Firmware Update: Ubiquiti EdgeMax 1.10.0

Ubiquiti has released version 1.10.0 of EdgeMax, the management software that runs on several of the company’s EdgeRouters. The EdgeRouters are characterized by extensive setting options, but require some network knowledge to get it running properly. Also, not all settings can be adjusted via the gui and you will therefore have to work via the command line. The list of changes and improvements since 1.9.7 hotfix.4 is as follows:

New features:

• [Ssh-recovery] – This is new service which starts during early boot stage and provides emergency SSH access via IPv6 link-local address. ssh recovery can be used to access shell from directly connected neighbor if router is not accessible by normal means. By default ssh recovery service is listening on port 60257 on all ethernet interfaces and it is automatically terminated 60 seconds after boot. More information is available in this article.
• [Iperf] – Added iperf 2.0.3 which will be used by UNMS to measure bandwidth towards AirMAX devices
• [UBNT-discover] – Add CLI command to disable “ubnt-discovery” daemon, thus ER will stop responding to discovery messages on 10001 UDP port. (set service ubnt-discover-server disable). Discussed here
• [BGP] – Add support for BGP extended community that allows setting 4-byte AS numbers (set policy route-map xxx rule 42 set extcommunity rt 1234567:3200). Discussed here.

Enhancements and bug fixes:

• [WebGUI] – Add link to UMobile app to the login page
• [WebGUI] – Show full FW version in system version tooltip
• [WebGUI] – Display warning if UF-RJ45-1G has invalid speed
• [WebGUI] – Add tooltips for ports whose speeds can’t be changed on ER8-XG
• [WebGUI] – fix XSS vulnerability in GUI when creating new user
• [WebGUI] – fixed security vulnerability when operator user was able to rewrite any file by abusing poorly validated fields in “Packet capture” WebGUI window
• [WebGUI] – added UNMS status to WebGUI dashboard
• [WebGUI] – Fix stored XSS in Routing window
• [WebGUI] – Add”Download tech support file” button in WebGUI
• [Routing] – Add watchdog for critical routing daemons (nsm, ribd, ospfd, bgpd…) which will restore crashed daemon
• [BGP] – Fix bug when BGP session was closed if “BGP_ATTR_FLAG_PARTIAL” flag was missing in AS4_PATH attribute. Discussed here
• [BGP] – Fix bug when name of BGP community-list was parsed incorrectly allowing bad name to pass validation
• [Security] – Fix security vulnerability when partial contents of console buffer could be leaked via web socket connection
• [Interfaces] – Fix bug when auto-negotiation did not work on ER-PoE. Discussed here
• [Interfaces] – Fix regression in 1.9.7 when POE was randomly not turning on after reboot on ER-X-SFP. Discussed here
• [Dnsmasq] – Fix bug when dnsmasq did not start if DHCP server functionality was disabled and DNS “service dns forwarding except-interface” was set. Discussed here
• [DHCP] – Add static ARP support for DHCP-leased IPs with “set service dhcp-server static-arp”
• [DHCP] – Fix invalid characters in client’s hostname. Discussed here
• [DHCP] – Fix bug when 2nd DHCP client could not receive address from DHCP server if IPv4 offloading was enabled on Cavium-based routers (ER, ER-8-pro, ER-4, ER-6, ER-lite, ER-poe).
• [DHCP] – Add global DHCP client options to configuration (set interfaces ethernet eth0 dhcp-options global-option xxx). Discussed here
• [Firewall] – add a contiguous option to firewall time extension “set firewall name xxx rule yyy time contiguous…”
• [System] – Increase maximum ARP/NDP cache table size
• [System] – Coredumps will not be generated anymore unless explicitly enabled with “set system coredump enabled”
• [System] – Fix bug when “ubnt-utils” daemon crashed randomly. Discussed here
• [System] – Fix bug when ER-4 and ER-6 randomly hanged
• [CLI] – Improve speed of multiple CLI commands in following areas – interfaces, static-route, ospf, ospfv3, policy, dhcp, dns, pppoe-server, qos.
• [CLI] – Fix hostname validation when configuring static mapping.
• [Offload] – Fix packet reordering issue on Cavium-based routes. Now you can remove workaround that fixed this issue by forcing single-core RX processing: configure delete system packet-rx-core-num commit save
• [Offload] – Remove spurious warning messages from Cavium offload module when handling IPSec traffic
• [Offload] – Fixed bug in PPPoE offloading on Cavium-based routers when packets with incorrect IP checksum caused corrupted downloads (this fix works on all models except ER-Infinity). Discussed here
• [FlowAccounting] – Added flow accounting via ipt-netflow which performs better (+25% max throughput) comparing to original pmacct netflow implementation. this ipt-netflow can be configured in CLI with “set system flow-accounting-ipt …”
• [Flow-accounting] – fix bug when flow accounting detection failed. Discussed here
• [Kernel] – Fix bug when ER randomly rebooted on Cavium-based routers. Discussed here and here and many other threads on forum.
• [L2tpv3] – Fix bug when l2tpv3 interface could not be added to bridge during boot
• [Switch] – Fix bug when last interface could not be removed from switch via GUI
• [Switch] – Fix bug when address could be set to interface which is assigned to switch
• [SNMP] – Improve snmp performance by moving cache from flash storage to tmpfs.This also fixed random kernel crashes when SNMP updating cache in tight loop
• [Boot] – Decrease boot delay on ER-X from 5 seconds to 1 second
• [UNMS] – Fix bug when /tmp/sysd-save.xxxx files sometimes were not deleted if UNMS was enabled
• [UNMS] – Fix Remote Code Execution via UNMS
• [PPPoE] – Add description to pppoe interface. Discussed here
• [DNS] – Fix bug when namesevers were randomly erased from ‘/etc/resolv.conf’ file. Discussed here
• [EULA] – Update EULA

Updated software components:

• [Kernel] – upgraded Linux kernel to 3.10.107
• [DHCP] – upgraded ISC DHCP to 4.1-ESV-R8

Known issues:

• Bug with corrupted downloads via PPPoE interface is not fixed for ER-8-XG (it is fixed on all other ER models). Workaround – disable PPPoE offloading: configure set system offload ipv4 pppoe disableset system offload ipv6 pppoe disable commit save
• Failover load balancing stops working after reconfiguration (it works fine when configuring load-balancing for the first time or after reboot). Workaround – reset ubnt-util daemon after reconfiguring load balancing:

• sudo kill -kill `pidof ubnt-util` The ubnt-util daemon randomly crashes and following message is visible in syslog: Process 749 (ubnt-util) has crashed (parent 656 (ubnt-daemon) signal 11, code 0, addr 00000290000000000 ), coredumps disabled This crash does not affect functionality and it can be safely ignored. It will be fixed in future release.