26. Changelog

26.1. VT AIR 24.01

  1. LTE450:

    Support for the new LTE450 network

  2. Password Change:

    At first login a password must be set for the admin user before the GUI is available. This is a major change from the previous default password and is required to comply with new security regulations.

  3. SNMP:

    New custom SNMP endpoints to read the data of Wireguard, IPSec, OpenVPN Server and OpenVPN Client

  4. New Database Backend Connector:

    The database connector in VT AIR was rewritten to provide better stability and circumvent situations when the database is busy.

  5. Firewall Sets:

    The firewall backend now uses more Sets, which speeds up the firewall rule load time, especially for large setups and geoips.

  6. States Sync:

    Option to write synced states directly into the state table instead of using the external cache. This allows for faster failover but higher costs during sync.

  7. Other Changes:

    • Fix a race condition where the cache could be filled with old data

    • User Download own Wireguard Profile

    • Dashboard Firewall, IDS, WAF Alert when Logger is disabled

    • Network Object import lists with Mac Addresses

    • Work queue has more details now in diagnostics

    • WebVPN add User, Password and Domain field

    • Fix for Captive Portal HASync of Files

    • Firewall uses the new ipsec Identifier

    • A Security Patch Repository is added when the update licence expires

    • Fix DHCP Pool lease lifetime option

    • Fix bond in bridge change not triggering a change

    • Fix Captive Portal interface change not triggering a change

    • Firewall setting for default policy

    • Captive Portal Diagnostics show traffic data

    • Intrusion Detection Report Excel Table Report

    • Certificates list view show extra information like DNS

    • Fix Interface Stats Diagnostics data not showing correct date

    • DNS fix no restart after interface change

    • WAF various fixes for excluding rules, parsing ajax requests and setting default data

26.2. VT AIR 23.10

  1. WAF Engine:

    The Web Application Firewall engine is changed to Coraza. Modsecurity will be end of life soon, so we are transitioning to the new engine. It also allows more efficient integration into HAProxy with the spoa interface. Along with this change, a custom error HTML page can be set on each HAProxy backend.

  2. Routing Backend

    The static routing backend is outsourced to a new daemon vtair-routing. All static and mpls routes are now handled by this new routing daemon, which is far more efficient than our previous implementation.

  3. Rename LTE

    All GUI entries that had LTE in them are now renamed to Cellular. Since we support 5G now, we decided to go with a more generic name.

  4. Zero Tier One

    Support for multiple Zero Tier One connections

  5. Password Change

    If a user wants to change their own password, the old password is now required as well.

  6. Password Strength Indicator

    For all passwords, we added a strength indicator to see how good the password is

  7. Login Attempts

    Are now logged and shown in the Diagnostics under GUI Logins. All attempts are logged, regardless of success.

  8. Running Services

    Will show their corresponding ports in the diagnostics service page.

  9. Connected Devices

    All open connections to the VT AIR itself can be seen in the Diagnostics under Firewall - Host Connections

  10. User OpenVPN Profile Download

    Users can now download their own OpenVPN Profile in the Profile section when logged into the WebGUI

  11. IPSec Phase 1 Fallback

    Another Phase 1 can be picked as a backup tunnel to start in case of the original Phase 1 being down. A Ping check needs to be configured along with the Fallback tunnel to check if the remote endpoint is available.

  12. IPSec Interface for multiple Phase 1

    If the networks in the Phase 2 do not overlap, an IPSec Interface can now be used by multiple Phase 1. This makes the management of firewall rules and routes easier as the interface will carry all the different traffic.

  13. Other Changes:

    • Webserver IP can now be picked by interface IPs and Virtual IPs

    • Cache gateway status up/down in the backend for faster processing

    • Letsencrypt can now be used with HAProxy in Webserver mode

    • The backup restore progress has more details in the GUI now and shows information until the end

    • Diagnostics Firewallrule Output is now streamed from the Webserver. On large setups the page blocked the entire webserver.

    • WPA Supplicant uses the default wpa_supplicant-wired service name now instead of a custom one

    • More choices for the ICMPv6 types in firewall rules

    • Diagnostics DHCP the apply change banner is now sticky at the top of the screen when scrolling for better visibility

    • Improvements and speedups when using DHCP Interfaces during startup

    • Improvements in detecting when interfaces go up and down

    • Fix for VRRP status was sometimes not shown correctly

    • OpenVPN show interface name in the settings of the tunnel

    • Firewallrule deletion show warning that open states are unaffected

    • IPSec Diagnostics has a new overview list page of all connections

    • HAProxy TCP mode allow certificates and client certificate authentication

    • HAProxy added a new global custom config section

    • Fix the use of CRLs with HAProxy

    • Fix the AND / OR logic in HAProxy

    • Fix radvd needs IPv6 DNS server and does not start with IPv4 (RFC8106)

    • Fix webproxy spelling error for splice

    • Interface IPv6 track config can now utilize the ID to fix a subnet to an interface

    • Fix DNAT IPv6 was missing the [] to separate the port

    • Fix Webproxy transparent proxy did not properly work with IPv6 since the localhost address cannot be used for sending (RFC4291)

    • ACME DNS Handle has a description field now

    • Fix Network Objects dynamic entries need to be validated one by one

    • Fix loganalyzer can not save certain json data

    • DHCP Server allow pools with a single IP

    • DHCP Server expose the reclaim parameter

    • Unifi App Image will have a volume created automatically on creation

    • Fix VRRP Master/Backup status setting under load

26.3. VT AIR 23.07

  1. XDP DDoS Protection:

    DDoS Firewall Rules are now loaded into XDP, which allows for much faster drop rates and protection. A generic XDP program is now loaded on non-native XDP Interfaces if XDP is enabled for the DDoS protection. Intrusion Protection can now also mark flows/states for dropping in XDP when a drop rule hits, allowing for a much faster drop rate of bad traffic.

  2. DDoS more options:

    DDoS options are now more fine grained. It is possible to either count dropped traffic (default) or all traffic against the DDoS rate limit. Additional options are always available for SYN and ICMP packets to cover specialized DDoS attack cases.

  3. LTE Support second SIM Card:

    LTE modems with a second SIM card can now be configured in the GUI with automatic SIM card switching. This makes it possible to utilize both SIM card slots, and if a Gateway of one connection goes down, the Gateway check can trigger a SIM card change. Only one SIM card can be active at a given time. There is also a GUI option in the diagnostics section of LTE to manually change the SIM card slot.

  4. Firewall Option to Disable XDP for a flow:

    If XDP is enabled, you can now exclude flows through a firewall rule option. It is useful for QoS or Diagnostics.

  5. IPSec Hardware Offload Setting:

    In case of a Mellanox NIC that supports IPSec offload you can enable the setting in the GUI

  6. Faster Gateway configuration at boot:

    The default Gateway will be added faster now on boot if possible. This will work for static Gateways and DHCP Gateways.

  7. Option to show Hostname in header:

    Show the hostname of the VT AIR in the header and in the login screen. This way you can more easily identify which VT AIR you are on

  8. VRF Support:

    Virtual routing and forwarding allows for better separation of network interfaces and routes. One can now group interfaces by VRF, and VRF also allows the creation of a Layer 3 VPN (L3VPN) in combination with our dynamic routing options. VRF can be added in the Interface configuration and added to each assigned Interface in the advanced options.

  9. SNMP Conntrack States:

    Export the number of used conntrack states to SNMP

  10. HAProxy more Options:

    The configuration of SSL and Cipher Parameter is now possible in the GUI.

  11. Firewall Detect Possible Duplicate Rules:

    Each Interface Firewall and Global Firewall Rule has a new option in the GUI to show possible duplicate rules. VT AIR checks the 6-tuple (Source IP, Destination IP, Source Port, Destination Port, Protocol, Interface) to check if there is another rule that might cover the same rule. We do not check any extra options, though, so a manual check has to be performed. The design requires the firewall service to run first and fill up the data for the check. The same goes for changes of firewall rules, which need to be applied first before the new data set is available.

  12. Firewall Optimizations:

    We use Sets now for Network Objects and especially Geo IPs; this is a config generation change only. The change allows us to only load used Objects, which will speed up firewall rule loading by a lot, especially for setups utilizing the Geo IP data. There are no changes to the GUI and it is a backend change only.

  13. Other GUI Changes:

    • Rename XDP Offloader to XDP

    • Update to the Copyright list of used packages

  14. Other Changes:

    • API Schema file is now only rewritten on a version change to make the GUI start faster

    • Cleanup of old logrotate files in the config directory

    • Fix for addons not available across worker processes

    • Fix for Letsencrypt DNS Handles not being HASynced to the secondary firewall

    • Fix for Interface and VirtualIP can have the same IP Address on the same interface

    • Fix for LTE Interface has no Link Local IPv6 address in some cases

    • Fix for Wired WPA Supplicant not having a fake SSID

    • Fix for Bridge interface members and DHCP Server not being in the correct state when the GUI starts. They are now reloaded upon the GUI start so we can control interface changes correctly

    • HAProxy delete certificates that are not in use by any Frontend anymore

    • HAProxy duplicate backend do not also duplicate the ACL and Verdict rules in the Frontend

    • Bootup load firewall rules faster

    • WLAN and WWAN interfaces create a stable naming of wwanX and wlanX

    • SNMP fix bridge OID values

    • Support for 5G modems

    • Fix Gateway Monitoring not always recording data for diagnostics

    • Logcleanup can now shrink /var/log to the configured RAM Disk size if RAM disk is enabled

    • Fix QoS Tab is created for non eligible interfaces

26.4. VT AIR 23.04

  1. eXpress Data Path flow offloader (XDP)

  2. SNMP allow for multiple Trap Server

  3. SNMP custom traps

  4. Services can have non existing Virtual IPs on standby

  5. LTE Dual Stack fixes

26.5. VT AIR 23.01

  1. DNS Firewall extend lists

  2. Webfilter extend lists

  3. DHCP Static Entry as Firewall Object

  4. IPSec allow start and trap at the same time

  5. Captive Portal Voucher

  6. Captive Portal Redirect to another VT AIR

  7. Docker Backup Script

  8. Webfilter more options in the GUI for Man in the Middle and redirect, as well as logging

  9. Webfilter add LDAP Support

  10. Change Diagnostic Data to influxdb

26.6. VT AIR 22.10

  1. Firewall Rule TCPDump

  2. Firewall Rule Trace

  3. Interface HASync

  4. Add Multiple Options for DNS, DHCP, VirtualIP

  5. Config Default Templates

  6. Syslog TLS Option

  7. Routing Backend Refactoring for faster speed

  8. Gateway changes custom scripts

  9. Firewall better custom rule GUI

  10. GUI Updates and Factory Defaults output improvements

  11. Certificate P12 also import CA

  12. Network Object Entries reordering

  13. Allow to select default firewall rule tab

  14. Firewall temp rules with expiration date

  15. New radius backend library

26.7. VT AIR 22.07

  1. IPv6 Network Prefix Translation

  2. Windows AD Client for Identity Awareness

  3. PC Client for Identity Awareness

  4. Service Speed Improvements

  5. Rename Alias to Network Objects

  6. Select fields are now searchable in the Webgui

  7. Firewall fields for IPs and Ports are changed to real time search fields

  8. Firewall Rule support raw syntax

  9. DNS Diagnostics

  10. Diagnostics IP Addresses country flags

  11. IPSec Identifier simplification

  12. OpenVPN Diagnostics show encryption for each connected client

  13. DHCP Server TFTP iPXE Support

  14. QinQ choose VLAN Type

  15. Intrusion Detection Option to exclude internal traffic

  16. DynDNS Cron option for time based checks

  17. Letsencrypt renew support custom script

  18. Interface create option for default firewall rules

26.8. VT AIR 22.04

  1. Kernel Update to 5.15

  2. Move Firewall Rules between Global and Interface

  3. AWS Alias list

  4. Allow all Interfaces to be disabled

  5. Firewall Rule show order

  6. DNS Domain allow exact match and all subdomains

  7. Webfilter Virus Scan whitelist domains

  8. DHCP Static IP lease checks

  9. Improve States Diagnostics

  10. QoS use only base interfaces

  11. HASync optimizations

  12. Firewall Rule delete button in edit screen

  13. XLSX Export for firewall settings

  14. Read Only Group

  15. Zerotier Addon

26.9. VT AIR 22.01

  1. Systat Sum interfaces

  2. WAF Dashboard

  3. BGP Passive Neighbor

  4. HASync Onboarding

  5. HA Sync Sign and Warning Secondary

  6. GeoIP Continents

  7. OpenVPN Custom Overrides

  8. Firewall Rule Divider

  9. CSR Sign with CA

  10. OpenVPN Remove Peer to Peer

  11. Disk Mail Root Notifications

  12. VRRP needs a static or dhcp IP

  13. Auto Update change

  14. Logfile Cleaner

  15. HAProxy ssl

  16. DNS Domain Overrides allow multiple

  17. VRRP Fail on disk error

  18. DNS Domain Firewall Rules

  19. AWS and Azure

  20. Webserver disable TLS 1.0 and TLS 1.1 and DHE Algorithm

  21. OpenSSH disable DHE Algorithm

26.10. VT AIR 21.10

  1. Update to Debian 11

  2. Intrusion Detection Events Dashboard

  3. Firewall Events Dashboard

  4. Dynamic Routing Custom Config Options

  5. Intrusion Detection Email Reports

  6. Dynamic Routing BPD Support

  7. Dynamic Routing IS-IS Support

  8. CSR Import

  9. Wireguard Fast Peer Creation

  10. High Availability Unicast Option (VRRP and States Sync)

  11. Restructuring of the Diagnostics Menu

  12. IPSec EAP Radius Support

  13. LTE Diagnostics enhancements

  14. Support for page size on list views like Firewall

  15. Route Diagnostics shows Protocol Name

  16. VRRP Fix for IPv4 and IPv6 Support

  17. Authenticator 802.1X enhancements and diagnostics

  18. OpenVPN Shared Key Config fixes

  19. IPSec fix for AES-GCM in Phase 1

  20. OpenVPN Restart on Gateway change

26.11. VT AIR 21.07

  1. DDoS Firewall Early Drop

  2. Suricata DDoS Firewall Blocking

  3. Suricata Update Rules or Groups

  4. Gateway Check History

  5. Web Application Firewall

  6. HAProxy Proxy Option

  7. Wireguard VRRP Master Option

  8. Firewall Rules Delete All

  9. Intrusion Protection VT AIR Pro Rules Support

  10. Gateway Force Down Option

  11. Letsencrypt DNS Authentication

26.12. VT AIR 2.2.9

  1. State Counter

  2. GRO Fix

  3. Netflow Export

  4. App Container Environment Variables

  5. MPLS LDP

  6. OpenVPN GUI Improvements

  7. CPU Profiles

  8. Fixes

26.13. VT AIR 2.2.8

  1. Captive Portal User Authentication

  2. VirtualIP Alias can have a Netmask

  3. Intrusion Detection option Drop First

  4. DHCP Options NTP Fix

  5. OpenVPN User Authentication Diagnostics Fix

  6. Captive Portal is part of the base Installation

  7. Intrusion Detection Diagnostics add a protocol dropdown

  8. IP reverse DNS for Firewall and Intrusion Detection Diagnostics

  9. App Definition Copy

  10. Identity Management

  11. User based Firewall Rules

  12. VirtualIP Carp setting for start mode (Master/Backup)

  13. IPSec fixes and options for close/open/dpd

  14. SDWAN support (Preview)

  15. Linux Kernel 5.10 (LTS)

26.14. VT AIR 2.2.7

  1. App Control (Application Firewall Rules)

  2. Security Dashboard

  3. VXLAN Support

  4. WebVPN Groups Support

  5. Webfilter SSL Man in the Middle Support

  6. Webfilter Auto Detect PAC File

  7. Sudo Support

  8. IPSec Ping Check

  9. OpenVPN Copy Option

  10. Webfilter is part of the base Installation

  11. Intrusion Detection show predefined rules

  12. Wireguard Copy Option

  13. Route remove if Gateway is down

26.15. VT AIR 2.2.6

  1. New WebVPN Addon

  2. Intrusion Detection is part of the base system

  3. Intrusion Detection Speedups

  4. SNAT output interfaces

  5. Firewall rules trace

  6. Google IPs as Alias

  7. Notification Messages for Interface, Gateway, Virtual IP change

  8. Web Filter (Squid) Fixes

  9. Wireguard Config Import

  10. Wireguard MTU option

  11. Wireguard Routing Table option

  12. Web Filter change blacklist

  13. Audit Log Export

  14. MPLS Support

  15. Multipath Routes Support

  16. Docker Fixes and Show Ports in the GUI

  17. Users and Groups are moved to their own Menu item

  18. GUI Login requires System Admin (Admin) or System User (User) group membership

26.16. VT AIR 2.2.5

  1. LTE fix SIM PIN leading zero is removed

  2. Captiveportal fixes for OSX/iPhone

  3. Apply Change now checks for in progress on the Webgui

  4. Firewall Rule Routing Table Back Direction

  5. Dashboard Traffic Widget can be added multiple times

  6. IPSec Allow All/Any as Interface

  7. Captive Portal Timeout for clients

  8. Alias/CP Hostnames are now resolved more accurately

  9. HAProxy Backend Sticky Table

  10. Wireguard DNS Server

  11. Wireguard Multiple IP Addresses

  12. Wireguard Peer Export

  13. Wireguard QRCode for config exports

  14. PPPoE Interface Master Only

  15. SHDSL Mode and PAM

  16. Default Certificate can be removed

  17. Dashboard Columns can be set

  18. Firewall Diagnostics show current ruleset

  19. CPU Mitigation can be enabled/disabled

  20. SNMP Temperature export

26.17. VT AIR 2.2.4

  1. Squid ClamAV Virus Scanner

  2. Squid Shallala Blacklist

  3. IPSec Diagnostics shows Encryption Parameter

  4. LTE Roaming Option

  5. Diagnostics have auto reload enabled

  6. IPSec Support additional Algorithms (AES-CCM, ChaCha20)

  7. GRETAP Support (Layer 2)

  8. PCrypt for parallel encryption speedup

  9. LDAP Automatic User Sync

  10. Auto Update Report Emails

  11. DynDNS Strato Support

  12. 802.1X Authenticator Addon

  13. Firewall Custom Rules in GUI

  14. WireGuard VPN Support

26.18. VT AIR 2.2.3

  1. Escape Virtual IP Password

  2. LTE Templates for Providers

  3. Update Pages shows individual updates

  4. Traffic Widget option for PPS

  5. Backup Name includes hostname and time

  6. State Deletion of Offloaded Connections

  7. Rate Limit SSH to VT AIR

  8. IPSec Secondary Authentication

  9. IPSec Client Connection Support

  10. IPSec Support for EAP-TLS, EAP-MD5, EAP-MSChapv2

  11. Squid Proxy Addon

  12. Auditlogs for SHDSL, VDSL, LTE, Apps

  13. LTE Autoconnect and Refresh Fixes

  14. Captive Portal Updates

  15. IPSec Fix Problems with Certificate Authentication

  16. DHCP Client Leasetime Field Added

  17. Certificate only requires CNAME

  18. GRE Keepalive Support

  19. SNMP Fixed Interface MIBs for VT AIR Models internal interfaces

  20. Fixes

26.19. VT AIR 2.2.2

  1. Fixes

  2. Firewall Time Support

  3. VDSL Diagnostics

  4. ARP Table Settings

  5. QoS Bridge

  6. LTE Diagnostics

  7. Certificate Creation on User Page

  8. Two Factor Authentication GUI + OpenVPN

  9. Captive Portal

26.20. VT AIR 2.2.1

  1. Fixes

  2. VDSL Settings and Diagnostics

  3. Update Email Schedule for Updates

  4. Portal Backup of config

  5. NAT and Firewall Search

  6. Copyright in GUI for all packages

  7. GRE over IPSec fixes

  8. GRE responder for keepalive IPv4

  9. QoS Flow offload fixes

26.21. VT AIR 2.2.0

  1. Fixes

  2. LDAP Sync User Groups

  3. NAT Reflection Netmask

  4. OpenVPN Gateways can be selected

  5. QoS Flowtable fix

  6. Session Timeout can be configured

  7. Login IPs can be whitelisted

  8. Diagnostics for NTP

  9. DynDNS Home Support

26.22. VT AIR 2.1.3

  1. Fixes

  2. Geo IPs

  3. Office365 Firewall Rules

  4. DNS Blacklists

26.23. VT AIR 2.1.2

  1. Fixes

  2. Bond ARP Check

  3. SNAT Routing Table

26.24. VT AIR 2.1.1

  1. Portal Connection Management

  2. Bond in Bridge

  3. Bond xmit policy

  4. Gateway Groups Diagnostics

  5. DNAT Routing Table

26.25. VT AIR 2.1.0

  1. Bridge Layer2 Firewall Rules

  2. Flowtable Implementation

  3. Remote Access Daemon

  4. Bugfixes

26.26. VT AIR 2.0.0

  1. Config Mode

  2. Suricata for IDS/IPS

  3. UPNP IPv6 Support

  4. Software Raid Support and Diagnostics

  5. Syslogs for more Services

  6. Auto RAID 1 Installation

  7. App Armor

26.27. VT AIR 1.6.0

  1. Email Alerts for Updates

  2. Strongswan Swanctl

  3. Allow for IPSec Interfaces

  4. Backup/Restore fix

  5. P12 Certificate Import

  6. WPA Supplicant for wired Interfaces

  7. IPSec multiple source IPs

  8. UPNPNat working

  9. Letsencrypt Support

  10. Firewall Helper

26.28. VT AIR 1.5.0

  1. Addon Apcups

  2. Addon Ntopng

  3. DHCP Mac Deny

  4. TCPDump file download

  5. RRD Graphs

  6. SMART Status Hard Drives

  7. Systemctl for Firewall

  8. OpenVPN Server Authentication Server

26.29. VT AIR 1.4.0

  1. User Authentication Radius

  2. User Authentication LDAP

  3. Addon Avahi

  4. Addon IGMPProxy

  5. High Availability Config Sync

  6. High Availability VRRP

  7. High Availability Firewall States Sync

  8. Service changes for HA

  9. LAGG set active port

  10. SHDSL Option to disable modem

  11. Wake on LAN

26.30. VT AIR 1.3.0

  1. Fix Users ssh key

  2. Limiter Support

  3. Fix Reset to factory defaults

  4. Ability to change settings after restore before reload

  5. Addon Structure

  6. HAProxy Addon

  7. Hostname Support for Firewall and IPSec

  8. HWInterface Support

  9. Webgui File Manager

  10. VRRP Select Track Interfaces

  11. SFP and Bridge Diagnostics

  12. OpenVPN Importer

26.31. VT AIR 1.2.0

  1. QoS

  2. Flowtables for fast forwarding

  3. Track Interface

  4. DHCPv6 Prefix Delegation

  5. Bugfixes

  6. DNS over TLS

  7. Dynamic DNS

  8. Fix firewall rule logging

26.32. VT AIR 1.1.0

  1. Fix IP detection problem in Axes behind reverse proxy

  2. Add Routing Tables and the ability to assign them via Firewall Rules

  3. Add Gateway Fallback and Loadbalancing

  4. Handle all Gateways in code now

  5. QinQ Interface Support

  6. Allow VTI in Bonds

  7. Fix backup to exclude certain data

  8. MLPPP Support

  9. Gateway Monitoring fixes

  10. OpenVPN fixes

  11. OpenVPN enable certificate + user authentication

  12. GUI fixes

26.33. VT AIR 1.0.1

  1. fix consumer mixin bug

26.34. VT AIR 1.0.0

  1. Initial Release