Ubiquiti UniFi Security Gateway Firmware Release Notes: 4.4.50-4.4.51

Official Release Notes

Features

  • Added firmware support for netconsole configuration provisioned by the controller (using config under Settings–>Site).

Improvements

  • If IDS/IPS signature update fails for any reason an alert is now sent to the controller with information about the problem. Other improvements also made to signature update process.
  • Now limits permitted SSH MAC algorithms to OpenSSH’s most recent defaults, disabling some older options.
  • Switched speed test to speed.ui.com
  • Now supports latest hardware revision of USG3.
  • Changed certificate generation parameters for USG’s local web UI so it creates and maintains certificates in accordance with new requirements in macOS Catalina and iOS 13.
  • 4.4.51
    • PPPoE client security update fixes a vulnerability that allows an attacker on the same broadcast domain as your WAN to crash the pppd process, potentially allowing remote code execution.

Bugfixes

  • Fixed GeoIP signature updates.
  • Fixed crash in guest redirector service where a host header is missing in the request.
  • No longer makes unifi resolve to 127.0.0.1 when USG goes into self-run.
  • IDS/IPS signature updates triggered during bootup are delayed until internet connectivity is established.
  • Changed DDNS client configuration format to ensure credentials and hostname are used only with the associated provider.

Ubiquiti UniFi Security Gateway Firmware Release Notes: 4.4.36-4.4.44

Official Release Notes

Since 4.4.41

  • Added compatibility check for some newly-manufactured USG Pro systems so they upgrade successfully.
  • Made kernel security updates for NFLX-2019-001: TCP-based remote denial of service vulnerabilities.
    • These are relevant to the source/destination of TCP connections, not intermediate network devices like the role typically played by the USG.

Since 4.4.36

  • Fixed config application and changes for QoS Tag setting on WAN. Previously config changes may have resulted in a commit error or not been applied until reboot.
  • Fixed a problem with IPsec VPNs with multi-WAN in load balance mode.
  • Now offer more prominent warning upon SSH login that config changes made locally will be removed by controller upon next provision.
  • Removed logging of ALIEN drops from IDS/IPS because of log spam and performance issues. May return as a configurable option in the future.
  • It is unclear whether this has been fixed or whether they are simply noting that the problem exists: in circumstances where multiple alerts are generated in a short period of time (in IDS/IPS) the utmdaemon process may not de-allocate the memory allocated to handling those alerts which will lead to memory utilization increasing for each alert and only decreasing with a reboot.
  • A DHCP WAN bug with GeoIP has been fixed. In some configurations, GeoIP filtering could block DHCP requests from the USG leaving it unable to obtain an IP from the ISP. This DHCP traffic is now always permitted regardless of GeoIP location.
  • Omitted sensitive data in ‘show tech-support’ output.
  • Increased maximum dnsmasq DHCP leases to 1 million. Previously was set to dnsmasq’s default of 1000, much less than USG is capable of.
  • Fixed “soft lockup” crashes. Increased watchdog threshold so normal, expected conditions don’t cause a crash. This is primarily applicable to the USG3 when under extreme CPU load, usually from IDS/IPS and heavy traffic loads.
  • Fixed use of OSPF and ‘passive-interface default.’
  • Reduced delay in host-table stats in informs. Reports guests as expired faster, as well as reflecting other client statistic faster in some cases.
  • Added backend functionality to IPS for upcoming controller feature.
  • Fixed USG-XG-8 ethernet driver bug on copper interface with VLAN tagging. Previously at 1500 MTU the largest passable frame was 1496 with 802.1Q tag. Now 1500 MTU plus VLAN tag. Did not impact SFP+ ports.
  • Fixed speed test servers with port in URL. This was leading to speed tests not working.
  • Fixed three denial of service vulnerabilities (CVE-2019-12106, CVE-2019-12108, CVE-2019-12019) in miniupnpd. Where UPnP is enabled (disabled by default), hosts on the LAN can crash the UPnP service. There is no potential impact beyond making UPnP stop functioning until reboot.

Ubiquiti UniFi Security Gateway Release Notes: 4.4.21, 4.4.22

4.4.21 to 4.4.22

See official release notes.

  • Fixed commit error that was generated when multiple provisions were made of the same configuration.
  • Fixed regression in local web UI introduced in 4.4.21.
  • Fixed potential loop in signature fetching for IDS/IPS.
  • Improved dnsmasq reloading, increased scalability of hostfile-update feature.
  • Fixed application of config changes on running system in source-validation/uRPF.
  • Updated tzdata (time zones) to version 2018d.
  • USG-XG-8 Only
    • Interface speed is now sent to LCM (display).

4.4.18 to 4.4.21

See official release notes.

  • Added back end port remapping in 5.8.x and newer controller versions.
  • Fixed premature expiring of TCP connection states for long-lived idle connections.
  • Made back end improvements to RADIUS server that remove character restrictions on passwords (‘ and ” now usable).
  • IDS/IPS was upgraded to Suricata 4.0.4 which provides minor performance and back end improvements as well as some bug fixes.
  • CPU utilization had increased in 4.4.18 for gathering statistics, mcad, and ubnt-util, brought back down to normal levels.
  • Resolved a memory leak in mcad.
  • Made back end improvements for dnsmasq, specifically DHCP server handling of hostnames of DHCP reservations.
  • dnsmasq is no longer limited to /8, /16, and /24 networks.
  • Disabled deprecated SSH ciphers.
  • Removed “noccp” from xl2tpd configuration, there should be no reason to disable and some Windows L2TP clients require it.
  • Removed offload scheduler due to performance degradations in some configurations which utilized rate limiting user groups.
  • Fixed a hung connection issue with FTP by importing an FTP conntrack fix, only occurred with unusual formatting of 227 message.
  • Fixed use of external guest portal through USG.
  • USG-XG-8 Only
    • Updated LCM firmware.
    • Updated Bluetooth back end.
    • Upgraded kernel version to resolve high/growing CPU usage from migration processes.
    • Allow disabling of autonegotiation on eth0 port.

Ubiquiti UniFi Security Gateway Release Notes: 4.3.49, 4.3.60, 4.4.12, 4.4.18

From 4.4.12 to 4.4.18

  • Official release notes are here.

From 4.4.8 to 4.4.12

  • Official release notes are here.
  • Fixed crash in “mcad” when there were DHCP leases with hardware addresses longer than an actual MAC address.
  • Included more packages with debug symbols available to help diagnose crashes from submitted core files.
  • Fixed crash in ubnt-util.
  • Fixed crash in “redirector”.
  • Removed GeoIP back end because of variety of problems, will be reintroduced once these issues are fixed.
  • Fixed DHCPv6 client problem causing renewal failures in some circumstances.
  • Made DDNS back end updates in preparation for expanding DDNS support in controller.
  • L2TP VPN permitted encryption algorithms tightened to remove weak ciphers.
  • Made additions to UniFi reporting back end for IPv6.
  • USG-XG-8 Specific
    • Made several display-related fixes and improvements.
    • Made improvements to fan control to reduce noise when fans are operating at low speeds.
    • Made additions to Bluetooth backend.

From 4.3.49 to 4.3.60

  • Official release notes are here.
  • Implemented route metric changing on load-balance status changes.
    • Fixes WAN failover issues with L3 adopted USGs and improves multi-WAN failover functionality generally.
  • Fixed multi-WAN regressions in 4.3.46 to 4.3.49 picked up from EdgeRouter 1.9.7.
  • Implemented new local web UI on USG.
    • Fixes a variety of long-standing bugs with old UI and adds ability to configure LAN IP and DHCP server.
  • Updated ISC DHCP version.
    • May fix problems in some edge cases with multiple DHCP WANs and recovery after ethernet link loss.
  • Added back end for custom host-uniq for PPPoE.
  • Implemented fixes for some uses of multiple routing tables (only impacts some config.gateway.json VPN configurations).

From 4.3.48 to 4.3.49

  • Official release notes are here.
  • Updated additional load-balance components from latest EdgeRouter which fixed part of multi-WAN regressions in 4.3.46-4.3.48.
  • Fixed source NAT over-matching from port-forward hairpin-nat.
    • Previously all traffic sourced from the LAN subnet leaving the LAN interface would be translated, now narrowed to match only port forward hairpin traffic.
  • Send PADT on PPPoE disconnect which fixes an edge case where PPPoE fails to reconnect when an ISP is using a buggy PPPoE relay that doesn’t detect loss of PPP session.
  • Added contiguous option to back end for firewall rule schedules.
  • Removed unnecessary character restrictions on site to site IPsec pre-shared keys.
  • Fixed “dpi.dpi_pktinfo_send(): failure to send UGW wevent” log spam.

What to do When the UniFi Security Gateway Refuses to Upgrade

I love Ubiquiti, even their security gateway. But there is a big “even” in there. While most UniFi equipment is a breeze to set up, the UniFi Security Gateway (USG, USG-PRO-4) can be a nightmare. One issue that arises is when a USG has an older version of the UniFi firmware and you need to upgrade it. Here are the steps I’ve learned to take when upgrading a UniFi Security Gateway.

  1. Download from Ubiquiti’s site the latest available firmware for the USG.
  2. Rename the file upgrade.tar.
  3. Run an ethernet cable between the LAN port on the USG and your workstation.
  4. Configure a static IP address in the same subnet as the USG – by default USG’s are configured with the IP 192.168.1.1 with a subnet of 255.255.0.0.
  5. Use WinSCP (or your favorite SCP client) to connect to the USG.
  6. Enter your username and password for the USG – by default the username and password are both ubnt.
  7. Upload the upgrade.tar into the home directory for the admin user (this, for me, has always been the default folder that opens when connecting via SSH/SCP).
  8. Exit your session in WinSCP.
  9. Use PuTTY (or your favorite SSH client) to connect to the USG.
  10. Again, enter your username and password.
  11. At the command line type: sudo syswrapper.sh upgrade upgrade.tar
  12. The system will spit out information about the install and then reboot itself.
  13. When the system comes back up (solid white or blue light) you can connect to the USG again to verify that the firmware took.
  14. Use the command info to view the current firmware from the USG command line.

At this juncture you should have a successfully updated USG.
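The same fourteen steps scripted from a Linux or macOS workstation, as an added example that is not the post's own method (which uses WinSCP and PuTTY) nor anything from Ubiquiti: it refuses to push an image that does not match a SHA-256 the operator recorded from the download page, renames it to upgrade.tar, uploads it with scp, runs syswrapper.sh over ssh, and polls `info` until the gateway answers again. USG_HOST, USG_USER, and the SSH/SCP override variables are assumptions of this script.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or Ubiquiti: scripts the manual
# WinSCP/PuTTY procedure with scp and ssh. Assumed: the USG answers SSH at
# USG_HOST (default 192.168.1.1) as user USG_USER (default ubnt); the operator
# supplies the firmware path and the SHA-256 recorded from the download page.
set -eu

USG_HOST="${USG_HOST:-192.168.1.1}"
USG_USER="${USG_USER:-ubnt}"
SSH="${SSH:-ssh}"   # overridable command names so the logic can be exercised
SCP="${SCP:-scp}"   # against stubs without touching a real gateway

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_firmware FILE EXPECTED_SHA256
# Refuse to push an image that is empty or does not match the recorded hash;
# a truncated or tampered download should never reach syswrapper.sh.
verify_firmware() {
  file="$1"; expected="$2"
  [ -s "$file" ] || { echo "firmware missing or empty: $file" >&2; return 1; }
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ] || { echo "checksum mismatch: $file" >&2; return 1; }
}

# stage_firmware FILE DIR -> path of the copy named upgrade.tar (step 2).
stage_firmware() {
  cp "$1" "$2/upgrade.tar"
  echo "$2/upgrade.tar"
}

# push_and_upgrade LOCAL_TAR
# Steps 7 and 11: upload into the admin user's home directory, then run the
# upgrade; the gateway reboots on its own afterwards (step 12).
push_and_upgrade() {
  "$SCP" "$1" "$USG_USER@$USG_HOST:upgrade.tar"
  "$SSH" "$USG_USER@$USG_HOST" "sudo syswrapper.sh upgrade upgrade.tar"
}

# wait_for_usg [TRIES]
# Steps 13 and 14: retry every 10 s until SSH answers, then print 'info' so
# the operator can confirm the new firmware version took.
wait_for_usg() {
  tries="${1:-30}"
  while [ "$tries" -gt 0 ]; do
    if "$SSH" -o ConnectTimeout=5 "$USG_USER@$USG_HOST" info 2>/dev/null; then
      return 0
    fi
    tries=$((tries - 1))
    sleep 10
  done
  echo "USG did not come back within the allotted time" >&2
  return 1
}

main() {
  fw="$1"; sum="$2"
  verify_firmware "$fw" "$sum"
  tar=$(stage_firmware "$fw" "$(mktemp -d)")
  push_and_upgrade "$tar"
  wait_for_usg
}

# Usage: USG_HOST=192.168.1.1 ./usg-upgrade.sh /path/to/firmware.tar <sha256>
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```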

Note: I didn’t come up with this on my own, see the Ubiquiti forum thread, “Can’t upgrade USG to newer firmware.” ilkevinli provides the meat of this solution, I’ve just added window dressing and taken away (what I sometimes find to be) the confusing conversation around the solution.

There is another discussion on this topic, “USG Cloud Controller Adoption – could it be more difficult???” but I recommend against using this thread as the accepted solution isn’t quite correct.

Ubiquiti UniFi SDN Controller Software Release Notes: 5.5.19

Why?

  • Ubiquiti does versioning differently (I’m not saying wrong). While this is 5.5.19, most folks won’t be going from 5.5.18 to 5.5.19 and seeing only minor changes. Rather most of us are moving from 5.4.x (or earlier) to 5.5.19.
  • Ubiquiti is great in many ways, but their documentation (including release notes) is, imho, disappointing. I hope this will provide them with some ideas for how they could improve their release notes.
  • I have a hard time processing the seemingly random jumble of enhancements and fixes as found in Ubiquiti’s release notes, so this is partially to help myself understand the entirety of what is changing.
  • I hope that it will be helpful to others who use Ubiquiti and might be facing similar frustrations.

Help!

So, this really isn’t done. I’ll keep working on it, but I wanted to release something before it became too ancient and useless altogether. I’m hoping that folks will help flesh out some of the items I haven’t had a chance to flesh out in the comments and reduce the workload…really, sorting through all these release notes is quite the undertaking.

Warning

At some point these release notes may be good enough to rely upon instead of Ubiquiti’s official release notes. That time is not now. This was my first attempt, I learned a lot of lessons I’ll implement with my next set of release notes, but this is practical for me, and I don’t have unlimited oodles of time to sit around rewriting release notes. 🙂

Maybe there won’t ever need to be another set of release notes I provide. Maybe Ubiquiti will take the torch right out of my hands. Please, Ubiquiti, do. 🙂

RADIUS

  • USG: Added support for FreeRADIUS (Settings –> Services –> Radius).
  • Removed RADIUS VLAN from wireless networks.
  • Allow RADIUS Profile secret to accept any string.
  • Hide RADIUS Profile secret for read-only admins.
  • Fixed RADIUS profile migration issue.
  • Added validation for RADIUS profile VLAN mode.
  • Removed BETA badge from RADIUS assigned VLAN for Wireless Network.
  • Extended RADIUS server validation so it does not allow disabling if there is a device that uses the Default Profile.
  • Used RADIUS assigned VLAN only for WPA-EAP.
  • Changed Revoke RADIUS user to Delete with new icon.

Hotspot/Guest Portal

  • Added Hotspot Analytics.
  • Relocated Hotspot 2.0 to Services section.
  • Fixed display HotSpot Analytics page when Guest Portal is disabled.
  • Added free-trial authorization column to Guests list in HotSpot Manager.
  • Added Gateway column in Payments and Social Views in HotSpot Manager.
  • Added HotSpot Manager link to site switcher.
  • Disallowed SVG upload for guest portal images.
  • Changed guest authorization status to display expiration date when expired.
  • Now use Angular templates by default in Guest Authorization Settings.
  • Removed “new” badge from Angular templates and removed “beta” badge from template overrides and languages.
  • Fixed expiration dropdown on Guest Control settings page.
  • Display link to Hotspot Manager in Site Switcher only if Guest Portal is enabled.
  • Improved vouchers quota.

Statistics

  • Added Device Performance (CPU/Memory) on Statistics Page.
  • Added granularity to statistics (5m/1h/1d).
  • Fixed Statistics Overview initializer.
  • Switch Statistics now show when a device is connected to a port.
  • Now show only adopted APs in Recent Activities in Statistics.

Dashboard

  • Made Dashboard widgets configurable.
  • Made performance improvements to the Dashboard.
  • VPN status now displayed on dashboard.
  • Fixed content of tooltips on Dashboard page.
  • Increased precision of throughput chart on Dashboard page.
  • Adapt no data / no security gateway messages on Dashboard page.

VPN

  • Added L2TP over IPsec option for remote user VPN config.
  • Fixed Enabled VPN Client (VPN Network Settings).
  • Renamed vpn client to vpn type.
  • Enabled disabling of site-to-site VPN.
  • Show L2TP remote user VPN on dashboard and remote user VPN insights.
  • Improved VPN health status.

Firewall

  • Fixed changing rules order in firewall.
  • Enabled editing firewall settings when no USG is adopted.
  • Limited group name to 31 characters for firewalls.

WLAN

  • Raised the WLAN group load balance limit to 200.
  • Added WLAN broadcast/multicast blocking.
  • Added WLAN MAC ACL.
  • Added PMF controller to WLAN group settings.
  • Allow displaying WLAN schedule in 24 hour format when “Use 24-hour time” preference is on.

Insights

  • Improved Insights –> Switch stats.

APs

  • Added ability to batch restart APs.
  • Fixed group AP editing issue.
  • Added ability to mark rogue APs as known.
  • Added Access Point (AP) tagging.

DNS/DHCP

  • Added DHCP Default Domain Support.
  • Added FQDN or local validation to domain name.
  • Renamed Name Server placeholder to DNS Server.

Installs/Backups/Upgrades

  • Fixed various Auto Backup setting issues.
  • Adjusted unifi.init so it detects Oracle JDK 8 installed via PPA.
  • DB migration improvements.
  • Added progress bar for backup upload.
  • Added Migrate Site (Export Site) Wizard.

Clients

  • Rename all-time top client.
  • Allow batch editing of clients.
  • Added first seen column to Known Clients List page.

Migration/Cloud

  • Fixed a DB migration issue which caused stats to not be visible in the UI post upgrade when upgrading from <=5.4.x.
  • Showed DB migration progress.

Additional HW Support

Bundled Software

VoIP

  • USG: Removed deprecated VoIP configuration.
  • Removed VoIP option from available network purposes. (Old networks configured with VoIP are removed upon upgrade).
  • Removed VoIP Interface from Controller.

Minor Visuals

  • Updated color used for upload/download values.
  • Added special icons for UCK (aka UniFi Cloud Key) client.
  • Added color to RF scan results.
  • Added missing SFP module info tooltips for UniFi Switch.
  • Made various topology view improvements.
  • Display channel names in a new, consistent way.
  • Fixed tooltip position.
  • Animated map menu.
  • Highlighted Topology paths.
  • SVG Map zooming improved.
  • Fixed pending change tag color.
  • Allowed AP properties WLAN table to wrap.
  • Added button for toggling clients visibility on Topology View.
  • Added device configuration warning bar with real time input updates.
  • Made topology improvements.
  • Map Marker Button icon position has been tweaked.
  • Added save and close buttons to preferences.
  • Small UI improvements.
  • Updated firewall rule button styles.
  • Showed AP channel utilization in Properties and Devices list page.
  • Use bps instead of bytes per second.
  • Greyed out disabled WLAN rows in Property Panel.
  • Improved chart animations.
  • Added – as placeholder.
  • Prohibited deselecting current device in Performance view.
  • Added icon to switch port list.
  • Added admin overview (in site overview area).
  • Improve locate button behavior.
  • Improved date picker.
  • Improved Cloud Connection error tooltip.
  • Improved header icons.
  • Move the AP channel utilization graph into the header.
  • Handling ESC on cloud access modal.
  • Added expand/collapse icon to device list actions column.
  • Disallowed SVG image type in Maps.
  • Improved dynamic Dashboard.
  • Improved loading DPI statistics.
  • Improved Topology view.
  • Improved Image Map performance.

Misc Changes

  • Improved topology detection.
  • USG3: Enabled LAN2 support.
  • Minimum Rate Control now v2.
  • Added validation for USG/USW SNMP community string.
  • Set next hop for static route as default.
  • Set maximum SSID length to 32 characters.
  • Improved Notify Device Requirement performance.
  • Removed config.properties USG ICMP items.
  • Ability to configure data retention for each granularity of statistics in settings/maintenance.
  • Added Force Provision button to Properties/Manage Device.
  • Show terminal for UAP-AC-IW.
  • Prohibited 0.0.0.0 as an address-group member (isn’t a valid entry in the firmware).
  • Improved some backend validations.
  • Enabled finding device on map in read only mode.
  • Display only historical rx/tx bytes on Known Clients page.
  • Enabled by default MSS clamping on VTI.
  • Added option to report WebRTC connection errors to the cloud.
  • Use lower scale Throughput graph to increase rendering performance on Safari/iOS.
  • Enabled tunneled reply by default.
  • Update OUI table.
  • Hid UGW port remap if UGW4 exists.
  • Use monthly value as default occurrence in Auto Backup settings.
  • Restore open panel functionality from device marker on map.
  • Enable reset button after hotspot package removal.
  • Improved placeholders and regular expressions.
  • Added pagination in Settings / Network List.
  • Security improvements.
  • Signed Windows installer package.
  • Removed restricted U-NII-2C channels when Canada country code is set.
  • Added memory and load average to device list columns.
  • Updated validation hint for maximum number of stations in wireless network group.
  • Allow cancel migration of device.
  • Improved LAN address identification on USG.
  • Restrict 5 minutes data retention.
  • Switch port usage graph: prevent displaying connected both Device and Client.
  • Improved WebRTC debugging.
  • Generated a SHA512 password if device firmware is capable of it.
  • Removed TLSv1 from default SSL protocols for Java 7/8.
  • Allowed antenna gain of 0.
  • Increased broadcast and multicast MAC limit to 256 per site.
  • Added HSTS support (disabled by default). Can be controlled via system.properties only.
  • Made various backend improvements.
  • Added user group override notice, client list user group column.
  • Added LAG support to AP > Network Configuration (AC-HD only)
  • Added limited amount of LAN DHCP leases notice.
  • Added minRSSI noise floor notice.
  • Improved email templates.

Bugs

  • Fixed a bug causing duplicate downlinks to show in controller UI.
  • Fixed issue with unused cache not clear as expected (causing controller to die because of memory leak).
  • Redesigned inputs for date picking.
  • Devices now grey out entries when WLAN group is off.
  • Fixed site settings save error.
  • Fixed issue with sending large files over WebRTC (e.g. backups).
  • Fixed an issue with fixed IP handling.
  • Fixed auto backup data retention days.
  • Fix Not Authorized/Bad Request on first launch after accepting SDN Invitation.
  • Fix WAN load balance config, so that it actually provisions to the USG.
  • Fixed initial value of data retention days.
  • Fixed slow database backup.
  • Fixed USG/USG-P4 port labels.
  • Fixed client status ordering.
  • Changed Revoke button to Delete button on Admins list.
  • Fixed success messages on saving configuration.
  • Fixed latency color in legend on Throughput graph.
  • Fixed wired uplink stats on AC-HD when using bonding.
  • Fixed an issue when trying to register controller with UniFi cloud tie in (unifi.ubnt.com).
  • Fix device menu when toggling small/normal markers on Map page.
  • Fix icons on clients graph on Dashboard page.
  • Fix speed test column chart.
  • Fix USG badge and tooltip on DPI settings page.
  • Fix typo in validation hints for IP.
  • Fixed 404 error when switching sites while editing.
  • Fixed email validation.
  • Fixed port forward validations.
  • Fixed domain name validation.
  • Fixed issue with controller causing too many redirects (controller side fix for UNIFI-457).
  • Fixed issue with community string changing to public, regardless of configured value.
  • Fixed displaying sections on Guest Control settings page.
  • Fixed clickable area of alerts full screen button.
  • Fixed refreshing networks in switch property panel on network add/remove.
  • Fixed issue where local DNS record for UniFi may not provision when using USG.
  • Fixed an issue with current day stats being improperly calculated.
  • Fixed firewall rule validation.
  • Fixed problem with enabling Cloud Access.
  • Fixed an issue when granting admin privileges on a site.
  • Fixed services link not visible on mobiles.
  • Fixed removing items on WebRTC connection.
  • Fixed saving settings > controller.
  • Fixed clearing statistics.
  • Fixed panel expand/collapse icon aliasing.
  • Fixed uplink status when using bonding on AC-HD.
  • Fixed an issue with the remote IP in WebRTC logging, previously was always 127.0.0.1
  • Fixed import/export function. The configuration tab will not be visible after import.
  • Fixed available manual negotiation options for 10GBASE-T ports.
  • Added autofocus on 2FA token field.

Languages

  • Added beta warning for languages other than English.
  • Added Turkish translations.
  • Added Danish, Norwegian, and Turkish language support to Hotspot Portal.
  • Added support for Catalan, Norwegian (Bokmal) and Slovak languages to HotSpot.
  • Made Edit Account frame bigger to make enough room for labels in all languages.
  • Fixed speed test ping translation.
  • Updated translations.
  • Added Catalan translations.