FireBrick FB2700 series Software

As a matter of policy, FireBrick software upgrades are free to download for all FireBrick customers.

SOFTWARE UPGRADES ARE BEST PERFORMED USING THE WEB CONTROL PAGES ON THE FIREBRICK ITSELF

If you are loading new software from this web page, please read the instructions first.

Factory, Beta or Alpha?

There are three categories of software releases available - Factory, Beta and Alpha.

These categories reflect the amount of testing done - releases normally start life as an alpha, then after initial alpha testing are converted to a beta. As a beta they are subjected to further testing, both by ourselves and by customers in the field. If, after beta testing, a release is stable, we will promote it to a factory release. If during testing we find a problem, we may choose to withdraw that release, or promote a later release.

Factory releases have been tested extensively, both by us and by test users, and have been stable for some time as a beta release. We recommend upgrading all FireBricks to the latest factory release when convenient. FB2500 and FB2700 models will automatically upgrade to the latest factory release, unless you change the default "sw-update" setting in the config.

Beta releases have been through alpha testing to eliminate obvious bugs, and are generally stable. They are available to all users, should you wish to try a new feature or bug-fix before it is available as a factory release, and are willing to take the risk. FireBrick dealer technical support may also ask you to try a new beta to fix a problem. However, when running a beta, we suggest you keep an eye on our software downloads page, in case the beta you are using is withdrawn, or a subsequent beta release with relevant bug fixes is made available. When a beta release has had sufficient testing, it is normally promoted to factory release, or withdrawn if any serious problems are found. Your FireBrick's upgrade page will normally offer the latest beta release, or you can manually download it from our website and upload it onto your FireBrick.

Alpha releases are only for use by designated alpha testers, who are members of staff or customers closely involved in developing and debugging new features. Alpha releases may have had little or no testing, so there is a significant risk of bugs. If you would like to get involved in alpha testing, please contact your dealer. To load an alpha release, your FireBrick must first have alpha upgrades enabled by us. Your FireBrick's upgrade page will then offer the latest alpha release, or you can manually download it from our website and upload it onto your FireBrick.

Note that if any upgrade causes repeated crashes, your FireBrick automatically reverts to older code.

Upgrade Instructions

Upgrade using the FireBrick control pages

The FireBrick has a built-in software download and installation system which can be accessed from the web control pages. This provides a simple one-click download and install feature. Simply go to your FireBrick's Status page, and if there is an upgrade available it will display an upgrade link under the current software version. Click the upgrade link and it will show details of the latest release - once you have read the release notes and wish to proceed, simply click the Upgrade button and it will download that release, install it, and reboot (this causes a brief outage of a few seconds).

Manually downloading and installing an upgrade

To install new software manually you need to load the main product image file. You may also wish to update the bootloader; this is normally unnecessary unless indicated by the release notes. The XSD file corresponding to the software may also be downloaded; this does not need to be installed on the FireBrick, but is useful as a definitive reference for the XML configuration.

Log in to your FireBrick administration pages, select Upload, browse to the main or bootloader image, and click Send new code. The software will be saved to flash, which will take a few seconds, and will become operational the next time the FireBrick is rebooted. You can force an immediate reboot by ticking the checkbox before clicking Send New Code.

Breakpoint Releases

When upgrading manually, do not skip over breakpoint software releases (labelled [Breakpoint] under release version number), as these update your config for changes in format or syntax. If you have saved configs, always re-save a copy after upgrading to a breakpoint issue. If you have tools to update configs, check documentation to confirm they are up to date. We recommend using the upgrade button on the FireBrick web control pages as this will ensure you do not miss any steps. Automatic upgrades to the latest factory release are done by default on FB2500 and FB2700 models.


2017-02-16
Current factory release
1.45.001 (Ximenes)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.44.000 to Factory release 1.45.001

DNS

  • Possible rare quirk that could cause a DNS resolver to be ignored/blocked

IPv6

  • When turning off RA we were sending an RA making prefixes valid for infinity rather than 0

OS

  • Improve OS interrupt scheduling to reduce possibility of panic under heavy load
  • Change of default value in new ethernet interrupt code config to address possible latency issue under load

Profiles

  • Forcing a config load which has a reference to a non-existent profile could cause a crash

Routing

  • L2TP source routing check could, in some cases, cause a crash if routing for IP is primarily via different route (e.g. BGP) with L2TP as fallback

Web interface

  • Packet dump was blocking other forms on web interface whilst running (error 409), fixed
  • Allow certificate download if read access to config, and only show cert actions if available to user
  • Removing 2FA could result in a crash, fixed
  • Logging for http does not log every web page access on normal logging now, that is on debug logging
2017-02-13
Older factory release
1.45.000 (Ximenes)
[Withdrawn]
Config:XSD Doc
Manual:PDF HTML
This release has been withdrawn.

Release notes from Factory release 1.44.000 to Factory release 1.45.000

DNS

  • Possible rare quirk that could cause a DNS resolver to be ignored/blocked

IPv6

  • When turning off RA we were sending an RA making prefixes valid for infinity rather than 0

OS

  • Improve OS interrupt scheduling to reduce possibility of panic under heavy load

Profiles

  • Forcing a config load which has a reference to a non-existent profile could cause a crash

Routing

  • L2TP source routing check could, in some cases, cause a crash if routing for IP is primarily via different route (e.g. BGP) with L2TP as fallback

Web interface

  • Packet dump was blocking other forms on web interface whilst running (error 409), fixed
  • Allow certificate download if read access to config, and only show cert actions if available to user
  • Removing 2FA could result in a crash, fixed
  • Logging for http does not log every web page access on normal logging now, that is on debug logging
2017-01-11
Older factory release
1.44.000 (Warbler)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.43.001 to Factory release 1.44.000

PPP

  • Ignoring unknown PPP/LCP protocol reject now
  • Closing PPP if IPv4 and IPv6 terminated or rejected

PPPoE

  • Rework of service name matching and PADO/PADS response logic for PPPoE

Web interface

  • Factory reset state not working due to new security measures means factory reset bricks cannot be configured via web interface, only telnet
  • Fix individual DHCP kill button which was not allowing unexpired or locked entries to be killed, and correct typo!
2017-01-05
Older factory release
1.43.001 (Vixen)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.42.100 to Factory release 1.43.001

DHCPv6

  • Tested on Zen IPv6 PPPoE/DHCPv6 - addressed a number of issues, now working

Dongle

  • Fix corrupt dongle name showing in dongle status UI

Ethernet

  • Improve ethernet receive processing and CPU load monitoring

Firewall

  • Fix bug with session mapping using hash function, which sometimes did not pick any mapping
  • Load balancing issue for firewalling when not using hashing

L2TP

  • Additional RADIUS logging for RADIUS based steering

OTP

  • Made web & telnet login prompt for OTP authenticator code so can be entered separately from password

Sampling

  • Introduce packet sampling (IPFIX/sFlow) [not yet documented]

SNMP

  • Named shapers were not returning actual stats

VoIP

  • Added config name to outgoing registrations as display name on contact
  • Issue with outgoing registrations locking up indefinitely if ICMP errors received

Web interface

  • Did not show new bootloader as available on status upgrades page
  • New password change menu to simplify password change and to allow users without config save access to update their password
  • Added QR code and suggested key to OTP set up
  • New simpler OTP set up
  • Removed OTP check on config recovery mode - given physical access needed and likely clock not set
  • Cross site scripting checks on web forms
2016-11-01
Older factory release
1.42.100 (UncleYap)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.41.000 to Factory release 1.42.100

BGP

  • Subtle recursive next hop check logic error where DeadEnd community tagged routes used

Bootload

  • This release includes a boot loader update which incorporates a number of minor changes

CLI

  • Increase CLI regexp buffer to support lines up to 300 characters
  • Fix lockup problem when doing command completion
  • Debug command for DNS cache

config

  • Removed top-level profile setting from route-override (it was non-operational)

DNS

  • Bug in DNS caching that could have caused other side effects in other systems - fixed
  • Custom DNS responses can now be restricted to specific interfaces
  • More aggressive DNS cache expiry where multiple entries have different TTL
  • Better cache handling when being flooded with requests to cache limit
  • Slightly more aggressive clean up of domains with expired cache or caching limits reached

L2TP

  • Allow config of advertised receive window
  • Avoid sending CDN or other session related messages once a CDN is received
  • Better handling of zero length username and zero length passwords in proxied authentication
  • Graph names not showing on L2TP sessions immediately after connect
  • Option for local LCP echo handling in middle of L2TP relayed connection
  • Edge case of L2TP with PAP and auth-name but no auth-resp (assumed no/null password) which was not doing RADIUS
  • Change when relaying L2TP with null password and PAP to send null password in an auth-resp
  • L2TP relay to send auth even for zero length login
  • Fix bug with showing L2TP routing

logging

  • Logging of config changes was not working correctly if system log-config was set

SNMP

  • Added some missing stats; Implemented Admin/Oper status reporting for ports; Improved port and interface naming.

UI

  • Subnets status page now shows portgroup name in Port column

USB

  • Fix crash updating config when dongle speed set and shapers are in use

VoIP

  • SIP DNS resolution where explicit :port suffix used was not working
  • Add force-dtmf option for telephone config, in PABX mode
  • Change of RTP sequence/timestamp logic to address some issues on DTMF event pass through
  • Fix SIP INFO DTMF from Snom
  • Change DTMF in-band generation to handle less frequent RTF/telephone-event messages
  • Better handling of SRV fallback
  • REGISTER now uses host name in URI and not name of proxy when proxy used
  • Finer control of when sending a pre-auth header (carrier setting)
  • http list of registrations now allows user to be of form localpart@domain with host being the proxy

Web interface

  • Port group names shown on port status
2016-05-08
Older factory release
1.41.000 (Taupi)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.40.000 to Factory release 1.41.000

BGP

  • New dead-end-community used to propagate routes within IBGP that are dead ends (e.g. nowhere or network)

Firewall

  • Fix to NAT64 logic where target is nowhere/network

IPsec

  • Decision on whether to send INITIAL_CONTACT notification was inverted
  • Allow traffic selectors to be specified in config
  • Fix scheduling problem which could cause IKE to lock up after prolonged use

IPsec/IKE

  • Add option to enable traffic selector sent to peer to be constructed from specified routing

L2TP

  • If RADIUS overwrites the proxy auth logic to change auth type then change proxy last LCP tx
  • Change logic for dummy auth on L2TP to wait for LCP negotiation to complete before RADIUS allowing proxy LCP details to pass to relayed connection

Routing

  • Changed internal routing logic for "next hop" based routes to be more efficient
2016-04-26
Older factory release
1.40.000 (Shed)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.39.000 to Factory release 1.40.000

ARP

  • Minor tweaks to ARP timing

BGP

  • Tweak next hop in some cases - review against RFC
  • Show BGP sessions that are down by profile as shutdown in peers list
  • Manual shutdown, albeit deprecated, was not working to close existing BGP sessions
  • Simplified the XML for BGP status, all peers list as <peer.../> now.
  • When originating routes from a 32 bit AS number via a 16 bit AS BGP session was not sending AS4_PATH
  • BGP tweak, allow incoming BGP in IDLE state

CLI

  • Command line completion could complete keyword arguments incorrectly

IP

  • Allow UDP to VRRP address - used for DNS, and RADIUS, etc.

IPsec

  • Fix crash when certificate named in connection is missing

L2TP

  • Incoming L2TP config allow any table if table attribute not set
  • Allow outgoing source IP setting on outgoing L2TP tunnels
  • RADIUS directed session steering for L2TP needs to use the specified table
  • Speed sanity check - do not believe L2TP speeds at or below 10kb/s as valid
  • Don't close tunnel on an out of order control packet showing backwards Nr sequence
  • Some more options for RADIUS to overwrite password on L2TP relay

Routing

  • Improve route caching update on deep recursive routes changing

SNMP

  • iso.3.6.1.2.1.31.1.1.1.1. (ifName) corrected as was a Counter64 not a String
  • Corrected counters for broadcast and multicast packets to 32 bit
  • Fix return ordering in bulk get requests; improve encoding of integer values

TCP

  • Do not perform TCP MSS fixups on MD5-authenticated sessions

USB/Dongle

  • Improve hub handling - hub status now visible on UI; rare lockup when disconnecting hub fixed; logging improvements; config update was not always correctly processing config changes.

Web status

  • Minor tweaks to status pages
2016-03-20
Older factory release
1.39.000 (Rufus)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.38.001 to Factory release 1.39.000

CLI

  • Add command output filtering capability to CLI (telnet and serial link)
  • Fix crash in CLI when default logging is set to console
  • The "show route" and "show routes" commands have been combined to avoid ambiguity; If '?' is used to output command details the command help info is displayed, unless all commands are listed

DHCP

  • DHCP relay/remote server logic
  • Tidy up DHCP logging messages
  • Tweak for FireBrick as a DHCP client working via DHCP Relay Agents

DNS

  • Timeout of long-latency replies from DNS servers was flawed.

Dongle

  • Profile state change caused by dongle going offline was not being detected

Ethernet

  • LACP send and receive/status
  • LLDP send and receive/status
  • Port trunking options (with or without LACP)

IPsec

  • Minor change to help with diagnosis of occasional IKE crash
  • Avoid crash when clearing a NATed connection
  • Fix IKE crash when moving incoming connection to a config with no peer_id set
  • Fix occasional crash after prolonged use.

L2TP

  • Uplink speed control per connection
  • Change to way hashes are handled for session steering

LACP

  • Option to control the hashing used for trunking
  • Default LACP mode is passive for non trunked ports as some switches are strange

NTP

  • Better error logs for NTP / clock setting
  • Better NTP back off logic
  • Option for fast-retry for NTP until clock first set

PPP

  • Better timing of PPP LCP when using dummy auth (no authentication)

PPPoE

  • Tweak PPPoE Host-Uniq

Profile

  • Change to profiles use of and/or/not so these are tested on the "interval" rather than being immediate in some cases

Routing

  • Adjust hash logic slightly

UI

  • Kill link on web view of L2TP sessions/tunnels

USB/Dongle

  • Don't log transient transaction errors; Improve 3G PPP escaping; Improve stability for some dongle types
2016-02-14
Older factory release
1.38.001 (Quantum)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.37.002 to Factory release 1.38.001

Ethernet

  • Don't log transmit queue full errors (txqfull) caused by physical port being down

IPSec

  • IPSec upgrades and restructure

IPsec

  • Minor change to logging of IKE messages; fix crash on shutdown; suppress errors relating to multicast messages
  • Fix crash during rekeying when heavily loaded; fix possible crash during setup if routing changes; check ESP padding more thoroughly
  • Fix crashes caused by one-way packet drop when both peers have mode Immediate

USB

  • Increase USB port power-off time to 1 second - may help with resetting dongle stuck in unusual state
  • Fix dongle PPP startup timeout kicking in too soon; Fix occasional crash when viewing USB UI status page.

VoIP

  • Fix cases where tones not generated correctly such as ring tones, etc.
  • Audio pass through correctly when ringing a group and one leg is providing early audio
  • Allow RTP to quote IP6 and ::ffff:x.x.x.x format and treat as IP4

VRRP

  • Correct issue with VRRP ARP replies in some cases
2016-01-14
Older factory release
1.37.002 (Paul)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.36.002 to Factory release 1.37.002

BGP

  • Handle blackhole routes better - having an ingress and egress tag for blackhole routes
  • BGP rule override of pad was not working
  • Extra debug

Config

  • Default user password generation now salted SHA256

DHCP

  • Tweak DHCP server to use chaddr field not source MAC
  • Tweak to DHCP to allow renew of IP where ARP shows MAC as matching either chaddr or source MAC of request
  • Improved algorithm for selecting which restricted IP pools apply
  • Added a bit of sanity check on DHCP renew/expiry values received
  • Change DHCP retry to restart back off at expiry
  • DHCP log of moving IPs between interfaces was crashing, fixed
  • Extra debug counters for DHCP client

DNS

  • Random DNS source port for additional security
  • Incorrect ARCOUNT in cached responses when EDNS0 request used
  • Possible race condition in DNS tracking

Dongle

  • 4G dongle test release - may be unstable
  • Fixed occasional crash on packet transmission
  • Fix race condition causing device to fail to clear down occasionally; minor logging improvements; detect network connect/disconnect messages from 4G dongles
  • Fix another race condition causing rare crashes. Check potential 3G/PPP device is AT-capable before trying to use it.
  • Fix lockup when updating config after non-3G dongle has been detected.

etun

  • ETUN was ignoring profile settings - fixed

Firewall

  • Allow match of "same network" by target-ip in 0.0.0.0/8-31, e.g. use 0.0.0.0/24 to match "same /24 as source IP". Same logic in reverse for source-ip check. Same logic for ::/32-127
  • Layout change on firewall check

Flash

  • Improve flash scheduling; should fix occasional "Bad end read" crashes.
  • Fix another flash scheduling problem causing occasional crashes

IPsec

  • Recognize repeated INIT requests
  • Modify MSCHAPv2 to be compatible with MS Windows
  • EAP MSCHAPv2 - return a new challenge after password failure, allowing interactive password reentry on Windows clients
  • Add workarounds to allow interworking with OpenIKED
  • Minor improvement to error response when there is no suitable proposal for the IKE SA
  • Fix possible panic on shutdown
  • Fix crash when certificate trust chain is incomplete
  • Improvements to certificate storage, including fix for possible crashes after updating certificates.

L2TP

  • Changed overload logic for unresponsive LNS to better handle when LNS is relayed/outgoing connections
  • RADIUS auth sends original tx speed, not adjusted, which fixes issues when multiple authentication done on same connection
  • Allow overwrite of existing User-Password in RADIUS auth response (for PAP and CHAP use on relayed tunnel connection)
  • Relayed tx speed in connect info now reflects speed as updated by RADIUS, not original.
  • Fatal tunnel sequence errors now close tunnel
  • Tweak not to send ZLB in reply to message if the message causes a reply to be sent anyway
  • Allow session to be marked blackhole routed ('D' filter)
  • Added debug logging for DOS detection to show pps
  • L2TP clearing of dead tunnels improved (some edge cases left tunnels never clearing)
  • Internal stats cache clear on L2TP session start
  • RADIUS Accounting to show Connect based on actual speed, not original L2TP speed
  • Show when routes suppressed in L2TP session status
  • Additional LCP control (data len) for screwy Samsung LACs that don't cope with zero len
  • Send LCP TERM ACK reply when closing

L2TP/PPP

  • Change to allow non auth incoming L2TP to send RADIUS to validate as a "dummy authentication"
  • Stall (no reply) IPCP / IPV6CP if waiting on RADIUS, as can happen for dummy auth
  • Better handling of proxied LCP negotiating no authentication

OSPF

  • Initial testing for new OSPF code

Ping

  • Ping diagnostics "loss" stats were including ICMP errors as well as correct responses

PPP

  • Allow PPP LCP to negotiate unauthenticated (LCP rejecting AUTH)
  • Don't do IPCP whilst waiting on RADIUS (relevant for null auth)
  • PAP Ack/Nak with zero message now sends zero message len not zero data
  • Checking proxy LCP now accepts stupid LACs that claim to neg longer PAP/CHAP LCP messages if they otherwise look OK

PPPoE

  • Tweak PPPoE client to change Host-Uniq as some systems misbehave if always the same
  • PPPoE was not authenticating, Fixed

Routing

  • Next hop feasibility checking failed to spot when an Ethernet next hop stopped answering ARPs
  • Next hop logging is now separate system log target

Stats

  • One-second CPU stats output is now synchronized to UTC time

Tunnels

  • Allow more than one etun tunnel to be defined, and allow etun over a usb ethernet port

UI

  • Improve diagnostic if s/w upgrade fails

USB

  • Fixed problem with 3G dongle without a SIM card causing a "Too many devices" error
  • Fix modeswitch problem with old Huawei devices; introduce new "raw" modeswitch method.
  • Avoid crash when changing dongle profile. Improve modeswitch handling.
  • Fixed scheduling problem causing occasional crashes after displaying USB status
  • Fix crashes during USB device connection/disconnection
  • Fix crash in UI dongle status when dongle has no configured name

VLAN

  • Fix VLAN tagging problem

VoIP

  • Fix missing resend of invite response if no ACK received, fixed
  • Changed handling of retries to sequence through SRV records
  • Tweak default nonce response on RADIUS auth challenged request to match automatic auth request

Web config

  • Better handling of messages when test saving config with errors
  • Turn off autocomplete on config editor as causing issues

Web status

  • Status/Subnets now shows the interface headings
2015-04-29
Older factory release
1.36.002 (Orlando)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.35.001 to Factory release 1.36.002

BGP

  • Replacement routes with different flags were treated as no change
  • Fix mishandling of ORIGINATOR ID when not sent
  • Tweak to remove non-standard tie break logic in BGP code
  • Cluster ID, Cluster List and Originator ID now only sent where source is IBGP

Config

  • Certificate management extended

CQM

  • Tweak URLs for images of graphs to allow for graphs that look like a URL and break some browsers
  • Change logic for adjusting shared shapers when hitting limits to favour unit dropping most packets more

Ethernet

  • Fix packet padding which leaked internal ethernet checksum in last 4 bytes (not harmful but confusing)

IPsec

  • Please change from manual keyed IPsec to IKE shared key as manual keying between bricks is deprecated
  • Manually keyed IPsec config migrated to new config format on upgrade - logs upgrade has taken place to fb-support which normally emails FireBrick team as use of manual keying is not recommended
  • Authentication using certificates added
  • EAP authentication introduced.
  • Logging messages improved. Minor bugfixes.
  • Roaming IP pool implementation complete. RoadWarrior access now possible.
  • Add MSChapV2 to EAP methods. Some minor bugfixes.
  • Improvements in ID processing; session lifetime now configurable; bugfixes
  • Allow dead peer detection period to be configurable
  • Allow EAP to work with iPhone (iOS8.1.3+); more logging; minor bugfixes.
  • Fix crash during system shutdown
  • Internal restructure of IKE to better support multiple sessions and clean reauthentication. Should also fix problems with graphing.
  • Fix crash following unexpected SPI detection
  • UI status shows allocated IP for roaming connections; algorithms now only displayed in detailed view
  • Fix possible crash when a profile state change occurs
  • Connections controlled by profile were occasionally starting when profile inactive
  • Unnecessary diagnostic causing crash in some circumstances removed
  • Add ability to respond to rekey requests; minor bug fixes.
  • Avoid unnecessary duplicate session startup
  • Move manually-keyed config element. WARNING: If you use manually-keyed IPsec connections this update will delete them. Save your config before update so you can re-enter the connection data.
  • Allow graph names to include peer's ID or IP address
  • Fix crash when establishing new session
  • Fix routing table problem on immediate mode IKE connections
  • Avoid child SPI reuse
  • Fix packet drops following reauthentication on immediate mode IKE connections
  • Fix occasional crash in connection setup when initiated remotely
  • Fix problem with NATing incoming roaming sessions when using non-default routing table
  • Fix crash when using IPv6 roaming pool
  • Allow (and prefer) prefixes DNS and EMAIL rather than DOMAIN, FQDN, MAILADDR or MAIL for IKE identities
  • Fix possible crash when closing a NATed connection
  • Add debug logging of IP allocations
  • Problems with reassigning pool IPs after abrupt device disconnect fixed; Treatment of ID prefixes improved (FQDN: now preferred to DNS:); Multiple DNS servers accepted in pool config; cert/profile script improvements

Logging

  • Logging of panic message was not working correctly - fixed.

Manual

  • Added some more IPsec doc and corrected some other minor typos in manual

Password

  • Not upgrading passwords to SHA256+15, but to SHA1+3 so backwards compatible if code reverts

Ping

  • Added ping stats on ping command line and web (was already in XML)
  • Web/command line ping stats showed wrong average

PPP

  • Tweak to try and handle case of CHAP final reply having been missed, and reprocess duplicate CHAP response

PPPoE

  • Fix source MTU for sending down PPPoE link

Route

  • Diagnostics for routes shows reason for ordering

UI

  • Ticking the check box for an optional multiple select input (set) with one member pre-sets the only member as selected

VoIP

  • Edge case causing outgoing registrations to fail if unexpected contact expiry sent back
  • Tweak handling of RADIUS based 302 response handling from telephones
  • More ring groups and users
  • Sending Authorization header with just username set where we have a username and no challenge yet
  • Handle receipt of Authorisation with username and no response to match against carriers for incoming invites
  • Improved screen=yes/no handling where incoming has screen set, or is from untrusted cli source
  • New cascading group logic for out of hours
  • ACCESS_CHALLENGE response was not properly generating the authentication request
  • Cleaned up carrier matching logic and documentation
  • Allow Authorization/username to find telephone user if not matched on to address
  • Allow Authorization/username to find carrier when carrier is not configured with to address
2014-12-03
Older factory release
1.35.001 (Nestor)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.34.001 to Factory release 1.35.001

BGP

  • Added import-filters and export-filters and named bgp rules to config
  • Less aggressive retry on BGP in some cases such as TCP connect failure
  • Improved BGP status
  • Withdraw of non existent route may cause parent route to be mistakenly withdrawn

Config

  • Check each interface has a unique port/vlan setting. Invalid configs will still load on bootup but must be corrected before resaving.
  • Storage and management of certificates and keys added (cannot be used effectively yet).

DHCP

  • Improved DHCP clear command and added link to clear all old DHCP

Firewall

  • Removed experimental EUI64 mapping (de-privacy IPv6 addressing) feature

Profiles

  • Added setting for expected (good) state of a profile, showing as green in status if expected, and listed unexpected on home page
  • Added profile to fixed ping graph config, and made ping on interface subject to interface profile
  • Control switches no longer show by default on NOBODY level users or those without full config access unless specifically listed in the control switch users

TCP

  • Fix TCP session stalling on large fast transfers

VoIP

  • Fix handling of 3XX SIP response from carriers
  • Fix sending of 3XX SIP status on RADIUS response

Web control pages

  • Added "add" to home page links list as order matters
  • Changed list of radius steering settings to show "ip" in list as important field
2014-10-27
Older factory release
1.34.001 (Mercury)
[Breakpoint]
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.33.000 to Factory release 1.34.001

BGP

  • Route show lists exports via BGP peers
  • Better change detect on BGP config changes and better logging of changes causing BGP restart

CQM

  • Updated graph names to 40 characters max, and allow colon in graph name

Firewall/CQM

  • Change to allow graphs based on source IP
  • Changed MAC based graph names to include colons

Flash

  • Avoid watchdog during flash write when CPU is busy

L2TP

  • L2TP/RADIUS not trying second choice when first is blacklisted

Logging

  • Detect closed browser window, and close TCP session, when displaying log

OS

  • Improve scheduling control when CPU is busy

PPPoE

  • Tweak to PPPoE startup sequence

Routing

  • Better next hop change detect logic (less trigger happy on config changes)

TCP

  • Add status display for TCP sessions (debug level users)
  • Correct connection timeout detection for rare corner cases. Improve TCP status display.
  • Add buffered data counts to TCP status display
  • Add window sizes to TCP status display
  • Fix TCP session hangs caused by packet drops in uncommon situations
  • Add TCP SYN cookie handling to mitigate SYN flooding

VoIP

  • Improved some VoIP error codes, fewer 500's and better logging of cause of errors
  • Added compact headers for Refer-To and Event
2014-10-09
Older factory release
1.33.000 (Lucifer)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.32.000 to Factory release 1.33.000

BGP

  • Delay BGP announce until FIB update started for route in question to minimise black holes
  • Further work deferring BGP announce until routes in FIB
  • Faster BGP withdrawal
  • BGP export stats to count "default" when send-default is set
  • Change of send-default restarts BGP session
  • Change of send-no-routes correctly withdraws routes, no session restart
  • Change to use-vrrp-as-self now correctly re-announces the changed next hop
  • Possibly trigger happy BGP keep alive check when lots of peers, fixed
  • Balance load better on rx traffic between peers

DHCP

  • DHCP server now does not send default router, subnet, lease, renew, syslog, timed, ntpd, domain, domain-search, if there are manually configured response attributes for these
  • DHCP server no longer sends "name" attribute as host-name (12). Configure as an extra string attribute if required

Diagnostics

  • Showing routes was truncating if too many routes - buffer size increased

Firewall

  • Longer default start-delay on firewall rules (1 min)

General

  • Better logging to flash of source of s/w load or reboot commands

Internal

  • Adjust buffer pool sizes and thresholds to avoid buffer depletion
  • More buffer count stats added to TCP

PPP

  • Tweak to avoid resend of CHAP response to challenge if LCP restarted

Routing

  • Avoid route updates hogging all CPU

TCP

  • Improved congestion control and loss recovery
  • Fix problem with TCP window calculation causing buffer overload

TCP/BGP

  • Avoid BGP sessions being aborted by TCP if buffers run out

VoIP

  • Handling inbound RFC based DTMF mixed with audio (non DTMF) at the same time (e.g. gigaset)

VRRP

  • Delay VRRP startup while route updates pending
  • Longer startup (uses configured delay when routes are updating)
2014-09-17
Older factory release
1.32.000 (Klingsor)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.31.000 to Factory release 1.32.000

BGP

  • Making BGP keep-alives higher priority, in case of really heavy BGP load
  • Fix race condition allowing BGP peer to vanish in rare conditions
  • Improved BGP shutdown sequence announces lower priority before withdrawing routes on shutdown
  • Shortened the BGP shutdown so it does not send the clears after the low-priority
  • Added configuration of BGP shutdown logic

Ethernet

  • Add new Ethernet DoS-detection parameters to config

General

  • Several minor internal changes that should improve stability

IPsec

  • Peer IP added to log messages

L2TP

  • Fix for NAT via outgoing L2TP connection
  • Crash if too many graphs created with L2TP
  • RADIUS L2TP Relay for steering was sending zero length Proxy-State which is not valid
  • Outgoing tunnel did not come up / go down on profile change

Logging

  • Fixed issue with logging causing occasional bad buffer address panics
  • Improve logging efficiency and avoid dropped log messages
  • Fixed http logging of graph URLs

OS

  • OS Stream and TCP restructure

PPP

  • PPP challenge response resend on no accept/reject response

Routing

  • Path/community fixed settings in routing config with multiple IPs listed caused error on memory allocation
  • Improved checking for route loops

Syslog

  • External syslog now only includes general system log messages if specifically configured to do so

TCP

  • Tidy TCP MSS handling. Allow minimum MSS to be as low as 200.
  • Further TCP stack enhancements
  • Fix windowing problem - possibly causing slow transfers
  • Send window updates more often - improves BGP performance

UI

  • Show current stack usage as well as HWM in thread stats

VoIP

  • Fix for issue with VoIP over dongle
  • Fix use of backup carrier which may have been calling in parallel
  • Added routing table on Tx/Rx log lines
  • Fix for working on routing tables other than zero
  • Changed contact style in outbound registrations, uses IP literal now and no extra attributes on end
  • Add profile to list of carriers in config

VRRP

  • Fix bug in vrrp shutdown that was slowing down other shutdown processes
2014-08-08
Older factory release
1.31.000 (Janus)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.30.001 to Factory release 1.31.000

  • URLs fetched from the FireBrick for any reason now handle IP literals.
  • Option for URL to GET before a controlled reboot - mainly to warn nagios

DHCP Server

  • Minor tweaks to make NAK meet later RFCs

DNS

  • DNS fallback (default on) allows use of other tables for local lookups within the FireBrick

Ethernet

  • Increased MTU to around 4k

Firewall

  • Interface option to map IPv6 source address to one based on EUI64 from MAC

Internal

  • Increase stack sizes and make route loop counter an error counter

IPsec

  • IPsec status display now shows algorithms in use

L2TP

  • Fix for steering RADIUS response - was causing RADIUS to lock up totally
  • RADIUS options to control long term shapers for L2TP sessions

Logging

  • Avoid crash when displaying logging using CLI
  • Fix crash when displaying logs using colours

TCP

  • Ongoing TCP improvements. Minor functional changes - mod to initial MSS calculation; TIME-WAIT time reduced.
  • TCP restructuring to prepare for enhancements. Includes fix for failure to resend lost SYN introduced recently.
  • Fix failure to send MSS option with SYN

VoIP

  • Tweak to handle possible overrun on SIP messages
  • Audio recording has DTMF in audio even if it arrives and is relayed as telephone events.
  • Allow wildcard contact in deregistration
  • Now sending periodic invite responses when trying/ringing/progress.
  • Send call progress 183 once we have started connecting a call and 3 seconds have passed even if far side still at trying stage
  • Accept privacy=no as well as the standard privacy=off in Remote-Party-ID to interwork with splicecom
  • Not sending ACK to contact found in 4xx response
  • Logging for VoIP messages relating to "calls" now includes REFER
  • Fix response to REFER (was 404 not 200) when non RADIUS working
  • Early call progress (at 3 seconds) now a configurable setting (default on)
  • Option to send SIP headers in long version rather than compact version
  • Tweak to ACK sending when response via proxy with Record-Route
  • Additional nonce checking for replay attacks
  • Nonce check on response even when using RADIUS (unless RADIUS did challenge)
  • Tweak to handling of expiry on registrations
  • Tweak nonce check - if no nonce, allow RADIUS auth to decide if to allow. Still checks nonce valid if present.
  • Tweak initial 100 Trying response when waiting for RADIUS
  • Avoid resend of INVITE after cancelled at 100 Trying, and not received 487 (i.e. ignore lack of 487) to avoid phantom calls
  • Internal change to handling of incomplete responses to VoIP requests
  • Initial 100 Trying waiting on RADIUS no longer tries to tag To: line as not establishing a dialogue (so, as per RFC).
  • Additional log to log-sip-call to record linkage of call-ids

Web control pages

  • Latest Safari adds xmlns attributes on every element for no apparent reason, was breaking web config edit. Worked around
2014-06-03
Older factory release
1.30.001 (Icarus)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.29.000 to Factory release 1.30.001

  • Release candidate

Config

  • Fix profile "traffic lights" in config edit (did not change state on some browsers)

Diagnostics

  • Ping and Traceroute now accessible using GET as well as POST. GET assumes XML output
  • Fixed crash when more than one ping or traceroute diagnostic was run concurrently

DNS

  • DNS resolution and caching is now routing table specific
  • DNS fallback option - for incoming requests if no server in required routing table relay to any DNS available - default true

L2TP

  • Fix for race condition in RADIUS/L2TP causing crash

Logging

  • New log-config setting in system to specifically log config changes

Ping

  • Added ping stats to XML for ping/traceroute

PPPoE

  • IPv4 local end would "stick" if changed from having IPv4 to not (i.e. IPv6 only)

Profiles

  • Slight change to control switch graphic
  • A new control switch profile will now start with the initial value.
  • Control switches can now use and/or/not logic to enable them to be set or reset by other profile changes.

RADIUS

  • Fix race condition

USB

  • Fix problem causing detection of some devices to fail

VoIP

  • Added source ip option to bulk voip carrier config
  • Added default source IPv4/6 for sending potentially authenticated SIP messages
  • Added default source IPv4/6
  • Better handling for failed calls where auth required and none available. Was continually retrying.
  • Fix for RADIUS based REGISTER check where expires is on contact not its own header
  • Handling missing contact in ACK
  • Handle repeat failed auth on INVITE
  • Limit retries on final BYE or CANCEL if unable to send
  • Added direct URI for telephone user (called in addition to registered contacts)
  • Corrected in-band DTMF generation logic, previously intermittent
  • Added option for outgoing registrations to use a wildcard domain instead of a line= attribute
  • Added some initial SNMP stats for VoIP (number of call legs and RADIUS based incoming registrations)

Web config

  • Minor typos in config edit

Web control pages

  • Link to see DNS server details on IPv6 was broken URL on some browsers
  • Minor change to control switch profile images to help colour blind users
2014-04-03
Older factory release
1.29.000 (Hendra)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.28.000 to Factory release 1.29.000

  • Release candidate for testing

DHCP

  • Subnet list shows pending DHCP client subnets
  • Typo in DHCP logs

DNS

  • Min nxdomain of 10 seconds now

FB105 tunnel

  • Log (rather than crash) if a badly fragmented 105 tunnel packet is received

Firewall

  • Some cases of setting multiple aspects of a session in one go did not force a re-evaluation of target route for new IP so could affect other tests and NAT checks

Internal

  • Increase ethernet transmit max queue size to avoid packet drops during bursty transmissions.

IPsec

  • Support all crypto key lengths when using manual keying. Avoid crash when IPsec is under heavy load.

L2TP

  • Added Proxy-State on session steering RADIUS requests
  • Added control of reply hostname on incoming L2TP connection
  • Added default hostname (system name) on outgoing L2TP connections

NAT

  • New chapter/section covering Network Address Translation

PPPoE

  • PPPoE server (BRAS) handling of standard GEA Agent Remote ID and Circuit ID as called/calling and downstream speed setting
  • PPPoE handling general VLAN tagging
  • Added text NAS-Port to RADIUS when using PPPoE "port{:vlan}/MAC"
  • PPPoE did not handle VLAN priority tagging on inbound packets
  • Some extra debug of unexpected PPPoE messages or fields

Profiles

  • Profiles can now test an ethernet port status

RADIUS

  • New section of manual explaining RADIUS client settings and timeouts

Routing

  • New source-filter-table setting on interfaces to allow separate source filtering lists to be managed using routing tables

Security

  • Added manual section on OTP

SNMP

  • Updated manual to include FireBrick specific SNMP in appendix

TCP

  • Add debug logging for aborted TCP sessions; avoid tcp timeout control upsetting TIMED_WAIT state.

UI

  • Fix broken XML links in system status pages
  • Add memory block usage to system status memory page (alpha releases only)

VoIP

  • Additional beep option for where "Record" button is used on snom phones
  • Extra debug on call states
  • Dynamic carriers existing would lose some non dynamic carriers on config load, fixed
  • Fix shutdown delay
  • Added option for controlling CLI format to telephones
  • Added config for tones when no media for calls to a carrier
  • Was sending invalid Via header for IPv6
  • Picking up correct expiry when less than requested on outbound registrations but not sent Expires header (e.g. sipgate)
  • Fixed possible crash on malformed SIP message
  • Tweak to allow call steal from your own number, i.e. when multiple registered devices
  • Added option to re-map 404 error to a carrier
  • Faster, and more concurrent outbound registrations - better handling of registration changes
  • Fix for mixed sample size call recording (e.g. when 10ms one way and 20ms other)
  • 415 unsupported media response to reinvite with unknown media
  • Possible stuck outgoing registrations fix
  • Tweak to allow radius based SIP target to control domain on From header
  • Added available buffer check on call set up
  • CLI format "transparent" added
  • Added additional named tones to defaults
  • Changed auto registrations to use same realm in From as in To
  • Sending RADIUS response for CLI of "Allowed" was not unsetting withheld flag
  • CLI handling tweak
  • Loading new register URL list clears proxy (from redirect) on change of config
2014-01-09
Older factory release
1.28.000 (Gordius)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.27.001 to Factory release 1.28.000

Bonding

  • Minor change to bonding to minimize packet reordering on arrival

Config

  • Removed profile from port groups as not used
  • Replaced shutdown with profile on ethernet control settings
  • Added "Test" option to config save to automatically revert if not properly saved within 5 minutes.

DHCP

  • Added domain-search attribute, as it is specially coded

Diagnostics

  • Temporary diagnostics added for tracking down odd problems

Firewall

  • Load sharing (on route override and session tracking rules) now allows sharing to be based on hash of IPs rather than random

IPsec

  • Fix problem with local-ip not always taking effect.
  • Fix crashes associated with NAT keepalives when sessions close
  • Fix IPsec crash during session init when repeat message received
  • Fix another IPsec corner case causing panic when IKE packets are dropped/repeated

L2TP

  • Added option to allow relay RADIUS auth reply to specify relay to another RADIUS server for auth or session steering.
  • Further minor tweak to bonding to improve re-order issues
  • Adjusted L2TP to drop routes before sending accounting RADIUS

Logging

  • Improve flash log replay at system startup. Should fix problem with non-detection and emailing of panic logs.
  • Fix problem causing non-detection of panic message at system startup

OS

  • Introduce new flash driver - currently for alpha builds only

pcap

  • pcap web interface allowing multiple select interfaces to match underlying capabilities

PortControl

  • Knightrider pattern (displayed when no ports connected) was running too slowly

USB

  • USB driver improvements: improved power overload detection and hub support

VoIP

  • Changed aggregate call status handling to just be highest status, and removed group values
  • Adjust to pick first priority on SRV even when DNS not cached (was falling back in such cases)
  • Added de-registration on removal of carrier and on reboot
  • Adjusted max-calls to a telephone to test before calling all registered devices, so they all get calls rather than only some when limited
  • Edge case could mean incorrect count of dynamic VoIP registrations
  • Minor tweak for RADIUS call leg log accounting - seemed to miss some STOP records.
  • Improved log for ICMP error
2013-11-05
Older factory release
1.27.001 (Fidelio)
Config:XSD Doc
Manual:PDF HTML

Release notes from Factory release 1.27.000 to Factory release 1.27.001

PPPoE

  • PPPoE shows uptime

VoIP

  • Added max time limit on call establishing (e.g. ringing forever not allowed), 5 min default
  • Configurable response code for 600, 603, 604, 606 for hunt group calls
  • Edge case where VoIP would not send if fixed source address specified in some cases, typically IPv6