Firmware update: Ubiquiti EdgeMAX EdgeRouter 2.0.9

Ubiquiti Networks has released version 2.0.9 of the firmware for the EdgeMax EdgeSwitches. The EdgeSwitches are characterized by extensive configuration options, but do require some networking knowledge to get them running properly. In addition, by no means all settings can be changed via the GUI, so you have to work from the command line. The list of changes and improvements for this release is as follows:

Overview

The ER-X/ER-X-SFP/ER-10X/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using delete system image CLI command, see here for more details) before doing an upgrade.

Improvements
  • Add anonymous crash reporting and analytics reporting which are disabled by default.
  • Add firmware upgrade button in WebGUI. This button will show indication when new stable firmware is available. Upgrade process will be initiated upon pressing this button.
  • Add annoying popup window to WebGUI where admin is being asked to allow or deny analytics&crash-reporting. Description and data samples available here -> https://help.ui.com/hc/en-us/articles/360051176734
  • Add "Factory Reset" button to WebGUI:
  • Add new CLI command add system image to automatically download and install latest stable firmware
  • Decrease size of firmware image by removing dependency on libxml and excluding it -> size of firmware image shrank by ~10Mb.
  • Reduce RAM usage by disabling systemd journaling (discussed here) and add new config entries to control systemd-journaling if necessary:
  • Add new L2TP VPN remote access client interface that establishes VPN connection to external L2TP remote access VPN server. For instance following example creates l2tpc0 Point-to-Point interface towards to L2TP server 192.168.11.1:
  • Enable connmark plugin in strongswan to allow connection from multiple L2TP-VPN clients from same NAT (discussed here). By default connmark is disabled and needs to be enabled from CLI with following command:
  • [UNMS] - Add support for "unlimited queues" and "dynamic wan interface" in UNMS QoS
  • [DPI] - Upgrade DPI signature database to version 1.564
  • [Performance] Improved forwarding performance on all ER models when offloading is disabled ---> +30% in simple NAT scenario, +10% in QoS/NetFlow scenario when comparing with v2.0.8.
  • [Performance] Improved IPsec performance on ER-X/ER-X-SFP/ER-10X/EP-R6 when offloading is enabled ---> +10% when comparing with v2.0.8. Discussed here
  • [PPPoE] - Increase PPPoE client IP pool size from 256 to 1024
  • [CLI] - Update CLI welcome message to make it consistent with other Edge*** products
  • [Security] - Now current config, private user files and backup firmware image will be permanently deleted when doing factory reset via CLI/WebGUI/UNMS. Previously backup firmware image used to survive factory-reset
Bugfixes
  • [WebGUI] - Fix bug when WebGUI showed wrong RX/TX counters on eth0~eth7 when ipv4 offloading is enabled
  • [WebGUI] - Fix regression from v2.0.0 when bandwidth measurement tool in WebGUI did not work at all. Discussed here
  • [WebGUI] - Fix bug in WebGUI when UNMS status is stuck in "connecting" state forever. Discussed here
  • [WebGUI] - Fix bug in WebGUI when some tools did not show any output (ping, trace, log, capture, bandwidth). Discussed here and here
  • [WebGUI] - Fix bug when WebGUI randomly crashed because lighttpd was stuck with 100% CPU load. lighttpd was upgraded to v1.4.55. Discussed here
  • [WebGUI] - Fix bug in WebGUI when firewall stats were empty during first 30 seconds. Discussed here
  • [UNMS] - Fix bug when QoS could not be disabled from UNMS
  • [UNMS] - Strip 3rd party DEB packages from backup file when making ER backup from UNMS. We did this to reduce size of backup files because UNMS makes them very frequently.
  • [UNMS] - Fix wrong LED color indication when UNMS is not configured
  • [UNMS] - Fix bug when UNMS sometimes failed to perform initial connection with ER
  • [UNMS] - Fix bug when UNMS QoS crashed when binding to missing PPPoE interfaces
  • [UNMS] - Fix memory leak in udapi-bridge process when ER is connected to UNMS. Discussed here
  • [UNMS] - Fix rare config mis-synchronization between ER and UNMS causing random errors when configuring via UNMS
  • [SFP] - Fix bug when SFP port failed to process packets after reboot. Discussed here
  • [SFP] - Fix bug when some SFP modules were mistakenly reporting tx error
  • [SFP] - Fix bug when SFP interface stops working when Ethernet interface loses link on ER-12
  • [SFP] - Fix bug when stats in WebGUI stall if SFP module is misbehaving and responding with garbage instead of valid sfp data. Discussed here
  • [Offloading] - Fix random lock-ups when hwnat offloading is enabled on ER-X/ER-X-SFP. Discussed here and here
  • [Packages] - Restore builtin etherwake package that was removed since v2.0.0 firmware
  • [PPPoE/L2TP/PPP] - Fix buffer overflow vulnerability in pppd daemon (CVE-2020-8597)
  • [OSPF] - Fix bug when OSPF neighbors disappear after interface flap if OSPF network has /32 mask. Discussed here
  • [CLI] - Fix bug when add system image CLI command did not show "yes/no" prompt if there's no backup firmware image. Discussed here
  • [CLI] - Fix bug when shell command switch pvid dump crashes on ER-X. Discussed here
  • [BGP] - Fix bug when blocked BGP prefix leaked to neighbors when committing large BGP config. Discussed here and here
  • [SNMP] - Fix "unknown notification OID" and "Unknown token: monitor" errors in syslog when configuring SNMP. Discussed here
  • [SNMP] - Fix bug when SNMP flooded "error on subcontainer ia_addr insert" errors in syslog. Discussed here
  • [SNMP] - Fix SNMP flooding "cannot get stats strings information for interface" error to syslog on ER-X. Discussed here
  • [LoadBalancing] - Fix bug when Load Balancing randomly failed if WAN interface acquired new DHCP address. Discussed here
  • [PPPoE] - Fix RCE vulnerability in pppoe-server when using custom radius-disconnect script. Introduced here and discussed here
  • [PPPoE] - Fixed confusing "PADT: Generic-Error: xxxx" syslog message when PPPoE client disconnected. Discussed here
  • [DDNS] - Fix potential DDNS config disclosure vulnerability if multiple Dynamic DNS providers are configured
  • [PPTP] - Don't load nf_nat_pptp module during boot unless it is really used
  • [IGMP] - Upgraded igmp-proxy to fix multiple IPTV freeze/disconnect issues
  • [System] - Add ethtool support for ER-X/ER-X-SFP/ER-10X models
  • [VPN] - Fix bug when L2TP-VPN daemon randomly crashed when WAN interface updated DHCP lease. Discussed here and here
  • [IPv6] - Fix bug when radvd failed when loading configuration with many VLANS (10+). Discussed here
  • [IPv6] - Fix bug when PD won't start if prefix6 range is outside of declared subnet. Backported FreeBSD patch from here
  • [IPv6] - Add static mapping feature for IPv6 PD so that service dhcp-statefull could have statically mapped hosts. Discussed here and here
  • [OSPFv3] - Fix regression from v2.0.7 when OSPFv3 stopped adding received routes to RIB. Discussed here
  • [OSPFv3] - Fix bug that caused failure when redistributing OSPFv3 routes via BGP. Discussed here
  • [QoS] - Fix bug when burst-size was causing bad performance when configured in UNMS
  • [Interfaces] - Add missing firewall config for switch0.pppoe and switch0.vif.pppoe interfaces. Discussed here and here
  • [Interfaces] - Fix bug when VLAN interface with MTU <1280 triggers "Commit Failed" error
  • [Interfaces] - Fix bug when packets with wrong MAC leaked to WAN if offloading is enabled on ER-X. Discussed here
  • [Interfaces] - Fix bug when wrong TX/RX counters were reported on switched port on ER-12/ER-12P
  • [Interfaces] - Allow deleting non existing address from config if it disappeared from kernel. Discussed here
  • [Routing] - Fix bug when all routing daemons (bgp, ospf, rip, ripng...) randomly & permanently die. This issue was randomly observed while creating/deleting 100+ PPPoE interfaces.
  • [Routing] Added Ethernet driver patch from Cavium that fixes packet reordering with 4.x kernel. This should improve performance of network services that are sensitive to UDP packet reordering (e.g. VoIP and Video streaming)
  • [TechSupport] - Add more LoadBalancing debug info to tech-support file
  • [SSH-Recovery] - Fix bug when setting VLAN interfaces in service ssh-recovery listen-on caused config corruption after reboot
  • [LED] - Fix bug when LED light was stuck in WHITE color forever. Discussed here
  • [DHCP] - Fix bug when same hostname could not be statically-mapped in different subnets for IPv4/IPv6 DHCP servers. Discussed here
  • [DHCP] - Fix bug in DHCP server when dhcp-boot option of first subnet was applied to all networks
  • [PoE] - Fix bug when PoE on eth9 on ER-10X remained enabled after doing factory reset
  • [UPnP] - Backport CVE-2019-12111 that fixes DDoS attack in miniupnpd. Discussed here

Upgraded following Debian packages:

  • apt (1.4.9 => 1.4.10)
  • apt-transport-https (1.4.9 => 1.4.10)
  • base-files (9.9+deb9u11 => 9.9+deb9u13)
  • ca-certificates (20161130+nmu1+deb9u1 => 20200601~deb9u1)
  • curl (7.52.1-5+deb9u9 => 7.52.1-5+deb9u10)
  • dbus (1.10.28-0+deb9u1 => 1.10.32-0+deb9u1)
  • libapt-pkg5.0 (1.4.9 => 1.4.10)
  • libcurl3 (7.52.1-5+deb9u9 => 7.52.1-5+deb9u10)
  • libcurl3-gnutls (7.52.1-5+deb9u9 => 7.52.1-5+deb9u10)
  • libdbus-1-3 (1.10.28-0+deb9u1 => 1.10.32-0+deb9u1)
  • libgnutls-openssl27 (3.5.8-5+deb9u4 => 3.5.8-5+deb9u5)
  • libgnutls30 (3.5.8-5+deb9u4 => 3.5.8-5+deb9u5)
  • libldap-2.4-2 (2.4.44+dfsg-5+deb9u3 => 2.4.44+dfsg-5+deb9u4)
  • libldap-common (2.4.44+dfsg-5+deb9u3 => 2.4.44+dfsg-5+deb9u4)
  • libperl5.24 (5.24.1-3+deb9u6 => 5.24.1-3+deb9u7)
  • libidn11 (1.33-1 => 1.33-1+deb9u1)
  • libperl5.24 (5.24.1-3+deb9u5 => 5.24.1-3+deb9u6)
  • libsasl2-2 (2.1.27~101-g0780600+dfsg-3 => 2.1.27~101-g0780600+dfsg-3+deb9u1)
  • libsasl2-modules-db (2.1.27~101-g0780600+dfsg-3 => 2.1.27~101-g0780600+dfsg-3+deb9u1)
  • libssl1.0.2 (1.0.2t-1~deb9u1 => 1.0.2u-1~deb9u1)
  • libtimedate-perl (2.3000-2 => 2.3000-2+deb9u1)
  • sudo (1.8.19p1-2.1+deb9u1 => 1.8.19p1-2.1+deb9u2)
  • igmpproxy (0.1 => 0.2.1)
  • tzdata (2019c-0+deb9u1 => 2020a-0+deb9u1)

Known issues

  • [DPI] - Sometimes DPI is reporting wrong rx/tx counters
  • [Offloading] - L2TP IPSec traffic is not being offloaded on Mediatek-based routers (ER-X, ER-X-SFP, EP-R6)
  • [Offloading] - VLAN traffic is not being offloaded on ER-12

Ubiquiti EdgeMAX EdgeSwitch

Version number 2.0.9
Release status Final
Website Ubiquiti
Download https://community.ui.com/releases/EdgeMAX-EdgeRouter-Firmware-v2-0-9-v2-0-9/d75f346d-d734-4026-97a8-7b2d5cc4e079
License type Freeware

By Bart van Klaveren

21-11-2020 08:20
submitter: Chris.nl

Source: Ubiquiti


Comments (23)

+2 victor538
21 November 2020 09:42
This is an important update. The performance regression of the 2.x releases has finally been resolved. This kept many people from updating to the 2.x branch.

In the release notes:
[Performance] Improved forwarding performance on all ER models when offloading is disabled ---> +30% in simple NAT scenario, +10% in QoS/NetFlow scenario when comparing with v2.0.8.
[Performance] Improved IPsec performance on ER-X/ER-X-SFP/ER-10X/EP-R6 when offloading is enabled ---> +10% when comparing with v2.0.8. Discussed here
And
[Routing] Added Ethernet driver patch from Cavium that fixes packet reordering with 4.x kernel. This should improve performance of network services that are sensitive to UDP packet reordering (e.g. VoIP and Video streaming)

[Comment edited by victor538 on 21 November 2020 09:44]

+1 downtime
@victor538 21 November 2020 10:00
So it is finally safe to upgrade my ERPro-8?
0 Dennisb1
@victor538 7 December 2020 04:32
But this is in there too

[Offloading] - L2TP IPSec traffic is not being offloaded on Mediatek-based routers (ER-X, ER-X-SFP, EP-R6)

That rather contradicts itself :/
I am still running the 1.x branch and l2tp is really enough to make you cry. Max 30mbit

[Comment edited by Dennisb1 on 7 December 2020 04:34]

+1 webside007
21 November 2020 08:33
Finally released!! ;( It took far too long, and also: updates should appear more regularly instead of every so many months...
+1 delphium
@webside007 21 November 2020 08:58
Can you explain why? Is there a feature you were missing in the previous firmware, or were you affected by a bug? What exactly has been fixed in this release that you were waiting for so eagerly, and why would you want another update again so soon?

Personally I prefer as few updates as possible. There are, however, a number of bugs in the firmware that I would like to see fixed:

1) The system panel, which opens from the bottom, does not always open completely.
2) DHCP servers that should be separate from each other at all times still interfere with each other.

It is also annoying that it is not possible to release IP addresses manually. As far as I can see this has not been fixed yet.
+1 FatalError
@delphium 21 November 2020 09:48
I was affected by the UDP reordering problems. IPsec tunnels over UDP port 4500 run here. Without the fix: 30 mbit/s, with the fix: 170 mbit/s on an EdgeRouter Lite.
The EdgeRouter 4 goes from 80 to 220 mbit/s (the max of the line)

[Comment edited by FatalError on 21 November 2020 09:48]

0 webside007
@delphium 3 December 2020 09:35
Sorry for my late reply.
Sure:
- security fixes
- throughput issue that has been dragging on for a veeeery long time!
Isn't it logical that an update appears now and then? Security fixes, further developing the GUI (it is needed!), ...

I manage my Lite 3 with the iOS app and via UNMS (free). Works well.
+1 Chris.nl
@webside007 21 November 2020 13:41
Then you can sign up for the beta firmware. In the meantime I have had, off the top of my head, 5 versions between 2.0.8 and 2.0.9. But well, if you are stable on the previous firmware it is probably better to enjoy that until a new one comes along.
0 webside007
@Chris.nl 3 December 2020 09:36
Already done and I can't get into the Beta section, pffff
It says I have already "applied", but I can't find beta firmwares anywhere...
0 Chris.nl
@webside007 3 December 2020 09:57
https://community.ui.com/releases and then also select beta. At the moment there is no new beta yet.
0 webside007
@Chris.nl 3 December 2020 10:00
OK, thanks. I'll try again
+1 remyz
21 November 2020 08:26
This firmware update is for EdgeRouters, not EdgeSwitches, as the article states.
+1 remsie
@remyz 21 November 2020 12:42
Indeed, it took a while, but it is quite a hefty update :9 :*)
+1 Jerie
@remyz 21 November 2020 14:55
:D I use both, and I was already thinking, from 1.9.0 to 2.0.9, what is going on here?
0 Antiloop
24 November 2020 11:51
[Packages] - Restore builtin etherwake package that was removed since v2.0.0 firmware
Whoever came up with the idea of taking that out 8)7 , fortunately it is back again.

(for those who don't know what it is: etherwake is for doing wakeonlan/WOL)

[Comment edited by Antiloop on 24 November 2020 11:52]

0 GlowMouse
25 November 2020 15:30
Improvements
Add annoying popup window to WebGUI where admin is being asked to allow or deny analytics&crash-reporting. Description and data samples available here -> https://help.ui.com/hc/en-us/articles/360051176734
Truly an improvement, a popup that even its maker says is annoying 8)7

@EverLast2002 do read carefully, 'disabled by default' refers to the data collection, not to that annoying popup. As soon as you log in, the annoying popup appears asking whether you wouldn't like to cooperate with the data collection after all.

[Comment edited by GlowMouse on 26 November 2020 16:42]

0 EverLast2002
@GlowMouse 26 November 2020 15:28
"which are disabled by default."
So it is off by default.
0 EverLast2002
26 November 2020 15:38
I still have an EdgeRouter Lite (ERLite-3) lying around here but have never used it in production.
Too much fiddling back and forth between CLI and web GUI, because certain settings in the web GUI don't work.
And if you read through the Ubiquiti forum it is full of bugs and workarounds and people using firmware 1.x.
I was quite enthusiastic when I bought that Lite-3 but by now it is sitting in its box doing nothing.
0 webside007
@EverLast2002 3 December 2020 09:33
I do use it in PROD and it works very correctly and stably.
I use the (iOS) app and UNMS (free) to manage it.
I am now on 2.0.9 and it works correctly!
0 webside007
3 December 2020 09:37
Do you all activate hardware offloading? It is off by default, I thought...
0 theemstra
6 December 2020 22:07
A quick question, I can't find it anywhere. The EdgeRouter Lite 3 variant is no longer available anywhere, has it been discontinued?

