4Gb/s, showed scaled at bottom end in error. Fixed.
  • Not including old (off screen) rate changes in max scale on graphs

DHCP

  • Additional options in DHCP client
  • Changed DHCP server to serve brick's IP as DNS server allowing it to relay, unless explicit servers set in config

Dongle

  • Colour on dongle status
  • Default if no route= set to also set /32s to DNS servers as well as default route
  • Dongle reporting negotiated DNS servers in status

Ethernet

  • Changed autoneg setting on ethernet ports to default to false if manually setting speed or duplex and not 1G

L2TP

  • Changed L2TP logging so relay sessions have same logging as incoming session at the time
  • L2TP config change was clearing tunnels if not using a hostname setting
  • Changed logic for logging L2TP to try and ensure relayed sessions log correctly
  • L2TP relay was dropping first packets exchanged
  • Periodic RADIUS accounting was incorrectly showing timestamp less any current dropped packets which could cause a slight discrepancy
  • Change of field name (username) not preserving old field (user-name) in l2tp-relay, fixed

Logging

  • Log email sending retry logic changed
  • Added much more debug for log-debug for logging email sending
  • Added additional information to emailed logs

Ping

  • Ping graphs can now use a host name

PPPoE

  • Default if no route= set to also set /32s to DNS servers as well as default route

RADIUS

  • L2TP RADIUS for PAP was using cleartext password as message auth (16 byte), changed to random.

VRRP

  • Deleting an interface which was VRRP master caused a crash

Web control pages

  • Improved lists of objects with sub objects present in config editor
  • General change to css, layout and menus, and new options for menu/banner controls
  • Extra information on DHCP client status page (subnets)
  • Change to allow you to stay logged in when clock first sets
  • Home page shows if system name is not set, as this really should always be set, but is not actually a mandatory field
Built 2011-11-02
Older factory release
1.06.001 (Gemini)
[Withdrawn]
Config:XSD Doc
This release has been withdrawn.

Release notes from Factory release 1.05.001 to Factory release 1.06.001

  • Added memory usage to one second stats
  • Possible obscure issue with DHCP server code fixed - probably only when default dhcp server used (i.e. ip not set)
  • Added new show status command on telnet, and reformatted web status page
  • Ethernet port status shown on FB6000 now

CQM

  • Bug if graphs trying to scale to just under 4Gb/s, showed scaled at bottom end in error. Fixed.
  • Not including old (off screen) rate changes in max scale on graphs

DHCP

  • Additional options in DHCP client
  • Changed DHCP server to serve brick's IP as DNS server allowing it to relay, unless explicit servers set in config

Dongle

  • Colour on dongle status
  • Default if no route= set to also set /32s to DNS servers as well as default route
  • Dongle reporting negotiated DNS servers in status

Ethernet

  • Changed autoneg setting on ethernet ports to default to false if manually setting speed or duplex and not 1G

L2TP

  • Changed L2TP logging so relay sessions have same logging as incoming session at the time
  • L2TP config change was clearing tunnels if not using a hostname setting
  • Changed logic for logging L2TP to try and ensure relayed sessions log correctly
  • L2TP relay was dropping first packets exchanged
  • Periodic RADIUS accounting was incorrectly showing timestamp less any current dropped packets which could cause a slight discrepancy

Logging

  • Log email sending retry logic changed
  • Added much more debug for log-debug for logging email sending
  • Added additional information to emailed logs

Ping

  • Ping graphs can now use a host name

PPPoE

  • Default if no route= set to also set /32s to DNS servers as well as default route

RADIUS

  • L2TP RADIUS for PAP was using cleartext password as message auth (16 byte), changed to random.

VRRP

  • Deleting an interface which was VRRP master caused a crash

Web control pages

  • Improved lists of objects with sub objects present in config editor
  • General change to css, layout and menus, and new options for menu/banner controls
  • Extra information on DHCP client status page (subnets)
  • Change to allow you to stay logged in when clock first sets
  • Home page shows if system name is not set, as this really should always be set, but is not actually a mandatory field
Built 2011-09-22
Older factory release
1.05.001 (Filippa)
Config:XSD Doc

Release notes from Factory release 1.03.001 to Factory release 1.05.001

ARP

  • Internal adjustment to queued packets waiting on ARP

BGP

  • Stopped announce of FE80::/10 when subnet has bgp="true"
  • No longer logging full BGP packet when discarded due to !allow-own-as or allow-only-their-as
  • Added additional per peer counters for ignored and filtered incoming updates

CLI

  • The show flash log command is now available to admin users
  • Added new command line to clear data pages in flash

Diagnostics

  • Tidy up the traceroute command to allow more than one attempt per hop, and some bug fixes
  • Access list check (command and web UI)

Factory reset

  • Made factory default have local-only set true on http access

FB105

  • Various corrections to config convertor for latest releases
  • Improved fb105 config conversion for VLAN handling

Logging

  • Possible fix to issue causing occasional unexplained crashes
  • Bug where viewing logs on web pages could cause crash, fixed
  • Removed hex dump debug log of DHCPv6 - as it cluttered interface debug logs and is better done using pcap

Manual

  • Started work on additional information for config documentation

PPPoE

  • Additional logging of PPPoE PAP/CHAP response message even if failed

Services

  • Added new access check for local-only on services. IMPORTANT - defaults to true for telnet, dns, timed, so you will need to set to false if you want remote access to these

SNMP

  • snmp was not access locked to routing table, fixed

Web control pages

  • Removed WebSite link as caused confusion, and made footer have link to FB website
  • Added configurable links on home page and fb105 conversion
  • Added optional CSS URL allowing customisation of control pages
  • Added ping/traceroute on web interface
  • Ping and traceroute now separate diagnostics
  • Show route now on web diagnostics menu
  • Web config edit has more information shown now, and change to some spacing.
  • Missing titles on lists of blackhole and nowhere routes
Built 2011-09-09
Older factory release
1.03.001 (Dimity)
Config:XSD Doc

Release notes from Factory release 1.01.002 to Factory release 1.03.001

  • TCP floods (e.g. http) could cause crash, fixed

Config

  • Changed default config - using LAN and WAN as interface and port group names and added more comments

L2TP

  • Changed to not debug log PAP passwords at all, but showing length of data sent (so length of password)

Logging

  • Documentation updated, and console log off/on commands now TROFF and TRON
  • log-starts logs start and stop of stats logging
  • Occasional crash in logging when lots of information is logged.

Profiles

  • Changed wording on logs for inverted profiles

Routing

  • Possible issue with watchdog failure being addressed

Web control pages

  • Heading on web logs saying which log report shown
  • Subnets listed in order
  • Icons redrawn
  • Changed page title to list name before serial
  • Manual s/w upgrade looks nicer now
  • Graph names as text on graphs list to allow searching in browser
  • Corrected icons for rule-set
  • Tweak factory reset menu
  • Additional per second stats for http access counts
  • Adjust timing on status check to try and ensure we see new s/w first time
Built 2011-09-04
Older factory release
1.01.002 (Bryony)
Config:XSD Doc

Release notes from Factory release 1.00.001 to Factory release 1.01.002

Config

  • Increase internal storage for config by 33%
  • Password now mandatory on user field, and error if blank and not using OTP
  • Added extra notes on localpref to explain highest value wins
  • Minor change to wording on web config
  • Added <blackhole.../> and <nowhere.../> as explicit routing objects rather than using <route.../> with no gateway.
  • as-path only on network object as was not in fact functional on route object
  • IPv6 addresses use lower case when output as a config view.

DHCPv6

  • Rebind handling corrected (was being ignored)

FB105

  • Timezone fixes on config convertor

L2TP

  • Fixed DHCPv6 issue on L2TP which was only working on session numbers below 4096
  • Incorrect logging of LCP Init Rx, Last Rx, and Last Tx, fixed
  • Improved logging where incorrect length proxy challenge or response received on L2TP connect
  • Added extra checking on L2TP packets where hidden fields could encode invalid length
  • Made error for bad hidden field length non fatal - investigating how this is happening
  • Hidden fields stopped working on L2TP tunnels after two config changes after tunnel was established, fixed
  • Some internal rework of L2TP code, and answering ICMPV6 router solicitations over L2TP
  • Adjusted IPv6 RA for L2TP - now send periodically if IPv6 router solicitation previously received
  • Logging of CHAP accept/reject showed wrong length (correct length was being sent)

Logging

  • Adjusted email log sending to use CR+LF on all contents lines as per RFC2821, rather than just LF as is the convention on Linux systems
  • Fix for rare case causing crash after emailing a log.
  • Email has boot date/time in text at top now
  • Emailed logs were re-sent on every config change, fixed
  • Changed syslog to use UDP non encrypted RFC5424 logging with microsecond precision. Affects all log lines as module name added
  • Added option to specify source IP for syslog messages

Manual

  • Corrected description of interface object

Pcap

  • Added more useful error messages for malformed pcap requests
  • Can now use pcap to log l2tp session from the start based on calling line id, see documentation for details
  • PCAP giving better error messages

Ping

  • Ping setting on interface was not always starting the pings, and not stopped when config removed. Fixed

Profiles

  • Changed logic so "or" profile with no other settings and none of the "or" profiles match will fail not pass.
  • Corrected timeout/recovery logic
  • Added initial-state option on profiles
  • Profiles tracking ppp did not spot if a PPP went off because it was itself turned off by profile config
  • Changed logging for profiles so "still active" and "still inactive" logs are log-debug now

Routing

  • Correctly sending ICMP errors for dead end routes
  • Routing loop detection improvements
  • Minor change to internal routing/ARP cache functions to test a specific bug report.

TCP

  • TCP test port (4242) removed
  • Increased number of active TCP sessions

VRRP

  • VRRP use-vmac default changed to true

Web control pages

  • Changed headings on config edit boxes
  • Changed the sequence when downloading new code
  • Automatically redirects to status page after a short delay when new s/w loaded
  • Less margins on web pages
  • Changed breadcrumbs in UI to use :: not : as spacing, consistent with website
  • Slight changes to layout of software upgrade pages
  • Made breadcrumbs larger and easier to read
Built 2011-08-01
Older factory release
1.00.001 (Yves)
Config:XSD Doc

Release notes from Factory release 0.11.002 to Factory release 1.00.001

  • Launch release

Authentication

  • Users can now be restricted to a routing table.

Config

  • Subnet mtu states default based on interface.
  • Max portdef now 2, not 5.

L2TP

  • L2TP stack adjust
  • Possible bug with DHCPv6 on L2TP fixed

Manual

  • Alphabetic order for documentation of config.

PPPoE

  • Did not do multiple PPP sessions on different ports if same session ID was being used, fixed
  • LCP negotiation now logged as log-debug

Profiles

  • Tidy wording on profile changes for new invert feature
  • Selecting fb105, ppp, route, and, or, vrrp, that have no entries now gives an error
  • Did not work checking vrrp state
  • Ping via explicit gateway now bypasses session tracking

VRRP

  • VRRP now has a default ID (42)
  • DHCP now gives the VRRP address as the default DNS server when none is specified, no resolvers are defined, and VRRP is in use.
  • Now accepts DNS requests to VRRP address
  • VRRP now has default VRID and the field is now optional

Web control pages

  • Changed "Subnet" icon to "Interface"
  • Timeout while editing config on web pages now fixed
  • Updated the link/message for s/w upgrades on status pages
  • Minor typos/changes on upgrade web page
  • Tool tip on protocol says 1=ICMP, 6=TCP, 17=UDP
  • Add and Edit only on lists where order matters, else just Add at end.
  • Added some colour to lists of things in UI to make columns clearer.
  • Some help text improved.
  • Help link on config edit.
  • Platform RADIUS config tidied.
  • Subnet ttl now a hidden field.
  • Layout of DHCP server settings improved.
  • List headings tidied.
  • route-override layout tidied.
  • Layout of share on rules tidied and comment field added.
  • Explains that routes with no gateway are blackhole routes.
  • Profile link was not showing on status
  • Confirmed help link working in Web config edit
  • Removed column headings when lists empty.
  • Web config: Save and Cancel buttons.
  • Lots of tweaks, mostly UI web config improvements and IE9 support
  • Fix profile layout - was not showing all fields
  • Not showing bgp attribute by default as not usually relevant
  • Static route tidy
  • Move Ethernet and Port groups under "Interface"
  • Moved PPPoE settings under "Interface" and titled "PPPoE settings"
  • Tidy up of config fields and web config edit
  • Typo in PPPoE status corrected
Built 2011-07-19
Older factory release
0.11.002 (Xavier)
Config:XSD Doc

Release notes from Factory release 0.09.002 to Factory release 0.11.002

  • External logging was stopping after a change of profile state, fixed

VRRP

  • VRRP3 implementation for IPv6 and sub second timing
  • New VRRP3 (IPv4/IPv6) and some bug fixes
  • Some more bug fixes, new web UI in place now, and VRRP3 working.
Built 2011-07-18
Older factory release
0.09.002 (Ulysses)
[Breakpoint]
Config:XSD Doc

Release notes from Factory release 0.08.049 to Factory release 0.09.002

  • test release, extra debug
  • Logs were restarting on config change
  • Odd error messages on reboot which could lead to issues upgrading - fixed

VRRP

  • VRRP logging using new logging system

Web control pages

  • UI updates - including a keep-alive to stay logged in while editing config
  • Change to CSS and layout of tables for comments
  • Major UI edit changes and re-styling
  • Various web UI changes, cache control improvements, not logging out while XML editing
  • Major improvements to web based config edit, and various minor enhancements
Built 2011-07-08
Older factory release
0.08.049 (Sherlock)
[Breakpoint]
Config:XSD Doc

Release notes from Factory release 0.08.001 to Factory release 0.08.049

  • Test low level changes to ethernet PHY communications timeout management to handle possible race conditions
  • Fixed DHCP issue which stopped reuse of expired allocations
  • New logging system started - not finished yet
  • New logging system started - some more work needed
  • New logging started
  • New logging system now handling email, more work to do but should be a safe build to try
  • New logging doing email better now
  • Corrected picking up MX 0 for emailed logs
  • Logging changes, and slight adjustment to BGP origin
  • Test build - may not be totally safe
  • Test build
  • Improved session logging
  • Various improvements since last beta

L2TP

  • Error on hidden fields over 30 characters on L2TP messages, fixed
  • Corrected M bit on some sent L2TP AVPs for relayed L2TP
  • Source filtering control mon RADIUS for L2TP
Built 2011-06-07
Older factory release
0.08.001 (Randolph)
[Breakpoint]
Config:XSD Doc

Release notes from Factory release 0.06.001 to Factory release 0.08.001

  • Factory release
  • Testing change to LCP echo timeout in case of major issues
  • Change for possible issue with fragments crashing session tracking code
  • More detailed controls of LCP echo rate and timeout per session. slow-poll deprecated
  • LCP rate and timeout per session in seconds, and change the timestamp on RADIUS stop to be last LCP response
  • Sending tunnel incoming name as Tunnel-Client-End in RADIUS access request and accounting to help track connections
  • Test build of NAT checksum changes
  • New CHAP-Password RADIUS response for tunnel relay password override
  • Corrected web/cli stats for outgoing sessions
  • Minor changes, and some experimental extra interface counters on SNMP.
  • Added SNMP (unwalkable) extra interface stats of IPv4 and IPv6 specific data. .410 and .610 for IPv4/IPv6 of .10, and same for .11, .16 and .17
  • tidied up multiple request SNMP
  • Corrected LNS damping issue
  • Fix for remote-ip in matching rules on l2tp
  • Fix config bug, and wrap up recent l2tp match relay syntax changes
  • Test build, correcting some documentation
  • Minor changes to l2tp commands
  • Test build for Ben
  • Candidate factory release

L2TP

  • Extra L2TP NSN conditional setting for GGSN use
  • L2TP status on web interface
  • New local auth options for L2TP, untested
  • Local auth on L2TP tested, added extra debug
  • L2TP Proxy PAP handling
  • L2TP Proxy PAP handling (incoming and relayed)
  • L2TP congestion management (damping) bug fix
  • Shaper updates (mainly for L2TP usage)
  • Changed L2TP match to make relay clearer and local pref allow remote-ip
  • New PPPoE server / BRAS mode for L2TP, and various minor config tweaks
  • Fixes on L2TP command line and addition session and tunnel specific XML http requests for L2TP status
  • L2TP XML http tweak
  • Tidied the URL coding for L2TP http xml requests
  • Additional checks on L2TP status commands
Built 2011-03-11
Older factory release
0.06.001 (Marmaduke)
Config:XSD Doc

Release notes from Factory release 0.02.001 to Factory release 0.06.001

  • Factory release
  • PPP DHCPv6 prefix delegation for initial testing (no DNS yet)
  • Faster reboot time
  • Sending DHCPv6 DNS responses as well
  • config load crashing if FB105 routes on dead tunnel
  • fb105 config causing config edit problem
  • DHCP server error recently introduced now fixed
  • Fixed DHCP client, and reworked some ARP/ND code
  • Slight changes on IPv6 ND timeouts when no response, and also on IPv6 RA options for M and O bits
  • Corrected ARP issue introduced in previous version
  • Some significant internal changes, but main impact is subtle changes to subnets are now picked up correctly, and you can set gateway=' on a dhcp client to not pick up a gateway now
  • Minor tweaks on DHCP server side
  • Changed config main page layout, tweak to hopefully fix CQM average latency, additional debug added
  • New status reports on web admin pages, more to come
  • minor tidy of new status pages
  • Issue with handling of some reply packets fixed, e.g. DNS resolver function
  • Changes to IPv6 ND handling for FE80::/10 LL addresses, was affecting windows machines
  • New FB105 status on web interface and command line
  • Session tracking on web interface
  • Session table now done as two lines per session to be easier to read
  • Tweaks to http headers as some were wrong
  • Correct odd error on image upload web page, and slight tweak to ARP response on overlapping subnets
  • Changed source to source-ip in profiles for pinging. Some prototype web config not finished yet. Added profiles to FB6202.
  • Minor changes to screen layout and graphics
  • Added new experimental web config editor (for users set to level DEBUG) for testing/feedback
  • Web config initial release
  • IE6 fix for checkboxes
  • Candidate factory release. Also, IPv6CP timeout on PPP.
  • Factory release candidate - new web config
  • Web config not working on all variants, fixed
  • Tidy up of some web config and added profiles to subnets
  • Slight alteration for session tracking and firewalling to an interface where there is no route to host, should mean fewer lingering sessions. Also added special interfaces to web config.
  • Factory release candidate
  • Test

Authentication

  • OATH/OTP login feature added
  • OATH/OTP update - lockout after failed attempts, etc

L2TP

  • Minor update to tunnel MTU on relayed L2TP
  • Checking fixed on DHCP via L2TP/PPP interface, caused fatal error before
  • Minor change to an L2TP parameter for GGSN use

VRRP

  • Change to handle unexpected VRRP packet via no ethernet interfaces

Web control pages

  • New web based status functions started, subnet list is only one so far
  • CSS tweaks
  • Various minor UI changes
Built 2011-01-23
Older factory release
0.02.001 (Inigo)
Config:XSD Doc
This is the first release for this platform.
