[Cerowrt-devel] Edgerouter 1.7.0alpha3 release with smart queuing

Dave Taht dave.taht at gmail.com
Mon Apr 6 19:43:50 EDT 2015

Those of you fiddling with the edgerouters have something more to test now.

(I note that there seems also to be pretty complete openwrt support
for them.)

I have 1 of each, but no time to test right now.

Alpha release v1.7.0alpha3

New software release v1.7.0alpha3 is now available here:

ERLite-3 and ERPoe-5 (3-port and 5-port models):
ER-8 and ERPro-8 (8-port models):

This release adds new "traffic analysis" (that works with offload)
feature and "smart queue" (FQ-CoDel + HTB) feature and also many
enhancements and bug fixes. More details can be found in the release
notes below. Please give it a try and let's discuss any issues here.
Thanks very much!

[Release Notes v1.7.0alpha3]


Changes in v1.7.0alpha3

New features

[Web UI] Add new "Traffic Analysis" feature.

A few things to note:

  - Currently, the initial implementation provides the TX/RX stats of
    individual IP addresses. More "granular" stats will be added too of
    course.
  - This feature is integrated with the offload feature, so unlike
    NetFlow (flow accounting), it does not disable offload. Conversely,
    stats are not available for traffic that is not offloaded.
  - The current implementation does not handle all cases yet and has
    some limitations, for example, non-NATed traffic is not handled,
    stats may be incomplete in some cases, etc. We will certainly be
    addressing these.
  - Flow stats are "aged out" after 30 minutes currently, so for
    example, the RX bytes stat may go down noticeably 30 minutes after
    a big download finishes.
  - Even though this works with offload, obviously it does still add
    some overhead. Therefore if the feature is not needed for example,
    it can be disabled using the following command:

        sudo sh -c "echo 0 >/proc/cavium/ipv4/export"

    (This will be made configurable in the system configuration.)

While we continue working on improving the feature, please give it a
try and let us know your feedback/suggestions/etc. Thanks!

[QoS] Add new "smart queue" feature providing FQ-CoDel + HTB function.

For example, assuming the WAN interface is "eth2" and the WAN link
provides 10 Mbps and 50 Mbps for the upload and download bandwidth,
respectively, then a basic configuration looks like the following:

    set traffic-control smart-queue sq1 interface eth2
    set traffic-control smart-queue sq1 rate-up 10mbit
    set traffic-control smart-queue sq1 rate-down 50mbit
    commit

A few things to note:

  - The actual rate limits will be set to 95% of the specified value,
    so you could experiment with different values if necessary.
  - Dynamic interfaces are also supported, for example:

        set traffic-control smart-queue sq1 interface pppoe0

    This works even if the dynamic interface does not exist yet, in
    which case the policy will be applied later when the interface
    comes up.
  - Note that when setting the first interface, there is currently a
    spurious error message "Insufficient arguments for option
    intf-unique", which can be ignored.
  - Currently this feature conflicts with the existing "traffic-policy"
    configuration, so the two should not be applied to the same
    interface at the same time.
  - Also as discussed previously, the HTB rate limiting is computation
    intensive, and therefore above a certain rate the rate limiting
    would not work well (cannot achieve the specified rate). Currently
    a warning is implemented to indicate the specified rates are above
    such a threshold (however it does not fail the commit). This
    threshold (applied to the sum of "rate-up" and "rate-down") is
    platform-specific and the current values are:

        ERLite-3 and ERPoe-5: 200 Mbps
        ER-8:                 450 Mbps
        ERPro-8:              550 Mbps

    Of course this will also depend on other factors such as load on
    the router etc., so these are just general guidelines and it may
    require some testing to find the limitations in a particular
    environment.

The FQ-CoDel function has been in discussion for some time. In
particular we would like to thank @dtaht2, who contributed the
original backport patches for fq_codel and also provided invaluable
information on the subject! Many other community members participated
and contributed as well, including but not limited to @ConnorM
@psydafke @wkweksl @jzaw @berrybartels @martyh @levicki
@Josh_SPITwSPOTS @twinkletoes @Zerofail @chaicka @ryan3531
@request_timeout @bcdouglas @kai_h @videomatic3 @zbeyuz @leeandy
@Ric878 @CiscoKid85 @shado @Sugaroverdose @r4m3u5 @WisTech @paszczus
@Arnold2222 @final (who implemented a Web UI wizard for the script!)
@amishgenius @mackintire @moeller0 @Xand @BillyPrefect @erictooth
@waheuler @jjonsson @asat @cinnamw @skyflash @axp @Djursland01, for
example here and here.

Please help test this new feature and provide feedback, and if testing
goes well, we will be adding a Web UI page for configuring this too of
course! Thanks!
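As an added example (not part of the release notes and not Ubiquiti's own tooling), a small Python pre-commit check for the caveats above: it parses smart-queue "set" lines, reports the 95% rate EdgeOS will actually apply, flags a rate-up + rate-down sum above the per-platform guideline, and flags an interface that also carries a traffic-policy. The sample configuration is constructed, and the "set interfaces ethernet ethX traffic-policy out NAME" binding form is an assumption.

```python
import re
# Guideline thresholds from the release notes, applied to rate-up + rate-down (Mbps).
PLATFORM_THRESHOLD_MBPS = {"ERLite-3": 200, "ERPoe-5": 200, "ER-8": 450, "ERPro-8": 550}
ACTUAL_RATE_FACTOR = 0.95  # EdgeOS shapes at 95% of the configured value
_UNITS_TO_MBPS = {"bit": 1e-6, "kbit": 1e-3, "mbit": 1.0, "gbit": 1e3}

# Constructed sample config; the "traffic-policy out" binding line is an assumed form.
SAMPLE_CONFIG = """\
set traffic-control smart-queue sq1 interface eth2
set traffic-control smart-queue sq1 rate-up 10mbit
set traffic-control smart-queue sq1 rate-down 50mbit
set traffic-control smart-queue sq2 interface eth3
set traffic-control smart-queue sq2 rate-up 100mbit
set traffic-control smart-queue sq2 rate-down 150mbit
set interfaces ethernet eth3 traffic-policy out old-shaper
"""
def rate_to_mbps(rate):
    """Convert a tc-style rate string such as '10mbit' or '500kbit' to Mbps."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)([kmg]?bit)\s*", rate.lower())
    if not m:
        raise ValueError(f"unrecognised rate: {rate!r}")
    return float(m.group(1)) * _UNITS_TO_MBPS[m.group(2)]

def actual_rate_mbps(rate):  # the rate EdgeOS really applies: 95% of the configured value
    return rate_to_mbps(rate) * ACTUAL_RATE_FACTOR

def parse_config(text):
    """Collect smart-queue policies and the interfaces that carry a traffic-policy."""
    queues, policy_ifaces = {}, set()
    for line in text.splitlines():
        p = line.split()
        if p[:3] == ["set", "traffic-control", "smart-queue"] and len(p) >= 6:
            queues.setdefault(p[3], {})[p[4]] = p[5]
        elif p[:2] == ["set", "interfaces"] and "traffic-policy" in p and len(p) > 3:
            policy_ifaces.add(p[3])
    return queues, policy_ifaces

def check_smart_queue(text, platform):
    """Return (queue, message) findings: guideline exceeded or traffic-policy clash."""
    queues, policy_ifaces = parse_config(text)
    limit = PLATFORM_THRESHOLD_MBPS[platform]
    findings = []
    for n, q in queues.items():
        total = sum(rate_to_mbps(q.get(k, "0bit")) for k in ("rate-up", "rate-down"))
        if total > limit:
            findings.append((n, f"rate-up + rate-down = {total:g} Mbps is above the {platform} guideline of {limit} Mbps"))
        if q.get("interface") in policy_ifaces:
            findings.append((n, f"{q['interface']} also has a traffic-policy; smart-queue conflicts with it on the same interface"))
    return findings
```

Run it against a config export before committing; a finding on the sum does not mean the commit fails (the firmware only warns), but it tells you the shaper is unlikely to hit the configured rate on that model.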

Enhancements and bug fixes

[Web UI] Fix validation issue for IPv6 network notation. Reported by
@loke here.

[Web UI] Add peer description for IPsec site-to-site page. Suggested
by @chrish13 here.

[Web UI] Fix handling of space character for dynamic DNS "Web-skip"
configuration. Reported by @tucker here.

[Web UI] Reorder config settings for system log in System tab and
disable level input if server is not configured. Discussed with
@petecarlson here.

[Web UI] Fix deletion of bridge interface. Reported by @Paetur.

[Web UI] Fix display issue of VLAN interfaces under parent interfaces
whose names end in "0". Reported by community members including
@dcplaya @MountainPatrick @nlpdk @jndfx22 @RyLeeRyno @jjonsson
@britannic @dragon2611 @Cznet, for example in these threads: 1 2 3.

[HW offload] Allow offload to be used with "modify table" action (for
policy-based routing) in "modify" firewall rules.

[PPPoE server] Add configuration option for enabling MPPE encryption
(default disabled). To enable:

    set service pppoe-server encryption enable

This allows airOS PPPoE client to connect if "encryption" is enabled
on the client. Reported by and discussed with @ajbtv2 @Paetur
@Twoopi86 here and here.

[System] Only start internal telnetd (for Web UI "CLI window") if Web
UI is enabled. Discussed with community members including @ryan3531
@mrjester @Xand @rjh2805 @budcar @apleschu @GaryGapinski @zx2c4, for
example in these threads: 1 2 3 4.

[System] Fix handling of negative temperature readings from the
temperature sensors. Reported by @Magician.

[System] Implement potential fix for Web UI backend process issue.

[System] Use temporary file during save operation. Patch contributed
by community member @final.

[MSS clamping] Add support for clamping "all" traffic:

    set firewall options mss-clamp interface-type all

Discussed with community members, for example @drac here.

[MSS clamping] Apply MSS clamping in both directions. Discussed with
@bjck @Adze1502 here.

[Firewall/NAT] Fix address group validation for /32 addresses.
Reported by @Zubr here.

[Bridge] Fix implementation issue with the "bridged-conntrack" setting
introduced in 1.7.0alpha2. This can now be disabled (default) unless
connection tracking for bridged traffic is required, in which case it
can be enabled by:

    set interfaces bridge br0 bridged-conntrack enable

[Interface] Fix validation to prevent configuration of mirror/redirect
on "switched" interfaces (which does not work).

[Static route] Add description setting to static routes configuration.
For example:

    set protocols static route next-hop description 'lab network'

Discussed with community members, for example @ttt_travis here.

[NetFlow] Fix "clear flow-accounting counters" command to also clear
egress counters. Reported by @zx900e20 here.

[CLI] Fix "commit-archive" to send whole config (ignore "edit level").
Patch contributed by community member @final (discussed here).

[CLI] Allow multiple IP addresses for static host mapping. Patch
contributed by community member @zx2c4 here.

[DHCPv6 PD] Allow "prefix-only" configuration. For example:

    set interfaces ethernet eth1 pppoe 1 dhcpv6-pd prefix-only

Reported and fix suggested by @Mephi here.

[VRRP] Allow VRRP to be configured on switch and bridge interfaces.
Suggested and tested by @Sergiy here.

Updated software components

Update PHP to 5.4.39: Fix CVE-2015-2301, CVE-2015-2787, CVE-2015-2348,
CVE-2015-2305, CVE-2015-2331, CVE-2015-0235, CVE-2015-0273,
CVE-2014-9705, CVE-2015-0231, CVE-2014-9427, CVE-2015-0232,
CVE-2014-9652

Update bind9 to 1:9.8.4.dfsg.P1-6+nmu2+deb7u4: Fix CVE-2015-1349

Update dbus to 1.6.8-1+deb7u6: Fix CVE-2015-0245

Update gnupg to 1.4.12-7+deb7u7: Fix CVE-2014-3591, CVE-2015-0837,
CVE-2015-1606

Update eglibc to 2.13-38+deb7u8: Fix CVE-2015-1472, CVE-2015-1473,
CVE-2012-3406, CVE-2014-4043, CVE-2014-9402, CVE-2013-7424

Update libcomerr2 to 1.42.5-1.1+deb7u1: Fix CVE-2015-0247,
CVE-2015-1572

Update libgcrypt11 to 1.5.0-5+deb7u3: Fix CVE-2014-3591, CVE-2015-0837

Update gnutls26 to 2.12.20-8+deb7u3: Fix CVE-2015-0294, CVE-2015-0282

Update libssh2 to 1.4.2-1.1+deb7u1: Fix CVE-2015-1782

Update openssl to 1.0.1e-2+deb7u16: Fix CVE-2015-0286, CVE-2015-0287,
CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2015-0209,
CVE-2015-0288, CVE-2014-3571, CVE-2015-0209

Update openvpn to 2.3.2-7~bpo70+2: Use newer version from Wheezy
backports. Suggested by @rolfl here.

Update sudo to 1.8.5p2-1+nmu2: Fix CVE-2014-9680

Update tcpdump to 4.3.0-1+deb7u2: Fix CVE-2015-0261, CVE-2015-2153,
CVE-2015-2154, CVE-2015-2155

Changes in v1.7.0alpha2

See the previous release notes


Dave Täht
We CAN make better hardware, ourselves, beat bufferbloat, and take
back control of the edge of the internet! If we work together, on
making it:


