Ubiquiti UniFi Security Gateway Release Notes: 4.3.49, 4.3.60, 4.4.12, 4.4.18

From 4.4.12 to 4.4.18

  • Official release notes are here.

From 4.4.8 to 4.4.12

  • Official release notes are here.
  • Fixed crash in “mcad” when there were DHCP leases with hardware addresses longer than an actual MAC address.
  • Included more packages with debug symbols available to help diagnose crashes from submitted core files.
  • Fixed crash in ubnt-util.
  • Fixed crash in “redirector”.
  • Removed GeoIP back end because of a variety of problems; it will be reintroduced once these issues are fixed.
  • Fixed DHCPv6 client problem causing renewal failures in some circumstances.
  • Made DDNS back end updates in preparation for expanding DDNS support in controller.
  • L2TP VPN permitted encryption algorithms tightened to remove weak ciphers.
  • Made additions to UniFi reporting back end for IPv6.
  • USG-XG-8 Specific
    • Made several display-related fixes and improvements.
    • Made improvements to fan control to reduce noise when fans are operating at low speeds.
    • Made additions to Bluetooth backend.

From 4.3.49 to 4.3.60

  • Official release notes are here.
  • Implemented route metric changing on load-balance status changes.
    • Fixes WAN failover issues with L3 adopted USGs and improves multi-WAN failover functionality generally.
  • Fixed multi-WAN regressions in 4.3.46 to 4.3.49 picked up from EdgeRouter 1.9.7.
  • Implemented new local web UI on USG.
    • Fixes a variety of long-standing bugs with old UI and adds ability to configure LAN IP and DHCP server.
  • Updated ISC DHCP version.
    • May fix problems in some edge cases with multiple DHCP WANs and recovery after ethernet link loss.
  • Added back end for custom host-uniq for PPPoE.
  • Implemented fixes for some uses of multiple routing tables (only impacts some config.gateway.json VPN configurations).

From 4.3.48 to 4.3.49

  • Official release notes are here.
  • Updated additional load-balance components from latest EdgeRouter which fixed part of multi-WAN regressions in 4.3.46-4.3.48.
  • Fixed source NAT over-matching from port-forward hairpin-nat.
    • Previously all traffic sourced from the LAN subnet leaving the LAN interface would be translated, now narrowed to match only port forward hairpin traffic.
  • Now sends PADT on PPPoE disconnect, which fixes an edge case where PPPoE fails to reconnect when an ISP is using a buggy PPPoE relay that doesn’t detect loss of the PPP session.
  • Added contiguous option to back end for firewall rule schedules.
  • Removed unnecessary character restrictions on site to site IPsec pre-shared keys.
  • Fixed “dpi.dpi_pktinfo_send(): failure to send UGW wevent” log spam.

What to do When the UniFi Security Gateway Refuses to Upgrade

I love Ubiquiti, even their security gateway. But there is a big even in there. While most UniFi equipment is a breeze to set up, the UniFi Security Gateway (USG, USG-PRO-4) can be a nightmare. One issue that arises is when a USG has an older version of the UniFi firmware and you need to upgrade it. Here are the steps I’ve learned to take when upgrading a UniFi Security Gateway.

  1. Download from Ubiquiti’s site the latest available firmware for the USG.
  2. Rename the file upgrade.tar.
  3. Run an ethernet cable between the LAN port on the USG and your workstation.
  4. Configure a static IP address in the same subnet as the USG – by default, USGs are configured with the IP 192.168.1.1 and a subnet mask of 255.255.0.0.
  5. Use WinSCP (or your favorite SCP client) to connect to the USG.
  6. Enter your username and password for the USG – by default the username and password are both ubnt.
  7. Upload the upgrade.tar into the home directory for the admin user (this, for me, has always been the default folder that opens when connecting via SSH/SCP).
  8. Exit your session in WinSCP.
  9. Use PuTTY (or your favorite SSH client) to connect to the USG.
  10. Again, enter your username and password.
  11. At the command line type: sudo syswrapper.sh upgrade upgrade.tar
  12. The system will spit out information about the install and then reboot itself.
  13. When the system comes back up (solid white or blue light) you can connect to the USG again to verify that the firmware took.
  14. Use the command info to view the current firmware from the USG command line.

At this juncture you should have a successfully updated USG.
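
The same procedure from a POSIX shell with scp and ssh, with an integrity check before the image is sent to the gateway. This is an added example, not part of the original write-up or Ubiquiti's tooling; it assumes you have a trusted SHA-256 for the file you downloaded (the page does not give one) and uses the default address and user from the steps above.

```shell
#!/bin/sh
# Added example: verify a downloaded USG firmware image, then upload and install it.
# Host and user defaults come from the steps above. The expected SHA-256 is an
# assumption: a digest you obtained from a trusted source for this exact file.

USG_HOST="${USG_HOST:-192.168.1.1}"
USG_USER="${USG_USER:-ubnt}"

# Print the SHA-256 of a file as lowercase hex (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if the file is present, non-empty and matches the expected digest.
# Return 2 for a missing/empty file, 1 for a digest mismatch.
verify_firmware() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# Steps 7 and 11: place the image in the login user's home directory as
# upgrade.tar (scp renames it on the way), then run the upgrade command.
upgrade_usg() {
    verify_firmware "$1" "$2" || return 1
    scp "$1" "$USG_USER@$USG_HOST:upgrade.tar" || return 1
    ssh -t "$USG_USER@$USG_HOST" 'sudo syswrapper.sh upgrade upgrade.tar'
}

# Only contact the gateway when invoked as: script <firmware-file> <expected-sha256>
if [ "$#" -eq 2 ]; then
    upgrade_usg "$1" "$2"
fi
```

A truncated or corrupted download stops at the digest check, before anything is copied to the USG.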

Note: I didn’t come up with this on my own; see the Ubiquiti forum thread, “Can’t upgrade USG to newer firmware.” ilkevinli provides the meat of this solution; I’ve just added window dressing and taken away (what I sometimes find to be) the confusing conversation around the solution.

There is another discussion on this topic, “USG Cloud Controller Adoption – could it be more difficult???”, but I recommend against using this thread, as the accepted solution isn’t quite correct.