Firmware Cutting Edge

Cutting Edge Firmware Release October 29th, 2015 – Version 2015081830/2015102900

This new cutting edge firmware fixed a couple of bugs relevant to upgrading to RuggedVPN. It also contains important bug fixes for anyone using mobile Broadband (UMTS, CDMA, LTE) in their setup.

This firmware release is compatible with both the February 25th 2015 stable firmware release (Version 2014110730/2015021100) and all cutting edge releases since.

New features

  • It is now allowed to upgrade from Classic to RuggedVPN without a maintenance license in place. A warning will be shown when doing so. Please note that RuggedVPN still requires a VLM subscription. However, you no longer have to do the VLM registration first before installing RuggedVPN firmware, but can do this after installing the RuggedVPN firmware.
  • After installation of RuggedVPN, the router will keep working for 14 days. If no VLM license has been installed (or if the router hasn't been downgraded to Classic firmware) by then, the device will cease operation. This also allows our customers to trial RuggedVPN firmware.
  • This Cutting Edge firmware introduces full support for Northern European LTE 450 modules.

Bug fixes

  • Licenses will now be deleted if instructed by the license server, and the online license deactivation function also is available now.
  • Fixed bug that caused the device MCC/MNC not getting re-read in case the first read failed. This sometimes caused the APN auto detection to fail.
  • Resetting or reconnecting an LTE module can cause the router's internal timer to get out of sync for up to two seconds. Due to this, channels will behave strangely: You can see high latency, channel stalls etc. This problem is now fixed. Reconnecting or resetting an LTE module no longer should affect other channels.
  • Due to the Anti-DDoS connection limiter not being initialized correctly, in all previous firmware releases sometimes the config data transfers between active and Hotspare Hubs could fail with an SSL error.
  • The maintenance license type "Iron" which will be used in OEM projects is now supported 
  • It is now allowed to upgrade from Classic to RuggedVPN without a maintenance  license in place - now also works with old web interface
  • Added missing "Deactivate" button for license manager
  • A pre-existing config file from a previous RuggedVPN install will now be removed when doing a factory reset.
  • There was a way to close SSH CLI connections without the connection limiter knowing. This could cause an IP getting locked out of the CLI forever after too many reconnects.
  • License manager will now always use the right interface to do license activations and de-activations. Before it only worked if the default route was on a VPN Tunnel.
  • The connection limiter / DDoS protection has been changed. HTTP, VPN, SSH, Stacking and Hotspare connections are now counted individually per IP.

Cutting Edge Firmware Release August 18th, 2015 – Version 2015072130/2015081800

This new cutting edge firmware releases fixes a very rare VPN Hub crash bug, a very rare bug in Node stacking, and a couple of other minor issues. We recommend updating to this firmware release in case you are running Node stacks.

This firmware release is compatible with both the February 25th 2015 stable firmware release (Version 2014110730/2015021100) and all cutting edge releases since.

New features

A valid Warranty extension license that has not expired is now also counted for "Under Maintenance Contract". If your router still has Warranty left you therefore now are able to upgrade to RuggedVPN even if you haven't yet converted your Warranty license to a Viprinet Lifetime Maintenance contract. For warranty extensions we now also display how much days are left on it.

Bug fixes

  • A rare crash bug on VPN Hubs caused by outdated VPN Clients connecting was fixed.
  • After router boot, a stacking master node could fail to bind its communication socket under rare circumstances, causing stacking slaves not to be able to connect to the master, which in turn would cause a split brain situation.
    In this worst case, the stacking master will now instead reboot to resolve this split brain.
  • In very rare circumstances two stacking nodes right now being in a split conflict while at the exact same time reconnecting to a Hub with the tunnel previously having been disconnected for less than 3 minutes could cause the Hub to crash.
  • In SNMP, vpnRouterCPULoad was exported as string instead of integer as it should be.
  • For VDSL Modules the sync speed reported in the log ("Synched Downstream/Upstream Rate") was swapped. The actual values used were correct, so this is a display issue only.
  • In case a VPN Hub had an invalid DNS resolver configuration, doing the DNS reverse lookup for incoming channel connections could take very long. In case of a lot of channels reconnecting, this could delay any connects to complete for a very long time. Now, incoming channel connections are no longer reverse-resolved.

Cutting Edge Firmware Release July 24th, 2015 – Version 2015072130/2015072405

This new cutting edge firmware releases fixes a rare VPN Hub crash bug, and further prepares users for an upgrade path to the upcoming RuggedVPN new firmware generation. This firmware release is compatible with both the February 25th 2015 stable firmware release (Version 2014110730/2015021100) and the March 31st 2015 cutting edge firmware (Version 2015031230/2015032801).

New features

  • The license manager available in RuggedVPN is now also available in the classic firmware.
  • The SupportID that is needed to register a router for the upcoming Viprinet Lifetime Maintenance System is now displayed.

Bug fixes

  • A rare crash bug on VPN Hubs caused by outdated VPN Clients connecting was fixed.
  • In a node stacking setup, stacked Nodes would never share LAN routes.
  • Fix for GPS not updating speed and heading.
  • All products should be displaying CPU and System core temperature now. Please note that for some products a different temperature sensor deeper inside the CPU is now used. This may cause your CPU temperature to jump up by 10-20°C. This is not a problem and not a defect.
  • QOS rules only matching on TOS did get ignored in the past.
  • Updated all warning popups in regards of missing maintenance contract and RuggedVPN. We'd like to apologize for any confusion caused by these nag screens in previous firmware releases.
  • When a classic router was connecting to a RuggedVPN Hub, under very rare circumstances traffic could have been blocked for QoS classes using BondingTCPOptimizer on the classic node.
  • In the past, changing "Enabled mobile technologies" sometimes did not work, especially when executed on a module that right now has a data connection open. It now should always work.

Cutting Edge Firmware Release March 31st, 2015 – Version 2015031230/2015032801

This new cutting edge release fixes two rare but critical bugs contained in previous firmware releases including the February 25th stable release. We recommend that all Multichannel VPN Hub 5010 be updated. Also, the new 4G LTE Modules available since late March 2015 should only be used in node routers that have been updated to this firmware.

For all other users, there is no immediate need to update from the current stable firmware.

This release is fully compatible with the February 25th stable firmware release. It is OK only to update devices that need the fixes from this release, keeping all other routers on the stable firmware release.

Bug fixes

  • Using multiple of the new 4G modules could completely block the router in case the module had been unable to read home network information from the SIM.
  • Network name display for some carriers (e.g. T-Mobile) was broken for the 4G Europe II module.
  • Under very rare circumstances, corrupted SSL data could cause the Hub 5010 to crash and reboot.
  • 4G modules used in a stacking slave for some mobile networks have been unable to connect.
  • Under rare conditions WWAN modules may fail to read the IMSI and Home MCC/MNC from the SIM, causing Automatic APN Detection to fail.
  • APN Database entries updated for AT&T USA, Rogers and Telus Canada.

Cutting Edge Firmware Release February 11th, 2015 – Version 2014110730/2015021100

This new cutting edge release is supposed to be the final firmware release of the “classic” series bringing new features before moving to our “Next generation” firmware platform.

This release brings a lot of stability fixes to polish this firmware release for a long use cycle (until customers are upgrading to the NG firmware).

This release is fully compatible with the October 2nd 2014 stable firmware release. It is therefore OK to keep running the Stable Firmware release on VPN Hubs, and only update VPN Nodes that need the improvements listed here (or the ones from the December 11th 2014 cutting edge release). Please note that you need to install this firmware release for VDSL or “4G Europe II” modules to be supported.

Customers still running earlier firmware releases than the October 2014 stable firmware are advised to check the release notes of that release in detail before installing this release, due to a high number of improvements and bug fixes.

New features

  • It is now possible to configure DNS servers for VPN Client groups. If done so, the VPN Client will use these DNS servers instead of using the Hub's DNS. This allows the VPN Client to be used in combination with a Domain controller, so VPN Client users can become part of a Windows domain.
  • The new “4G Europe II” module is now supported.
  • The CLI now supports ping, traceroute and moduleinfo tools (similar to what you can use in the web interface).

Bug fixes

  • Fixed race condition that caused update scripts to sometimes get called twice when starting them manually.
  • Very big (100MB+) local update packages are now supported.
  • Fixed the bug that offline firmware uploads are sometimes aborted, resulting in corrupted firmware uploads getting rejected. This happened if there was just 100ms without data getting sent during the upload. It mostly happened with the new web interface and when doing updates remotely.
  • The distribution of system load on multi-core Hubs has been improved.
  • Changed maintenance contract warning start to March 2015.
  • Several improvements for LTE status reporting.
  • Fixed a bug that caused OptimalLatencyBelow not to be displayed in monitoring API and -tool. 
  • IP address of a replaced device in Hub hotspare mode is now shown in the new web interface.
  • Several bug fixes for the channel congestion notification system.
  • The SIM traffic reporting could end up in a state where it never committed its values to the accounting server.

Cutting Edge Firmware Release December 11th, 2014 – Version 2014093030/2014121100

This new firmware release adds support for the final version of our new VDSL modules to the router firmware. It also brings various bug fixes compared to the October 2nd stable firmware release. And finally this release brings some significant performance improvements for the 5XX router series – depending on the setup, these routers now can bond up to 50 MBit/s instead of 35 MBit/s.

Please note: Beta versions of the VDSL module are NOT compatible with this firmware release, and the final version of the VDSL modules now shipping is incompatible with any previous Viprinet firmware release. If you wish to use VDSL modules, you must upgrade the router to this firmware release.

Please note: If you are using VPN Clients, we highly recommend updating VPN Hubs to this release. All previous releases contain a crash bug, where a certain pattern of VPN Clients connecting/disconnecting can cause the Hub to reboot.

This release is fully compatible with the October 2nd stable firmware release. It is therefore OK to keep running the Stable Firmware release on VPN Hubs, and only update VPN Nodes that need the improvements listed here.

Customers still running earlier firmware releases than the October 2014 stable firmware are advised to check the release notes of that release in detail before installing this release, due to a high number of improvements and bug fixes.

New features

  • Default congestion control now is cubic, default autotuning Hybrid. There have been significant improvements to the Hybrid autotuning mode.
  • Full support for final version of VDSL modules.
  • A new HTTPS CA database is now used, which includes support for various CA's customers have requested.

Bug fixes

  • Managed SIMs got disabled after an hour of the activation server being unreachable, while they are meant to be disabled after 24 hours.
  • When a VPN Client disconnected and a different client user later connected with the IP of the previous user getting re-used, this could cause to the VPN Hub crashing and rebooting.
  • Access Point Settings were missing the option to configure administrative rights.
  • On router startup, the error message “The tunnel password for the tunnel contains illegal characters” was printed to the log.
  • If two or more WAN modules were power-cycled exactly at the same time, sometimes the modules would not come back, with a router reboot needed to get back the modules.
  • TKIP is now disabled for HT clients on 5XX WLAN AP in 802.11n.
  • Manual firmware updates may now also be uploaded if the automatic firmware check resulted in the “UpdatesAvailable” status.
  • All 51X routers have their configuration files now marked as compatible to each other. Before 511, 512 and 513 weren't allowed to use 510 configuration and vice versa.
  • Fixed Hub 5000/5010 picture size in web interface.
  • If the SSH CLI was activated, a connection flood to port 22 could be used to run a DoS attack against the router.

Cutting Edge Firmware Release October 2nd, 2014 – Version 2014093030/2014100200

This new firmware release contains important bug fixes for our August 2014 Cutting Edge and Stable Firmware releases. It also fixes all potential security issues with the embedded Bash shell used internally in our routers (known as “Shellshock”). Although the Shellshock attack is very hard to achieve without local system access in regards to our products, there still is a significant risk that needs to be closed.

We urge all our customers to update to this firmware release as soon as possible.

This firmware release does not bring any new functionality but major bug fixes only. Also, this firmware is identical for both firmware branches, Cutting Edge and Stable.

Customers still running earlier firmware releases than the August 2014 stable firmware are advised to check the release notes of the August release in detail before installing this release, due to a high number of improvements and bug fixes.

Bug fixes:

  • Since last week, multiple exploits in the widely used bash-shell were discovered. While we don't use the bash shell in any direct way where it would be exposed to the outside world, it is used by the DHCP client service running for the WAN modules. There is an unconfirmed possible attack vector, in that if an attacker would be able to run a compromised DHCP server connected to a Viprinet WAN Ethernet module, and if this Ethernet module would be configured to use DHCP, the router could be made to execute code using manipulated DHCP options.

    This release incorporates all published patches to bash and to our knowledge fixes all known vulnerabilities.

    Until you have updated, disabling DHCP on WAN Ethernet modules and instead using static IP configured would also close the potential attack vector.

    To the best of our knowledge, there is no attack vector for VPN Hubs, and no attack vector with any other of our router or VPN services. 
  • VDSL modules would always return “No answer received from modem” when checking module info
  • CDMA450 modules had several problems with resetting and switching from/back to power saving mode. All of these issued have been fixed.
  • In very rare cases, SIM initialization could fail for our LTE modules due to a Qualcomm bug. A work-around makes sure this no longer happens.
  • By creating invalid port forwarding entries, you could create a port forwarding of doom which would lock you out of the router. You no longer can shoot yourself in the foot this way.
  • If you would create a routing rule where all options would have been set to “Ignore” you would effectively create a default route, potentially locking yourself out of the router. This way of shooting yourself in the foot also no longer works.

Cutting Edge Firmware Release August 6th, 2014 – Version 2014061630/2014080100

This new firmware release is a bug fix release for the Cutting Edge firmware release released on July 24th (Version 2014061630/2014072201).
It contains two bug fixes.

If you are currently running the July Cutting Edge Firmware release on Multichannel VPN Routers 200, 500 or 51X, we urge you to immediately update to this release, as it fixes a critical bug. For users of all other products there is no immediate need to upgrade. 

Customers still running earlier firmware releases are advised to check the release notes of the Cutting Edge Firmware 2014061630/2014072201 in detail before installing this release, due to a high number of improvements and bug fixes.

This update also brings support for the previously problematic Vodafone UK network when it comes to our LTE modules. If you are located in the UK and wish to use the Vodafone mobile networks with our products, please update to this release and see the notes below on usage on that network.

Bug fixes:

  • Sadly, the Cutting Edge Firmware released in July is suffering from a compiler bug on the Multichannel 200, 500 and 51X series. This bug can cause some subtle and hard-to-notice weird behavior. But even worse, with hosts doing lots of traffic flows, the router sooner or later can have all traffic flows stuck, wrongly accusing that host of doing a DoS attack and no longer allowing new flows from that host.
    This bug effectively can make some or all of your hosts in the LAN to sooner or later to no longer be able to talk to the router or the VPN/Internet!
    We therefore urge all our customers who have updated 200, 500 and 51X routers to July's Cutting Edge firmware releases to immediately update to the August release! No other product is affected by this bug. We apologize for any inconvenience. We have updated our internal test suites to be able to detect similar bugs in the future.
     
  • New channel finetuning option “Save traffic when idle”: needed for Vodafone UK not to kick out idle channels out of the UMTS cell into some weird high-latency idle mode. This idle mode causes modems doing very low traffic to constantly getting thrown out of UMTS cell towers, with the need for them to then re-register. This idle mode causes an idle link latency of about 350ms, and a surge in packet loss and/or latency of up to 2500ms each time the channel starts to transmit significant amounts of bandwidth again – after that surge the behavior of the network turns back to normal. All of this can cause lots of troubles with achievable throughput and channel autotuning. We think that what Vodafone is doing here is a terrible idea and a standards violation, but we have to deal with it.
    The new “Save traffic when idle” option is enabled by default, which is identical to the behavior in previous firmware versions when this option didn't exist. If you disable the option, more idle ping traffic (about 10–15 KBit/s) will be generated, making sure the modem is not kicked out of the UMTS cell. However, you will burn more data traffic for this. We recommend disabling this option for the Vodafone UK network only.
    An alternative solution to the problem is to Disable Latency Autotuning for channels using Vodafone UK networks and inside the channel finetuning settings choose a “Optimal Latency below” value of 400ms, and a “Maximum allowed latency” value of 2500ms. This way the channel stays usable even if Vodafone UK enables the idle mode.
    Also 3G monitoring code can now detect this weird idle mode and will properly report it through monitoring tools as registration state “Normal / Idle”.

Cutting Edge Firmware Release July 24th, 2014 – Version 2014061630/2014072201

This new firmware release brings a couple of new features and a big number of improvements. 

The most important new feature is that with this release, Hubs and Routers are able to notify each other if the other side has rebooted. This fixes a number of problems that originated from certain kind of traffic if only one side of a tunnel got rebooted, and if that reboot lasted less than 3 minutes. The non-rebooted side would expect a re-establishment of the previously existing tunnel connection, keeping all old connection flow states intact while the rebooted device started with empty state. This would cause connections that were running prior to the reboot to get stuck. While for most protocols this is a not a problem, it is for example a big problem for IPSec which always re-uses the same UDP connection parameters (source/destination port). These connections could get stuck for a very long time.

Long story short: This update should fix the problems for all customers running IPSec or similar tunnel protocols (GRE) and had their tunnel inside a Viprinet tunnel stuck if either their Router or Hub had rebooted.

What's also very important news is that this firmware supports a new concept called "Managed SIM": a centralized SIM accounting with shared traffic as well as reporting and monitoring. For now this service is only available for our customers in Germany, but we plan to also offer these services in other countries.

Also, VDSL modules are now fully supported.

And finally, several optimizations for using Viprinet in high-speed vehicles have been made.

While this release is fully compatible with the Stable Firmware released on April 6th 2014 (Version 2014021430/2014022500), some of the new features only work if both Hubs and Routers are updated. We therefore recommend updating Hubs and Routers at the same time.

This release also contains an important bug fix for 5XX Routers – without this bug fix, these devices may permanently go out of service if power is lost at a certain moment during startup. We therefore urge all customers using models 500, 510, 511, 512, or 513 to update to this release as soon as possible.

Important notes for users upgrading from older firmware releases

If you wish to update from anything older than the last Stable Firmware release (2014021430/2014022500), please consult the release notes of all firmware releases since then, most importantly the release notes of the current stable firmware release.

List of changes compared to the current Stable Firmware release

New features

  • Hubs and Routers are now exchanging “boot IDs” informing the other side whether the remote end has rebooted, and thus can clear the flow state accordingly.
  • VDSL advanced settings are now available.
  • Viprinet Managed SIMs are now supported.
  • Maintenance contracts are now supported by the firmware.
  • New channel fine tuning setting “RapidReconnects”: If enabled, channels will very show a very aggressive reconnect behavior which includes restarting the WAN module used if a channel stalls for a longer time. Turn this option on only if the router is going to be used in a high-speed vehicle typically going faster than
  • 100 km/h.
  • When restoring a config backup, there now is an option “Do not overwrite existing licenses”. If this is set, licenses bound to the router prior to uploading the backup will stay intact.
  • New function “Clear dynamic leases” inside the DHCP Server settings.

Bug fixes

  • If Latency Autotuning is turned off for a channel, the channel no longer will do a ping test when changing from ConnectedStalled to Connected. This way the channel can be used again much quicker after a short stall (e.g. when a vehicle is going through a highway tunnel).
  • In very rare cases (high-speed trains), LTE modules could crash in a way that they were detected to be still up – forever. New watchdog code now makes sure that such "frozen" modules are automatically powercycled.
  • Cell IDs are now properly reported with LTE modules (before they typically showed "0" as Cell ID).
  • The receiving side of a BondingDiversity flow had a serious memory leak which after some time could cause that device to run out of memory.
  • If power was lost at a specific moment during boot up on 5XX routers, the firmware storage could get corrupted which would cause the router to no longer be able to start up. This could be seen in installations where the 5XX router was used in a car that very often was powered on only for a couple of seconds before getting powered off again.
  • The SSH CLI no longer listens on WAN interfaces as these cannot be controlled by an ACL.
  • A couple of objects inside the web interface in previous firmware releases would ignore deletion attempts, e.g. licenses and stacked routers. Now these objects can successfully be deleted.
  • On 5XX Routers, time zone management had been broken in all previous firmware releases. This caused reports to the traffic reporting server to use wrong timestamps, and also caused web browsers not to cache any elements of the web interface.
  • Due to a bug, the QoS Class setting “Required Link Stability” has mostly been ignored in all firmware releases during the last year. Therefore, an unstable channel could ruin the throughput for tunnel traffic even if due to the “Required Link Stability” setting the unstable channel was not expected to be used. This fix will bring a significant improvement for setups where unstable links are bonded (moving vehicles).
  • CDMA450 modules may crash when trying to reset them in a 5XX router. The reset option for these modules therefore now is ignored.
  • The various forms of download test tools inside the web interface had problems on 5XX routers where they could get stuck or abort.
  • Rights management for WAN modules has not been persistent and lost during router reboot, and also has not been marked as available in the new web interface. It now works, and therefore it’s possible to grant non-root users access to WAN module configuration.
  • The download test tool would not abort downloading if you closed the download test tool window inside the new web interface, causing unneeded data traffic to occur.

Cutting Edge Firmware Release April 22nd, 2014 – Version 2014040231/2014042200

In the light of the NSA revelations, the previous Stable Firmware has taken the security of our products to a new level. This Cutting Edge release now further improves product quality in several areas. 

This Cutting Edge Firmware release introduces a new channel autotuning mode which has been designed for moving vehicles. If you are using Viprinet routers in such a setup, you should test this mode, as it dramatically improves throughput and channel stability in these cases. This release also brings support for a new LTE module for Australia, and improves module support for CDMA450.

Finally, a big performance improvement in the new web interface makes it far more enjoyable on Routers and Hubs where lots of logging messages scroll through.

This release is fully compatible with the Stable Firmware released on April 6th, 2014 (Version 2014021430/2014022500). It is therefore OK to keep VPN Hubs running the stable release and only deploy this Cutting Edge release onto routers that require any of the new features.

Important notes for users upgrading from older firmware releases

If you wish to update from anything older than the last Stable Firmware release (2014021430/2014022500), please consult the release notes of all firmware releases since then, most importantly the release notes of the current stable firmware release.

List of changes compared to the current Stable Firmware release

New features

  • If you have Streaming Optimizations licensed, there now is a new bandwidth autotuning mode available: “Rapid Autotuning”. This mode is optimized for 3G/4G links used in vehicles moving at high speeds, while using multiple different carriers at the same time. Rapid Autotuning is similar to Passive Autotuning as it does not generate any artificial test traffic; it is, however, far more aggressive. In a moving vehicle, cell tower changes will happen very often, as will short spikes of packet loss. With existing autotuning modes, these often would cause the channel to re-start testing at very low speeds. Rapid Autotuning instead aggressively re-establishes the previous bandwidth after a short spike of packet loss and/or a cell tower change. Compared to Hybrid and Passive Autotuning, the amount of throughput with Rapid Autotuning has doubled in our tests in high-speed vehicles. If you are using bonded 3G/4G in moving vehicles, you most definitely should start using this mode.
  • The new LTE module “10-01036 LTE/UMTS/HSPA+/GPRS/EDGE (AUS)” for Australia is now fully supported.
  • The performance of the new web interface for Hubs where a lot of log messages are scrolling through has been highly improved. It's now finally usable even on busy Hubs.
  • For all password fields, there now is a “change password” dialogue, which also measures and displays password strength.
  • LTE modules that get rejected from the network now behave much nicer. Instead of  constantly hammering the carriers' networks, they now exponentially back off in case of multiple connection failures.
  • The APN database got updated. Now, there internally is also a dedicated APN database  for carriers that uses an APN on LTE that is different from the one on UMTS. Due to this, it is now possible to have APN Auto Configuration enabled for almost any carrier. Also, APN Auto Configuration from now on is by default turned on for all UMTS/LTE modules (before it had been turned off by default).
  • Internal time-outs for packet flows have been reduced. This is especially the case for TCP connections through the tunnel that ended by both sides having done the FIN/ACK close. These changes should be invisible to customers, with one exception: During a DoS attack against a network connected by a Viprinet router, the system load will now be dramatically lower.
  • When a tunnel was down, every packet arriving for this tunnel would generate a “Dropped packet from LAN as Tunnel is down” warning log message. This message has been removed.
  • The “AT command tool” is now also available for CDMA450 modules.

Bug fixes

  • On 5XX Routers, viewing configuration objects that contained combo boxes (Drop-down selection lists) could result in an internal error.
  • The module info could not be read from VDSL modules in the new web interface, only in the old one. It now works in both.
  • If an Ethernet module had its “Expected Link Speed” setting not on automatic mode but manually configured, this could confuse the “Online” LED control of that module if you pulled out the Ethernet cable and plugged it back in again.
  • Even if the registration on a network hadn't been completed yet, LTE modules would already try to establish a data connection to that network. This would cause log messages complaining that the data connection failed due to lack of service. The modules now won't try to establish a data connection before coverage exists and network registration has been completed.
  • Since the current Stable Firmware release, the routers would automatically save the configuration after start-up. This was done so that automatically generated SSL/SSH private keys would get stored to disk. However, in rare cases, modules in the router would not have fully started up by the time the configuration was saved, causing the router to save a config with some modules missing. If you now at some point rebooted the router without ever before having changed something in the web interface (causing the config to be saved), you could lose your module config on the next boot. Now, whenever a module is inserted or removed into a router, the configuration automatically will be saved. Due to this, you will no longer lose your configuration in the case described above.
  • The Hub Redundancy System in the latest Stable Firmware release contained forgotten debug log messages. These have now been removed. Also, the amount of logging for the Hub Redundancy System during times where everything is fine has been drastically reduced.
  • Some recent versions of our CDMA450 modules would always start up in power-save mode, never waking up from that. With this firmware release, these modules are now woken up during initialization.
  • In some cases, uploading files to the router (QoS configuration restore, manual firmware update) through HTTPS could fail with a “Bad Request” error.
  • In the current Stable release, every request to the old web interface is delayed between 1–2 seconds, making things really slow. While we highly recommend to move to the new web interface, this “punishment” for using the old web interface surely wasn't intended and is now fixed.
  • In a stacking setup, the log message “New effective physical link capacity to WAN (based on remote report)...” for remote interfaces (those located on a slave router) would cause internal errors on the stacking master. After 1000 of these internal errors, the stacking master would reboot. This is now fixed.

Cutting Edge Firmware Release March 3rd, 2014 – Version 2014021430/2014022500

In the light of the NSA revelations, the previous cutting Edge Firmware release has taken the security of our products to a new level. This update adds a couple of further improvements on top of that. In regards of the new security features, please read the important release notes for the previous Cutting Edge Firmware release (February 10th, 2014 – Version 2014013131/2014020702) which also apply to this release!

This release brings a couple of additional improvements for our February 10th firmware release and is expected to be upgraded to being the new stable firmware branch soon.

This release is fully compatible with the Stable Firmware released on August 12th, 2013 (Version 2013071130/2013080900 (Multichannel VPN Router 500/510: Version 2013071130/2013080900)). It is therefore OK to run the Cutting Edge Firmware on Routers, while the Hubs are running the Stable release. However, many of the improvements in security require support on both sides of the VPN. We therefore recommend updating both the Router and the Hub to this firmware in a timely manner.

List of changes compared to the previous Cutting Edge Firmware Release (2014013131/2014020702) – if you are updating from a Stable Release, please also consult all previous Cutting Edge Release notes since then!

New features

  • Multichannel VPN Router 200 is now supported (to be first displayed at CeBIT 2014).
  • The new improved security features put a higher load onto the Hub when a channel is established. If a very high number of channels would connect to the Hub at the same time, the very high load would result in a kind of DoS on the Hub, and actually could lead to a load feedback loop: Due to the high load, the SSL handshake of the channels would not complete within the timeout range, and therefore disconnect and reconnect, causing even more load.
    You could see this in real life if you would reboot a Hub that is under heavy load with lots of tunnels, for example after a firmware update.
    We have now implemented throttling on both the Hub and the Router. If a channel is aborting during connecting to the Hub, it is now throttled instead of hammering the Hub with connects. On the Hub side, under situations of high CPU load, acceptance of new channels is delayed in a way which does not result in timeouts.
    With these changes, we are now able to survive a higher channel connection load on the Hub than with the current stable branch firmware (which has less secure SSL handshake).
  • The behavior of Routers and Hubs during a DoS attack has been improved. If a source or destination host was doing more than 25,000 flows (TCP Connections), it would get blocked. However, if it was the Hub IP being attacked, this would result in the Hub IP itself also getting blocked, making for example the web interface of the Hub unreachable until for example a TCP SYN flood DoS was over. Now, locally bound router IPs are no longer blocked. Also, logging amount during DoS attacks caused significant CPU load. This has been reduced. A blocked host is now only logged once, and again once it is unblocked (which happens if the number of active flows goes below 24,000 again).
  • VDSL modules now allow setting a VLAN.
  • VDSL modules now support RFC1483 with static IPs, and allow special characters in PPP usernames and passwords.

Bug fixes

  • With the previous cutting edge firmware if you edit multiple channels at the same time using the Multi-edit feature of the new web interface, after you post your changes all your channels  will be using a single (the first) module. Only after the next channel reconnect, each channel would then use the same module; this means that performance may go down the drain hours after you have done the changes. This bug has been fixed.
  • Multichannel VPN Routers 511, 512 and 513 now show the correct product name in the web interface.

Cutting Edge Firmware Release February 10th, 2014 – Version 2014013131/2014020702

In the light of the NSA revelations, this Cutting Edge Firmware release takes the security of our products to a new level. We have spent the past weeks to improve pretty much every security-relevant aspect of our products.

In addition, this firmware release includes a finalized and stable version of our new administration web interface, which had been available as a preview for a couple of months.

And finally, this release brings a lot of bug fixes.

This release is fully compatible with the Stable Firmware released on August 12th 2013 (Version 2013071130/2013080900 (Multichannel VPN Router 500/510: Version 2013071130/2013080900)). It is therefore OK to run the Cutting Edge Firmware on Routers, while the Hubs are running the Stable release. However, many of the improvements in Security require support on both sides of the VPN. We therefore recommend updating both the Router and the Hub to this firmware in a timely manner.

Important notes for users upgrading from a Stable Firmware Release

Viprinet routers now support access control lists. Using this you can define which IPs and subnets from LAN or WAN/VPN may access services. Upon firmware upgrade, a set of default rules will be created. These are designed in a way not to interfere with existing installations, and it is recommended to tighten them. For example AdminDesk access currently is allowed both on HTTP and HTTPS from everywhere, while we recommend only allowing HTTPS from the Internet.

Due to the new ACLs the AdminDesk SSL certificate settings have moved from “[ AdminDesk ] LAN settings” to “[ AdminDesk ] Integrated services”. Should you have installed your own custom SSL certificate, you will have to re-install it after firmware upgrade.

All SNMP settings also got moved to “[ AdminDesk ] Integrated services”. After firmware upgrade, you will have to re-configure SNMP.

List of changes compared to the previous Cutting Edge Firmware Release (2013111430/2013120500) – If you are updating from a stable release, please also consult all previous Cutting Edge Release notes since then

New features

  • The new web interface is now feature complete, and all known bugs are fixed. It is now also used as a default.
  • HTTPS usage for web interface access is now highly encouraged.
  • The encryption for the web interface has been highly improved. We are now using 2048-bit RSA key + SHA256 certificated, TLS 1.2 and perfect forward secrecy (Elliptic curve Diffie–Hellman). At SSLabs, Viprinet routers score with an “A” mark.
  • The encryption for the VPN Tunnels has been updated accordingly. In addition, the VPN Routers will now take a fingerprint of the VPN Hub’s SSL certificate, and reject re-connecting to it in case the fingerprint changes. This is done in a way that the fingerprint will neither change when changing VPN Hub Redundancy settings nor if you move over the VPN Hub configuration to a new VPN Hub. The new system prevents a theoretical Man-in-the-Middle attack against our products, where an attacker would place a device in front of the VPN Hub, stealing the VPN Hubs IP and pretending to be that device.
  • For multiple authentication failures on the SSH CLI, further login attempts from the same IP are now throttled. This makes brute force attacks on SSH unfeasible.
  • Channel Bandwidth Autotuning by default will no longer generate log messages. This highly reduces the number of log lines generated on busy VPN Hubs with lots of Tunnels/Channels. Logging can be turned back on a per-channel basis.
  • Channel and WAN bandwidth reports now are only logged every 10 seconds, and if the link speed of a WAN device is unknown, it is no longer reported instead of reporting “0/0”.
  • Our new VDSL modules are now fully supported.

Bug fixes

  • We have fixed a potential VPN Tunnel protocol downgrade attack. In a man-in-the-middle-attack an attacker could force a VPN Router to fall back to an outdated Viprinet VPN Tunnel protocol version where the Tunnel password would be sent over in clear text over the SSL connection. This way the tunnel password could be stolen, and a rogue VPN Router operated by the attacker could be connected to the VPN Hub instead of the real one, gaining access to the VPN. We would like to thank Portcullis Security for their research and advisory on this issue. The old VPN Tunnel protocol versions are now disabled.
  • Both inside the old and new web interface, input filtering wasn't done properly, enabling all kinds of cross-site-scripting attacks (XSS) for logged in users. All known attacks are now properly filtered.
  • From this release, you can no longer create objects (Tunnels, Channels etc) that contain illegal characters. Existing objects will still load. Check your log files for critical warnings on this, and rename all objects with illegal special characters in them – in the next firmware release, these objects will no longer be loaded.
  • Hybrid autotuning had a bug that could lead to MaxBandwidthToWAN being set to “0” and staying there.
  • If multiple users with the same user name were logged in to the web interface (new or old one, doesn't matter), every user would only receive a part of the log messages.
  • If Channel Bandwidth Autotuning was turned off for a connected channel and MaxBandwidthToWAN manually set to “0” (as it is sometimes done on the VPN Hub to not use the downstream of an expensive UMTS/LTE link, but only use it as an upstream booster), various weird effects could occur. If the channel had the lowest latency, best LinkStability or lowest Cost, QoS classes could select this channel as the preferred one to use while not being able to actually transfer any traffic through it. Due to this, these QoS classes would no longer transport any traffic. Channels that have zero bandwidth now are ignored by the QoS system.
  • In a Node Stacking setup, sometimes on the Slave device a DHCP service would be running while it should not.

Cutting Edge Firmware Release December 11th, 2013 – Version 2013111430/2013120500

This Cutting Edge Firmware brings a couple of improvements in regards to product performance on the Multichannel VPN Router 300, improved configuration compatibility, and various improvements regarding LTE modules in the EU and North America.

This release is fully compatible with the Stable Firmware released on August 12th. It is therefore OK to run the Cutting Edge Firmware on Routers, while the Hubs are running the Stable release. The improvements on IPSec and Hub Redundancy however require the Hub to also run the Cutting Edge release. If you are using this cutting edge release on a VPN Hubs, it is recommended that you update all VPN Hubs that are part of the same redundancy group.

Important notes for users upgrading from a Stable Firmware Release

Compared to the current stable firmware, this cutting edge release also includes all the changes of the September 14th and October 31st, 2013 cutting edge release. If you are upgrading from a stable firmware to this release instead of the previous cutting edge firmware release, please also consult the releases notes of the September 14th, 2013 cutting edge release. The most important changes compared to the last stable release are:

  • Viprinet now supports access control lists. Using this you can define which IPs and subnets from LAN or WAN/VPN may access services. Upon firmware upgrade, a set of default rules will be created. These are designed in a way not to interfere with existing installations, and it is recommended to tighten them. For example AdminDesk access currently is allowed both on HTTP and HTTPS from everywhere, while we recommend only allowing HTTPS from the Internet.
  • Due to the new ACLs the AdminDesk SSL certificate settings have moved from “[ AdminDesk ] LAN settings” to “[ AdminDesk ] Integrated services”. Should you have installed your own custom SSL certificate, you will have to re-install it after firmware upgrade.
  • All SNMP settings also got moved to “[ AdminDesk ] Integrated services”. After firmware upgrade, you will have to re-configure SNMP.

List of changes compared to the previous Cutting Edge Firmware Release

New features

  • Complete overhaul of the LTE module monitoring code. This firmware now for the first time fully supports our 10-01031 and 10-01032 modules designed for USA and Canada. It also is much better at analyzing used technologies, and will also report the current frequency/Band that is used.
  • The logic on which a config coming from a different router is marked compatible with which product has been rewritten. Now project routers are marked as compatible with themselves (another router of same model and project number) or with the standard model of the exact same product.
    Example:
    50-00300 is compatible to 50-00300 and 01-00300, but incompatible to 51-00300.
  • The three different types of LTE modules will now automatically rename themselves to “LTE 700 AWS/UMTS/HSPA+/GPRS/EDGE” / “LTE/UMTS/HSPA+/GPRS/EDGE” / “LTE 700/CDMA/EV-DO” once the chipset model has been identified.
  • VPN Clients connected to the Hub will now use Hybrid autotuning on the Hub instead of Heuristic. This reduces the amount of test traffic in situations where the PC's WAN connectivity is very unstable (say, a Laptop user sitting in a moving train).
  • This release for the first time includes firmware builds for the upcoming Multichannel VPN Router 511 and 512 models.
  • The new web interface got a new layout – status and editor are no longer tabs. We think that the new layout gives a better workflow.
  • The new web interface now has "module info", "interface info" and "ARP table" tools. Still a lot of tools from the old web interface are missing, e.g. "ping", "traceroute" and "download test". These will be added in the next release.

Bug fixes

  • The previous cutting edge release did not support CDMA450 modules; slots would be shown as empty. This release re-adds support for these modules.
  • The CLI now correctly should be supporting int64 and float values. Therefore, you now should be able to read GPS position data using the CLI.
  • For LTE modules, the “Expected link capacity” value was wrongly set if the module used HSDPA. This was rarely seen in the EU, as here you typically get HSPA+ instead (=HSUPA and HSDPA+). If the combination has been HSUPA+HSDPA, you would end up with an expected link capacity of 384 kbps downstream, which would effect autotuning. However, the issue was frequently seen with AT&T and T-Mobile in the USA.
  • On the 300 router, we have seen buffer overruns on the LAN interface in situations where there was a big spike of packets going out to the LAN. For instance, this happened when bonding unstable links, where data was released in huge spikes after a situation of packet loss / retransmissions. The problem would cause lost packets on the LAN. And these lost packets would result in application-layer TCP retransmissions, which with high latency links could limit the achievable throughput quite a lot. The problem would automatically improve after a couple of hours. However, this often meant that 300 routers in demo situations (just powered on to demo bonding of UMTS/LTE) would show unstable download speed.
    This problem should now be fixed.
    To validate, go to “[ AdminDesk ] LAN settings -> Ethernet interface info tool”.
    There, the “overruns” counters for TX and RX now should always stay at 0.
  • A bug in BondingTCPOptimizer has been fixed – certain devices when sending a zero window could get stuck as the Linux-style of window probing that Viprinet used was ignored. We now also randomly do a Windows-style window probe (trying to send data which is out of the window). This fixes video streams getting stuck on Samsung Smart TVs.
  • This release contains preliminary experimental support for the upcoming new VDSL modules.
  • The trial license feature introduced in previous cutting edge firmware releases had a bug that caused the trial license to never actually expire.

Cutting Edge Firmware Release October 31st, 2013 - Version 2013100731/2013102601

This Cutting Edge Firmware brings a couple of big improvements in regards of LTE modules in Europe and North America, the Hub Redundancy System, and for users of IPSec gateways setting up IPSec tunnels through Viprinet VPN Tunnels.

This release is fully compatible with the Stable Firmware released on August 12th. It is therefore OK to run the Cutting Edge Firmware on Routers, while the Hubs are running the Stable release. The improvements on IPSec and Hub Redundancy however require the Hub to also run the Cutting Edge release. If you are using this cutting edge release on a VPN Hubs, it is recommended that you update all VPN Hubs that are part of the same redundancy group.

Important notes for users upgrading from a Stable Firmware Release

Compared to the current stable firmware, this cutting edge release also includes all the changes of the September 14th, 2013 cutting edge release. If you are ugprading from a stable firmware to this release instead of the previous cutting edge firmware release, please also consult the releases notes of the September 14th, 2013 cutting edge release. The most important change compared to the last stable release is:

Viprinet now supports access control lists. Using this you can define which IPs and subnets from LAN or WAN/VPN may access services. Upon firmware upgrade, a set of default rules will be created. These are designed in a way not to interfere with existing installations, and it is recommended to tighten them.

For example AdminDesk access currently is allowed both on HTTP and HTTPS from everywhere, while we recommend only allowing HTTPS from the Internet.

Due to the new ACLs the AdminDesk SSL certificate settings have moved from "[ AdminDesk ] LAN settings" to "[ AdminDesk ] Integrated services". Should you have installed your own custom SSL certificate, you will have to re-install it after firmware upgrade.

All SNMP settings also got moved to "[ AdminDesk ] Integrated services". After firmware upgrade, you will have to re-configure SNMP.

List of changes compared to the previous Cutting Edge Firmware Release

New features

  • Complete overhaul of the LTE module monitoring code. This firmware now for the first time fully supports our 10-01031 and 10-01032 modules designed for USA and Canada. It also is much better at analyzing used technologies, and will also report the current frequency/Band that is used.
  • The Viprinet router startup code has been optimized. Starting a Viprinet Hub that has tons of Tunnels is now much quicker than before.
  • The routers now have a maximum number of Tunnels that can be configured. 
    PLEASE NOTE: This doesn't mean the router will actually be able to serve this many tunnels at the same time at acceptable performance - this also depends on the number of Channels per tunnel and complexity of QoS rules.
    ​Here are the maximum number of tunnels per product:
    • 300: 25
    • 500: 25
    • 1600/1610/2610/1620/2620: 50
    • 1000/1020: 100
    • 2000/2020: 150
    • 5000/5010: 500
  • Until now, the Hub redundancy system was exclusively using Ethernet broadcasts for the Hubs to communicate with each other. Due to a technical limitation in the used communication protocol, Hubs could only share configuration files if their compressed size has been below 64k. Sadly there was no way for the user to judge on how big the current configuration would be. If the compressed config was above 64k, the Hub Redundancy system would fail syncing configuration files. For some Hub 5010 installations with a high number of tunnels and QoS configs this limitation was hit in real life.
    In addition the broadcasting protocol had a design problem - with a lot of VPN Hubs operating at the same time, it was possible for multiple Hubs to send their configuration to the Hotspare at exactly the same time. In this case due to fragmentation this could result in no config being received by the Hotspare. This problem got worse if multiple Hotspares were running for a single redundancy group.
    We have improved the Hub redundancy system in that the main communication still runs over Broadcasts, but that for config transfers now a direct TCP connection to the Hotspare is established. Due to this, the size of Hub configs to be synched now is unlimited. The new protocol has been designed in a way that is downward-compatible. This means that Hotspare Hubs running the current cutting edge firmware can still serve production Hubs who run the stable firmware and don't yet are able to sync configs using TCP. We still recommend having all Hubs in a redundancy group using the same firmware release, though.
  • Until now, Viprinet routers would sometimes mark traffic flows as unroutable if the tunnel was down while the flow got established. Since the last stable firmware release, this got even stricter: Any traffic flow that was established before the tunnel was up would be marked unroutable forever. This was not expected to be a problem - most sane protocols would abort and reconnect. This isn't the case for e.g. ISAKMP of IPSec, which is a brain dead protocol - it always uses UDP source and destination port 500 by convention. This makes it impossible to differentiate these ISAKMP flows, and obviously causes also huge problems with NAT gateways. In Viprinet, if an IPSec Gateway would establish an IPSec tunnel before the Viprinet tunnel was up (for example because the Viprinet router got rebooted, but the IPSec gateway didn't), this would cause the ISAKMP flow to be marked unroutable forever. This is because the IPSec Gateway would never "abort", and even if it would, a new IPSec setup would look like the old one - as UDP source and destination ports would never change.
    Due to this, if the IPSec Gateway didn't use sane timeouts, this could lead to IPsec tunnels through a Viprinet tunnel to get stuck forever.
    This didn't cause any problem with IPSec gateways we have tested internally because with these, if the ISAKMP handshake fails, they wait a couple of seconds before retrying. By then, in the Viprinet router the UDP port 500 flow will have timed out, and the new ISAKMP setup will be regarded as a new flow, which due to the Viprinet tunnel now being up is marked routable.
    As we have learned, that's not how all IPSec gateways behave - some are hammering without any back-off in case the ISAKMP handshake doesn't work. That's a stupid design, but it is what it is.
    We have changed the routing design inside the Viprinet router to cope with these kinds of problems, while still getting optimal performance.
    Traffic flows marked as invalid/unroutable will now be rechecked every 2 seconds if in the meantime it became possible to route them. This way we neither have high load caused by systems flooding the router with unroutable destination IPs (which would enable some form of DoS), nor do we have a problem with protocols that hammer with always the same flow while the Viprinet tunnel is not up yet.
    ​It is impossible to test with all available IPSec gateway combinations, but with those that we have tested IPSec tunnels now typically get (re-)established within a couple of seconds after the Viprinet VPN Tunnel has come (back) up.

Bug fixes

  • The previous cutting edge firmware release didn't work with 50-00500 project router series. This one does again.
  • A bug was fixed which could in rare situations cause a tunnel channel to abort connecting to the VPN Hub with an SSL handshake error.

Cutting Edge Firmware Release September 14th, 2013 – Version 2013090230/2013090900

This cutting edge Firmware release brings a couple of new features including ACLs, a connectivity diagnostics tool and automated trial licenses for optional router features.

This release is fully compatible with the Stable Firmware released on August 12th. It is therefore OK to run the Cutting Edge Firmware on Routers, while the Hubs are running the Stable release.​

New features

  • For all local services (DNS, AdminDesk HTTP/HTTPS, SSH CLI, SNMP) there now are access control lists. Using this you can define which IPs and subnets from LAN or WAN/VPN may access services. Upon firmware upgrade, a set of default rules will be created. These are designed in a way not to interfere with existing installations, and it is recommended to tighten them. For example AdminDesk access currently is allowed both on HTTP and HTTPS from everywhere, while we recommend allowing only HTTPS from the Internet.
    PLEASE NOTE: Due to the new ACLs the AdminDesk SSL certificate settings have moved from “[ AdminDesk ] LAN settings” to “[ AdminDesk ] Integrated services”. Should you have installed your own custom SSL certificate, you will have to re-install it after firmware upgrade.
    PLEASE NOTE: All SNMP settings also got moved to “[ AdminDesk ] Integrated services”. After firmware upgrade, you will have to re-configure SNMP.
  • There is now a fully automated diagnostics tool available, which will test throughput, packet loss etc for all interfaces. For VPN Nodes, local modules and also all modules from stacked routers are measured, as is VPN performance. For VPN Hubs, only the throughput of LAN and WAN interfaces are measured.
    Using this tool doing first diagnostics in all kinds of “I'm not getting the performance I've expected” kind of cases becomes far easier. We highly recommend you make good use of this tool.
    You can find the “Connectivity diagnostics tool” inside the “Logging & Maintenance” settings (old web interface only, not yet available in the new Web interface beta).
  • If you wish to test optional router features, you may now generate a free 30 days trial license at https://license.vipri.net/trial.php using the Trial Token listed inside the router’s “Product features License Manager”.
    This web service will generate an activated license file that you then add inside the web interface. The generated license will activate all optional features of the router for a period of four weeks. It may be extended once using the web server, but afterwards the license remains locked for a month. Please note that at the end of the trial phase, the router will automatically reboot.
    Please note that Viprinet support will no longer manually issue trial licenses for router features. Please use the self-service system instead.
    The total of current Bandwidths from/to WAN of all channels is now available as a data source for the tunnel in the Monitoring API.  
  • Some performance improvements, which result in all products roughly being able to have 5-10% more bonding capacity.

Bug fixes

  • There have been problems both with Hubs 5000 and Hubs 5010 that under certain circumstances the LAN interface could block, no longer receiving any packets. These problems have been fixed.
  • There have been multiple bugs in regards of the Hub Redundancy system. If you would run a big number of VPN Hubs in a LAN segment in a data center, sometimes config file sharing would not work. Also, running multiple Hotspare Hubs for the same Hotspare group (which is a good idea) could sometimes (rarely) cause two Hotspare Hubs to take over the identity of a dropped out active Hub at the same time, causing an address conflict. All these bugs have been fixed, and running multiple Hotspares for a Redundancy group now works fine.
  • Sometimes under rare circumstances, IP flows running through a VPN Tunnel could get stuck. In this case you would see “10001 packets in WANPacketHeap” in the log. This sometimes was seen with flows that run “forever” (like IPSec tunnels through a Viprinet tunnel) on systems where the Viprinet VPN Tunnel would often disconnect due to unstable WAN links. Flows no longer should get stuck in this case now.
  • If BondingTCPOptimizer was used, certain corrupted TCP packets could cause a memory leak. A very high stream of these packets (for example in a DoS attack) sooner or later could make the router reboot.
  • Small bugfix for BondingTCPOptimizer – with very slow servers, retransmissions of SYN packets could cause weird behavior. Seen in real-life with Samsung TVs and German VOD service Maxdome.
  • Conflict resolution while restarting of stacked routers got improved.

Cutting Edge Firmware Releases Notes, Version 2013070830/2013071601 (Multichannel VPN Router 500/510: Version 2013071130/2013071601)

A new cutting Edge Firmware is available now.

Focus for this release has been:

  • Lots of improvements on the channel autotuning
  • Stability fixes for Node stacking
  • VLAN support on Nodes (no license required)
  • Metric tons of fixes for Ethernet auto-negotiation. Turning off auto-neg and settings fixed parameters now
  • finally works for all products, all LAN and WAN interfaces, and all Ethernet modules.
  • Addition of Required Link Stability to QoS classes which allows you to exclude unstable channels for QoS
  • classes where packet loss or jitter is critical (for example VoIP)
  • Much improved HTTP download test tool, integrated test traffic generator into Hubs/Routers
  • Protection against DNS Amplification attacks

Here is the list of changes in detail:

Improvements

  • Highly improved channel bandwidth autotuning. You will now get much better results for all kinds of lines, especially Sat links. Hybrid autotuning will now get much better results on its initial tests on VPN Tunnels that are idle. Congestion on the channel will much less drastically slash down Max Bandwidth To WAN, which means you will see better performance on WAN links that have surges of packet loss.
  • VLANs on Nodes are now supported in the following way:
    • In the LAN settings, there is now a "Allow route-back" option. If enabled, traffic coming in from a VLAN can be routed back to the same or a different VLAN – in other words, VLAN segments may talk to each other. If disabled, traffic coming in from the LAN with a destination on the LAN instead will be dropped, so the VLANs are completely separated in this case and all may only talk to the VPN Tunnel.
    • On the Node, you have the option “Allow all VLANs to talk to tunnel”. If that is enabled, all VLANs can talk to the tunnel; if disabled, only VLAN0 can.
    • In the WAN/VPN Routing settings on the Hub, you also have an “allow route-back” option. If disabled, traffic coming in from the Tunnel which would go back to the same tunnel (see above) again will be dropped.

Using these features, you can implement both a Node which has a local VLAN that is not allowed to talk to the VPN but to the remaining LAN, and you can also have a setup where you have multiple VLANs that really should be separated from each other but be able to speak to the VPN (for example, both a corporate network and a public visitor WLAN).

Please note that VLAN tags are NOT transported through the tunnel. On the Hub side, all traffic still will come out of a single tunnel with a single Tunnel Segmentation ID. If you need to deal with the networks routed separately, you need to create a VLAN on the Hub and route all traffic from the tunnel to a next-hop in this VLAN, where you separate the traffic according to their source IPs into different multiple VLANs again.

  • All Routers and Hubs now have an integrated HTTP test traffic generator which can be enabled at [ AdminDesk ] [ Logging & Maintenance ] Allow HTTP test downloads

If enabled, HTTP test downloads can be done from this router without requiring any sort of authentication. This should only be enabled while you are running tests yourself and turned off for production systems.

If enabled, a stream of random data can be downloaded from this router using the following URL:

http://[your router IP]/exec?module=download&speed=Speed&size=Size

Speed is in Bits per Second, 1K means 1 Kbit/s, 1M means 1 MBit/s, 1G means 1 Gbit/s. The speed parameter is optional. If this parameter is not given, the maximum possible link speed will be used. The maximum allowed value is 1G.

Size is the Size to download in Bytes, 1K means 1 KByte, 1M means 1 MByte, 1G means 1 GByte. The size parameter is optional, if not given, 16 GByte is assumed, which is also the maximum allowed value.

  • Viprinet routers now contain a security feature to protect against the most common form of the DNS amplification attack – a single IP now is only allowed to do 2 ANY requests within 60 seconds. We still recommend implementing more advanced DNS Amp attack protections in your core firewall.
  • The download test tool available in the LAN settings and module settings has been extended and improved a lot. It can now download test files from a world-wide content delivery network provided by Viprinet, which will automatically chose the Edge server nearest to you, or – if the Hub is using the Cutting Edge firmware – download from the Hub traffic generator. You now therefore have a tool which you can easily use to test for connectivity and throughput problems with WAN interfaces, and can easily check where your bandwidth bottleneck is. Use it!
  • In the channel fine tuning settings, you can now define a minimum Link stability a channel is expected to have, with a warning getting sent to the log system in case the link stability goes lower than this value. For non-moving installations, a non-broken link should have more than 90% of stability, for moving vehicles it depends on the typical coverage. Using this setting, you can make it easier to automatically get notified of link problems (for example, a SIM card running into the traffic limit).
  • The monitoring API used by the Viprinet Monitoring tool caused quite a lot of CPU load on the monitored router. That load has been decreased.
  • In the past, the configuration system (both web interface and CLI) would use a global lock which could lock up the routing core for several seconds – for example, while you were applying LAN settings, the router would not route packets. This global lock now has been removed, and working in the web interface should no longer have drastic effects on the routing performance of Viprinet routers.

Bug fixes

  • A high number of SNMP bugs has been fixed. Most importantly, Hot spare Hubs that take over / replace a Hub now will correctly report normal full Viprinet SNMP on the IPs taken over, and give Hotspare SNMP replies on the Hotspare IP.
  • SNMP no longer will change OIDs of other Tunnels if a Tunnel got deleted.
  • SNMP VPNRouterCPULoad, VPNRouterCPUTemperature, VPNRouterSystemTemperature are now implemented.
  • Due to a race condition, Node Stacking would sometimes crash in failover situations. Also, the “Failed to open slot for stacking” bug is fixed, as is the internal error 23239482394811Aa.
  • Turning off configured stacking would result in the wrong error message “[Stacking] This router does not have the stacking featured licensed. Can not start stacking!”
  • A Node Stacking slave would not stop the internal DHCP server in some cases. This would cause two DHCPs to run on the LAN, which caused problems.
  • The firmware online updater always required you to click “check for updates now” TWICE to get an actual result. Now the first click works.
  • ADSL modules sometimes have problems to get the module info read. We have increased the timeout for waiting for the modems diagnostics report reply. Please report to Viprinet in case you still get error messages trying to read module info from an ADSL module.
  • Everything related to “Ethernet speed and auto-negotiation settings” has been reworked. There had been bugs that turning off auto-negotiation didn't work for some products and some Ethernet modules, bugs that turned off auto-negotiation was ignored on next router reboot, and tons of more bugs. All of these have been fixed, and we have validated that manually setting Ethernet parameters now works with all products and modules, also across reboots.
  • The “Reconnect” function of Fast/Gigabit Ethernet modules no longer causes a PHY Reset / Ethernet​ Autonegotiation to restart. If you want that, reset the module instead.
  • Using VLANs and an MTU of 1500 didn't work with Fast Ethernet Modules (but it did with Gigabit Ethernet modules). It now works with both.
  • In reality, the routing core often would send more average bandwidth on a Channel than the Maximum Allowed Bandwidth to WAN would allow due to rounding errors. On some link types, this resulted in the link getting overloaded and the latency going up despite of perfectly correct autotuning results. These rounding errors have been fixed.
  • In the current stable firmware release, changing anything about LAN settings including LAN Aliases will become effective even before you hit “Apply Settings”. This could also cause unclean state if you were in the middle of creating a LAN Alias.
  • If “Allow remote service connections” was turned on, then turned off, remote service connections actually still were possible until your rebooted the router. Turning this off now will have immediate effect as expected.
  • The download test tool very often would abort “due to high CPU load”, even if the CPU load wasn't that high.
zum Anfang