Category     

Series 3: Firmware Release Notes

« Go Back

Information

 
Content

Notable feature changes between firmware releases

Products Supported: Series 3. Click here to identify your router.

 


Quick Links

Summary

Description

Related Articles

Notes


 

Summary

This article shows the feature changes, bug fixes, and feature additions for all Series 3 Cradlepoint firmwares from version 3.6.3 to 6.1.3.


 

Description

This article describes the notable feature changes, bug fixes, and feature additions for all Series 3 Cradlepoint routers from firmware version 3.6.3 through firmware version 6.1.1. The modem compatibility lists and new modem support lists for each release are not included here.

This information is gathered from the .PDF release note documents for each firmware release. The .PDF release notes and the firmware files themselves may be downloaded from http://www.cradlepoint.com/firmware.

Important Notes

Before upgrading to new firmware, it is always a good idea to save the configuration file from your current version. This firmware version will remove a configuration for version 3.2 or lower and will not try to keep your settings.

Revision 5.2.0 was a significant change from previous releases. Updating from prior versions to 5.0.0 through the router UI or ECM will keep all current settings. Factory resetting 5.1.0 and then reapplying a saved configuration from a pre-5.0.0 version may not reset all saved passwords correctly. Downgrading from 5.2.0 or later to an earlier version WILL force a factory reset on the router. Saving a 5.0.0 or later configuration and applying it to an earlier version will change any non-default passwords to an unknown string.
 

Firmware Version 6.2.0 (09/20/2016)

Products supported/tested:

AER3100/AER3150

AER2100

AER1600/AER1650

IBR1100/IBR1150

IBR600/IBR650

IBR600B/IBR650B

IBR350

CBA850

Note: Before upgrading to new firmware, it is always a good idea to save the configuration file from your current version. This firmware version will remove a configuration for version 3.2 or lower and will not try to keep your settings.

Modems tested (New 6.2.0 modems / modem platforms are in **bold** text)

Cradlepoint Cellular Devices (Embedded & USB Modems)

Cradlepoint AER16x0LPE - AT / AT&T (USA)
Cradlepoint AER16x0LPE - GN / T-Mobile, US Cellular (USA); Generic (North America)
Cradlepoint AER16x0LPE - SP / Sprint (USA)
AER16x0LPE - VZ / Verizon (USA)
Cradlepoint AER16x0LP4 / AT&T, T-Mobile, Verizon (USA)
Cradlepoint IBR350L / Verizon (USA)
Cradlepoint IBR350LPE - AT / AT&T (USA)
Cradlepoint IBR350LPE - GN / T-Mobile (USA); Generic (North America)
Cradlepoint IBR350LPE - SP/ Sprint (USA)
Cradlepoint IBR350LPE - VZ / Verizon (USA)
Cradlepoint IBR350P2 / AT&T (USA); Generic GSM-compatible locations (World)
Cradlepoint IBR6x0B-LP4 / AT&T, T-Mobile, Verizon (USA)
Cradlepoint IBR6x0LPE-AT / AT&T (USA)
Cradlepoint IBR6x0LPE - GN / T-Mobile, US Cellular (USA); Bell Mobility, Rogers, Telus (Canada); Generic (North America)
Cradlepoint IBR6x0LPE-SP/ Sprint (USA)
Cradlepoint IBR6x0LPE-VZ / Verizon (USA)
Cradlepoint IBR6x0LP3-EU / Generic (Europe)
Cradlepoint IBR11x0LPE-AT / AT&T (USA)
Cradlepoint IBR11x0LPE-GN / C-Spire, T-Mobile, US Cellular (USA); Bell Mobility, Rogers, Telus (Canada); Generic (North America)
Cradlepoint IBR11x0LPE-SP / Sprint (USA)
Cradlepoint IBR11x0LPE-VZ / Verizon (USA)
Cradlepoint IBR11x0LP3-EU / Generic (Europe)
Cradlepoint IBR11x0LP6 / AT&T, Sprint, T-Mobile, Verizon (USA); Generic (North America, Europe)
Cradlepoint MC400L2 / Public Safety Band 14 only (USA)
Cradlepoint MC400LPE-AT / AT&T (USA)
Cradlepoint MC400LPE-GN / T-Mobile, US Cellular (USA); Bell Mobility, Rogers, Telus (Canada); Generic (North America)
Cradlepoint MC400LPE-SP / Sprint (USA)
Cradlepoint MC400LPE-VZ / Verizon (USA)
Cradlepoint MC400LP3-EU / Generic (Europe)
Cradlepoint MC400LP4 / AT&T, T-Mobile, Verizon (USA)
Cradlepoint MC400LP6 / AT&T, Sprint, T-Mobile, Verizon (USA); Generic (North America, Europe)

 

3rd Party USB Cellular Modems

Franklin U770 (“Sprint Plug-In-Connect Tri-Mode USB Modem”) / Sprint (USA)
Huawei E3276 / Telus (Canada)
Huawei E368 (“AT&T USBConnect Force 4G”) / AT&T (USA)

Netgear AC340U (“AT&T Beam”) / AT&T (USA)
Netgear AC341U (“NETGEAR® 341U USB Modem”) / Sprint (USA)
supports Netgear firmware 4.07.01.11 and MR2 firmware 45.04.20.00
Novatel 551L LTE (“Verizon USB551L”) / Verizon (USA)
Novatel U620L (“Verizon MiFi© 4G LTE Global USB Modem U620L”) / Verizon (USA)
Novatel U679 (“4G LTE Novatel Wireless U679 Turbo Stick”) / Bell Mobility (Canada)
Pantech UML295VW (“Verizon 4G LTE USB Modem UML295 4G LTE”) / Verizon (USA)
requires Pantech firmware version L0295VWD821F.B4 or later
Portsmith PSA1U1M ("Portsmith USB Client to Analog Modem Adapter") / POTS phone providers
Sierra Wireless 308 USB (“AT&T USBConnect Shockwave”) / AT&T (USA)
Sierra Wireless 313U (“AT&T USBConnect Momentum 4G”) / AT&T (USA)
Sierra Wireless 320U (“Telstra USB 4G (Sierra AirCard 320U)”) / Telstra (Australia)
Sierra Wireless 330U (“4G LTE Sierra Wireless U330 - Turbo Stick”) / Bell Mobility (Canada)
Sierra Wireless 330U (“LTE Rocket Stick – Sierra Wireless AirCard 330U”) / Rogers (Canada)
ZTE MF683 (“T-Mobile Rocket 3.0 4G Laptop Stick”) / T-Mobile (USA)

Analog Modems

Portsmith PSA1U1M (“Portsmith USB Client to Analog Modem Adapter”) / POTS phone providers
Portsmith PS6EX1M ("Portsmith ExCard to Analog Modem Adapter”) / POTS phone providers (ExpressCard format, compatible with MBR1400s, MBR1200B, & CBA750B only)

 

New features added in this release**

(Not all features are in all products – see their respective Data Sheets)

 

  • Disable router bounce pages by default
  • Dashboard UI alert and set Attention LED if the user has not changed the default admin or WiFi passwords.
  • (SDK Beta) Updated pyserial to the latest version
  • (SDK Beta) We made a change to the manifest. A new option “auto_start” was added that controls whether the SDK application will start upon router boot. If this option does not exist, then the application will not be run. This is a change from 6.1.0 behavior and applications that automatically started in 6.1.0 will stop working until they get this change.
  • Improved SSH port forwarding
  • Allow routing policies to match on router-generated traffic
  • Respond to NTP requests based on router time without having to forward to WAN
  • 6.1.1, 6.1.2, and 6.1.3 features added to multiple products
    • See full release notes for each release below, in general:
      ▪ 6.1.1 GPS improvements and WiFi client driver
      ▪ 6.1.2 Defect fixes
      ▪ 6.1.3 Routing changes, NTP improvements
  • (CBA850) Added QoS support to the product
  • LP4 modem automatic carrier detection and modem image switching support on multiple routers

Security defects fixed

  • OpenSSL was upgraded to version 1.0.1t. No issues were known to affect our routers
  • Sanitize strings to mitigate XSRF attacks
  • Limit exposure to XSS attacks
  • When debug logging and TACACS authentication was enabled, the user’s password was showing up in log messages

Additional UI/Usability changes

  • Networking -> WiFi as WAN menu dropdowns changed from "Wireless as WAN” to “WiFi as WAN”
  • Updated Security -> Cloud-Based Security page
  • Add priority to Zone Firewall zone matching
  • Allow the user to upload the HTTPS private certificate
  • Changes to microstatus improve performance for Remote Administration
  • Combine static and policy-based routing. Make the system routing policy and table a special entry in a larger list of policies/tables used for policy routing. Allow drag-drop reordering of the routing policies to control the priorities. Generalize the UI for adding/editing/deleting policies and tables to work for both static and policy-based.
  • Improved the Policy Based Routing UI
  • Sort help results by relevance
  • Administration -> Device Control -> Device Console allows the user to save CLI history
  • Additional Routing Protocol status
  • Make DHCP server’s start and end range more informative
  • Added ability to configure IPsec responder only for DMVPN hubs from UI
  • CLI – Added the “clients” command to show currently connected clients and perform actions on them.
  • Support backup RADIUS server for WPA Enterprise in AER products
  • Renamed Web Filter Settings to Upstream Proxy Settings and improved the Network Web Filter Rules UI
  • Identities MAC and Host Address Add form should use the same entry form as Ports
  • Missing help on RIP Interfaces wizard page
  • AER1600 has 802.11b Wireless Mode for 5Ghz Radio
  • “Common Name” field in local certificate needs to be a required field
  • RIP, add split-horizon poisoned-reverse setting
  • Route map values not getting reset when set action is changed
  • Clean up edit dialog for status route
  • GRE tunnel status is not updated when configured as failover/failback tunnel
  • Added IPsec exclusion policies
  • Clarified some wording on the NHRP page
  • QoS settings for modem download was limited to 75Mbps, that number was increased to 300Mbps. WiFi as WAN or client was increased to 600Mbps. The CLI can be used to increase the QoS upload/download settings if the interface is faster than the UI allows.
  • Dashboard was changed to not display WiFi values if it is disabled
  • PoE status reports voltage with no current for externally powered CBA850
  • (AER3100) When a PD is plugged into one of the PoE ports, it may be detected as class 6 (0-4 are allowed)
  • VLAN interfaces UI does not display new VLAN added until refresh of browser
  • Zone Definition does not always match against the highest priority Zone Definition rule
  • LAN Config Name in Zone Definition that has the interfaces field left blank should set the field to "Any". When this is saved, the Zone Definition created displays "Incomplete ()" for the interface in the Zone.
  • Added help to Zone Priority
  • RIP authentication should be per interface and not per router
  • AER1600 Support link broken
  • Network scheduler help refers to an “interface” scheduler
  • Added many EMEA cellular operators to the cellular modem’s Auto APN feature
  • Added Verizon to Auto APN feature, as executed when (modem) > SIM/APN/Auth > Access Point Name (APN) is set to Default
  • LP6 (Cat 6) modem. Displays carrier aggregation (LTE-A) diagnostic information when connected
  • LP6 modem, AT&T only. Checkbox now available to disable/ enable AT&T Band 30. Enabled by default.

Defects fixed

  • Advanced NTP takes a long time to set time after VPN establishes
  • ECM ping results screen showed unexpected behavior when ping host is unreachable
  • MAC address based content filtering allows all clients access
  • Router needed to be rebooted to restore a Zscaler tunnel that disconnected
  • Wired 802.1x authentication doesn’t work after reboot while server is remote
  • Responder IPsec VPN traffic leaving wrong interface
  • DHCP Relay didn’t work with VRRP
  • Firmware version 6.1.1 adds incomplete OSPF Ranges and Virtual Links when upgraded from 6.0.2 or 6.0.5
  • SNMP Daemon crashes and restarts when using snmpbulkget and modem OIDs
  • Certificate Signing Request does not list all certificates as options in the Certificate Name dropdown
  • WiFi issues with LAN scheduler enabled
  • (CBA850) Changing name of VID while the interface is associated with a network
  • When adding Local Networks to Cloud Bases Filtering, Network Address is not showing when saved
  • GRE keepalive using GRE keys failure
  • IBR350 didn’t show the correct modem type in its name
  • Standby modem shows Red in microstatus, not Yellow
  • WAN Affinity WAN Binding Type not allowing internal modem for Port type on AER1600
  • Hotspot Services Redirect URL hidden
  • VLAN, changing name of VID while an interface is associated with a network
  • WAN Affinity causing failure check to not function
  • AER3100 showing 50% CPU utilization on default settings
  • Passthrough reservation field not able to leave blank
  • PPTP unchecked will not allow GRE traffic to pass
  • NHRP shortcut fails when default route is not out WAN
  • Unable to reserve active IPv6 lease via Active Lease Grid
  • Can’t enable PMTU discovery for VTI
  • SSH client failed connection gives no feedback from SSH session into router
  • LLDP did not return all neighbors
  • Restore and Upgrade error if Factory Reset option selected
  • Reputation file upload incorrectly reports the wrong number of lines read
  • MAC address filter rules not matching when using uppercase letters
  • Netperf will not run speed test on links in “standby” state
  • Netperf initial control tree missing
  • OpenVPN Status Exception
  • OpenVPN site-to-site: Missing Forwarding ACCEPT rules
  • Connection Manager fails to disconnect AP completely when disable is selected
  • Default information originate not implemented for RIP
  • RIP md5 auth mismatch not logged
  • DHCP relay: responding dhcp server seeing request coming from original network
  • IPsec “always on” sometimes chooses wrong WAN interface
  • Network scheduler issues:
    • doesn’t respond to timezone change
    • doesn’t suspend added BSS
    • ignored Sunday
    • is inverted from UI
  • For dial-up modems, the profile configuration now includes the SIM/APN/Auth menu

Known issues

  • Reputation Services (6.0.1). If you upload a reputation file to the router, save the configuration, factory reset, then reload the configuration file any firewall entries referencing that reputation file will fail. The reputation file is not saved in the exported configuration file.
  • If any of the router’s WAN connections (Ethernet, Wi-Fi as WAN, modem) connects to a device that has the same IP subnet as the router, the router will disable the interface and provide a Bounce Page warning that the WAN interface has a conflict (if bounce pages are enabled). Simply change the LAN IP Address on the Network Settings -> WiFi/Local Network Settings page in the UI.

LTE

  • Unless you have a specific service from your carrier, LTE modems will not generally provide an externally - available IP address. Services, such as Remote Management, will not work.

Modem

  • Franklin U770. The Modem’s Ethernet address conflicts with the default address of the Guest LAN. A warning message is placed in the log and the Guest LAN is disabled. If you change the address of the Guest LAN to a non-conflicting address, this restriction will not occur.
  • Sierra Wireless 313U, 330U. When these modems connect on 2G or 3G bands, specifically on GSM 850, they will sometimes cause interference on the USB bus, resulting in the modem not plugging properly. If this occurs, attaching the modem to a USB extension cable will generally fix the problem.
  • The following US B modems contain an embedded web server through which many modem settings are configured. To access the modem’s web pages, you must be logged in as the router administrator. Once logged in, you can then access the modem web pages at these given IP addresses: -Franklin U770 / Sprint (USA) -> 192.168.10.1
    • Netgear AC341U * / Sprint (USA) -> 192.168.1.1 (address is configurable)
    • Pantech UML295VW * Verizon (USA) -> 192.168.32.2
  • The modem web pages are available only when the modem is operating in NAT mode.


Firmware Version 6.1.3 (07/11/2016)

Products supported/tested:
AER1650

New features added in this release
(Not all features are in all products – see their respective Data Sheets)

  • NHRP Log reduction
  • Route ECM traffic separately from other router services traffic
  • NTP Improvement (System -> Administration -> System Clock)
    • Added NTP Authentication
    • Added support for multiple NTP Servers
    • Added support for the router providing NTP updates to attached clients on the LAN
  • Switch port description / labeling (Networking -> Local Networks -> Ethernet Ports).  Under the Ethernet Ports tab, each of the ports can be edited and given a name.
  • Only LAN configuration settings that affect a VPN tunnel will cause it to restart.
  • Allow the admin to configure a Syslog port (System -> Administration -> System Logging)
  • Allow the admin to configure the source IP address of multiple Router Services (ECM, NTP, Syslog, and TACACS).  Under Networking -> Routing -> Static and Policy Routing -> Route Policies, Add or Edit a policy.  Under Incoming Device, select one of the ‘lo’ (local originated) devices.

Security defects fixed

None in this release

Additional UI/Usability changes

None

Defects fixed

None

Known issues

  • Reputation Services (6.0.1).  If you upload a reputation file to the router, save the configuration, factory reset, then reload the configuration file any firewall entries referencing that reputation file will fail.  The reputation file is not saved in the exported configuration file.
  • IPSec.  Certificates do not work if Router Services used (new feature in 5.2.0)
  • If any of the router’s WAN connections (Ethernet, Wi-Fi as WAN, modem) connects to a device that has the same IP subnet as the router, the router will disable the interface and provide a Bounce Page warning that the WAN interface has a conflict. Simply change the LAN IP Address on the Network -> Local Networks -> Local IP Networks page in the UI.


LTE

Unless you have a specific service from your carrier, LTE modems will not generally provide an externally-available IP address. Services, such as Remote Management, will not work.

Modem

  • Franklin U770.  The Modem’s Ethernet address conflicts with the default address of the Guest LAN.  A warning message is placed in the log and the Guest LAN is disabled.  If you change the address of the Guest LAN to a non-conflicting address, this restriction will not occur.
  • Sierra Wireless 313U, 330U. When these modems connect on 2G or 3G bands, specifically on GSM 850, they will sometimes cause interference on the USB bus, resulting in the modem not plugging properly. If this occurs, attaching the modem to a USB extension cable will generally fix the problem.
  • The following USB modems contain an embedded web server through which many modem settings are configured. To access the modem’s web pages, you must be logged in as the router administrator. Once logged in, you can then access the modem web pages at these given IP addresses:

Franklin U770 / Sprint (USA) -> 192.168.10.1
Netgear AC341U * / Sprint (USA) -> 192.168.1.1  (address is configurable)
Pantech UML295VW * Verizon (USA) -> 192.168.32.2
* The modem web pages are available only when the modem is operating in NAT mode.



Firmware Version 6.1.2 (07/11/2016)

Products supported/tested

IBR1100/IBR1150

New features added in this release:
(Not all features are in all products – see their respective Data Sheets)

Initial LP6 Sprint release

Security Defects fixed

None in this release

Additional UI/Usability changes

  • Added “No supported GPS devices found” alert to GPS configuration page if no attached modem supports GPS.
  • Allow selected GPIOs to have configurable direction
  • Allow TAIP Vehicle ID to have characters in addition to standard alphanumeric
  • Enhanced dual SIM management and APN recovery support
  • Enhanced Cradlepoint modem firmware management

Defects fixed

  • SDK (Beta) cannot open IBR11x0 internal serial port
  • Resolved LP6 Verizon APN OTA failures on certain devices
  • Failback from SIM2 to appropriate SIM1 device is now addressed


Known issues

  • Reputation Services (6.0.1).  If you upload a reputation file to the router, save the configuration, factory reset, then reload the configuration file any firewall entries referencing that reputation file will fail.  The reputation file is not saved in the exported configuration file.
  • IPSec.  Certificates do not work if Router Services used (new feature in 5.2.0)
  • If any of the router’s WAN connections (Ethernet, Wi-Fi as WAN, modem) connects to a device that has the same IP subnet as the router, the router will disable the interface and provide a Bounce Page warning that the WAN interface has a conflict. Simply change the LAN IP Address on the Network -> Local Networks -> Local IP Networks page in the UI.


LTE

Unless you have a specific service from your carrier, LTE modems will not generally provide an externally-available IP address. Services, such as Remote Management, will not work.

Modem

  • Franklin U770.  The Modem’s Ethernet address conflicts with the default address of the Guest LAN.  A warning message is placed in the log and the Guest LAN is disabled.  If you change the address of the Guest LAN to a non-conflicting address, this restriction will not occur.
  • Sierra Wireless 313U, 330U. When these modems connect on 2G or 3G bands, specifically on GSM 850, they will sometimes cause interference on the USB bus, resulting in the modem not plugging properly. If this occurs, attaching the modem to a USB extension cable will generally fix the problem.
  • The following USB modems contain an embedded web server through which many modem settings are configured. To access the modem’s web pages, you must be logged in as the router administrator. Once logged in, you can then access the modem web pages at these given IP addresses:


Franklin U770 / Sprint (USA)                  -> 192.168.10.1
Netgear AC341U * / Sprint (USA)            -> 192.168.1.1    (address is configurable)
Pantech UML295VW * Verizon (USA)     -> 192.168.32.2

* The modem web pages are available only when the modem is operating in NAT mode.


 

Firmware Version 6.1.1 (05/02/2016)

Products supported/tested

IBR1100/IBR1150

New features added in this release:

(Not all features are in all products – see their respective Data Sheets)

  • WiFi as WAN improvements

    • To allow large concentrations of nearby Cradlepoint routers to ease contention of the WiFi RF spectrum, a new Inhibit WiFi AP checkbox option has been added to the two radio band tabs in the WiFi as WAN page. When this selection box is checked, the AP on that radio band will stop supporting any WiFi client activity. This is true even if the WAN WiFi unit is connected on the other radio band, if the inhibit checkbox is checked on the current band.
  • GPS improvements

    • Add multi-unicast functionality to GPS, allowing a single configuration for all clients. The GPS position update (e.g., NMEA, TAIP) can now be sent (unicast) to all attached devices on the device's local network. In the "Send to Servers" configuration, a drop list will show a list of local network interfaces. A single IP address or hostname can still be entered.
    • When a local network is selected, all devices given an IP address (all DHCP clients) on that network will receive the GPS update. Only UDP is supported.
    • This send to local network feature allows devices to receive GPS updates without requiring a fixed IP address.

Security defects fixed

  • None in this release

Additional UI/Usability changes:

  • Added a Status -> Local Network page

Defects fixed

  • WWAN mode dies periodically due to the STA mode driver incorrectly counting ICV errors
  • WiFi as WAN gets into a connecting/disconnecting loop and never stops trying
  • System ECM configuration help claims wrong URL default
  • CLI ping returns odd response – send 3 requests, see 5 responses
  • NMEA string too long errors
  • GPS send-to-server destination doesn’t allow hostname, just IP address
  • GPS sentences are not adding the leading zeros for longitude
  • Modem temperature is not displayed in the UI
  • Status -> Internet -> Statistics RSSI and SINR graphs are restored
  • After automatic carrier switch in a dual sim device, the link change event is now accurately displayed in the Connection Manager

Known issues

  • Reputation Services (6.0.1). If you upload a reputation file to the router, save the configuration, factory reset, then reload the configuration file any firewall entries referencing that reputation file will fail. The reputation file is not saved in the exported configuration file.
  • IPSec. Certificates do not work if Router Services used (new feature in 5.2.0)
  • If any of the router’s WAN connections (Ethernet, Wi-Fi as WAN, modem) connects to a device that has the same IP subnet as the router, the router will disable the interface and provide a Bounce Page warning that the WAN interface has a conflict. Simply change the LAN IP Address on the Network Settings->WiFi/Local Network Settings page in the UI.

LTE

  • Unless you have a specific service from your carrier, LTE modems will not generally provide an externally-available IP address. Services, such as Remote Management, will not work.

Modem

  • Franklin U770. The Modem’s Ethernet address conflicts with the default address of the Guest LAN. A warning message is placed in the log and the Guest LAN is disabled. If you change the address of the Guest LAN to a non-conflicting address, this restriction will not occur.
  • Sierra Wireless 313U, 330U. When these modems connect on 2G or 3G bands, specifically on GSM 850, they will sometimes cause interference on the USB bus, resulting in the modem not plugging properly. If this occurs, attaching the modem to a USB extension cable will generally fix the problem.
  • The following USB modems contain an embedded web server through which many modem settings are configured. To access the modem’s web pages, you must be logged in as the router administrator. Once logged in, you can then access the modem web pages at these given IP addresses:

                 Franklin U770 / Sprint (USA) -> 192.168.10.1

                 Netgear AC341U* / Sprint (USA) -> 192.168.1.1 (address is configurable)

                 Pantech UML295VW* Verizon (USA) -> 192.168.32.2

*The modem web pages are available only when the modem is operating in NAT mode.


Firmware Version 6.1.0 (02/09/2016)

New features added in this release:

(Not all features are in all products – see their respective Data Sheets)

  • Added advanced routing protocol (BGP, OSPF, RIP and RIP-NG) support with a new UI and new configuration options including protocol specific features:
    • We strongly recommend that any migrated routing protocol configuration be closely inspected after upgrading.
    • The configuration for routing protocols has changed substantially. A best effort is made to migrate existing configurations to 6.1.0, and any issues are reported in the system log. Some configurations cannot be migrated — when encountered these failures are reported in the system log and the associated router is disabled in the upgraded configuration.
    • Added route filtering to routing protocols via route maps, prefix lists, access lists and community lists as appropriate.
    • Policy-Based Routing (PBR)-lite. Policy-Based Routing allows for the configuration of multiple unique route tables and rule-based policies to tie interfaces and networks to those tables.
    • Added BGP Multipath functionality
    • Anonymous DMVPN on a spoke can handle multiple GRE keys
  • (IBR1100) WiFi Client Driver for IBR1100 5GHz radio. This is a new mode for the IBR1100 WiFi driver and it is different than the WiFi as WAN feature. WiFi as WAN is necessary when you want to continue to serve 5GHz WiFi clients. WiFi Client dedicates the 5GHz radio to connecting to an external Access Point and provides better connection stability and performance. WiFi Client can also switch from one Access Point to another in a few seconds, while WiFi as WAN takes significantly longer.
    • Note, in an environment where more than 64 external Access Points are available, the router may take longer to switch from one Access Point to another.
  • Improved GPS functionality and stability
  • Connection Manager: Added Standby to Availability list. Configuration is used to decrease failover time from one WAN interface to another.
  • VPN IKE Phase One allows incoming traffic on ports other than 500
  • Certificate Manager can generate certificates with SSL server/client extensions.
  • Allow DHCP start and end range to be the same number
  • Allow SSH-hopping from the router’s CLI to a device on its LAN.
    We've added a basic SSH client to the router. Users may SSH into any device on either WAN or LAN that is running a SSH server.
    • Configurable options include port, login name, data compression, and session ciphers.
    • Following session ciphers are supported: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc, blowfish-cbc
    • Client uses aes256-ctr, aes192-ctr, aes128-ctr (PCI-compliant) ciphers by default. -Two ways to use different ciphers:
      • Set config/firewall/sshadmin/weakciphers to true and the above list is used.
      • Use –c argument along with comma separated list of ciphers (from supported list)
    • User name can be supplied with –l argument or with user@hostname pair. -If client is supplied with a number of hostnames, the last one is used.
  • Added Ability to use NAT-TO for remote networks of 0.0.0.0/0 for VPN tunnels
  • Added ability to verify peer certificates by x509 Extensions in OpenVPN.
  • (LP6 devices) Added Automatic Carrier Selection. Detects the inserted SIM and automatically selects/loads the appropriate modem firmware
  • (Cradlepoint modems) Enhancements to System>System Control>Modem Firmware to support multiple local firmware images with a single modem device
  • (CBA850) While the default configuration for this router is IP Passthrough, one of the Ethernet LAN ports can be configured to a WAN. Assuming default settings, these changes will enable a WAN Ethernet Port. Initial UI access is through the LAN port, as by default the IP Passthrough port does not allow Admin Access.
    • Set the LAN port to WAN
      • Under Networking -> Local Networks -> Local IP Networks, select the IPPT Interface and edit it. Under Access Control, enable Admin Access. Under IPv4 Settings, you can also set the IPv4 Routing Mode to a different type than IP Passthrough (NAT or Standard) if you wish.
      • Under Networking -> VLAN Interfaces, edit the ‘lan’ and set the mode to ‘WAN’. You will lose connection to the router if you are plugged into this port. -You can now connect a WAN cable to what was the LAN port, and use the IP Passthrough port as a LAN port.
    • Set the IP Passthrough port to WAN
      • Under Networking -> VLAN Interfaces, edit the ‘IPPT’ and set the mode to ‘WAN’. You will lose connection to the router if you are plugged into this port.
      • You can now connect a WAN cable to what was the IPPT port, and use the LAN port to communicate with the router.

Security defects fixed:

  • Cross-Site Scripting attack mitigation. Carve Systems, our security auditors, found two occasions where the router’s User Interface was susceptible to an external attack.
    • The WiFi Site Survey did not validate the names of the SSIDs around the router before displaying them on the WiFi as WAN page, so an external SSID with cross-site scripting payload could execute in a router admin’s browser.
    • The System log did not validate the names of external users that were not allowed to log into the router either through the UI or through SSH. If the router admin reviewed the Failed Logins they could execute code in the admin’s browser.
  • UPnP. The version of UPnP we use was vulnerable to a local DoS attack. We updated to a newer version.
  • OpenSSL. CVE-2016-0800, aka DROWN attack. The routers are not affected by this vulnerability. We updated to OpenSSL 1.0.1s as part of normal maintenance.
  • Updated the supported ciphersuite to Mozilla’s suggested compatibility ciphersuite. https://wiki.mozilla.org/Security/ServerSideTLS

Additional UI/Usability changes

  • Added a Status -> Local Network page
  • Make ZScaler policy tagging sortable
  • New Standby Feature states in Status -> Internet -> Statistics Graph
  • Hotspot Services: the Allowed Hosts editor accepts invalid host/domain names
  • Hotspot statistics are swapped
  • Cannot edit Start range or end range of DHCP Server
  • Fixed text alignment on Login page
  • Routing Protocol UI Router array sits on ‘Loading...’ on Firefox 44
  • IBR6x0 GPIO page has unsupported options available
  • Removed APN setting from First Time Setup Wizard. If automatic APN selection does not resolve to a connection, please use Connection Manager profile configuration to set APNs.
  • (Cradlepoint Verizon modems) Added support for new Verizon PLMN 311/270

Defects fixed

  • AER1600/AER3100 Factory reset at power on. For these products, do not hold the factory reset button immediately at power on, please wait 1 second until all LEDs come on and then press the factory reset button.
  • Hotspotsystem Free Hotspot Package Session Timeout does not work.
  • Unable to remote into a Cellular interface while load-balancing is enabled with a wired connection without lowering the MTU on a client PC to 1428 or lower.
  • WWAN - Erroneous data usage reported on first connect when viewed on the client router
  • Device is not checking into ECM when it should after a failover scenario
  • Unable to send device alerts if local domain is unconfigured on the router
  • GRE Tunnels not passing traffic if PPTP is unchecked
  • Radius/UAM Will Not Save 58 Character Password
  • Error message when trying to save a Custom DHCP option that is not in the dropdown list -Local Certificate (Cradlepoint Secure CA) using SHA-1
  • GPS - NMEA enhanced sentences does not log any sentences to client connections. -Display issue when altering Interfaces for a Local IP network -LAN scheduler doesn't work correctly
  • Umbrella/OpenDNS no longer connects on 6.0.x firmware and newer
  • IBR1100:Need to rework how input delay time is displayed for GPIO settings
  • VTI tunnel creating multiple pairings with a policy-based VPN -DHCP Lease Expiration time increments instead of decrements and is showing the incorect lease time to begin
  • IBR1100 with hotspot is causing router lockup and reboot
  • FW 6.0.2 doesn't display a warning when a user attempts to add more than 10 remote netwoks for VPN
  • Ignition Sensing behavior issue in 6.0.1 thru 6.0.4, router not powering down when ignition changes to low state
  • Hotspot Idle-Timeout not working
  • WiFi as WAN: WPA1 and WPA2 Enterprise not saving EAP&TTLS Authentication
  • Client List not showing wired clients
  • LLDP deadlock breaks Admin access and GET status/lldp
  • Static LAN IPv6 configuration does not work
  • tcpdump command not handling multi-word expressions correctly
  • Creating both tunnel mode and VTI mode VPNs would continually create multiple pairings between endpoints.
  • RTC battery alert on AER3100 dashboard constantly popping up despite full battery health.
  • Serial console login prompt on AER3100 does not print output from backspace correctly.
  • OpenDNS does not work on 6.0.x
  • Disabled VPN tunnels are able to go Mature
  • Static WiFi clients appearing in Client List showing old DHCP information
  • MC400LPE-VZ dual SIMs with two different APNs now allow modem to plug properly
  • Dual SIM APN and modem firmware information now displays after SIMs become active
  • Configuration changes made via SMS now display in ECM
  • Migration of v5.2.4 PPPoE rules with USB-to-Ethernet dongle are now exposed in the UI Ethernet tab

Known issues

  • Reputation Services (6.0.1). If you upload a reputation file to the router, save the configuration, factory reset, then reload the configuration file any firewall entries referencing that reputation file will fail. The reputation file is not saved in the exported configuration file.
  • IPSec. Certificates do not work if Router Services used (new feature in 5.2.0)
  • If any of the router’s WAN connections (Ethernet, Wi-Fi as WAN, modem) connects to a device that has the same IP subnet as the router, the router will disable the interface and provide a Bounce Page warning that the WAN interface has a conflict. Simply change the LAN IP Address on the Network Settings -> WiFi / Local Network Settings page in the UI.
  • The CBA850 does not support an external USB-to-Serial adapter when an internal modem is also connected to a Carrier. Please use the internal console port or an Ethernet WAN connection instead.

LTE

  • Unless you have a specific service from your carrier, LTE modems will not generally provide an externally-available IP address. Services, such as Remote Management, will not work.

Modem

  • Franklin U770. The Modem’s Ethernet address conflicts with the default address of the Guest LAN. A warning message is placed in the log and the Guest LAN is disabled. If you change the address of the Guest LAN to a non-conflicting address, this restriction will not occur.
  • Sierra Wireless 313U, 330U. When these modems connect on 2G or 3G bands, specifically on GSM 850, they will sometimes cause interference on the USB bus, resulting in the modem not plugging properly. If this occurs, attaching the modem to a USB extension cable will generally fix the problem.
  • The following USB modems contain an embedded web server through which many modem settings are configured. To access the modem’s web pages, you must be logged in as the router administrator. Once logged in, you can then access the modem web pages at these given IP addresses: Franklin U770 / Sprint (USA) -> 192.168.10.1 Netgear AC341U * / Sprint (USA) -> 192.168.1.1 (address is configurable) Pantech UML295VW * Verizon (USA) -> 192.168.32.2 NOTE: The modem web pages are available only when the modem is operating in NAT mode .
 


Firmware Version 6.0.5 (02/09/2016)

New features added in this release:
 

  • No Features, defect fix only.


Security defects fixed:
 

  • ECM configuration rollback would not work in versions 6.0.2 and 6.0.4.
  • Fixed a defect with Hotspot support that could cause a router deadlock and then reboot.


Known Issues:
 

  • Reputation Services (6.0.1). If you upload a reputation file to the router, save the configuration, factory reset, then reload the configuration file any firewall entries referencing that reputation file will fail. The reputation file is not saved in the exported configuration file.
  • IPSec. Certificates do not work if Router Services used (new feature in 5.2.0).
  • If any of the router’s WAN connections (Ethernet, Wi-Fi as WAN, modem) connects to a device that has the same IP subnet as the router, the router will disable the interface and provide a Bounce Page warning that the WAN interface has a conflict. Simply change the LAN IP Address on the Network Settings -> WiFi/Local Network Settings page in the UI.


LTE:
 

  • Unless you have a specific service from your carrier, LTE modems will not generally provide an externally-available IP address. Services, such as Remote Management, will not work.


Modem:
 

  • Franklin U770. The Modem’s Ethernet address conflicts with the default address of the Guest LAN. A warning message is placed in the log and the Guest LAN is disabled. If you change the address of the Guest LAN to a non-conflicting address, this restriction will not occur.
  • Sierra Wireless 313U, 330U. When these modems connect on 2G or 3G bands, specifically on GSM 850, they will sometimes cause interference on the USB bus, resulting in the modem not plugging properly. If this occurs, attaching the modem to a USB extension cable will generally fix the problem.
  • The following USB modems contain an embedded web server through which many modem settings are configured. To access the modem’s web pages, you must be logged in as the router administrator. Once logged in, you can then access the modem web pages at these given IP addresses:

 

                Franklin U770 / Sprint (USA)                    -> 192.168.10.1

                Netgear AC341U * / Sprint (USA)              -> 192.168.1.1 (address is configurable)

                Pantech UML295VW * / Verizon (USA)     -> 192.168.32.2

                     * The modem web pages are available only when the modem is operating in NAT mode.


 


Firmware Version 6.0.2 (12/15/2015)

New features added in this release

 

  • An updated User Interface has been provided. The menu structure has been revamped to place related features into more logical groupings. A search box has been added to provide simple keyword searches within the UI. Many of the pages include helpful links to Cradlepoint Knowledge Base articles.
  • --The Menu Structure is:
  • Quick Links: This allows the user to place favorite bookmarks in an place that is simple to use
  • Dashboard: This is an update from the previous Dashboard and presents alerts and current status
  • Connection Manager: This is where WAN Interface profiles and priorities can be more easily accessed for enablement and configuration.
  • Status: This is where information about the router’s connections, clients, and system performance can be found
  • Networking: This allows configuration for networks, tunnels, and routing
  • VLAN configuration is under its own tab now
  • Security: This allows for configuration of firewall, content filtering, and Threat Management
  • System: This allows for configuration of administrative settings, firmware updates, and system diagnostics
  • Connection Manager. Redesigned architecture to manage WAN configurations and usage. Deprecated the usage of Advanced Rules and replaced with Profile definitions and support.
  • Networking -> Local Networks -> WiFi Radio -> RADIUS Timeout. Increased Radius Timeout from 65535 seconds to 86400 seconds (1 day).
  • Security -> Identities and Zone Firewall. The firewall interface has been improved with the addition of Identities, which can be Host Addresses, Ports, MAC Addresses, Reputation Lists, and Application Sets (features depending on product). These identities can be used within the Zone Firewall to set up sophisticated policies.
  • Security -> Zone Firewall -> NAT -> Destination NAT. Destination NAT has been updated to include the ability to specify the original destination IP as well as the incoming zone.
  • Security -> Zone Firewall -> NAT -> NAT. NAT allows a one-to-one or dynamic translation of the destination IP address of incoming network traffic to a local network. All ports and protocols will be translated. Network size must match for a direct one-toone translation. If the local network range is larger than the incoming destination range then network traffic will be dynamically translated.
  • (IBR1100) Networking -> WiFi as WAN or Bridge -> Radio Configuration.
  • Changes were made to the 2.4GHz and 5GHz radios to allow the devices to attach to a Hidden SSID without needing to specify a BSSID. If you add a profile,click the “Connect to Hidden SSID” button, and do not enter a BSSID the radio will connect to hidden access points.
  • Changes were made to allow roaming while in WiFi as WAN mode. If “WiFi as WAN roaming” is selected, “Minimum Link RSSI” and “Minimum Survey RSSI” selections become available. If the router’s WiFi as WAN link RSSI is below the Minimum Link RSSI it will search for a router with the same SSID and with higher signal strength. To avoid connecting to AP’s with low signal strength, Minimum Survey RSSI can be set to choose only AP’s with RSSI above the Minimum Survey RSSI (as seen in Site Survey).
  • If you import a WiFi as WAN profile and want to roam, be sure to remove the BSSID from the profile and check the WiFi as WAN roaming checkbox. If you are adding a WiFi as WAN profile, leave the BSSID field blank and enable WiFi as WAN roaming. In both cases, please set Minimum Link RSSI and Minimum Survey RSSI according to the existing WiFi environment.
  • Note that while scanning the router’s WiFi as WAN performance will be lower than when it is not scanning.
  • Improvements were made to both 2.4GHz and 5GHz radios and their performance.
  • (IBR11x0/IBR6x0) System -> Device Alerts. An alert has been added when a GPIO changes state.
  • System -> System Control -> Device Options -> Device Console. A change was made to the ‘serial’ command for Out of Band Management. Instead of ending the serial session with Control-W, we now use Control-X. Control-W works using SSH, but when used through the UI it would close the current tab.
  • (AER31x0) Status -> Ethernet. Power over Ethernet status was added to this page.
  • Networking -> NHRP -> NHRP Editor. Multicast supports Next Hop Server and Dynamic configuration. Dynamic configuration allows multicast packets to dynamically-learned addresses.
  • Security -> Identities -> Reputation. This allows the ability to upload a file of IP addresses from a reputation service provider such as www.spamhaus.org. These addresses can be used with block or allow rules in the firewall. It also provides a way to maintain large lists of IP addresses for use as firewall attributes. Reputation file services do not work using ECM, only at the router UI.
  • Data Usage. Redesigned monitoring and configuration of data usage. Deprecated the original data usage rules and templates and replaced with new definitions in Connection Manager Profiles.


 

 

Security defects fixed:

 

  • UPnP. The version of UPnP we use is vulnerable to a local DoS attack. UPnP is disabled by default and only available on the LAN, so the exposure is minimal. We will update to a newer version in our next major release.

 

Additional UI/Usability changes: - None

 

  • System -> Diagnostics -> Speed Test -> Test Type. Added a third test type, TCP Latency/Jitter. This better reflects those measurements. Also changed the Time vs. Data constraints to better control the testing.

 

Defects fixed:

 

  • IPSec VPN: NAT to Address with 0.0.0.0/0 remote network caused exception
  • VRRP UI defaults reset
  • WiFi Bridge mode broken
  • Knowledge Base links updated to correct location
  • IPv4 DHCP options renumbered
  • Telnet Serial Redirector Linefeed option is ignored on startup until setting is toggled and resaved
  • Zscaler Internet Security did not work correctly with router Hotspot services
  • (AER3100) WiFi as WAN had issues connecting with Protected Management Frames
  • WiFi as WAN doesn’t recover from link errors
  • DHCP Relay causing abrupt error on initial restart
  • IPSec, with more than 1 VTI tunnel additional tunnels establish but don’t pass traffic
  • Zone NAT port forwarding failing with CP Secure VPN
  • OSPF Area ID length limited by UI
  • 802.1x authentication sending wrong NAS-Port Type attribute value for Ethernet clients
  • Hotspot issues with DNS resolves
  • Dashboard WiFi panel is blank
  • Unable to edit GPS Server or Client settings
  • Can’t access admin page (WiFi SSID has apostrophe in it)
  • Hotspot bounce and redirect page issues
  • PFS disabled in IPSec VPN Tunnels causes uneditable VPN Tunnel
  • (IBR1100) Ignition sensing behavior changed
  • (IBR650) Missing GPS settings
  • Port proxy rules UI available on products that do not support it

 

 

Firmware Version 6.0.1 (06/15/2015)

New features added in this release (Not all features are in all products – see their respective Data Sheets)

 

  • An updated User Interface has been provided. The menu structure has been revamped to place related features into more logical groupings. A search box has been added to provide simple keyword searches within the UI. Many of the pages include helpful links to Cradlepoint Knowledge Base articles.

 

The Menu Structure is:

 

  • Security: This allows for configuration of firewall, content filtering, and Threat Management
  • System: This allows for configuration of administrative settings, firmware updates, and system diagnostics
  • Connection Manager. Redesigned architecture to manage WAN configurations and usage. Deprecated the usage of Advanced Rules and replaced with Profile definitions and support.
  • Networking -> Local Networks -> WiFi Radio -> RADIUS Timeout. Increased Radius Timeout from 65535 seconds to 86400 seconds (1 day).
  • Security -> Identities and Zone Firewall. The firewall interface has been improved with the addition of Identities, which can be Host Addresses, Ports, MAC Addresses, Reputation Lists, and Application Sets (features depending on product). These identities can be used within the Zone Firewall to set up sophisticated policies.
  • Security -> Zone Firewall -> NAT -> Destination NAT. Destination NAT has been updated to include the ability to specify the original destination IP as well as the incoming zone.
  • Security -> Zone Firewall -> NAT -> NAT. NAT allows a one-to-one or dynamic translation of the destination IP address of incoming network traffic to a local network. All ports and protocols will be translated. Network size must match for a direct one-toone translation. If the local network range is larger than the incoming destination range then network traffic will be dynamically translated.
  • (IBR1100) Networking -> WiFi as WAN or Bridge -> Radio Configuration. - Changes were made to the 2.4GHz and 5GHz radios to allow the devices to attach to a Hidden SSID without needing to specify a BSSID. If you add a profile, click the “Connect to Hidden SSID” button, and do not enter a BSSID the radio will connect to hidden access points.
  • Changes were made to allow roaming while in WiFi as WAN mode. If “WiFi as WAN roaming” is selected, “Minimum Link RSSI” and “Minimum Survey RSSI” selections become available. If the router’s WiFi as WAN link RSSI is below the Minimum Link RSSI it will search for a router with the same SSID and with higher signal strength. To avoid connecting to AP’s with low signal strength, Minimum Survey RSSI can be set to choose only AP’s with RSSI above the Minimum Survey RSSI (as seen in Site Survey).
  • If you import a WiFi as WAN profile and want to roam, be sure to remove the BSSID from the profile and check the WiFi as WAN roaming checkbox. If you are adding a WiFi as WAN profile, leave the BSSID field blank and enable WiFi as WAN roaming. In both cases, please set Minimum Link RSSI and Minimum Survey RSSI according to the existing WiFi environment.
  • Note that while scanning the router’s WiFi as WAN performance will be lower than when it is not scanning.
  • Improvements were made to both 2.4GHz and 5GHz radios and their performance.
  • (IBR11x0/IBR6x0) System -> Device Alerts. An alert has been added when a GPIO changes state.
  • System -> System Control -> Device Options -> Device Console. A change was made to the ‘serial’ command for Out of Band Management. Instead of ending the serial session with Control-W, we now use Control-X. Control-W works using SSH, but when used through the UI it would close the current tab.
  • (AER31x0) Status -> Ethernet. Power over Ethernet status was added to this page.  Networking -> NHRP -> NHRP Editor. Multicast supports Next Hop Server and Dynamic configuration. Dynamic configuration allows multicast packets to dynamically-learned addresses.
  • Security -> Identities -> Reputation. This allows the ability to upload a file of IP addresses from a reputation service provider such as www.spamhaus.org. These addresses can be used with block or allow rules in the firewall. It also provides a way to maintain large lists of IP addresses for use as firewall attributes. Reputation file services do not work using ECM, only at the router UI.
  • Data Usage. Redesigned monitoring and configuration of data usage. Deprecated the original data usage rules and templates and replaced with new definitions in Connection Manager Profiles.

 

Security defects fixed:

 

  • We upgraded OpenSSL from 1.0.1m to 1.0.1p. No known vulnerabilities were exposed.
  • PCI DSS audit version 3.1 requires removal of SSL or early TLS support from the UI.
  • We now require TLS1.2 support to use the UI. If you need TLS1.0 or TLS1.1 support, the setting can be adjusted using the CLI at /config/system/minimumtlsversion. If Advanced Security Mode is enabled, the minimum TLS version can be set to TLS1.1. If Advanced Security Mode is not enabled, the minimum TLS version can be set to TLS1.0.
  • CLI Scripting support under /config/shell/ has been removed. The sandbox we had created to prevent unexpected access could be exploited locally. Thanks to Max Sobell of Carve Systems for reporting this. The SupportQA CLI command is still available, but works differently now.

 

Additional UI/Usability changes:

 

  • Added WiFi Protected Management Frame (PMF) enable/disable in the WiFi UI. PMF is a new feature required for WiFi Alliance interoperability testing. Some older WiFi clients have problems attaching to an Access Point that has PMF enabled.
  • Added Lock to Carrier for LPE-VZ and LPE-SP modems
  • Added support for Vodafone master / ultra SIMs
  • Extended WAN Verify IPv6 Failure Check with user-configurable Retry Interval and Retry Count

 

Defects fixed:

 

  • Webfilter code was changed to not intercept traffic on non-filtered LANs.
  • OpenVPN site to site tunnel would show tunnel up but not pass traffic
  • IPsec protected GRE tunnel to Cisco iOS router failing phase 2 when protocol is ‘any’
  • GRE over IPSec, disabling remote vpn service brings down GRE tunnel on both ends
  • NHRP cannot set multicast mode via UI
  • Duplicate static routes allowed
  • RADIUS and 802.1x. Wired 802.1x authenticator not responding to EAPOL-start when radius server through IPSec tunnel. WPA Enterprise not functioning when 802.1x is also enabled.
  • Speedtest, when run count was maxed out a custom server couldn’t be used. Custom server wouldn’t run using a hostname instead of an IP address
  • High latency on pings to CDNs on 2.4G and 5G wireless on 3100.
  • Unable to add CPSVPN interface to any zone in the firewall
  • IPSec incorrect tunnel is negotiated if two tunnels share same remote network and one of them is disabled
  • IPSec hub/spoke setup, traffic destined for hub local networks routed out of wan, Force NAT on WAN not being enforced, traffic destined for spoke network from hub not using tunnel
  • IPSec, some configs with “NAT to address” for local network would error
  • IPSec, Dead Peer Detection Failover/Failback didn’t work when router services were enabled through tunnel
  • IPSec, with more than 1 VTI tunnel additional tunnels would establish but not pass traffic
  • DHCP relay causing dnsmasq abrupt exit, error on initial restart
  • Using anonymous IPSec tunnel bound to a secondary WAN interface does not pass traffic to the remote network
  • HTTPS Content Filtering was blocking GET/POST commands
  • GPS Status Map wouldn’t load using HTTPS
  • WiFi SSID scanning, unknown Unicode characters cause exception and stops router from scanning
  • Zone Firewall, traffic matching allowed forwarding for non-default “Eth WAN” Zone was getting caught by anti-spoof filter
  • IP Passthrough would create incorrect persisting connection tracking states when the WAN was cycled
  • GPS was not queueing messages when a WAN connection is lost
  • (AER3100/AER3150/MBR1400v2) Fixed Gigabit link speed compatibility
  • OpenNHRP fails to start sometimes
  • OSPF routes not showing up in routing table
  • Wireless WAN, Site survey value for Authentication mode was not accurate if Protected Management Frames were enabled
  • Exception after RADIUS Stop packet with Hotspot Services
  • VRRP multicast traffic getting caught in IPSec full tunnel
  • Repaired the Failback policy to connect to only one interface at a time, with attempts starting with the highest priority interface

 

 

Firmware Version 5.4.2 (06/15/2015)

 

New features added in this release (Not all features are in all products – see their respective Data Sheets):

Security defects fixed:

  • None.

Additional UI/Usability changes: - None

Defects fixed:

  • (1100/1150) GPS data would not be updated if Default Time Interval was 0.
  • LLDP defect stopped it from running.
  • Speedtest run count was not incremented correctly in UI.
  • Dual Hub NHRP issue where spoke wouldn’t failback to the primary hub.
  • IPSec with ‘NAT to address’ for local net would not work

Firmware Version 5.4.1 (05/26/2015)

 

New features added in this release (Not all features are in all products – see their respective Data Sheets):

  • (600) Added GPS TAIP sentence support, System Settings -> Administration -> GPS.
  • (1100/1150) Multiple GPS Enhancements, System Settings -> Administration -> GPS.
    • Added support for sending GPS information across the DB-9 Serial port. “Send to Serial”. If any Serial Redirector services are being used, they will be shut down.
    • Added a GPS Lock LED. “General Settings”. The USB LED can be used to show if the router has a GPS fix. It will blink red if the router does not have a fix and solid green if it does.
    • Changed naming and some help for Client/Server settings. They are now “Send to Client(s) and Send to Server(s)”.
  • (1100/1150/850) Added support for USB-to-Serial adapter, System Settings -> Serial Redirector. If a USB-to-Serial adapter is used, the internal Serial port cannot be used for Serial Redirector.

Security defects fixed:

  • Dnsmasq CVE-2015-3294, we are not vulnerable to the memory scan, but we may be vulnerable to the Denial of Service attack.

Additional UI/Usability changes:

  • Add number of Satellites and GPS Lock status to the Status -> GPS Status page.

Defects fixed:

  • (1100/1150) GPS data not being received when the router has 2 SIM cards inserted.
  • (1100/1150) GPS data would not be updated if Stationary Time Interval was 0.
  • IPSec tunnel with 2 remote LAN subnets can only access one at a time.
  • Speedtest run count was incremented when using a custom server.


Firmware Version 5.4.0 (05/04/2015)

New features added in this release (Not all features are in all products – see their respective Data Sheets):

  • Point-to-point VPN Virtual Tunnel Interface (VTI) Support added. “VTI Tunnel” has been added to the modes menu in the General page of VPN configuration. VTI traffic rules must be configured in the Zone Firewall.
  • Added ability to use DMVPN aggressive and main modes both as a responder and an initiator.
  • WAN Speedtest added under System Settings / System Control. Added the ability to run a Speedtest against a Cradlepoint server up to 10 times or for an unlimited number of times against a configured non-Cradlepoint client server. The settings allow the Speedtest to be constrained by either time or the number of bytes sent.
  • Added OpenVPN support on IBR600 and improved OpenVPN use for bridging. Bridged OpenVPN interfaces must be assigned to a LAN Network under Network Settings. Routed OpenVPN tunnels can now be configured using the Zone Firewall. OpenVPN tunnels configured in Server mode can be used to generate a client configuration for mobile devices by selecting the “Generate Client Configuration” button under the OpenVPN configuration page in the UI.
  • Added OpenVPN tunnel status to UI. Number of bytes sent/received per tunnel and when the tunnel was established (server mode) or when the status numbers were updated last (p2p and client mode).
  • Added exception route and WAN binding support for NEMO
  • (2100) The number of packets scanned by the IPS engine is tunable, which can double the performance of IPS throughput.
  • (2100) Added Protected Management Frame support to 802.11ac.
  • (1100/1150) Added Stationary Time Interval reporting to GPS.
  • Added UTC along with Epoch to log time reporting.
  • IPSec. IKE Phase 2 SHA2-256 Hash was incompatible with the latest Cisco and Juniper firmware releases.
  • APN recovery. When an APN is proven to work and if later a user manually enters an incorrect APN (via “Default Override” or “Select”), the device will attempt to recover the last known working APN when the mode is reverted back to “Default”.
  • SIM PIN / PUK support. For all modems which support SIM cards (except Sprint), added the ability to enable/configure/modify the SIM’s PIN, as well as the ability to unlock the SIM card with the PUK code

Security defects fixed:

  • (2100) Port Scans did not trigger IPS Alerts
  • OpenVPN was vulnerable to a Denial of Service attack CVE-2014-8104
  • Router was vulnerable to a Denial of Service attack CVE-2015-1465

Additional UI/Usability changes:

  • Display state of connection tracking in Status UI
  • Changed the name of “CP Secure Connect” to “CP Secure VPN”.
  • We removed the ability to create a CP Secure VPN certificate in the router, ECM will provide this certificate.
  • Remote Access UI clarifications. We changed the title to “Remote Admin Restriction”.
  • Added firmware version to the UI login page.
  • Added a check to static routes to not allow a user to specify both an Interface and Gateway at the same time
  • Added full modem description (such as part number) and the detected SIM carrier to modems listed in Internet > Connection Manager > WAN Interfaces section
  • Modified a cellular modem’s IP configuration type to match the router’s IP configuration type. If IPv6 is enabled on the router, the modem type is set to IPv4v6. If IPv6 is not enabled on the router, the modem type is set to IP.

Defects fixed:

  • RADIUS wasn’t working through an IPSec tunnel after reboot.
  • Hotspot wasn’t sending RADIUS accounting on both login and logout
  • IPSec VPN, protocol ‘Any’ was the only one honoring Always On initiation mode
  • Error when importing a PEM certificate with an IP Subject Alternative Name extension
  • Importing a PEM certificate chain with CA does not import the associated CA certificate
  • GPS data not being received when IBR1100 has 2 SIM cards inserted
  • HTTPS attempts to LAN-side IP from WAN was getting refused
  • SNMP Trap server error
  • GRE tunnel doesn’t come up when the tunnel name is long
  • IPSec UI only allows you to select SHA256 even though SHA256_128 is shown
  • Improved small packet performance with concurrent Tx and Rx traffic
  • Adjusted APN Default to consider whether a blank APN is to be ignored or overwritten



irmware Version 5.3.4 (02/24/2015)

New features added in this release (Not all features are in all products – see their respective Data Sheets):

  • Split DNS support under Network Settings -> DNS Configuration -> DNS Settings.
  • Content Filtering can now work with HTTPS as well as HTTP
  • (2100) Application ID’s can now be used to match QoS rules
  • Multiple Serial Port Redirector support. At the CLI, if a multi-port USB-to-Serial Port adapter is connected to the product, the ports can be individually selected as “serial 1”, “serial 2”, etc. Only one port is available at a time.
  • Ability to send a Break command to a device attached to a serial port. Using the “serial” command at the CLI, a Ctrl-X will send a Break command to the attached device.
  • CLI access via device web UI under System Settings -> System Control -> Device Control. This allows easy access to the router’s CLI, including the ‘serial’ command.
  • (IBR1100) WiFi-as-WAN WPA2 Enterprise for 2.4GHz radio. This allows connection to a Access Point using WPA2 Enterprise authentication.
  • LLDP. Added Model Name and Firmware Revision to the LLDP string.
  • SSH. We limited the server cipher list to this subset: aes128-ctr,aes192-ctr,aes256-ctr

Security defects fixed:

  • HTTP Proxy support was added in the 5.3.0 Release as part of Content Filtering. This added a firewall rule that allowed traffic to go to the Proxy when Content Filtering was enabled. This rule was too open and allows use of the Proxy.
  • HTTP Proxy was patched to mitigate CVE-2015-1031. There are no known exploits for that vulnerability.
  • Default GRE firewall rules allowed configured tunnel route destinations to be reached by a carefully-crafted packet injected from other interfaces on-link with the WAN. This does not affect typical Internet WAN connections such as modem, DSL, or cable modem. This can only be exploited across an Ethernet WAN.

Defects fixed:

  • Management Address field in LLDP did not match the Admin Access address for the interface.
  • LLDP Wireless LAN always reported as off
  • 5.3.0 GPS migration missed the “always_poll” flag
  • Zscaler Internet Security improved the failover and failback abilities
  • “*” was not allowed in Webfilter Rules
  • LPE, LE products. If the APN was manually entered via the router’s GUI, modems would connect on LTE but some would not connect on eHRPD (3G). Patched issue to allow eHRPD connections.
  • LPE products. Repaired mismatched carrier SIM issue when modem is switched from one carrier firmware load to another

Known issues:

  • IPSec. Certificates do not work if Router Services used (new feature in 5.2.0)
  • IPSec. IKE Phase 2 SHA2-256 Hash is incompatible with the latest Cisco and Juniper firmware releases. CradlePoint routers are still compatible with each other.
  • If any of the router’s WAN connections (Ethernet, Wi-Fi as WAN, modem) connects to a device that has the same IP subnet as the router, the router will disable the interface and provide a Bounce Page warning that the WAN interface has a conflict. Simply change the LAN IP Address on the Network Settings -> WiFi / Local Network Settings page in the UI.



Firmware Version 5.3.1 (12/08/2014)

New features added in this release (Not all features are in all products – see their respective Data Sheets):

  • VLAN Redesign under Network Settings / WiFi / Local Networks / VLAN Interfaces. This includes VLAN support for WAN interfaces.
  • HTTP Proxy support was added under Network Settings / Content Filter / Upstream Proxy Settings. Proxying HTTPS traffic will not work transparently.
  • ZScaler Internet Security added to the Network Settings / Content Filter / Cloud Based Filtering/Security page.
  • LLDP support is added under System Settings / Administration / LLDP. It can be enabled for WAN or LAN, and devices that are discovered are shown under the Status / LLDP page.
  • Additional options are added to the System Settings / System Control / Ping Test to be able to set the Packet Size and Don’t Fragment.
  • (CLI only) Additional options are added to traceroute, including MTU discovery and a number of other features.
  • Allow SNMP traffic on the WAN interface when IP Passthrough mode is enabled.
  • (IBR1100) Additional TAIP support added, including multiple clients and servers (up to 4). Distance - based reporting was added.
  • (IBR1100) Enabled OpenVPN and VLAN support.
  • (2100) WiFi changes add Airtime Fairness. Airtime fairness support for the 2100 has been added. Airtime fairness distributes available wireless airtime more fairly between clients of different speeds, resulting in better performance for more capable client devices. Airtime fairness is disabled by default. It can be enabled under the Advanced WiFi Settings page for each radio.
  • (2100) Firewall integration with IPS. Network Settings / Fire wall Configuration / Application Sets allows filtering support by type of Application configurable by Zone.
  • (2100) Redesigned UI for Threat Management. Improved visibility and configuration of the 'Threat Management' categories and signatures. Added the ability to separately configure whole categories of signatures, as well as individual signatures. Added the ability to search (or filter) on the signature ID or text found in the signature description, like a CVE number.
  • (IBR6x0LPE, IBR11x00LPE, MC400LPE) Modem Multi-Carrier Software Switching. Allows for switching of modem firmware from one North American cellular carrier to another North American cellular carrier.
  • (IBR6x0LP2, IBR6x0LP3, IBR6x0LP, IBR6x0LPE, IBR11x0LP3, IBR11x0LPE, MC400LP3) Smart Operator Selection. Extension of this IBR6x0P feature to more models. When this feature is enabled and when used with a globally-provisioned SIM, the router scans for available mobile broadband networks then selects the best network based on user-configurable values.

Additional UI/Usability changes:

  • MAC Address filtering by range, allowing a range of MAC Addresses to connect to the router instead of entering multiple host MAC Addresses.
  • SNMP Password requirements when the router is in Advanced Security Mode are the same as for the Administration Password.
  • Removed ZScaler from the Enhanced Enterprise License.
  • (IBR6x0LE2, IBR6x0LPE, IBR11x0LPE, MC400LE2, MC400LPE) Modified underlying attempts and retries for more successful Sprint LTE activation results.
  • UPnP disabled by default. The setting still exists, but is not enabled.


Firmware Version 5.3.0 (12/01/2014)

 

New features added in this release (Not all features are in all products – see their respective Data Sheets):

  • VLAN Redesign under Network Settings / WiFi / Local Networks / VLAN Interfaces. This includes VLAN support for WAN interfaces.
  • HTTP Proxy support was added under Network Settings / Content Filter / Upstream Proxy Settings. Proxying HTTPS traffic will not work transparently.
  • ZScaler Internet Security added to the Network Settings / Content Filter / Cloud Based Filtering/Security page.
  • LLDP support is added under System Settings / Administration / LLDP. It can be enabled for WAN or LAN, and devices that are discovered are shown under the Status / LLDP page.
  • Additional options are added to the System Settings / System Control / Ping Test to be able to set the Packet Size and Don’t Fragment.
  • (CLI only) Additional options are added to traceroute, including MTU discovery and a number of other features.
  • Allow SNMP traffic on the WAN interface when IP Passthrough mode is enabled.
  • (IBR1100) Additional TAIP support added, including multiple clients and servers (up to 4). Distance-based reporting was added.
  • (IBR1100) Enabled OpenVPN and VLAN support.
  • (2100) WiFi changes add Airtime Fairness. Airtime fairness support for the 2100 has been added. Airtime fairness distributes available wireless airtime more fairly between clients of different speeds, resulting in better performance for more capable client devices. Airtime fairness is disabled by default. It can be enabled under the Advanced WiFi Settings page for each radio.
  • (2100) Firewall integration with IPS. Network Settings / Firewall Configuration / Application Sets allows filtering support by type of Application configurable by Zone.
  • (2100) Redesigned UI for Threat Management. Improved visibility and configuration of the 'Threat Management' categories and signatures. Added the ability to separately configure whole categories of signatures, as well as individual signatures. Added the ability to search (or filter) on the signature ID or text found in the signature description, like a CVE number.
  • (IBR6x0LPE, IBR11x00LPE, MC400LPE) Modem Multi-Carrier Software Switching. Allows for switching of modem firmware from one North American cellular carrier to another North American cellular carrier.
  • (IBR6x0LP2, IBR6x0LP3, IBR6x0LP, IBR6x0LPE, IBR11x0LP3, IBR11x0LPE, MC400LP3) Smart Operator Selection. Extension of this IBR6x0P feature to more models. When this feature is enabled and when used with a globally-provisioned SIM, the router scans for available mobile broadband networks then selects the best network based on userconfigurable values.

Additional UI/Usability changes:

  • MAC Address filtering by range, allowing a range of MAC Addresses to connect to the router instead of entering multiple host MAC Addresses.
  • SNMP Password requirements when the router is in Advanced Security Mode are the same as for the Administration Password.
  • Removed ZScaler from the Enhanced Enterprise License.
  • (IBR6x0LE2, IBR6x0LPE, IBR11x0LPE, MC400LE2, MC400LPE) Modified underlying attempts and retries for more successful Sprint LTE activation results.
  • UPnP disabled by default. The setting still exists, but is not enabled.



Firmware Version 5.2.2 (8/18/2014)

New features added in this release (Not all features are in all products – see their respective Data Sheets):

  • Cradlepoint Secure Connect (CPSC) Port Forwarding. A CPSC tunnel can now be added to a zone for Port Forwarding traffic from the tunnel. The Zone NAT rules can be created for any source zone to specify destination Port Forwarding similar to the existing WAN Port Forwarding Rules. However unlike existing WAN Port Forwarding Rules, Zone NAT rules apply to all traffic from the source zone to any destination IP not just to traffic for the WAN IP destination.
  • (IBR6x0P only) Smart Operator Selection. When this feature is enabled and when used with a globally-provisioned SIM, the router scans for available mobile broadband networks then selects the best network based on user-configurable values.

Additional UI/Usability changes:

  • Network Settings, Content Filter. The Rule Priority column can now be used for sorting.
  • System Settings -> Administration -> Local Management -> System Identifier. The filter on this was too strict and wouldn’t allow certain ASCII characters. It has been changed to allow for all ASCII characters.
  • Internet -> VPN Tunnels Pre-Shared Key. A filter was added to restrict the PSK to a too-strict subset of ASCII characters. This filter was changed to allow printable ASCII characters.
  • Network Settings -> Wi-Fi -> Local Networks. Changing Channel Selection method and refreshing the screen would cause Wi-Fi settings to show as blank.
  • Internet-> Connection Manager-> Edit-> General Settings. Added configurable retry settings to IPv4 Failure Check. Default values are those recommended by Cradlepoint for best Internet connectivity.

Defects fixed:

  • Zone Firewall GRE filtering was fixed
  • IPS Add/Removal of Signatures to the whitelist might fail was fixed
  • (IBR600/IBR650) GPIO Output not switching value with Modem Connected was fixed
  • Wired WAN (Ethernet), Active DNS doesn’t failover was fixed
  • (MC400xxx only) When the modem encounters a link down connection, the modem now correctly reports it is not connected.



Firmware Version 5.2.0 (6/30/2014)

New features added in this release (2100, MBR1400, IBR6x0, MBR1200B, CBA750B only. Not all features are in all products – see their respective Data Sheets):

  • (2100) Threat Management. Network Settings -> Threat Management is a licensable feature and provides Intrusion Prevention/Intrusion Detection.
  • Zone Firewall. Network Settings -> Firewall Configuration has been significantly changed from previous firmware versions. The most important change is the Zone Firewall implementation.
  • Router services and VPN. NTP, DNS, and Enterprise Cloud Manager will all now be pushed through a VPN tunnel if ‘Router Services’ is enabled and a remote network of 0.0.0.0/0 is configured in the VPN Tunnels -> Add Tunnel -> Remote Networks page.
  • (IBR6x0) Increase the maximum number of GRE tunnels from 5 to 10.
  • Modem Settings: APN management enhancement, added Default Override (allows for APN entry on the modem’s default profile slot). Removed Manual option. Affects all GSM and all LTE modems, including Cradlepoint and carrier-released USB modems.
  • Modem Settings: Auto APN (attempt connection on assumed home carrier APN’s if default modem APN fails to connect). Added to Cradlepoint GSM modem-based devices only: IBR6x0P, ARC/COR LP, ARC/COR LP2, ARC/COR LP3, ARC/COR LPE-AT, ARC/COR LPE-GN products

Additional UI/Usability changes:

  • Modem Settings: Home Only (lock to home carrier). Added to Cradlepoint GSM modem-based devices only: IBR6x0P, ARC/COR LP, ARC/COR LP2, ARC/COR LP3 products

Defects fixed:

  • Many OpenVPN defects have been fixed
  • Updated OpenSSL to version 1.0.1h



Firmware Version 5.1.0 (5/13/2014)

New features added in this release (2100, MBR1400, IBR6x0, MBR1200B, CBA750B only. Not all features are in all products – see their respective Data Sheets):

  • Config difference CLI command: ‘diff’ from the command line will show any configuration items that are different than the default.
  • ARP CLI command: ‘arpdump’ from the command line will dump the ARP table.
  • (IBR6x0) Prepend System ID to GPS Sentences. System Settings -> Administration -> GPS -> Include System ID.
  • (IBR6x0) Increase the maximum number of GRE tunnels from 5 to 10.
  • Network Mobility (NEMO) changes to support failover. NEMO can be configured to operate with a specific WAN and will activate when a disconnection is detected from a primary WAN connection, or BGP or VRRP detect a peer failure.

Additional UI/Usability changes:

  • Added a Red/Green indicator to the banner showing if the router is connected to ECM.
  • For Cradlepoint-based modems with supporting GPS, added ability to select between AUX and GPS ports to obtain coordinates

Defects fixed:

  • NHRP with dual WAN connections does not come back up after a WAN failover
  • SSH ‘cat’ command occasionally skips config portions
  • Special Characters in System Identifier field can cause UDHCP to fail
  • IBR600P/IBR650P only. Enabled SMS access for these devices
  • Added data throttling to resolve a USB overrun situation that resulted in the router rebooting itself



Firmware Version 5.1.0 (3/3/2014)

New features added in this release (2100, MBR1400, IBR6x0, MBR1200B, CBA750B only. Not all features are in all products – see their respective Data Sheets):
 

  • System Settings -> Certificate Management. Certificate Management is a centralized system utility to import, export, create, and remove digital certificates. Local services can access stored certificates for authentication, verification, or for other security functions. Certificates can either be imported or exported via the PEM format, or bundled with a CA certificate for import or export via the PKCS12 format. Current services utilizing Certificate Management are CP Secure Connect, IPSec VPN, and WPA Enterprise Wifi as WAN.
    • Certificates from Release 5.0 or earlier will not migrate automatically to the new Certificate Manager, and Certificates created and managed in Release 5.1 or beyond will not work if the router is downgraded to an earlier Release. A factory reset is required if Certificates are used in 5.1 or later and the router is downgraded to 5.0 or before.
  • Add ability for negation on source and destination addresses in WAN Affinity was added.
  • Internet / CP Secure Connect. Cradlepoint’s cloud VPN solution has been renamed to ‘CP Secure Connect’ and has been removed from Beta status. CP Secure Connect also supports full tunnel VPN. Full tunnel support can be created by selecting the local LAN (Ex. 192.168.0.0/24) with a remote network configured as 0.0.0.0/0.
    • CP Secure Connect will only create a single tunnel unlike IPSec that can create multiple tunnels.
    • CP Secure Connect has been removed from the Extended Enterprise License (EEL). It now has its own license.
  • Added additional Modem diagnostics to SNMP. These include CINR, SINR, RSRP, RSRQ, and a number of other values. The latest WIPIPE MIB version is 1.8 to reflect these changes.
  • Added client site visit reporting to the log that reports which clients accessed an external IP address. Network Settings -> Firewall Configuration -> Firewall Options -> Log Web Access.
  • Active and passive DNS Failure Check added to Ethernet WAN sources to make their Failure Check options match what is provided for modems.
  • (2100 only) Band-steering has been added. If a client is attached to the 2.4GHz radio on the 2100 and it is capable of using the 5.0GHz radio, it will be steered to the generally more open and higher-performing band. Band-steering is enabled whenever the SSID of the 2.4GHz and 5GHz radios are the same. Note that band steering may negatively impact connectivity in some situations, especially at long range. If you see performance or connectivity issues it is recommended that you disable band-steering by setting the 2.4GHz SSID and 5 GHz SSID to different values.
  • RADIUS timeout and retry settings have been added for Hotspot support.
  • Added the ability to prioritize VOIP packets from the LAN to the WAN when using a VPN tunnel. Any QoS DSCP codes will be copied from the inner packet to the VPN packet after VPN encryption.

Additional UI/Usability changes:

  • Modem Settings, On Demand Start Connection checkbox. When checked, the modem will connect to begin On Demand mode after plug or reset. When unchecked, the modem will not connect to begin On Demand mode after plug or reset, but will wait for LAN to WAN traffic before initiating a connection.
  • SMS interface extension. Added Help command.
  • The wireless band has been added to the Wi-Fi clients list.
  • An Asset Tag field has been added to the router under the Local Administration tab.
  • Added ability for negation on source and destination addresses in WAN affinity.

Defects fixed:

  • IE9 and IE10 UI issues when setting up VPN tunnel
  • CP Secure Connect tunnel did not re-establish after reboot
  • GRE failover was not working correctly in some conditions
  • Clients dropped off of the Clients List and returned
  • OpenDNS might have issues reconnecting after reboot, depending on the speed of the WAN reconnection
  • SSH to Serial port was scrambling data



Firmware Version 5.0.0 (11/18/13)
 

New features added in this release (MBR1400, IBR6x0, MBR1200B, CBA750B only. Not all features are in all products – see their respective Data Sheets):
  • Added support for new modems (see Modem list above).
  • VPN Improvements – Internet / OpenVPN. OpenVPN has been added to provide SSL VPN support.
  • L2TP support for a WAN interface is provided under Internet / L2TP Tunnels.
  • GRE: Failover/Failback and WAN Binding support has been added.
  • VPN Failback. This feature allows two or more VPN tunnels to be created that will failover if one connection goes down and will fail back if the higher priority connection is available. It is configured in the VPN Tunnels wizard / Dead Peer Detection page.
  • Filter packets going through the modem that do not match the network. This feature is enabled by default and can be disabled using Internet / Connection Manager / Common Defaults / Modem Settings.
  • Internet / CP Connect (Beta feature in 5.0). CP Connect tunnels can be used to create a connection to a private network.
  • Internet / WiFi as WAN. (MBR1400v2 only). WPA2 Enterprise Authentication added to Wi-Fi as WAN option.
  • Zscaler cloud-based filtering/security added under Network Settings / Content Filter / Cloud Based Filtering/Security.
  • SMS access. Now enabled for all products on this platform.
Extended Enterprise License (MBR1400v2, IBR6x0 only):
  • System Settings / Feature Licenses. An Extended Enterprise License will enable a number of features on those routers. For more information visit the Feature and Application License page on the Cradlepoint web site.
  • Routers upgrading from earlier firmware versions will automatically be granted a license to the existing features that will fall under the EEL (STP, VRRP, etc.).
Additional UI/Usability changes:
  • First Time Setup Wizard / Configuring Failure Check. Enabling Failure Check here will default Ethernet and WiFi as WAN checks to use a ping, and modems to Passive DNS.
  • Added IP WAN Subnet Filter checkbox to Modem Settings.
  • Added Enable AUX Antenna checkbox to Modem Settings. When disabled, the embedded modem’s AUX antenna is turned off.
Defects fixed:
  • PMTU issue with IPSEC/VPN
  • System Stats SINR graph moved backwards
  • GPS change. GPS was being reported in degrees and decimal degrees. Now it is reported as degrees, minutes, and seconds.
  • USB Serial hardware flow control issue
  • AT&T Beam (Netgear AC340U) now works with i2gold SIMs



Firmware Version 4.4.2 (10/08/13)
 

New features added in this release (MBR1400, IBR6x0, MBR1200B, CBA750B only): 
 
  • Added support for new modems, check Supported modem list.
Additional UI/Usability changes: 
 
  • None 
Defects fixed: 
 
  • Internet Explorer 8 only. Modem Edit button fixed.
  • DNS server list with HTTP modems. If a connection with an HTTP modem results in no DNS server list, the router will now allow the connection to continue.
  • Sub-1280 MTU on Ethernet causes WAN Disconnect.
  • Remote Admin Access Control (ACL) did not affect remote SSH. If remote SSH is enabled in 4.4.0, the ACL did not prevent connection attempts from unauthorized IP addresses.
  • Connection Manger – can’t expand Failback Configuration Settings. 
 
Firmware Version 4.4.0 (08/13/13)
 
New features added in this release (MBR1400, IBR6x0, MBR1200B, CBA750B only): 
 
  • IPv6 support has been added. IPv6 is supported on all WAN sources, and has been tested with all of the Cradlepoint internal modems and modem caps. Other modems are not  supported but may work.
    • Routing features include dynamic and static IPv6 to IPv6 routing. IPv4 Tunneling support includes 6to4, 6in4, and 6RD.
    • Failover, Failback, and Load Balancing are supported if Network Prefix Translation is enabled.
    • Features that are not supported on IPv6:
      • RADIUS/TACACS+ accounting for wireless clients and admin/CLI login
      • IP Passthrough (not needed with IPv6)
      • NAT (not needed with IPv6)
      • Bounce pages
      • UPnP
      • Network Mobility
      • DHCP Relay
      • VRRP, GRE, GRE over IPSec, OSPF, NHRP
      • Syslog
      • SNMP over the WAN (LAN works)
    • The ability to pass router-generated traffic (NTP, Enterprise Cloud Management, and Firmware Update Check) to the LAN has been added. This is useful if another router that has multiple WANs is attached as a LAN client to a Cradlepoint router (generally using the Cradlepoint router for failover if its primary WAN fails).
    • Hotspot. A new second-stage login option for redirection has been added
    • VPN Alert. An alert can be generated if a VPN tunnel goes down.
    • Allow disabling the default ‘admin’ account for the router. This can lessen the chance of a brute-force attack getting through the default account.
    • The ability to pass multicast (IGMPv2) traffic upstream on the WAN to alternate subnets connected to a host downsteam on the LAN.
    • IBR6x0 only. Via SMS to the embedded modem, allow remote access to obtain modem and router status when a modem is unable to establish a cellular data connection. See the User Guide for SMS description, supported products, access instructions and commands. 
Additional UI/Usability changes: 
 
  • Change position of data in the Status -> Statistics page to make it more readable.
  • Enhanced APN and Profile management in Wan Configuration -> SIM/APN/Auth Settings. APN and Profile configuration has been extended to provide enhanced APN and Profile configuration and selection.
  • Added option to select a preferred carrier operator network in Wan Configuration->Modem Settings-> Network Selection Mode. If a specific carrier is selected (as indicated by the PLMN), automatic roaming to other networks is disallowed. 
 
New features added in this release: 
 
  • A defect was found in 4.2.0 and fixed in 4.2.1 that affects future upgrades. Using the Manual Firmware Upload for future firmware uploads will appear to work but default configuration settings for new features will not be set correctly. This issue does not exist with Automatic (Internet) updates or updates using Wipipe Central. Please upgrade to 4.2.1 before upgrading to a later version if you wish to use Manual Firmware Upload.
  • Workarounds are:
    • Use the Automatic update (preferred method)
    • Update to 4.2.1 before updating to 4.3 or beyond
    • On the System Settings/System Software page in the UI, use Backup Current Settings to save your current configuration. Then use Firmware Upgrade and System Config Restore to update firmware and set the configuration at the same time. Using the Restore Settings popup, always select and restore your configuration settings before selecting your firmware file and starting the firmware upgrade.
  • Feature Licensing has been added (MBR1400v2/IBR600/IBR650). System Settings -> Feature Licenses has been added to enable features that require a specific license from Cradlepoint.
  • NEMO (Network Mobility) support has been added (MBR1400v2/IBR600/IBR650). Network Mobility (RFC-5177) support has been added to register up to 8 mobile networks directly with a Home Agent, and automatically configure the requisite GRE tunnel. The NEMO configuration can be found under the Internet Category. NEMO support is enabled using a feature key and can be enabled under System Settings -> Feature Licenses.
  • 802.1x Ethernet port security has been added (MBR1400v2/IBR600/IBR650). Network Settings -> (WiFi) Local Networks -> Local Network Editor -> Wired 802.1x. This allows configuring an authentication server that will accept authentication requests from devices attached to wired Ethernet ports. If the wired clients cannot provide authentication, they are not allowed to connect to the Router’s networks. This has been tested with Linux, Windows OS, and Mac OS clients.
  • VPN Tunnel to allow secondary remote gateway in a single tunnel. We now allow the user to chain the VPN policies to failover from one to another as needed. If one tunnel fails, usually because its WAN interface goes down, the system can automatically fail over to another VPN tunnel. Internet / VPN Tunnels -> Add Tunnel -> Failover tunnel.
  • (IBR600 only) Increase the number of allowed WiFi clients from 32 to 64. 
Additional UI/Usability changes: 
  • Internet Explorer 10 Compatibility View support. 
  • An option was added to the IP Passthrough Setup Wizard for subnet selection. The options are to automatically create a subnet or to force /24 Subnet for compatibility with some other common network equipment. 

 

Firmware Version 4.3.2 (07/15/13)
 

New features added in this release: 
 
  • Enterprise Cloud Manager (ECM) (all products except for MBR95): Enterprise Cloud Manager is the replacement for WiPipe Central.
    • Created client service and UI for connecting to Cradlepoint Enterprise Cloud Manager (ECM) (http://www.cradlepoint.com/products/enterprise-cloud-manager). Requires a valid ECM username and password.
    • Added 'ecm' command line tool for controlling and monitoring the ECM client. This includes the ability to register the router with the ECM service provided you have already subscribed and have valid credentials.
    • Added ECM web based management user interface (System Settings -> Enterprise Cloud Manager).
    • Moved WiPipe Central user interface to the “Enterprise Cloud Manager” page.
    • Support for WiPipe Central or ECM management where ECM takes precedence.
  • (MBR1400s, CBA750b, IBR6x0 only), Modem Firmware update is available for select Cradlepoint internal modems (IBR6x0LE, LP, LP2-EU) and MC200 modem caps. Internet->Connection Manager- >Control->Firmware. Modem firmware update has been added to the Connection Manager. The modem firmware can be updated by one of two methods, Automatic and Manual.
    • Automatic update allows the supported modem’s firmware to be updated with a newer version of firmware located on Cradlepoint's firmware server. By default, the router will automatically check for modem firmware updates when a supported modem is plugged in and an Internet connection is available. The admin can uncheck the "Automatically check for new firmware" checkbox under Internet->Connection Manager->Edit->Modem Settings to stop the router from automatically checking for new modem firmware. The admin can manually check for an update by pressing the "Check Again" button. Once an update has been detected, the admin can start the modem update by selecting the "Automatic (Internet)" button.
    • Manual update allows the admin to load new firmware directly to the modem by selecting the file with the "Choose File" button and selecting the "Begin Firmware Upgrade" button to start the update process. 
 
Additional UI/Usability changes: 
  • None 
Defects fixed since 4.3.0: 
 
  • Fix for MBR95 showing SNMP in the UI
  • Improvement for MBR1400 when rapidly changing WiFi configuration the router may require a power cycle.
  • Fix for Daylight Savings time causing Scheduled Reboot to happen repeatedly within the hour. 
 

Firmware Version 4.2.0 (02/25/2013)
 

 

Networking features (MBR1400 HW v2.0, IBR600/650):
  • NHRP (Next Hop Resolution Protocol) routing has been added. NHRP can be used to implement a dynamic tunneling form of VPN using a combination of keyed GRE tunnels, VPN and dynamic routing protocols. This can be thought of as a meshed layout over a VPN allowing connected devices to communicate between each other. Two phases are currently supported, with phase 1 using NHRP to inform a hub (VPN concentrator) about dynamically appearing spokes (routers attached to the hub) and phase 2 allowing for communication between spokes using a routing protocol (OSPF, BGP or RIP).

New Features added in this release (MBR1400 HW v2.0, MBR1400, IBR600/650, CBA750B):

  • DHCP Relay. Network -> WiFi/Local Networks -> "Edit" a Local IP Network -> DHCP Tab. DHCP Relay allows relaying of DHCP requests from subnets without DHCP servers to one (or more) DHCP servers on other subnets.
  • Per-client Web filtering. Network Settings -> Content Filter -> MAC Address WebFilter Rules. WebFilter rules and default filtering actions can be assigned to MAC Addresses.
  • Per-client Data Usage. Internet -> Client Data Usage. Client Data Usage tracks the WAN data used by each client connected to the router.
  • The Administration username and password can be configured to use RADIUS or TACACS+. Under System Settings - > Administration -> Router Security if the Advanced Security Mode is checked, the Authentication Mode can be selected as either Local Users or RADIUS or TACACS+. If WAN connectivity is lost when using RADIUS or TACACS+. the Local User Password can be used.
  • (IBR600/IBR650 only) GPS Additions. The GPS can be configured to provide NMEA GGA, VTG, and/or RMC sentences. Every internal modem type does not support all three sentences.

Modem Changes:

  • Added connection mode switching options with Sierra Wireless 313U modem.

Additional UI/Usability Changes:

  • NOTE: Many 4.x Firewall Configuration settings have changed as they were specific to the previous 3.x firewall implementation. Please check your firewall settings.

Defects fixed since 4.1.0:

  • Data Usage UI page was not updating correctly on MBR95
  • Data Usage data did not update correctly on MBR95 unless the user went into the UI
  • Hotspot usage statistics: The stats from one session to the next appeared to be the same even though the sessions were completely different
  • Fixed WiFi-as-WAN issue connecting MBR95 to MiFi 4620L
  • Status/Internet Connections -> Statistics -> Connection Uptime was changed from seconds to days:hours:minutes


Firmware version 4.1.1 (12/03/2012)
(Support added for MBR95)
 
Networking features (IBR600/650):

  • OSPF (Open Shortest Path First) routing has been added
  • BGP (Border Gateway Protocol) routing has been added
  • RIPv1 and RIPv2 (Routing Information Protocol) routing has been added
  • STP (Spanning Tree Protocol, IEEE 802.1D-1998) bridged Ethernet LAN support
  • Multicast Proxy support has been added
  • VRRP (Virtual Router Redundancy Protocol) support has been added

Limitations of these Networking features:

  • No SNMP support for these feature has been added yet
  • No OSPF (Open Shortest Path First) multi-hardware support has been added yet
  • Routing Protocols will not propagate a default route at this time

Major features added since 4.0.3 (MBR1400, IBR600/IBR650, CBR400/CBR450):

  • DSCP/DiffServe (Differentiated Services Code Point) QoS support has been added

Major features added since 4.0.3 (all products unless otherwise stated):

  • MAC filtering on Ethernet as well as WiFi. The Network Settings -> MAC Filter/MAC Logging page will allow yu to whitelist or blacklist MAC Addresses
  • Multiple Content Filtering Instances have been added. Instead of having single set of content filters for the entire router, you can have different filters per network. This enables you to have different filters on your Primary vs your Guest network, for example.
  • Failback timer (Connection Manager -> Edit WAN Device -> Advanced Failback Configuration has been changed from a maximum of 300 seconds to 14400 seconds (4 hours)
  • (MBR1200B only) Disable Attention LED. For people who don't like their MBR1200B showing a Red Attention LED when no WAN connection is available, System Settings -> Administration -> Local Management -> Disable Attention LED
  • The WiFi client count is now a link to the Status -> Client List page
  • (IBR600/IBR650 only) Ability to configure the number of stored GPS NMEA messages for Store-and-Forward has been added. System Settings -> Administration -> Number of Stored NMEA messages
  • If you change the router's administration password, the session cookie that allows you to remain in the router's UI using the previous password will be invalidated and you will be logged out of the router's admin UI. You will be required to log in using the new password.

Modem Changes:

  • Specific connection modes in LTE/HSPA+ combination modems can now be selected

Defects fixed since 4.0.3:

  • IP Passthrough bypass was not working consistently
  • AT Passthrough/QXDM only worked on 3G devices
  • AT&T Momentum did not work in IP Passthrough mode
  • Broken SSL connections would lock up the UI server

Firmware version 4.0.3 (09/24/2012)
 
4.0.X is a significant re-architecture of Cradlepoint firmware.  Many new features and capabilities are available.  Modem, VPN IPSec, and LAN-to-WAN performance have all been improved.

Networking features (MBR1400, IBR600/650):

 

  • VPN Certificate support tested with Cisco, Juniper, and CheckPoint routers
  • IP Passthrough: Ethernet WAN to LAN with failover to modem is available
  • Networking improvements: Better IP Filtering, more powerful routing (per-interface routing_, rule-based policy routing
  • QoS: Improved bandwidth & priority traffic shaping (CBQ to HTB as a queing discipline, Fair Queing added). QoS can handle FTP/PPTP now.
  • Hotspot: Improved client rate limiting
  • WAN Affinity improvements: No longer have FTP/PPTP limitations, possible VPN tunnel failover
  • SSH to Serial console, and SSH to Telnet console.  A user can open up Remote Administration -> Allow Remote SSH Access and from the router's CLI either use a USB-to-Serial cable or an Ethernet Telnet session to an attached device.
  • ALG Support (SIP, FTP, PPTP, TFTP, IRC) is available on the Firewall page
  • Load Balance schedule selection. A user may now select either Round-Robin, Rate, Spillover, or Data Usage as a Load Balance algorithm
  • Improved UPnP support, including "Type 2" NAT support on PS3

Modem changes:

  • Most high-speed modems (HSPA+ and LTE) should see higher upload and download performance in 4.0 than in 3.0
  • Sprint Network-Initiated PRL and modem firmware updates can be accepted and scheduled for non-peak times under the Internet -> Connection Manager -> <Modem> -> Edit -> Modem Settings.  If you do not see these UI items, your modem does not support this feature

New features added in this release (all products):

  • Many improvements have been made to overall system stability and performance
  • The CBR450/CBR400 in particular work better under stress (high network loads or VPN tunnels) than they used to


Additional UI/Usability changes:

  • WAN Affinity Settings for GRE.  The ability to tie GRE to a specific WAN interface has been removed from the UI.  Standard WAN Affinity rules work with GRE now.  As VPN has special considerations, it continues to have specific WAN Affinity settings
  • Note: Many firewall configuration settings have changed as they were specific to the previous firewall implementation. Please check your firewall settings.
  • OpenDNS Filtering. Network Settings -> Content Filter -> OpenDNS Content Filtering. The ability to pick generic GOOD/BETTER/BEST pre-defined filtering has been removed as it is no longer supported by OpenDNS. Subscribers to OpenDNS can use the updated integration to apply their web filtering settings. To find out more and purchase an OpenDNS Enterprise subscription go to http://www.opendns.com/business-solutions/?cradlepoint
  • Status -> System Statistics page now shows byte totals as well as graphs.
  • The Historical Data graph on the Data Usage page was removed
  • Some additional fields have been added to the Dashboard, such as the router's MAC Address
  • APN (Access Point Name) selection has been added to the First Time Setup Wizard
  • System Settings -> Managed Services -> SNMP Configuration now has the ability to set system Contact, Name, and Location
  • Service Mode (LTE, EVDO, etc.) for any attached modem has been added to the login screen

Defects fixed since 3.6.3:

  • WPA2 Enterprise/RADIUS settings can be set with any WiFi interface, not just the primary
  • Improved WiFi-as-WAN reconnection ability
  • A number of Data Usage Management defects have been fixed
  • The System Statistics page shows disconnects/reconnects better than it used to

 

 

Firmware version 3.6.3 (06/27/2012)
 
Feature changes/fixes:

  • Fix for Sprint Datalink network issues
  • Fix for LG AD600 authentication
  • Fix for network scheduling

 

 No major features added since 3.6.1
 


Related Articles/Links


Published Date: 09/20/2016

This article not have what you need?  Not find what you were looking for?  Think this article can be improved?  Please let us know at suggestions@cradlepoint.com
 

Open as PDF 

 
Knowledge Home | Product