Firmware-update: Ubiquiti EdgeMAX EdgeRouter 2.0.9

Ubiquiti Networks has released version 2.0.9 of the firmware for the EdgeMax EdgeSwitches. The EdgeSwitches are characterized by extensive setting options, but do require some network knowledge to get it running properly. Also, not all settings can be adjusted via the gui, so you have to get started via the command line. The list of changes and improvements for this release looks like this:


The ER-X/ER-X-SFP/ER-10X/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using delete system image CLI command, see here for more details) before doing an upgrade.


  • Add anonymous crash reporting and analytics reporting which are disabled by default.
  • Add firmware upgrade button in WebGUI. This button will show indication when new stable firmware is available. Upgrade process will be initiated upon pressing this button.
  • Add annoying popup window to WebGUI where admin is being asked to allow or deny analytics&crash-reporting. Description and data samples available here ->
  • Add “Factory Reset” button to WebGUI:
  • Add new CLI command add system image to automatically download and install latest stable firmware
  • Decrease size of firmware image by removing dependency on libxml and excluding it -> size of firmware image shrank by ~10Mb.
  • Reduce RAM usage by disabling systemd journaling (discussed here) and add new config entries to control systemd-journaling if necessary:
  • Add new L2TP VPN remote access client interface that establishes VPN connection to external L2TP remote access VPN server. For instance following example creates l2tpc0 Point-to-Point interface towards to L2TP server
  • Enable connmark plugin in strongswan to allow connection from multiple L2TP-VPN clients from same NAT (discussed here). By default connmark is disabled and needs to be enabled from CLI with following command:
  • [UNMS] – Add support for “unlimited queues” and “dynamic wan interface” in UNMS QoS
  • [DPI] – Upgrade DPI signature database to version 1.564
  • [Performance] Improved forwarding performance on all ER models when offloading is disabled —> +30% in simple NAT scenario, +10% in QoS/NetFlow scenario when comparing with v2.0.8.
  • [Performance] Improved IPsec performance on ER-X/ER-X-SFP/ER-10X/EP-R6 when offloading is enabled —> +10% when comparing with v2.0.8. Discussed here
  • [PPPoE] – Increase PPPoE client IP pool size from 256 to 1024
  • [CLI] – Update CLI welcome message to make it consistent with other Edge*** products
  • [Security] – Now current config, private user files and backup firmware image will be permanently deleted when doing factory reset via CLI/WebGUI/UNMS. Previously backup firmware image used to survive factory-reset


  • [WebGUI] – Fix bug when WebGUI showed wrong RX/TX counters on eth0~eth7 when ipv4 offloading is enabled
  • [WebGUI] – Fix regression from v2.0.0 when bandwidth measurement tool in WebGUI did not work at all. Discussed here
  • [WebGUI] – Fix bug in WebGUI when UNMS status is stuck in “connecting” state forever. Discussed here
  • [WebGUI] – Fix bug in WebGUI when some tools did not show any output (ping, trace, log, capture, bandwidth). Discussed here and here
  • [WebGUI] – Fix bug when WebGUI randomly crashed because lighttpd was stuck with 100% CPU load. lighttpd was upgraded to v1.4.55. Discussed here
  • [WebGUI] – Fix bug in WebGUI when firewall stats were empty during first 30 seconds. Discussed here
  • [UNMS] – Fix bug when QoS could not disabled from UNMS
  • [UNMS] – Strip 3rd party DEB packages from backup file when making ER backup from UNMS. We did this to reduce size of backup files because UNMS makes them very frequently.
  • [UNMS] – Fix wrong LED color indication when UNMS is not configured
  • [UNMS] – Fix bug when UNMS sometimes failed to perform initial connection with ER
  • [UNMS] – Fix bug when UNMS QoS crashed when binding to missing PPPoE interfaces
  • [UNMS] – Fix memory leak in udapi-bridge process when ER is connected to UNMS. Discussed here
  • [UNMS] – Fix rare config mis-synchronization between ER and UNMS causing random errors when configuring via UNMS
  • [SFP] – Fix bug when SFP port failed to process packets after reboot. Discussed here
  • [SFP] – Fix bug when some SFP modules were mistakenly reporting tx error
  • [SFP] – Fix bug when SFP interface stops working when Ethernet interface loses link on ER-12
  • [SFP] – Fix bug when stats in WebGUI stall if SFP module is misbehaving and responding with garbage instead of valid sfp data. Discussed here
  • [Offloading] – Fix random lock-ups when hwnat offloading is enabled on ER-X/ER-X-SFP. Discussed here and here
  • [Packages] – Restore builtin etherwake package that was removed since v2.0.0 firmware
  • [PPPoE/L2TP/PPP] – Fix buffer overflow vulnerability in pppd daemon (CVE-2020-8597)
  • [OSPF] – Fix bug when OSPF neighbors disappear after interface flap if OSPF network has /32 mask. Discussed here
  • [CLI] – Fix bug when add system image CLI command did not show “yes/no” prompt if there’s no backup firmware image. Discussed here
  • [CLI] – Fix bug when shell command switch pvid dump crashes on ER-X. Discussed here
  • [BGP] – Fix bug when blocked BGP prefix leaked to neighbors when committing large BGP config. Discussed here and here
  • [SNMP] – Fix “unknown notification OID” and “Unknown token: monitor” errors in syslog when configuring SNMP. Discussed here
  • [SNMP] – Fix bug when SNMP flooded "error on subcontainer ia_addr insert" errors in syslog. Discussed here
  • [SNMP] – Fix SNMP flooding “cannot get stats strings information for interface” error to syslog on ER-X. Discussed here
  • [LoadBalancing] – Fix bug when Load Balancing randomly failed if WAN interface acquired new DHCP address. Discussed here
  • [PPPoE] – Fix RCE vulnerability in pppoe-server when using custom radius-disconnect script. Introduced here and discussed here
  • [PPPoE] – Fixed confusing “PADT: Generic-Error: xxxx” syslog message when PPPoE client disconnected. Discussed here
  • [DDNS] – Fix potential DDNS config disclosure vulnerability if multiple Dynamic DNS providers are configured
  • [PPTP] – Don’t load nf_nat_pptp module during boot unless it it is really used
  • [IGMP] – Upgraded igmp-proxy to fix multiple IPTV freeze/disconnect issues
  • [System] – Add ethtoolsupport for ER-X / ER-X-SFP / ER-10X models
  • [VPN] – Fix bug when L2TP-VPN daemon randomly crashed when WAN interface updated DHCP lease. Discussed here and here
  • [IPv6] – Fix bug when radvd failed when loading configuration with many VLANS (10+). Discussed here
  • [IPv6] – Fix bug when PD wont start if prefix6 range is outside of declared subnet. Backported FreeBSD patch from here
  • [IPv6] – Add static mapping feature for IPv6 PD so that service dhcp-statefull could have statically mapped hosts. Discussed here and here
  • [OSPFv3] – Fix regression from v2.0.7 when OSPFv3 stopped adding received routes to RIB. Discussed here
  • [OSPFv3] – Fix bug that caused failure when redistributing OSPFv3 routes via BGP. Discussed here
  • [QoS] – Fix bug when burst-size was causing bad performance when configured in UNMS
  • [Interfaces] – Add missing firewall config for switch0.pppoe and switch0.vif.pppoe interfaces. Discussed here and here
  • [Interfaces] – Fix bug when VLAN interface with MTU <1280 triggers “Commit Failed” error
  • [Interfaces] – Fix bug when packets with wrong MAC leaked to WAN if offloading is enabled on ER-X. Discussed here
  • [Interfaces] – Fix bug when wrong TX/RX counters were reported on switched port on ER-12/ER-12P
  • [Interfaces] – Allow deleting non existing address from config if it disappeared from kernel. Discussed here
  • [Routing] – Fix bug when all routing daemons (bgpospfripripng…) randomly & permanently die. This issue was randomly observed while creating/deleting 100+ PPPoE interfaces.
  • [Routing] Added Ethernet driver patch from Cavium that fixes packet reordering with 4.x kernel. This should improve performance of network services that are sensitive to UDP packet reordering (e.g. VoIP and Video streaming)
  • [TechSupport] – Add more LoadBalancing debug info to tech-support file
  • [SSH-Recovery] – Fix bug when setting VLAN interfaces in service ssh-recovery listen-on caused config corruption after reboot
  • [LED] – Fix bug when LED light was stuck in WHITE color forever. Discussed here
  • [DHCP] – Fix bug when same hostname could not be statically-mapped in different subnets for IPv4/IPv6 DHCP servers. Discussed here
  • [DHCP] – Fix bug in DHCP server when dhcp-boot option of first subnet was applied to all networks
  • [PoE] – Fix bug when PoE on eth9 on ER-10X remained enabled after doing factory reset
  • [UPnP] – Backport CVE-2019-12111 that fixes DDoS attack in miniupnpd . Discussed here

Upgraded following Debian packages: Known issues

  • apt (1.4.9 => 1.4.10)
  • apt-transport-https (1.4.9 => 1.4.10)
  • base-files (9.9+deb9u11 => 9.9+deb9u13)
  • ca-certificates (20161130+nmu1+deb9u1 => 20200601~deb9u1)
  • curl (7.52.1-5+deb9u9 => 7.52.1-5+deb9u10)
  • dbus (1.10.28-0 + deb9u1 => 1.10.32-0 + deb9u1)
  • libapt-pkg5.0 (1.4.9 => 1.4.10)
  • libcurl3 (7.52.1-5+deb9u9 => 7.52.1-5+deb9u10)
  • libcurl3-gnutls (7.52.1-5+deb9u9 => 7.52.1-5+deb9u10)
  • libdbus-1-3 (1.10.28-0 + deb9u1 => 1.10.32-0 + deb9u1)
  • libgnutls-openssl27 (3.5.8-5+deb9u4 => 3.5.8-5+deb9u5)
  • libgnutls30 (3.5.8-5+deb9u4 => 3.5.8-5+deb9u5)
  • libldap-2.4-2 (2.4.44+dfsg-5+deb9u3 => 2.4.44+dfsg-5+deb9u4)
  • libldap-common (2.4.44+dfsg-5+deb9u3 => 2.4.44+dfsg-5+deb9u4)
  • libperl5.24 (5.24.1-3+deb9u6 => 5.24.1-3+deb9u7)
  • libidn11 (1.33-1 => 1.33-1+deb9u1)
  • libperl5.24 (5.24.1-3+deb9u5 => 5.24.1-3+deb9u6)
  • libsasl2-2 (2.1.27~101-g0780600+dfsg-3 => 2.1.27~101-g0780600+dfsg-3+deb9u1)
  • libsasl2-modules-db (2.1.27~101-g0780600+dfsg-3 => 2.1.27~101-g0780600+dfsg-3+deb9u1)
  • libssl1.0.2 (1.0.2t-1~deb9u1 => 1.0.2u-1~deb9u1)
  • libtimedate-perl (2.3000-2 => 2.3000-2+deb9u1)
  • sudo (1.8.19p1-2.1+deb9u1 => 1.8.19p1-2.1+deb9u2)
  • igmpproxy (0.1 => 0.2.1)
  • tzdata (2019c-0+deb9u1 => 2020a-0+deb9u1)
  • [DPI] – Sometimes DPI is reporting wrong rx/tx counters
  • [Offloading] – L2TP IPSec traffic is not being offloaded on Mediatek-based routers (ER-X, ER-X-SFP, EP-R6)
  • [Offloading] – VLAN traffic is not being offloaded on ER-12

Known issues

  • [DPI] – Sometimes DPI is reporting wrong rx/tx counters
  • [Offloading] – L2TP IPSec traffic is not being offloaded on Mediatek-based routers (ER-X, ER-X-SFP, EP-R6)
  • [Offloading] – VLAN traffic is not being offloaded on ER-12
  • Version number 2.0.9
    Releasestatus Final
    Website Ubiquiti
    License type Freeware