Last update: 09/04/2008
Current version: 1.235
Latest beta version: 1.3b15
Beta versions: 1.3b
This page provides information about the 1.3b series of m0n0wall beta versions and the changes introduced in them,
and you may also download the latest 1.3b beta version image below.
m0n0wall 1.3b is based on FreeBSD 6.x and has better hardware support than the FreeBSD 4.x
based versions (up to version 1.23x), as well as a few new features. However, it also
has higher hardware requirements.
Remember that beta versions may contain bugs and are not intended for use in sensitive production environments.
1.3b15 (10/11/2008)
WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image.
Other platforms are not affected.
added support for AICCU (a tool for dynamically configuring IPv6 tunnels
from SixXS, allowing
users with dynamic WAN IP addresses to use tunnels)
Note that only heartbeat tunnels are supported at this time (no AYIYA)
updated kernel to 6.3-RELEASE-p5 (ICMPv6 denial of service fix; IPv6
NDP routing vulnerability fix)
fixed IPv6-ICMP firewall rule type matching
added patch to enable custom next-server and filename options for
static mappings in DHCP server (by Stephen Erisman)
WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image.
Other platforms are not affected.
consolidated net45xx, net48xx and wrap images into a single "embedded"
image
an official VM for VMware is now provided with this and all future versions
modified boot loader for embedded images to use the serial speed set by
the BIOS (and no longer a fixed speed as soon as the kernel boots),
as in 1.2x releases
imported "install on Hard Drive" feature (console menu) from AskoziaPBX; this
allows one to install an image on HD/CF by first booting with the cdrom
version of m0n0wall
removed SIP proxy (not much feedback from users; used a considerable amount of
space)
imported ipnat source port randomization patch from FreeBSD CVS
(important when running DNS servers behind m0n0wall with NAT turned on);
added new option to System: Advanced page to control the port range used
for random source port allocation during outbound NAT (default is
1024 - 64535; portrange sysctls have been adjusted accordingly)
fixed a long standing bug with regenerating firewall rules (including
automatically generated ones) that reference the WAN interface when the
WAN IP address changes
changed ZoneEdit update server name to dynamic.zoneedit.com
show driver names for network interfaces (obtained from dmesg) when
assigning interfaces to make it a bit easier for the user to choose
updated Dnsmasq to 2.45
fixed broken time zones (hard links in zoneinfo.tgz)
fixed "RSA Cert Subject" choice for My Identifier on IPsec VPN Mobile Client
setup page (reported by rdnzl)
don't allow the interface's network or broadcast address to be used in
the DHCP client range, and also make sure that the interface's own
address does not fall within the range
made behavior of Interfaces: LAN page more intelligent (only disable
DHCP server if the IPv4 address has actually changed; do not require
reboot if only IPv6 address changed)
updated PHP to 4.4.9
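The DHCP client range rule from the list above (no network or broadcast address in the range, and the interface's own address outside it), written out as an added Python example. It is not m0n0wall's own PHP code; the function name, the problem labels and the two extra checks (range order, range inside the subnet) are assumptions that go beyond what the changelog states.

```python
import ipaddress

def check_dhcp_range(if_addr, prefix_len, range_from, range_to):
    """Return a list of problem labels for a DHCP client range ([] = acceptable).

    Hypothetical helper: the labels and the extra "order" and "outside"
    checks are assumptions for this example, not taken from m0n0wall.
    """
    iface = ipaddress.IPv4Interface(f"{if_addr}/{prefix_len}")
    net = iface.network
    lo = ipaddress.IPv4Address(range_from)
    hi = ipaddress.IPv4Address(range_to)
    problems = []

    if lo > hi:
        # Report the reversed range, then normalise so later checks still work
        problems.append("order")
        lo, hi = hi, lo
    if lo not in net or hi not in net:
        problems.append("outside")
    # /31 and /32 networks have no distinct network/broadcast addresses
    if net.prefixlen <= 30:
        if lo <= net.network_address <= hi:
            problems.append("network")
        if lo <= net.broadcast_address <= hi:
            problems.append("broadcast")
    # The interface's own address must never be handed out to a client
    if lo <= iface.ip <= hi:
        problems.append("own")
    return problems

# Constructed sample configurations: (interface IP, prefix, range start, range end)
SAMPLES = [
    ("192.168.1.1", 24, "192.168.1.100", "192.168.1.199"),
    ("192.168.1.1", 24, "192.168.1.0", "192.168.1.50"),
    ("192.168.1.1", 24, "192.168.1.200", "192.168.1.255"),
    ("10.0.0.65", 26, "10.0.0.60", "10.0.0.70"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, check_dhcp_range(*sample) or "ok")
```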
1.3b13 (07/13/2008)
WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image.
Other platforms are not affected.
added support for IPv6-in-IPv4 tunnels on WAN (for use with tunnel brokers)
added support for IPv6 over PPPoE/PPTP (WAN)
fixed issue where firewall rules on PPTP VPN (and access to m0n0wall's own
services, like ping or DNS, from a PPTP VPN client) wouldn't work if incoming
GRE packets were matched by a traffic shaper rule on WAN
for wrap image, show whether we're running on a WRAP or ALIX board on
the system status page
updated Dnsmasq to 2.43 (query source port randomization)
fixed "Register DHCP leases in DNS forwarder" option
1.3b12 (07/07/2008)
Known bug: DNS forwarder doesn't work when "Register DHCP leases in DNS forwarder" option is enabled
WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image.
Other platforms are not affected.
automatically generate self-signed SSL certificate when switching from
HTTP to HTTPS (CN = current hostname); also add a button to generate a
self-signed certificate on demand on the System: Advanced page
make captive portal "disable concurrent logins" function compare usernames
in a case-insensitive manner
fix polling setting on optional interfaces
add ipnat fix (from ipfilter mailing list) to prevent a (rare) case of
kernel panic when ipnat sees a fragment of a TCP packet, and that
fragment is not the first one
remove PPPoE/PPTP dial-on-demand feature. Still doesn't work properly,
nobody has enough interest in it to fix it, and most people probably
don't need it anyway
remove bpalogin - looks like it's dead
updated Dnsmasq to 2.42
don't run captive portal reauthentication (if enabled) for MAC
pass-through clients (patch by Peter Allgeyer)
repeat banner each time the console menu is displayed
1.3b11 (04/05/2008)
WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image.
Other platforms are not affected.
fixed IPsec to prefer new SAs over old SAs by default (should solve problems with tunnels not working after an interruption or peer IP address change)
added DPD (Dead Peer Detection) option to IPsec tunnels (default off as before)
added asn1dn option to IPsec identifier types to be compatible with what Openswan expects when using certs instead of PSKs
(contributed by Wes Morgan)
fixed SVG traffic/CPU graphs under IE7 (by Daniel S. Haischt)
1.3b10 (03/01/2008)
allow fragmented ESP and NAT-T encapsulated IPsec packets when using the integrated IPsec support (should solve MTU issues)
added patch to make mini_httpd accept intermediate SSL CA certificates
use NTP vendor pool zone for m0n0wall instead of pool.ntp.org (this will also be automatically replaced
in existing installations on the first boot)
fix MSNTP to properly handle server hostnames that start with a digit
updated base system to FreeBSD 6.3-RELEASE-p1
copied dhclient-script from m0n0wall 1.233 (in an attempt at solving the sporadic DHCP renewal problems reported by some users)
fix MPD WAN PPPoE/PPTP auto-reconnect issue
webGUI HTML tidiness fixes by Daniel S. Haischt
put IPSTEALTH in kernel config so that it can be enabled via sysctl if needed
updated ipsec-tools to 0.7
1.3b9 (01/15/2008)
added patch for trap 12 kernel panics on Nokia IP110/IP120/IP130
increased MFS root size by 1 MB to avoid problems with large configs
fixed bridging with interfaces that support hardware TX checksumming (by turning it off for bridged interfaces)
1.3b8 (01/12/2008)
DHCP next-server and filename settings are now exposed through the webGUI
upgraded MPD to version 4.4 (also fixes PPP secondary DNS reject issue with AT&T/Bellsouth)
PPTP VPN RADIUS IP setting removed (always enabled in MPD 4)
updated PHP to 4.4.8
1.3b7 (12/26/2007)
fixed kernel panic when using IPsec and the traffic shaper at the same
time (see FreeBSD PR kern/119036)
fixed SIP proxy when using PPPoE/PPTP mode on WAN interface
added support for IPsec tunnels with (possibly dynamic) remote host names
(instead of fixed IP addresses); the host name is polled at regular intervals
(default 60 seconds), and if the IP address that it maps to changes, IPsec
is reconfigured. Note that this will also cause other (non-dynamic) tunnels
to be briefly interrupted.
added firewall support for decapsulated IPsec packets (new pseudo-interface
"IPsec" in firewall rule editor); this is on by default, but the default
configuration contains a "pass all" rule on the new IPsec pseudo-
interface (and this is also added automatically for existing configurations),
which can then be deleted to actually filter IPsec VPN traffic
enabled larger client subnet sizes (= more concurrent connections) for
PPTP VPN server (up to 256); change subnet size on PPTP VPN
setup page if desired
fixed filtering bridge when used in conjunction with traffic shaper
captive portal reliability fixes
ensure that the pruning process is always run on all active users
properly handle sessions that have not passed any traffic by the time they end
improve locking
updated timezone data
stop discriminating against nge(4) (National Semiconductor PCI Gigabit Ethernet) adapters
fix DHCP release button on interface status page
updated FreeBSD to 6.2-RELEASE-p9
updated ipfilter to 4.1.28 (fixes lockup issues from 1.3b5)
known issue: the system can lock up under heavy load due to a bug in ipfilter 4.1.23 –
see this mailing list post for a description and fixed pre-release images
added siproxd for transparent SIP proxying/masquerading and
simple registrar service (by mwiget)
added vr(4) driver VLAN fix (for ALIX etc.)
sisX interface names are now automatically changed to vrX when running on ALIX
added reset button driver for ALIX
upgraded ipfilter to 4.1.23
fixed FIN handling in ipnat FTP proxy
changed logo/license/footer to include registered trademark sign
console speed for WRAP image is now 38400 as this has always been the
default for new WRAP (and ALIX) boards anyway
modified WRAP image kernel to also work with ALIX.2 (added vr device and
USB EHCI + CPU soft reset patches to wrap kernel; tested on prototype board)
for ALIX, interfaces need to be re-assigned (vr* instead of sis*)
patched hostapd to support writing PID file; start hostapd with -B
flag (fixes problem with wireless interfaces that have WPA enabled
not being initialized properly on boot)
recompiled MPD with current MSS/dial-on-demand patches (also fixes idle timeout bug)
removed code that auto-selects subnet mask on LAN and OPT setup
pages (it's confusing and doesn't necessarily get it right)
added kernel patch for fragment bug in ipfilter (contributed by Frank Edwards)
modified kernel patch to handle ipnat+dummynet in ip_input -> should fix problems
with captive portal not reporting downloaded data per user properly when the
traffic shaper is on, and also makes per-user bandwidth limits work again
added ural(4) to list of recognized wireless NICs
removed "-P" option from boot.config again (doesn't work properly with USB keyboards)
added kbdmux to kernel config of generic-pc(-cdrom) -> should fix problems with USB keyboards
WARNING: the generic-pc image no longer fits on 8 MB CF cards! (>= 10 MB required)
enabled NAT-T support for IPsec VPN (enable via webGUI)
compiled SNMP agent with support for memory usage information MIB
back-ported MSS clamping fix from MPD 4.0b5 to MPD 3.18 (fixes MTU problems with PPPoE client)
enabled hostap for wireless cards supported by the ral(4) driver
forced PIO mode for ATA driver to work around problems with quirky hardware (IDE controllers, CF cards)
automatic keyboard detection for generic-pc(-cdrom); fallback to serial console if no keyboard found
enabled AES for IPsec phase 1
Captive portal fix (jdegraeve): now always sends the session time in RADIUS accounting messages
instead of only sending it within an Accounting-Stop.
This should make most prepaid systems work again.
1.3b1 (12/16/2006)
Note: a bug has been identified in MPD 3.18 (TCP MSS clamping is only applied to inbound and
not outbound packets). This affects PPPoE users, who are advised to wait for the next beta version (1.3b2).
changed base system to FreeBSD 6.2-RC1 (final 1.3 version will be based on FreeBSD 6.2-RELEASE)
WARNING: the generic-pc image no longer fits on 8 MB CF cards! (>= 10 MB required)
added support for new wireless features in FreeBSD 6
Atheros cards are finally supported!
channel selection on interface setup page now reflects actual capabilities of card
wireless status page shows scanned APs in client mode and associated stations in hostap mode
WPA support is expected in the next release
for generic-pc-cdrom, the configuration may now also be stored on a USB memory stick
(instead of a floppy disk). m0n0wall will automatically probe for a USB stick with
a FAT file system first, and if this fails, fall back to the floppy drive.
Note that this release can also be booted directly from a USB memory stick on most PCs
(simply install the generic-pc image to your USB memory stick with physdiskwrite),
so generic-pc-cdrom is now only for machines that either don't have USB at all or
that can't boot from USB due to BIOS limitations.
removed MTU option from Interfaces: WAN page. This used to control TCP MSS
adjustment, but since the non-NAT-dependent MSS fixup patch kludged into ipnat
has not been ported to ipfilter 4 (and is an ugly hack at best anyway), MSS
fixup is now automatically applied for PPPoE connections (where it is actually
needed) using MPD's integrated feature and shouldn't be necessary in other cases
a rather intrusive kernel patch was required to make concurrent traffic shaping + NAT on the
WAN interface possible; if you rely on this feature, please test it well and report any problems
Version: 1.3b15
Release date: 10/11/2008
If you're already running a previous version of m0n0wall on a Soekris or PC Engines board, download the
"embedded" image and rename it to reflect your current platform in order to upgrade via the
webGUI (i.e. replace "embedded" in the filename by "net45xx", "net48xx" or "wrap").
embedded-1.3b15.img
Type: raw CF image for Soekris and PC Engines boards
Size: 6.94 MB
MD5: 9d936676ca28128e217319cfa6a7540e
SHA256: 54cb406bebb5dc48cfe6623136405236eb9cd3ae06a61ccca07c83e3f709cc85

generic-pc-1.3b15.img
Type: raw CF/HD/USB drive image for generic PCs
Size: 8.19 MB
MD5: 9cc4dc5f7b7791aeaee504afecfafa5e
SHA256: b2b51c3dfbc2cc6aac18310a65cb9a1b07e9d3015e34e6e0ffbf36ad9cf1fa25