Changelog
#############

VT AIR 24.04
*********************

#. Interface Groups: Allow interfaces to be grouped. At the moment the group can only be used in NAT rules.
#. Active/Active Firewall Cluster: In the VRRP IP options a new field sets the default destination for a VRRP IP. This allows for an Active/Active Firewall Cluster where each firewall can have active VRRP IPs. The clients in the network need to have different gateways so that they use either Firewall 1 or Firewall 2. In case of a failover one firewall will hold all IPs.
#. Gateway Check in the routing daemon: The Gateway Check is now moved to the dedicated vtair-routing daemon for faster and more reliable gateway failovers.
#. HAProxy Custom Error Page: Error pages are now configurable and can be used in combination with ACLs and Actions to customize when a page is shown.
#. WebVPN 2FA Support: A new option allows the VT AIR 2FA configured in the user settings to be used for the WebVPN.
#. Other Changes:

   * Kernel Update to 6.6 LTS
   * SNMP add write for VT AIR OIDs
   * Fix IPSec interface check when multiple Phase 1 share one interface
   * WLAN Client option for SSID and Password
   * Fix logserver changes not being applied
   * HASync also syncs the Captive Portal database
   * HAProxy make Actions sortable
   * HAProxy option to have one backend per host name
   * HAProxy fix ACL IPs with a large number of entries
   * IPSec logfile from diagnostics page
   * OpenVPN logfile from diagnostics page
   * OpenVPN Copy asks for a new name
   * Field for kernel boot options
   * HAProxy move to nbthread instead of processes
   * WebVPN RDP new option for default keyboard layout
   * HAProxy add client certificate option Optional or Required
   * HAProxy health check for LDAP
   * Dynamic Routing Diagnostics show internal routing database
   * IPSec Phase 1 new IPComp option
   * Alias entries introduce paging for a large number of entries

VT AIR 24.01
*********************

#. LTE450: Support for the new LTE450 network
#. Password Change: At first login a password must be set for the admin user before the GUI is available. This is a major change from the previous default password and is required to comply with new security regulations.
#. SNMP: New custom SNMP endpoints to read the data of Wireguard, IPSec, OpenVPN Server and OpenVPN Client
#. New Database Backend Connector: The database connector in VT AIR was rewritten to provide better stability and to avoid situations where the database is busy.
#. Firewall Sets: The firewall backend now uses more Sets, which speeds up the firewall rule load time, especially for large setups and GeoIPs.
#. States Sync: Option to write synced states directly into the state table instead of using the external cache. This allows for faster failover at a higher cost during sync.
#. Other Changes:

   * Fix a race condition where the cache could be filled with old data
   * User download of own Wireguard profile
   * Dashboard Firewall, IDS, WAF alert when the Logger is disabled
   * Network Object import lists with MAC addresses
   * Work queue has more details now in diagnostics
   * WebVPN add User, Password and Domain fields
   * Fix for Captive Portal HASync of files
   * Firewall uses the new IPSec identifier
   * A Security Patch Repository is added when the update licence expires
   * Fix DHCP Pool lease lifetime option
   * Fix bond in bridge change not triggering a change
   * Fix Captive Portal interface change not triggering a change
   * Firewall setting for default policy
   * Captive Portal Diagnostics show traffic data
   * Intrusion Detection Report Excel table report
   * Certificates list view shows extra information like DNS names
   * Fix Interface Stats Diagnostics data not showing the correct date
   * DNS fix no restart after interface change
   * WAF various fixes for excluding rules, parsing AJAX requests and setting default data

VT AIR 23.10
*********************

#. WAF Engine: The Web Application Firewall engine is changed to Coraza. ModSecurity is end of life soon and we transition over to the new engine. It also allows more efficient integration into HAProxy through the SPOA interface. Along with this change, a custom error HTML page can be set on each HAProxy backend.
#. Routing Backend: The static routing backend is outsourced to a new daemon, vtair-routing. All static and MPLS routes are now handled by this new routing daemon, which is far more efficient than our previous implementation.
#. Rename LTE: All GUI entries that had LTE in them are now renamed to Cellular. Since we support 5G now we decided to go with a more generic name.
#. ZeroTier One: Support for multiple ZeroTier One connections
#. Password Change: If a user wants to change their own password, the old password is now required as well.
#. Password Strength Indicator: For all passwords we added a strength indicator to see how good the password is
#. Login Attempts: Are now logged and shown in the Diagnostics under GUI Logins. All attempts are logged, regardless of success.
#. Running Services: Will show their corresponding ports in the diagnostics service page.
#. Connected Devices: All open connections to the VT AIR itself can be seen in the Diagnostics under Firewall - Host Connections
#. User OpenVPN Profile Download: Users can now download their own OpenVPN profile in the Profile section when logged into the WebGUI
#. IPSec Phase 1 Fallback: Another Phase 1 can be picked as a backup tunnel to start in case the original Phase 1 is down. A ping check needs to be configured along with the fallback tunnel to check whether the remote endpoint is available.
#. IPSec Interface for multiple Phase 1: If the networks in the Phase 2 do not overlap, an IPSec interface can now be used by multiple Phase 1. This makes the management of firewall rules and routes easier as the interface will carry all the different traffic.
#. Other Changes:

   * Webserver IP can now be picked from interface IPs and Virtual IPs
   * Cache gateway status up/down in the backend for faster processing
   * Letsencrypt can now be used with HAProxy in Webserver mode
   * The backup restore progress has more details in the GUI now and shows information until the end
   * Diagnostics Firewall Rule output is now streamed from the webserver. On large setups the page blocked the entire webserver.
   * WPA Supplicant uses the default wpa_supplicant-wired service name now instead of a custom one
   * More choices for the ICMPv6 types in firewall rules
   * Diagnostics DHCP: the apply change banner is now sticky at the top of the screen when scrolling for better visibility
   * Improvements and speedups when using DHCP interfaces during startup
   * Improvements in detecting when interfaces go up and down
   * Fix for VRRP status sometimes not being shown correctly
   * OpenVPN show interface name in the settings of the tunnel
   * Firewall rule deletion shows a warning that open states are unaffected
   * IPSec Diagnostics has a new overview list page of all connections
   * HAProxy TCP mode allows certificates and client certificate authentication
   * HAProxy added a new global custom config section
   * Fix the use of CRLs with HAProxy
   * Fix the AND / OR logic in HAProxy
   * Fix radvd needs an IPv6 DNS server and does not start with IPv4 (RFC 8106)
   * Fix webproxy spelling error for splice
   * Interface IPv6 track config can now utilize the ID to fix a subnet to an interface
   * Fix DNAT IPv6 was missing the [] to separate the port
   * Fix Webproxy transparent proxy did not properly work with IPv6 since the localhost address cannot be used for sending (RFC 4291)
   * ACME DNS Handle has a description field now
   * Fix Network Objects dynamic entries need to be validated one by one
   * Fix loganalyzer cannot save certain JSON data
   * DHCP Server allow pools with a single IP
   * DHCP Server expose the reclaim parameter
   * Unifi App image will have a volume created automatically on creation
   * Fix VRRP Master/Backup status setting under load

VT AIR 23.07
*********************

#. XDP DDoS Protection: DDoS firewall rules are now loaded into XDP, which allows for much faster drop rates and protection. A generic XDP program is now loaded on non-native XDP interfaces if XDP is enabled for the DDoS protection. Intrusion Protection can now also mark flows/states for dropping in XDP when a drop rule hits, allowing for a much faster drop rate of bad traffic.
#. DDoS more options: DDoS options are now more fine grained. It is possible to count either dropped traffic (default) or all traffic against the DDoS rate limit. Additional options are always available for SYN and ICMP packets to cover specialized DDoS attack cases.
#. LTE Support second SIM Card: LTE modems with a second SIM card can now be configured in the GUI with automatic SIM card switching. This allows both SIM card slots to be utilized: if the gateway of one connection goes down, the Gateway Check can trigger a SIM card change. Only one SIM card can be active at a given time. There is also a GUI option in the diagnostics section of LTE to manually change the SIM card slot.
#. Firewall Option to Disable XDP for a flow: If XDP is enabled you can now exclude flows through a firewall rule option. This is useful for QoS or diagnostics.
#. IPSec Hardware Offload Setting: In case of a Mellanox NIC that supports IPSec offload you can enable the setting in the GUI
#. Faster Gateway configuration at boot: The default gateway will now be added faster on boot if possible. This works for static gateways and DHCP gateways.
#. Option to show Hostname in header: Show the hostname of the VT AIR in the header and in the login screen. This way you can more easily identify which VT AIR you are on
#. VRF Support: Virtual routing and forwarding allows for better separation of network interfaces and routes. One can now group interfaces by VRF, and VRF also allows the creation of a Layer 3 VPN (L3VPN) in combination with our dynamic routing options. VRFs can be added in the Interface configuration and assigned to each interface in the advanced options.
#. SNMP Conntrack States: Export the number of used conntrack states to SNMP
#. HAProxy more Options: The configuration of SSL and cipher parameters is now possible in the GUI.
#. Firewall Detect Possible Duplicate Rules: Each Interface Firewall and Global Firewall Rule has a new option in the GUI to show possible duplicate rules. VT AIR checks the 6-tuple (Source IP, Destination IP, Source Port, Destination Port, Protocol, Interface) to see whether another rule might cover the same traffic. Extra options are not compared, so a manual check still has to be performed. The design requires the firewall service to run first and fill up the data for the check. The same goes for changes to firewall rules, which need to be applied first before the new data set is available.
#. Firewall Optimizations: We now use Sets for Network Objects and especially GeoIPs; this is a config generation change only. The change allows us to load only the objects that are actually used, which speeds up firewall rule loading by a lot, especially for setups utilizing the GeoIP data. There are no changes to the GUI; it is a backend change only.
#. Other GUI Changes:

   * Rename XDP Offloader to XDP
   * Update to the copyright list of used packages
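To make the 6-tuple check concrete, here is an added Python example (not VT AIR's implementation; the rule format, field names and sample rules are assumptions constructed for this illustration) that reports possible duplicates the same way: two rules are flagged when one rule's interface, protocol, source, destination, source port and destination port cover the other's, while the action and every option outside the tuple are deliberately ignored. That is exactly why the result is only a candidate list that still needs a manual check.

```python
"""Possible-duplicate check on the firewall 6-tuple
(source, destination, source port, destination port, protocol, interface).

Added example, not VT AIR code.  Rule fields and names are assumptions;
the sample ruleset at the bottom is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    interface: str
    proto: str = ANY            # "tcp", "udp", "icmp" or "any"
    src: str = ANY              # CIDR or "any"
    dst: str = ANY
    sport: str = ANY            # "22", "1024-65535" or "any"
    dport: str = ANY
    action: str = "pass"
    # Everything outside the 6-tuple (schedule, user, gateway, ...): the
    # check ignores these on purpose, which is why a hit is only "possible".
    extra: tuple = field(default=(), compare=False)


def _net_covers(outer: str, inner: str) -> bool:
    """True when every address matched by inner is also matched by outer."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    o, i = ip_network(outer, strict=False), ip_network(inner, strict=False)
    return o.version == i.version and i.subnet_of(o)


def _port_range(spec: str) -> tuple[int, int]:
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def _port_covers(outer: str, inner: str) -> bool:
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    olo, ohi = _port_range(outer)
    ilo, ihi = _port_range(inner)
    return olo <= ilo and ihi <= ohi


def covers(a: Rule, b: Rule) -> bool:
    """Does a's 6-tuple match every packet that b's 6-tuple matches?"""
    return (
        a.interface == b.interface
        and (a.proto == ANY or a.proto == b.proto)
        and _net_covers(a.src, b.src)
        and _net_covers(a.dst, b.dst)
        and _port_covers(a.sport, b.sport)
        and _port_covers(a.dport, b.dport)
    )


def possible_duplicates(rules: list[Rule]) -> list[tuple[str, str]]:
    """(broader, narrower) name pairs.  With first-match evaluation the
    narrower rule is dead only if the broader one comes first; either way
    action and Rule.extra are not compared, so each pair needs a human."""
    hits = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if covers(a, b):
                hits.append((a.name, b.name))
            elif covers(b, a):
                hits.append((b.name, a.name))
    return hits


# Constructed sample ruleset.
SAMPLE_RULES = [
    Rule("R1", "lan", "tcp", src="10.0.0.0/24", dport="443"),
    Rule("R2", "lan", "tcp", src="10.0.0.10/32", dport="443"),     # shadowed by R1
    Rule("R3", "lan", src="10.0.0.0/24", dst="192.0.2.0/24"),
    Rule("R4", "wan", "tcp", dst="203.0.113.5/32", dport="22",
         extra=("schedule=office-hours",)),
    Rule("R5", "wan", "tcp", dst="203.0.113.0/24", dport="22", action="block"),
    Rule("R6", "wan", "tcp", src="198.51.100.0/24", dst="203.0.113.5/32",
         dport="1024-65535"),
    Rule("R7", "lan", "udp", dport="53"),
    Rule("R8", "lan", "udp", src="10.0.0.0/24", dport="53"),      # shadowed by R7
]


if __name__ == "__main__":
    for broader, narrower in possible_duplicates(SAMPLE_RULES):
        print(f"{broader} might already cover {narrower}; check the other options")
```

Note the R4/R5 pair: R5 is broader but comes later and has a different action and no schedule, so it is not a duplicate at all, yet the tuple check cannot tell. That is the case the changelog's "manual check" caveat is about.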
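The two Sets items (Firewall Sets in 24.01 and Firewall Optimizations above) describe a config-generation change. The following Python script is an added illustration of that change, not VT AIR's own generator: it compiles constructed Network Objects and rules to nftables text in both styles, expanding each object into one rule per element versus one named set per object, and it emits a set only for objects that some rule actually references. Object names, prefixes, the table name and the rule layout are sample data.

```python
"""Network Objects compiled to nftables named sets.

Added illustration, not VT AIR's config generator.  Contrasts expanding
objects element by element (one rule per combination) with named sets
that are loaded once and only when referenced.  All data is constructed.
"""
from itertools import product

# Constructed sample Network Objects (name -> prefixes).
OBJECTS = {
    "office":        ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"],
    "geo_block":     ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/25",
                      "192.0.2.128/25", "100.64.0.0/10"],
    "dns_servers":   ["10.0.0.53/32", "10.0.1.53/32"],
    "legacy_unused": ["172.16.0.0/12", "192.168.0.0/16"],   # no rule uses it
}

# Constructed rules: (src object or "any", dst object or "any", l4 match, verdict)
RULES = [
    ("office",    "dns_servers", "udp dport 53",  "accept"),
    ("geo_block", "any",         "",              "drop"),
    ("office",    "any",         "tcp dport 443", "accept"),
]


def _elements(name):
    return ["any"] if name == "any" else OBJECTS[name]


def _rule_line(src, dst, l4, verdict):
    parts = []
    if src != "any":
        parts.append(f"ip saddr {src}")
    if dst != "any":
        parts.append(f"ip daddr {dst}")
    if l4:
        parts.append(l4)
    parts.append(verdict)
    return " ".join(parts)


def expand_rules(rules=RULES):
    """Old strategy: one nft rule per (src element x dst element).
    A GeoIP object with thousands of prefixes multiplies every rule."""
    return [
        _rule_line(s, d, l4, verdict)
        for src, dst, l4, verdict in rules
        for s, d in product(_elements(src), _elements(dst))
    ]


def used_objects(rules=RULES):
    """Only objects a rule references are worth loading into the kernel."""
    return sorted({n for r in rules for n in r[:2] if n != "any"})


def set_rules(rules=RULES):
    """New strategy: one named set per referenced object, one rule per rule."""
    sets = {
        name: (
            f"    set {name} {{\n"
            f"        type ipv4_addr\n"
            f"        flags interval\n"
            f"        elements = {{ {', '.join(OBJECTS[name])} }}\n"
            f"    }}"
        )
        for name in used_objects(rules)
    }
    lines = [_rule_line(f"@{s}" if s != "any" else s,
                        f"@{d}" if d != "any" else d, l4, v)
             for s, d, l4, v in rules]
    return sets, lines


def render_table(rules=RULES):
    """Complete set-based table text, loadable with `nft -f`."""
    sets, lines = set_rules(rules)
    return (
        "table inet vtair_example {\n"
        + "\n".join(sets.values()) + "\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy drop;\n"
        + "\n".join(f"        {l}" for l in lines) + "\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    print(f"expanded: {len(expand_rules())} rules, "
          f"set-based: {len(set_rules()[1])} rules + {len(used_objects())} sets")
    print(render_table())
```

The rendered text can be syntax-checked without loading it via ``nft -c -f <file>``. With real GeoIP objects the difference is the point: the expanded form grows with the product of the object sizes on each rule, the set form stays at one rule per rule plus one set per object that is actually used.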
#. Other Changes:

   * API Schema file is now only rewritten on a version change to make the GUI start faster
   * Cleanup of old logrotate files in the config directory
   * Fix for addons not available across worker processes
   * Fix for Letsencrypt DNS Handles not being HASynced to the secondary firewall
   * Fix for Interface and VirtualIP being allowed to have the same IP address on the same interface
   * Fix for LTE Interface having no link-local IPv6 address in some cases
   * Fix for Wired WPA Supplicant not having a fake SSID
   * Fix for Bridge interface members and DHCP Server not being in the correct state when the GUI starts. They are now reloaded upon GUI start so we can control interface changes correctly
   * HAProxy delete certificates that are not in use by any Frontend anymore
   * HAProxy duplicate backend does not also duplicate the ACL and Verdict rules in the Frontend
   * Bootup loads firewall rules faster
   * WLAN and WWAN interfaces get stable names of the form wwanX and wlanX
   * SNMP fix bridge OID values
   * Support for 5G modems
   * Fix Gateway Monitoring not always recording data for diagnostics
   * Logcleanup can now shrink /var/log to the configured RAM disk size if RAM disk is enabled
   * Fix QoS tab being created for non-eligible interfaces

VT AIR 23.04
*********************

#. eXpress Data Path flow offloader (XDP)
#. SNMP allow for multiple Trap Servers
#. SNMP custom traps
#. Services can have non-existing Virtual IPs on standby
#. LTE Dual Stack fixes

VT AIR 23.01
*********************

#. DNS Firewall extend lists
#. Webfilter extend lists
#. DHCP Static Entry as Firewall Object
#. IPSec allow start and trap at the same time
#. Captive Portal Voucher
#. Captive Portal Redirect to another VT AIR
#. Docker Backup Script
#. Webfilter more options in the GUI for Man in the Middle and redirect, as well as logging
#. Webfilter add LDAP Support
#. Change Diagnostic Data to InfluxDB

VT AIR 22.10
*********************

#. Firewall Rule TCPDump
#. Firewall Rule Trace
#. Interface HASync
#. Add Multiple Options for DNS, DHCP, VirtualIP
#. Config Default Templates
#. Syslog TLS Option
#. Routing Backend Refactoring for faster speed
#. Gateway changes custom scripts
#. Firewall better custom rule GUI
#. GUI Updates and Factory Defaults output improvements
#. Certificate P12 also import CA
#. Network Object Entries reordering
#. Allow to select default firewall rule tab
#. Firewall temp rules with expiration date
#. New RADIUS backend library

VT AIR 22.07
*********************

#. IPv6 Network Prefix Translation
#. Windows AD Client for Identity Awareness
#. PC Client for Identity Awareness
#. Service Speed Improvements
#. Rename Alias to Network Objects
#. Select fields are now searchable in the Webgui
#. Firewall fields for IPs and Ports are changed to real time search fields
#. Firewall Rule support raw syntax
#. DNS Diagnostics
#. Diagnostics IP Addresses country flags
#. IPSec Identifier simplification
#. OpenVPN Diagnostics show encryption for each connected client
#. DHCP Server TFTP iPXE Support
#. QinQ choose VLAN Type
#. Intrusion Detection Option to exclude internal traffic
#. DynDNS Cron option for time based checks
#. Letsencrypt renew support custom script
#. Interface create option for default firewall rules

VT AIR 22.04
*********************

#. Kernel Update to 5.15
#. Move Firewall Rules between Global and Interface
#. AWS Alias list
#. Allow all Interfaces to be disabled
#. Firewall Rule show order
#. DNS Domain allow exact match and all subdomains
#. Webfilter Virus Scan whitelist domains
#. DHCP Static IP lease checks
#. Improve States Diagnostics
#. QoS use only base interfaces
#. HASync optimizations
#. Firewall Rule delete button in edit screen
#. XLSX Export for firewall settings
#. Read Only Group
#. Zerotier Addon

VT AIR 22.01
*********************

#. Systat Sum interfaces
#. WAF Dashboard
#. BGP Passive Neighbor
#. HASync Onboarding
#. HA Sync Sign and Warning Secondary
#. GeoIP Continents
#. OpenVPN Custom Overrides
#. Firewall Rule Divider
#. CSR Sign with CA
#. OpenVPN Remove Peer to Peer
#. Disk Mail Root Notifications
#. VRRP needs a static or DHCP IP
#. Auto Update change
#. Logfile Cleaner
#. HAProxy SSL
#. DNS Domain Overrides allow multiple
#. VRRP Fail on disk error
#. DNS Domain Firewall Rules
#. AWS and Azure
#. Webserver disable TLS 1.0 and TLS 1.1 and DHE algorithms
#. OpenSSH disable DHE algorithms

VT AIR 21.10
*********************

#. Update to Debian 11
#. Intrusion Detection Events Dashboard
#. Firewall Events Dashboard
#. Dynamic Routing Custom Config Options
#. Intrusion Detection Email Reports
#. Dynamic Routing BFD Support
#. Dynamic Routing IS-IS Support
#. CSR Import
#. Wireguard Fast Peer Creation
#. High Availability Unicast Option (VRRP and States Sync)
#. Restructuring of the Diagnostics Menu
#. IPSec EAP RADIUS Support
#. LTE Diagnostics enhancements
#. Support for page size on list views like Firewall
#. Route Diagnostics shows Protocol Name
#. VRRP Fix for IPv4 and IPv6 Support
#. Authenticator 802.1X enhancements and diagnostics
#. OpenVPN Shared Key Config fixes
#. IPSec fix for AES-GCM in Phase 1
#. OpenVPN Restart on Gateway change

VT AIR 21.07
*********************

#. DDoS Firewall Early Drop
#. Suricata DDoS Firewall Blocking
#. Suricata Update Rules or Groups
#. Gateway Check History
#. Web Application Firewall
#. HAProxy Proxy Option
#. Wireguard VRRP Master Option
#. Firewall Rules Delete All
#. Intrusion Protection VT AIR Pro Rules Support
#. Gateway Force Down Option
#. Letsencrypt DNS Authentication

VT AIR 2.2.9
*********************

#. State Counter
#. GRO Fix
#. Netflow Export
#. App Container Environment Variables
#. MPLS LDP
#. OpenVPN GUI Improvements
#. CPU Profiles
#. Fixes

VT AIR 2.2.8
*********************

#. Captive Portal User Authentication
#. VirtualIP Alias can have a Netmask
#. Intrusion Detection option Drop First
#. DHCP Options NTP Fix
#. OpenVPN User Authentication Diagnostics Fix
#. Captive Portal is part of the base Installation
#. Intrusion Detection Diagnostics add a protocol dropdown
#. IP reverse DNS for Firewall and Intrusion Detection Diagnostics
#. App Definition Copy
#. Identity Management
#. User based Firewall Rules
#. VirtualIP CARP setting for start mode (Master/Backup)
#. IPSec fixes and options for close/open/dpd
#. SDWAN support (Preview)
#. Linux Kernel 5.10 (LTS)

VT AIR 2.2.7
*********************

#. App Control (Application Firewall Rules)
#. Security Dashboard
#. VXLAN Support
#. WebVPN Groups Support
#. Webfilter SSL Man in the Middle Support
#. Webfilter Auto Detect PAC File
#. Sudo Support
#. IPSec Ping Check
#. OpenVPN Copy Option
#. Webfilter is part of the base Installation
#. Intrusion Detection show predefined rules
#. Wireguard Copy Option
#. Route remove if Gateway is down

VT AIR 2.2.6
*********************

#. New WebVPN Addon
#. Intrusion Detection is part of the base system
#. Intrusion Detection Speedups
#. SNAT output interfaces
#. Firewall rules trace
#. Google IPs as Alias
#. Notification Messages for Interface, Gateway, Virtual IP change
#. Web Filter (Squid) Fixes
#. Wireguard Config Import
#. Wireguard MTU option
#. Wireguard Routing Table option
#. Web Filter change blacklist
#. Audit Log Export
#. MPLS Support
#. Multipath Routes Support
#. Docker Fixes and Show Ports in the GUI
#. Users and Groups are moved to their own Menu item
#. GUI Login requires System Admin (Admin) or System User (User) group membership

VT AIR 2.2.5
*********************

#. LTE fix: SIM PIN leading zero was removed
#. Captive Portal fixes for OSX/iPhone
#. Apply Change now checks for in progress on the Webgui
#. Firewall Rule Routing Table Back Direction
#. Dashboard Traffic Widget can be added multiple times
#. IPSec Allow All/Any as Interface
#. Captive Portal Timeout for clients
#. Alias/CP Hostnames are now resolved more accurately
#. HAProxy Backend Sticky Table
#. Wireguard DNS Server
#. Wireguard Multiple IP Addresses
#. Wireguard Peer Export
#. Wireguard QR code for config exports
#. PPPoE Interface Master Only
#. SHDSL Mode and PAM
#. Default Certificate can be removed
#. Dashboard Columns can be set
#. Firewall Diagnostics show current ruleset
#. CPU Mitigation can be enabled/disabled
#. SNMP Temperature export

VT AIR 2.2.4
*********************

#. Squid ClamAV Virus Scanner
#. Squid Shalla Blacklist
#. IPSec Diagnostics shows Encryption Parameters
#. LTE Roaming Option
#. Diagnostics have auto reload enabled
#. IPSec Support additional Algorithms (AES-CCM, ChaCha20)
#. GRETAP Support (Layer 2)
#. PCrypt for parallel encryption speedup
#. LDAP Automatic User Sync
#. Auto Update Report Emails
#. DynDNS Strato Support
#. 802.1X Authenticator Addon
#. Firewall Custom Rules in GUI
#. WireGuard VPN Support

VT AIR 2.2.3
*********************

#. Escape Virtual IP Password
#. LTE Templates for Providers
#. Update Pages show individual updates
#. Traffic Widget option for PPS
#. Backup Name includes hostname and time
#. State Deletion of Offloaded Connections
#. Rate Limit SSH to VT AIR
#. IPSec Secondary Authentication
#. IPSec Client Connection Support
#. IPSec Support for EAP-TLS, EAP-MD5, EAP-MSCHAPv2
#. Squid Proxy Addon
#. Auditlogs for SHDSL, VDSL, LTE, Apps
#. LTE Autoconnect and Refresh Fixes
#. Captive Portal Updates
#. IPSec Fix Problems with Certificate Authentication
#. DHCP Client Leasetime Field Added
#. Certificate only requires CNAME
#. GRE Keepalive Support
#. SNMP Fixed Interface MIBs for VT AIR Models internal interfaces
#. Fixes

VT AIR 2.2.2
*********************

#. Fixes
#. Firewall Time Support
#. VDSL Diagnostics
#. ARP Table Settings
#. QoS Bridge
#. LTE Diagnostics
#. Certificate Creation on User Page
#. Two Factor Authentication GUI + OpenVPN
#. Captive Portal

VT AIR 2.2.1
*********************

#. Fixes
#. VDSL Settings and Diagnostics
#. Update Email Schedule for Updates
#. Portal Backup of config
#. NAT and Firewall Search
#. Copyright in GUI for all packages
#. GRE over IPSec fixes
#. GRE responder for keepalive IPv4
#. QoS Flow offload fixes

VT AIR 2.2.0
*********************

#. Fixes
#. LDAP Sync User Groups
#. NAT Reflection Netmask
#. OpenVPN Gateways can be selected
#. QoS Flowtable fix
#. Session Timeout can be configured
#. Login IPs can be whitelisted
#. Diagnostics for NTP
#. DynDNS Home Support

VT AIR 2.1.3
*********************

#. Fixes
#. Geo IPs
#. Office365 Firewall Rules
#. DNS Blacklists

VT AIR 2.1.2
*********************

#. Fixes
#. Bond ARP Check
#. SNAT Routing Table

VT AIR 2.1.1
*********************

#. Portal Connection Management
#. Bond in Bridge
#. Bond xmit policy
#. Gateway Groups Diagnostics
#. DNAT Routing Table

VT AIR 2.1.0
*********************

#. Bridge Layer 2 Firewall Rules
#. Flowtable Implementation
#. Remote Access Daemon
#. Bugfixes

VT AIR 2.0.0
*********************

#. Config Mode
#. Suricata for IDS/IPS
#. UPnP IPv6 Support
#. Software RAID Support and Diagnostics
#. Syslogs for more Services
#. Auto RAID 1 Installation
#. AppArmor

VT AIR 1.6.0
*********************

#. Email Alerts for Updates
#. Strongswan swanctl
#. Allow for IPSec Interfaces
#. Backup/Restore fix
#. P12 Certificate Import
#. WPA Supplicant for wired Interfaces
#. IPSec multiple source IPs
#. UPnP NAT working
#. Letsencrypt Support
#. Firewall Helper

VT AIR 1.5.0
*********************

#. Addon Apcups
#. Addon Ntopng
#. DHCP MAC Deny
#. TCPDump file download
#. RRD Graphs
#. SMART Status Hard Drives
#. Systemctl for Firewall
#. OpenVPN Server Authentication Server

VT AIR 1.4.0
*********************

#. User Authentication RADIUS
#. User Authentication LDAP
#. Addon Avahi
#. Addon IGMPProxy
#. High Availability Config Sync
#. High Availability VRRP
#. High Availability Firewall States Sync
#. Service changes for HA
#. LAGG set active port
#. SHDSL Option to disable modem
#. Wake on LAN

VT AIR 1.3.0
*********************

#. Fix Users ssh key
#. Limiter Support
#. Fix Reset to factory defaults
#. Ability to change settings after restore before reload
#. Addon Structure
#. HAProxy Addon
#. Hostname Support for Firewall and IPSec
#. HWInterface Support
#. Webgui File Manager
#. VRRP Select Track Interfaces
#. SFP and Bridge Diagnostics
#. OpenVPN Importer

VT AIR 1.2.0
*********************

#. QoS
#. Flowtables for fast forwarding
#. Track Interface
#. DHCPv6 Prefix Delegation
#. Bugfixes
#. DNS over TLS
#. Dynamic DNS
#. Fix firewall rule logging

VT AIR 1.1.0
*********************

#. Fix IP detection problem in Axes behind reverse proxy
#. Add Routing Tables and the ability to assign them via Firewall Rules
#. Add Gateway Fallback and Loadbalancing
#. Handle all Gateways in code now
#. QinQ Interface Support
#. Allow VTI in Bonds
#. Fix backup to exclude certain data
#. MLPPP Support
#. Gateway Monitoring fixes
#. OpenVPN fixes
#. OpenVPN enable certificate + user authentication
#. GUI fixes

VT AIR 1.0.1
*********************

#. Fix consumer mixin bug

VT AIR 1.0.0
*********************

#. Initial Release