Release Notes for DrayTek Vigor 3900 (UK/Ireland)

Release Notes for DrayTek Vigor 3900 (UK/Ireland)
Firmware Version
Release Type
Build Date
Release Date
Revision
Applicable Models
Locale
1.3.3 (Formal Release)
Critical – Upgrade recommended immediately
22nd March 2018
22nd March 2018
7640
Vigor 3900
UK & Ireland Only
New Features
(None)
Improvements
1. Improvement related to frmware security
Known Issue
1. High Availability - Updatng from a frmware version <=1.1.0.2: Due to signifcant changes to
High Availability functonalityy existng HA confguraton will be cleared during the update
process and it will be necessary to reconfgure High Availability afer the update
2. L2TP Tunnel - Disable "Force IPsec with L2TP" opton in VPN and Remote Access] > PPP
General Setup] to allow a standard L2TP tunnely otherwise the L2TP server will allow L2TP
with IPsec only
3. IP Filter - F/W 1.2.0 onwards changes the behaviour of the IP Filter. Afer upgrade some IP
Filter rules may need to be reconfgured. Please read the "Filter Rule Actons" segment of
this guide for more informaton on the changes: htp://www.draytek.co.uk/support/guides/
kb-3900-ipflter-basics
Important Note - Upgrading Firmware
Do not upgrade directly from 1.0.5 (and earlier) to 1.3.3.
Due to diferences in the Web UI and functonality the router MUST frst be upgraded to at least
1.0.7.1 prior to upgrading to 1.3.3.
Upgrade your router to Version 1.0.7.1 or later frsty and aferwards upgrade the router to Version
1.3.3.
Upgrade Instructions
It is recommended that you take a confguraton backup
prior to upgrading the frmware. This can be done from
the router's system maintenance menu.
To upgrade frmwarey select 'firmware umpg rade ' from
the router's system maintenance menu and select the
correct fle.
Manual Upgrade
If you cannot access the router's menuy you can put the router into 'TFTP' mode by holding the
RESET whilst turning the unit on and then use the Firmware Utlity. That will enable TFTP mode.
TFTP mode is indicated by all LEDs fashing. This mode will also be automatcally enabled by the
router if there is a frmware/seengs abnormality. Upgrading from the web interface is easier and
recommended – this manual mode is only needed if the web interface is inaccessible.
Firmware Version
Release Type
Build Date
Release Date
Revision
Applicable Models
Locale
1.3.2 (Formal Release)
Regular – Upgrade recommended when convenient
24th November 2017
12th December 2017
7459
Vigor 3900
UK & Ireland Only
New Features
1. Fast NAT functonality added to improve outbound NAT throughput by bypassing frewall
processing for specifed local subnet(s) going through selected WAN interfaces.
Confgured in NAT] > Fast NAT]
Improvements
1. Updated DNSMasq to improve securityy for more details please read this security advisory:
htps://www.draytek.co.uk/informaton/our-technology/dnsmasq-vulnerability
2. Confgured and functoning URL/Web Category Profles could display as a blank profle in the
web interface
3. Syslog output would report the rate unit as Kbps when seeng the Filtering Rate (Mbps) in
Firewall] > DoS Defense] > Switch Rate Limit] > Storm Filter]
4. Access Barrier for HTTPS management could potentally block an authentcated HTTPS
management session
5. Corrected a potental error which might result in fooding a WAN interface removed from
the Load Balance Pool
6. The Counter value for URL/Web Category Filter rules could not increment when blocking
HTTPS websites
7. LDAP with Bind Type set to “Regular Mode” – When clicking the Search buton for Base DNy
the router would atempt to bind with Rooty which caused compatbility issues with
Windows LDAP servers
8. HTTPS fltering behaviour was incorrect when fltering with a keyword of “.”
9. Improved reliability of fltering by File Extension with the Firewall
10. High Availability failover did not occur when all WANs failed on the primary router
11. Multple subnets available through a VPN Trunk in Backup mode were unavailable when
Primary Interface VPN tunnel dropped and the Backup Interface VPN tunnel became actve
12. VPN tunnels were unable to route trafc if a PPPoE WAN was disconnectedy remained ofine
for over 12 hours and was then reconnected
13. Dial Out IPsec VPN could not establish if VPN server hostname started with a number (0-9)
14. Afer upgrade from frmware 1.2.2y VPN and Remote Access] > Connecton Management]
could not display profle names for IPsec VPN tunnelsy displaying a “Lack of Ptype” error
15. Web Portal could confict with IP flter rules
16. Improved Bandwidth Management] > Bandwidth Limit] rate limitng algorithm
17. AP Management broadcast packets no longer send through VPN tunnelsy this can be enabled
in AP Management] > General Setup] by enabling “Pass-Through VPN”
18. Improved Web Portal login page load tmes
19. QoS profles and Firewall Filter Rules can now specify up to 200 Service Type Objects
20. IPsec VPN stability improvements
Known Issue
1. High Availability - Updatng from a frmware version <=1.1.0.2: Due to signifcant changes to
High Availability functonalityy existng HA confguraton will be cleared during the update
process and it will be necessary to reconfgure High Availability afer the update
2. L2TP Tunnel - Disable "Force IPsec with L2TP" opton in VPN and Remote Access] > PPP
General Setup] to allow a standard L2TP tunnely otherwise the L2TP server will allow L2TP
with IPsec only
3. IP Filter - F/W 1.2.0 onwards Changes the behaviour of the IP Filter. Afer upgrade some IP
Filter rules may need to be reconfgured. Please read the "Filter Rule Actons" segment of
this guide for more informaton on the changes: htp://www.draytek.co.uk/support/guides/
kb-3900-ipflter-basics
Firmware Version
Release Type
Build Date
Release Date
Revision
Applicable Models
Locale
1.3.1 (Formal Release)
Regular – Upgrade recommended when convenient
11th July 2017
27th July 2017
7156
Vigor 3900
UK & Ireland Only
New Features
1. Fast Route functonality added to improve throughput by bypassing frewall processing for
specifed routed subnets (VPN tunnels etc.). Located in Routng] > Fast Route].
Improvements
1. Resolved an issue that could stop the router from resolving DNS hostnamesy this would
afect any services that resolve hostnames to IP addressesy such as Content Filteringy NTPy
Mail Alerty DNS Server etc.
2. Improvements to Samba service to ensure immunity to CVE-2017-7494
3. Updated SSH server
4. Updated App Enforcement signatures to improve handling / blocking of:
a. Hotspot
b. UltraSurf
c. PPstream
d. Google Hangouts
5. NAT] > Server Load Balance] can now balance based on “Source IP”
6. Central AP Management can select all managed VigorAPs to apply WLAN Profles / AP
Maintenance tasks
7. Resolved an issue with User Management] > Web Portal] and SMS authentcaton
8. User Management] > User Profle] > Apply All tab could not alter PPTP seengs
9. IPsec VPN tunnels could not re-establish VPN connecton over specifed “Failover to” WAN
10. Resolved an issue with IPv6 when using an IPv6 WAN confgured for DHCPv6 PD (IAID)
11. iPad / iPhone devices with iOS 10.3.1 and later could not establish IKEv2 VPN tunnel
12. XAuth VPN tunnel could not authentcate if the password contained “#” or “.” characters
13. The router could not perform DDNS update for “Strato” Dynamic DNS
14. Improved PPPoE server efciency
15. IPv6 Ping Diagnostcs would not display the ping result
16. Resolved a display issue with Switch Management’s Switch Hierarchy view
Known Issue
1.
2.
3.
High Availability - Updatng from a frmware version <=1.1.0.2: Due to signifcant
changes to High Availability functonalityy existng HA confguraton will be cleared during
the update process. Reconfgure High Availability afer updatng the frmware.
Disable "Force IPsec with L2TP" opton in VPN and Remote Access] > PPP General
Setup] to allow a standard L2TP tunnely otherwise the L2TP server will allow L2TP with
IPsec only
F/W 1.2.0 onwards Changes the behaviour of the IP Filter. Afer upgrade some IP Filter
rules may need to be reconfgured. Please read the "Filter Rule Actons" segment of this
guide for more informaton on the changes:
htp://www.draytek.co.uk/support/guides/kb-3900-ipflter-basics
Firmware Version
Release Type
Build Date
Release Date
Revision
Applicable Models
Locale
1.3.0 (Formal Release)
Regular – Upgrade recommended when convenient
26th April 2017
17th May 2017
7020
Vigor 3900
UK & Ireland Only
New Features
1.
2.
3.
4.
5.
6.
7.
8.
Support for GRE Tunnel under VPN and Remote Access] > VPN Profles] > GRE] for
compatbility with Cisco routers
Support for IKEv2 IPsec VPN tunnels
XAuth authentcaton support for IPsec Remote Dial-In Teleworker VPN tunnels
Central AP Management support – manage up to 50 VigorAP access points
Central Switch Management support – manage up to 10 VigorSwitch switches
New interface with improved design for mobile devices available through:
htps://<router IP>/mobile
Support for DNSSEC added in Applicatons] > DNS Security]
NAT] > Server Load Balance] added
Improvements
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
The router will notfy when another DHCP server is detected
DHCP optons can now specify DHCP Gateway IP Address
Support dynamic prefx for IPv6 LAN
WAN Interfaces will default to DHCP when enabled
High Availability Hot Standby mode can now be switched manually
Firewall now has a Guest group in Filter Setup] to apply rules to Guest Profle users
If Firewall – Default Policy is set to Blocky opton added to “Block All Incoming Trafc”
Bandwidth Limit now supports “Auto Adjust to make best use of available bandwidth”
opton
Bandwidth Limit & Session Limit can now be applied to User Objectsy Groups & LDAP
Added VPN Disconnect Alert Delay to Notfcaton Object] > Advanced Seeng]
StartTLS Connecton Security supported in Mail Service Object] & Mail Alert
Added an opton to disable User Login Mail Alert
Mail Alerts for WAN Status changes now include the WAN IP
HTTPS Management can now be enforced using Enforce HTTPS Management optony
forwards HTTP access atempts to the HTTPS interface
SSH interface now supports SHA2 authentcaton
Timezone confgured in Time and Date seengs now defaults to UK
Trafc Graph now displays CPU and Coprocessor usage history graphs
Added Apply Seengs to VigorAP secton to TR-069 confguraton
Support for scheduled reboot on weekdays only
Improvements to the Fail to Ban & Access Barrier functons
LAN DNS now supports wildcards
LAN DNS profles can now perform conditonal DNS forwarding when the Type of the LAN
DNS profle is set to FORWARD
Dynamic DNS now supports HTTPS
Dynamic DNS now supports User Defned mode for custom API confguraton
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46.
47.
48.
49.
50.
51.
Google Domains added to Dynamic DNS
OpenDNS added to Dynamic DNS
Ping & Trace Route diagnostcs can now select which WAN IP Alias to send through
Added View buton to Certfcate Management to view loaded certfcate details
Search functonality added to:
a. IP Objects & Groups
b. Service Type Objects & Groups
c. Keyword / DNS Objects
d. User Profles
e. VPN Profles
f. NAT Port Redirecton rules
Web Portal can now redirect to specifed LAN DNS address instead of IP
User Management] > Web Portal] – Login History added
Clean Deadline buton added to Guest Profle to renew usage tme of selected account(s)
Guest Profle accounts can specify max simultaneous logins
Added Search Buton in LDAP to allow users to view and select the Base DN/Group DN
LDAP now supports SSL connecton to LDAP Server
Improvements to the RADIUS confguraton page
NAT] > Port Redirecton] can specify allowed Source IP Objects to allow only specifed IPs to
access port forwards without making Firewall Filter Rules
Policy Route rules can select Service Type Objects instead of manually specifying ports
Policy Route rules can now specify Time Objects to apply rules during specifed tmes only
Added a priority graph to Policy Route rulesy click “(?)” to view
Support for SPF/TXT DNS Records for WAN Inbound Load Balance
VPN Profles can now be renamed
VPN Profles now display Status icon to indicate connecton state
SSL VPN port can be confgured separately from HTTPS management interface
SSL VPN can be disabled on individual WAN interfaces in Access Control] to allow NAT Port
Redirectons to be confgured with that porty to the WAN interface with SSL VPN disabled
Allowed WAN interfaces for PPTP VPN server can be selected in VPN and Remote Access] >
PPP General Setup]
IPsec VPN can be set as Default Route/Gateway with Apply NAT Policy enabled for that VPN
User Profles can specify allowed VPN Dial-In tmes by selectng Time Objects
IPsec proposal DH Group now defaults to G5 (1536-bit)
Multple SAs (Security Associatons) added to IPsec VPN profles to specify additonal Local &
Remote subnets
Central VPN Management is now able to confgure SSL VPN tunnels
Known Issue
1.
2.
3.
High Availability - Updatng from a frmware version <=1.1.0.2: Due to signifcant
changes to High Availability functonalityy existng HA confguraton will be cleared during
the update process. Reconfgure High Availability afer the update
Disable "Force IPsec with L2TP" opton in VPN and Remote Access] > PPP General
Setup] to allow a standard L2TP tunnely otherwise the L2TP server will allow L2TP with
IPsec only
F/W 1.2.0 onwards Changes the behaviour of the IP Filter. Afer upgrade some IP Filter
rules may need to be reconfgured. Please read the "Filter Rule Actons" segment of this
guide for more informaton on the changes: htps://www.draytek.co.uk/support/guides/
kb-3900-ipflter-basics
Firmware Version
Release Date
Build Date
Revision
Applicable Models
Locale
1.2.2 (Formal Release)
22nd November 2016
13th October 2016
r6591
Vigor 3900
UK ONLY
New Features
(None)
Improvement
1.
2.
3.
4.
5.
6.
FTP connectons in Actve mode were not passed correctly through NAT
When using Diagnostcs] > Data Flow Monitor] > Packet Monitory results could not be
fltered by Host
Resolved an issue that could cause higher than normal memory usage with some router
confguratons
When confguring a User Management profle for VPN with MOTP enabledy it could not
be saved without entering a password
TTL values were reported incorrectly in the Diagnostcs] > Session Table]
Improved connectvity for Mac OS X SmartVPN clients
Known Issues
1.
2.
3.
High Availability - Updatng from a frmware version <=1.1.0.2: Due to signifcant
changes to High Availability functonalityy existng HA confguraton will be cleared during
the update process and it will be necessary to reconfgure High Availability afer the
update
Disable "Force IPsec with L2TP" opton in VPN and Remote Access] > PPP General
Setup] to allow a standard L2TP tunnely otherwise the L2TP server will allow L2TP with
IPsec only
F/W 1.2.0 onwards Changes the behaviour of the IP Filter. Afer upgrade some IP Filter
rules may need to be reconfgured. Please read the "Filter Rule Actons" segment of this
guide for more informaton on the changes:
htp://www.draytek.co.uk/support/guides/kb-3900-ipflter-basics
Firmware Version
Release Date
Build Date
Revision
Applicable Models
Locale
1.2.1 (Formal Release)
7th September 2016
24th August 2016
r6454
Vigor 3900
UK ONLY
New Features
1.
2.
3.
4.
The router's Online Status can display "Remote DSL" informaton from a Vigor 130 or
Vigor 120v2 modem connected to the router's WAN ports
Support WAN Load Balance by Sessiony confgured in Routng] > Default Route]y the
default is IP-based Load Balancing
Packet Monitor facility added to Diagnostcs] > Data Flow Monitor] to capture
WAN/LAN packets and download as a .pcap fle
Web Content Filter Query Server can now be specifed in Objects Seeng] > Web
Category Object] > Query Server] tab
Improvement
1.
2.
3.
4.
5.
6.
NAT efciency improvements
SSL VPN supports Idle Timeout and Reconnect
APP-Enforcement Signature updated to improve handling of:
i. IM-Google Hangouts
ii. Protocol-DNS
iii. HTTP
iv. SSL/TLS
v. Tunnel-Ultrasurf
vi. VoIP-RC
vii. WebHD-HTTP_Upload
Web interface response tme improved when displaying large numbers of Profles (User
Profley IP Objectsy etc)
Improved TCP SYN+FIN fltering mechanism
Auto DDoS defense added to reduce CPU load if DDoS occurs
Known Issues
1.
2.
3.
High Availability - Updatng from a frmware version <=1.1.0.2: Due to signifcant
changes to High Availability functonalityy existng HA confguraton will be cleared during
the update process and it will be necessary to reconfgure High Availability afer the
update
Disable "Force IPsec with L2TP" opton in VPN and Remote Access] > PPP General
Setup] to allow a standard L2TP tunnely otherwise the L2TP server will allow L2TP with
IPsec only
F/W 1.2.1 Changes the behaviour of the IP Filter. Afer upgrade some IP Filter rules may
need to be reconfgured. Please read the "Filter Rule Actons" segment of this guide for
4.
more informaton on the changes: htp://www.draytek.co.uk/support/guides/kb-3900ipflter-basics
FTP connectons do not work in "actve" modey "passive" mode works normally. This will
be fxed in the next frmware release.
Firmware Version
Release Date
Build Date
Revision
Applicable Models
Locale
1.2.0 (Formal Release)
29th December 2015
3rd December 2015
r5723
Vigor 3900
UK ONLY
New Features
1.
2.
3.
4.
5.
6.
7.
8.
CPUy Memoryy Trafc Tx/Rx usage added to Notfcaton Object]y confgured under
Advanced Seeng tab
Confguraton Backup] > Analysis] displays details of router confguraton on one page
Auto Firmware Upgrade and Auto Firmware Patch now available to simplify update
process
User Management] > Web Portal] new features:
a. Can use SMS as an authentcaton method (requires internet SMS provider
confgured)
b. Opton to block mobile devices if required
c. Customise login & background images in Portal Page Setup
MAC/Vendor Object now supported for use with IP Filter
SMB Server now available under USB Applicaton] menu for fle sharing of connected
USB storage
Now supports SHA2_256 for IPsec VPN tunnel authentcaton
SSL VPN port can now be confgured as a separate port from HTTPS Management under
System Maintenance] > Access Control]
Improvement
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
Improvements to the design and functonality of Applicatons] > High Availability]
Corrected an issue with Port Redirecton which could occur afer upgrading to 1.1.x
frmware
Firewall] > Filter Counter] indicates how many sessions have matched each rule
General improvements to Firewall] menus and syslog output
Improvements to HTTPS fltering when using Web Content Filtering
Specify Remote IP / Host Name to limit Remote Dial-In VPN connectons to that WAN
IP / Hostname only
Bandwidth Limit can now apply to PPTP Remote Dial-In VPN clients
Diagnostcs] > ARP Cache Table] now has an opton to quickly create an IP Object for
listed IP address
Supports Sufx Type in IPv6 Object confguraton
Time Schedule in Filter Rules can now force sessions to clear when the schedule takes
efect
Spotfy can now be blocked with the Applicaton Filter
Can specify which WAN interfaces can be used for remote management
Improvements to Trafc Graph and Data Flow Monitor
QoS Class was not displayed in the Session Table
15.
16.
17.
18.
Support for "esendex" SMS Provider
Custom SMS Provider opton to defne API seengs manually for SMS providers not listed
Improved the SOA Serial Format for Inbound Load Balance DNS response
External Devices can now list up to 200 items
Known Issues
1.
2.
3.
Due to signifcant changes to High Availability functonalityy existng HA confguraton will
be cleared during the update process and it will be necessary to reconfgure High
Availability afer updatng to 1.2.0
Disable "Force IPsec with L2TP" opton in VPN and Remote Access] > PPP General
Setup] to allow a standard L2TP tunnely otherwise the L2TP server will allow L2TP with
IPsec only
F/W 1.2.0 Changes the behaviour of the IP Filter. Afer upgrade some IP Filter rules may
need to be reconfgured. Please read the "Filter Rule Actons" segment of this guide for
more informaton on the changes: htp://www.draytek.co.uk/support/guides/kb-3900ipflter-basics
Firmware Version
Release Date
Build Date
Revision
Applicable Models
Locale
1.1.0.1 (Formal Release)
9th September 2015
27th August 2015
r5461
Vigor 3900
UK ONLY
New Features
(None)
Improvement
1.
2.
3.
4.
5.
6.
7.
8.
Corrected an issue that could cause Port Redirecton to not work afer upgrading the
frmware from 1.0.9 or earlier
Syslog to USB was not writng to USB afer restartng the router
It was not possible to modify the max failed Telnet Login atempts before the router
bans the IP
Netbios names were not displaying in the ARP cache table correctly
Improvements to certfcate handling for the router's HTTPS interface
DNS Sufx (DHCP Opton 15) support added for remote dial-in VPN clients
Upgraded OpenSSL to 0.9.8zg for security updates
Resolves an WAN connectvity issue that could occur afer afer an extended duraton
Known Issues
1. You need to disable "Force IPsec with L2TP" optons for pure L2TP tunnel in VPN and
Remote Access] > PPP General Setup].
2. The upgrade may afect Port Redirecton entries if the router's confguraton has been
upgraded from 1.0.7.1 or previous frmware. To resolve this issuey please use 1.2.0 frmware.
If the router has been factory reset or was installed with 1.0.8 or later frmwarey port
redirecton will work normally.
Firmware Version
Release Date
Build Date
Revision
Applicable Models
Locale
1.1.0 (Formal Release)
6th August 2015
24th July 2015
r5322
Vigor 3900
UK ONLY
New Features
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
SSL VPN LAN to LAN tunnel (Supported from DrayTek Vigor 2960 / 3900 1.1.0 frmware
and Vigor 2860 / 2925 3.8.x frmware).
Internal RADIUS server under User Management] > RADIUS].
APP Enforcement supported app list added under Objects Seengs] > APP Support List].
Added auto/manual APP Signature Upgrade seeng page in System Maintenance] >
APP Signature Upgrade].
System Maintenance] > Access Control] Improvements:
a. Validaton Code in Access Control tab to improve web admin security;o
b. Fail to Ban seeng page to automatcally block IP addresses afer failed login
atempts;o
c. Access Barrier seeng page to protect router services (WUIy FTP etc) from brute
force atack.
Added Switch Rate Limit seeng page in Firewall] > Dos Defense].
Added NAT] > Connecton Timeout] to allow altering the session tmeout of diferent
trafc types i.e. TCPy UDP etc
Wake on LAN can now operate on a schedule by confguring profles in Applicatons] >
Wake on LAN] > Schedule Wake on LAN]
Diagnostcs] > MAC Address Table] added.
Diagnostcs] > User Status] addedy to show PPPoE / Web Portal / VPN / SSL Proxy users
in one locaton.
LAN] > LAN DNS] now supports wild-card strings and CNAME records for individual
LANs using the Specifed LAN opton.
Routng] > Policy Route] Improvements:
d. Priority optons (Normaly Highy Top) for more fexible routng.
e. Country Objects as destnaton addresses.
f. Failover optons for target IP ping failure.
Support for Multcast via VPN.
Router's web interface can now notfy of new frmware upgrades available.
Improvement
1.
2.
3.
4.
5.
Improved DDoS protecton.
SSL VPN seengs now available under VPN and Remote Access] > PPP General Setup].
PPTP Dial-In VPN Profle (LAN to LAN) now supports multple remote subnets.
LDAP/RADIUS support for the router's SSL Proxy facility.
User Management] > Web Portal] > Portal Page Setup] now supports uploading an
HTML fle as the bulletn message.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
Packet Inspecton seengs added under Firewall] > Filter Setup] > Default Policy]
User Management] > User Profle] > Apply All] improved to allow multple choice.
Port Statstcs now shown under Diagnostcs] > Trafc Statstcs].
Session Informaton added to Diagnostcs] > Trafc Graph].
Vendor Informaton added to Diagnostcs] > ARP Cache Table].
Daily / Period tmout seengs added to Web Portal under User Management] > Web
Portal] > General Setup].
Bind IP to MAC can now be applied to specifc subnets.
Supported added for VPN routng through GRE over IPSec tunnel (VPN Trunk).
Keep VPN Seeng opton added to Central VPN Management] > CPE Management].
Alert interval of temperature sensor now confgurable under USB Applicaton] >
Temperature Sensor] > General Setup].
The router could not use a DNS server located on the LAN for DNS queries under some
circumstances.
Trafc was unable to pass between LAN and PPPoE server clients.
Web Content Filter category selecton page improvements.
IP Filter now shows a counter display for matched packets.
Policy Route increased to 120 entriesy Statc Route increased to 200 entries.
Known Issues
1. You need to disable "Force IPsec with L2TP" optons for pure L2TP tunnel in VPN and
Remote Access] > PPP General Setup].
Firmware Version
Release Date
Build Date
Revision
Applicable Models
Locale
1.0.9.1 (Formal Release)
16th February 2015
2nd February 2015
r4765
Vigor 3900
UK ONLY
New Features
(None)
Improvement
1.
2.
3.
4.
5.
6.
The IGMP Proxy feature's compatbility with some ISPs that use PPPoE has been improved.
Support for the Bandluxe C330 USB 3G modem.
SSL VPN now changes tunnel MTU in relaton to the WAN MTU.
PPTP Dial-In User VPN connectons could not access the internet under some circumstances.
Policy Route was not working with return path trafc.
The IPsec opton "Auto Dial Out if WAN1 Down" was stll taking efect afer being disabled in
the WUI.
7. The router's memory usage was higher than normal when using the Data Flow Monitor.
8. The Access Control List was not working correctly under some circumstances.
9. Improvements to ensure immunity to Ghost/CVE-2015-0235
Known Issues
1. You need to disable "Force IPsec with L2TP" optons for pure L2TP tunnel in VPN and Remote
Access >> PPP General Setup.
2. VPN Trunk tunnel should not be used with a profle name over 15 characters.
Firmware Version
Release Date
Build Date
Revision
Applicable Models
Locale
1.0.9 (Formal Release)
24th December 2014
1st December 2014
r4542
Vigor 3900
UK ONLY
New Features
1.
2.
3.
4.
5.
Supports USB 4G/LTE. Check USB]- Modem support list] in the router's web interface
for details.
Supports USB disk /FTP server.
Supports saving Syslog to USB disk.
Supports Policy Route (replacing Load Balance Rule and Address Mapping menus).
IPSec VPN tunnel can now be confgured to pass or block NetBios packets.
Improvement
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
Disabled HTTPS SSL 3.0 for CVE-2014-3566y this can be confgured from the System
Maintenance] > Management] page.
Connecton request notfcatons from Vigor ACS were not authentcated
Could not establish IPv6 statc connecton.
Allow downloading/uploading private key (for Host to LAN VPN by X.509).
Shows the VPN Type/Form felds on VPN History web page.
Improved handling for Duplicated Routes (with Statc Route Metric). When the statc
route metric is <=10y the priority of that statc route will be greater than a VPN route.
Support QoS for VoIP trafc from LAN.
Support "Ping to Keep Alive" feature for detectng whether an IPsec tunnel is able to
pass trafc
Support WAN Port and IP Alias optons for PPTP Dial Out connectons.
Support for RFC 4638 (accommodatng an MTU/MRU larger than 1492 for PPPoE
protocol WAN connectons).
Added STUN server opton to TR-069 seengs.
Added Jumbo Frame seeng under LAN]- Switch]- Jumbo Frame] to edit Maximum
Frame size.
Added a "Clear" buton for the DDNS seengs page.
Bind IP to MAC can now export or import a list of IP / MAC addresses.
Sytem Maintenance] > Access Control] can now be confgured to accept pings from the
WAN on specifed WAN interfaces.
Added “OVH” as service provider for DDNS seeng.
Supports Range-to-many Port Redirecton.
Improve login page customizaton for Web Portal setup.
Changed mechanism of deletng objects.
Known Issues
1.
2.
You need to disable "Force IPsec with L2TP" optons for pure L2TP tunnel in VPN and
Remote Access >> PPP General Setup.
VPN Trunk tunnel should not be used with a profle name over 15 characters.
Firmware Version
Release Date
Build Date
Revision
Applicable Models
Locale
1.0.8.2 (Formal Release)
15th August 2014
13th June 2014
r3968
Vigor 3900
UK ONLY
New Features
(None)
Improvement
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
PPTP connecton stability improved
Web Portal stability improved
Improved: Remove management port seeng which may occupy port redirecton.
Improve the stability of High Availability functon.
Add telnet tmeout if login not completed in 60 seconds
CPU usage is too high when data fow monitor is enabled.
Improved interoperability with SSL VPN client
A problem of WCF license occurred when HA is enabled.
CVM can't perform confguraton backup.
NAT Loopback to LAN More Subnet doesn’t work.
DNS for PPTP Remote dial-in is not assigned according to the LAN Profle.
Reboot with Customized Confguratons bug.
When frewall default policy (block) is usedy HTTP is stll available for access.
Web portal stll supports URL redirect when login mode is disabled.
Packet count error when PPTP acceleraton is enabled.
mOTP User profle cannot be saved without Password.
WAN Priority Bits doesn’t work.
Time object error corrected
WAN]> Switch mode]> double tag] error corrected
Upgrade OpenSSL to 0.9.8za for security updates.
Update WCF (Web Content Filter) to account for Commtouch name change to Cyren.
High Availability improvements
DDNS failover 3G WAN improvements
Known Issues
1. VPN Trunk tunnel doesn't work well when the profle name is more than 15 characters.
2. You need to disable "Force IPsec with L2TP" optons for pure L2TP tunnel in VPN and
Remote Access]> PPP General Setup]
Firmware Version
Release Date
Applicable Models
Locale
1.0.8 (Formal Release)
11th March 2014
Vigor 3900
UK ONLY
New Features
1. Same WAN VLAN ID can be used in diferent WAN interfaces. (WAN >> General Setup Mode:
Advancey Switch Mode: Double Tag)
2. QoS for multple WANs.
3. SNMP v3.
4. Country block for Firewall.
5. WCF white list.
6. LAN DNS server.
7. BGP routng protocol.
8. SSL VPN in tunnel mode
9. Support Web Portal and Hotspot (Guest profle) in User Management.
10. Support PPTP acceleraton for PPTP WAN/Remote Dial-in/LAN to LAN
11. QoS retag opton added
12. VPN dial-out failover if WAN disconnected.
13. Support VPN LAN to LAN for overlap/duplicate subnets.
14. Display the last UP/DOWN log of VPN profle.
15. Add default policy for Firewall and default block policy can be applied.
16. Add IPv6 frewall seengs.
17. Add DNS object.
18. Add a remote capture telnet command (rc)y for trafc monitor and wireshark remote
capture.
19. Add front panel and VPN status on the dashboard.
Improvements
Web User Interface changes
1.
2.
3.
4.
Menu User Managemen]> General Setup] renamed User Management]> Web Portal]
Move IP Routng] from to Routng]> Status Route] and rename as LAN/WAN Proxy ARP]
Move Inter-LAN Route] to LAN]> General Setup] from LAN]> Statc Route]
Move status page to the frst tab of each functon menu.
Others
5.
6.
7.
8.
9.
10.
Support RADIUSy LDAPy Local authentcaton in User Management.
Support NAT opton for IPsec LAN to LAN.
Support LDAP profle in Firewall.
Support rato confguraton for VPN Load Balancing.
Port number seeng for Access Control in WAN IP alias can be passed to LAN by default.
Notfcaton object can be recorded on Syslog through the confguraton on
Applicatons]> SMS/Mail Alert Service]
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
Support Local/RADIUS/LDAP authentcaton for PPTP/L2TP/PPPoE
Inter-LAN route priority changed so that IP flter can control
Support connecton failover for TR-069.
Display router name in web page ttle.
IPsec VPN dial-in connecton with all WANs is supported in default.
Support RFC3021.
Combine IM/P2P/Protocol object to App Object for blocking more Apps.
Management Access Control List increased up to 16 entries
Support peer identty for IPsec RSA authentcaton.
Support password encode opton for confguraton backup.
Support more special characters in username for user profle.
Number of SSL web proxy/VNC/RDP profles increased to 30
Support customized DDNS.
Support acceleraton of fragmented UDP packets (maximum 1628 bytes).
Support DHCP opton 95 (LDAP server)y 161(FTP server)y and 162 (File path)
Support more subnet DHCP servers in Bind IP to MAC.
Support DHCP relay over LAN/Non-Direct-Connected LAN.
Support DHCP relay seengs for PPTP/L2TP/PPPoE.
Support open port to the host in remote VPN network.
Default route cannot work well when two WAN IPs are in the same IP network.
Firmware Version
Release Date
Build Date
Revision
Applicable Models
Locale
1.0.7.1 (Formal Release)
13th November 2013
12th November 2013
r3067
Vigor 3900
UK ONLY
New Features
(None)
Improvement
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
Support USB-WAN for WAN Profle under the Seeng tab in Applicaton>> Dynamic DNS.
Support WCF (web content flter) in High Availability (HA) applicaton.
Modify the mechanism for IP fltery "if no further match" acton.
Add a subnet mask seengy 255.255.255.254y for WAN IP confguraton.
Added opton disable negotaton for Fiber WAN under the Interface tab in WAN>>Switch.
‘space’ special character can be used in the username for LDAP
QoS IP rule can apply the packets passing through both Local IP and Remote IP.
Improved PPTP service mechanism for multple simultaneous LAN to LAN dial-ins
Corrected: Can not block / unblock some IPs on Diagnostcs>>Data Flow Monitor.
Corrected issue with ICMP packets larger than 8138 bytes over IPSec LAN to LAN tunnel.
Corrected: The user can not access Internet when QoS queue weight is set as “0”.
Corrected: Lower the priority of Inter-LAN routng functon.
Corrected: LAN DHCP packets do not respond while LAN DHCP Server is OFF.
Corrected: Can’t accept L2TP VPN from (None) default route WAN.
Corrected: RADIUS client (Vigor router) sends wrong NAS IP address (127.0.0.1).
Corrected trafc status of DHCP over IPsec in VPN Connecton Management.
ARP detecton may fail when WAN TX trafc is full.
Corrected: SMS can't be sent out when L2TP over IPsec is up and down.
Known Issues
1. VPN Trunk tunnel doesn't work well when the profle name is more than 15 characters.
2. You need to disable "Force IPsec with L2TP" optons for pure L2TP tunnel in VPN and
Remote Access]> PPP General Setup]
Firmware Version
Revision
Release Date
Build Date
Applicable Models
Locale
1.0.7 (Formal Release)
2733
2nd Sept 2013
27th Aug 2013
Vigor 3900
UK ONLY
New Features
1.
2.
3.
4.
5.
6.
Support Central VPN Management (CVM). Up to 16 devices can be managed.
Support 3G backup/load balance.
Support inbound load balance.
Support VPN Trunk failover mode.
Support PPPoE quota seeng and MAC address flter.
Support USB temperature sensor. htp://www.draytek.co.uk/products/usbthermometer.html
7. Support SMSy Email Alert and Notfcaton object profles for WAN/VPN connecton and USB
temperature sensor.
Improvement
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
Improved: Support SmartMonitor users up to 500.
Improved: VPN Trunk throughput and stability.
Improved: By default disable insecure SSL Encrypton Key Algorithms
Improved: Support DHCP relay on VPN.
Improved: Add Actve Standby mode for High Availability (HA).
Improved: QoS redesigned
Improved: Username reported to Syslog
Improved: Add opton 60(Vendor ID)y 61(Client ID) for WAN DHCP mode.
Improved: Add default maximum session number for Session limit.
Improved: Add fow control seengs for Switch.
Improved: Add user defned optons for DHCP server.
Improved: Improve DMZ functon.
Improved: Add log and force update functon for DDNS.
Improved: Add Force L2TP with IPsec policy opton enabled in default.
Improved: Corrected causes for high CPU usage being displayed in Web UI
Improved: Stability in TR-069.
Improved: Firmware upgrade speed.
Fixed: Time object cannot work correctly when daylight saving is enabled.
Known Issues
1. VPN Trunk tunnel doesn't work well when the profle name is more than 15 characters.
2. You need to disable "Force IPsec with L2TP" optons for pure L2TP tunnel in VPN and
Remote Access]> PPP General Setup]
Firmware Version
Release Date
Build Date
Applicable Models
Locale
1.0.6.1 (Formal Release)
10th April 2013
25th March 2013
Vigor 3900
UK ONLY
New Features
(None)
Improvement
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
NAT Port Redirecton Rule for FTP server didn't work with two WAN connecton
Customized web content message would disappear afer rebootng the router
Improvements to VPN Trunk tunnel where profle name are long
PPTP connecton display error in VPN Graph for syslog utlity
PPTP WAN could not dial-up if the server was set with a domain name
Fixed issue with ping to VPN remote network working afer clicking WAN DHCP Renew
Buton via web user interface
Fixed Session limit rule notapplying the correct limit due to subnet mask caculaton error
Fixed that WAN status displays “up” when the WAN cable is unplugged and WAN detect
mode is set with “(None)”
Corrected an issue with SNMP set/get Community seeng
Resolved that VPN trafc wouldn't fow while one of the VPN GRE tunnels is disconnected
Corrected issue preventng some vLAN users from accessing Internet via Browser
Improved DHCP renewal interoperability
Fixed LAN VLAN confguraton issues afer restoring the web confguraton
Corrected WAN1 MAC address used
Improved SIP ALG feature
Fixed that IPSec tunnel uptme would not reset afer VPN reconnecton
Corrected PPTP sessions problem that would prevent new network connectons being setup
Corrected that a PC from remote subnet could't access Internet via PPTP LAN to LAN tunnel
Improvments to IPv6 trafc handling via AICCU
Improved load balance where multple PPPoE connectons have the same gateway
Corrected issue where multple WAN disconnectons could prevent VPN Trunk from
reconnectng
Added informaton for remote network connected with GRE over IPsec to Routng Table
Corrected issue where enabling Perfect Forward Secrecy in VPN client could prevent
connecton
Display issue with transmited/received (TX/ RX) packets in Connecton Management fxed
for VPN clients behind NAT
Improved parameters stability for TR-069
Improved throughput between diferent VLANs
Added sending ARP for WAN Alias IP to WAN Gateway when connected
Added support for VPN on Alias WAN IP and IP Routng IP
Add mail alert when VPN is up
30. High availability improvements
Known Issues
1. VPN Trunk tunnel profle names should be kept to less than 15 characters.
Firmware Version
Release Date
Build Date
Applicable Models
Locale
1.0.6 (Formal Release)
2nd Jan 2013
6th Nov 2012
Vigor 3900
UK ONLY
New Features
1.
2.
3.
4.
5.
6.
VPN(IPSEC) Routng Acceleraton
Supports PPPoE server for LAN PC connecton
Support VPN Alarm via E-mail & Syslog
Support VPN Graph for syslog utlity
Support PPP mode for IPv6
Support domain name for IPSec/PPTP dial-out
Improvements
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
1.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
URL flter can block HTTPS connecton by host keyword
WCF support htps block by web category
Add QQ account flter for Firewall
WAN4 is regarded as physical DMZ port
Add tme schedule for session limit and bandwidth limit
Web content flter (WCF) stability improvements
Data fow monitor resource allocaton improvements
DHCP server cannot work when Mult-LANs is confgured
Hosts under routng LAN can not access into the router
Confguraton backup may fail
UPnP improved
Changing web port could prevent User management from working
WebUI server security improvements
IPsec RX/TX packets count may have error afer entering phase2 rekey
L2TP connecton status error afer disconnecton.
16 Cannot create IPsec VPN in aggressive mode when selectng AES as IKE phase 1
encrypton.
PPTP dial-in may fail while using statc IP mode.
VPN load balance may not work afer connecton reconnects
SSL Applicaton doesn't work when HTTPS port is not set with 443.
Support PPTP dial on demand and idle tmeout.
Support URL flter rules move up/down.
Support VLAN priority in LAN/WAN interface.
Support QoS packet by DifServ (DSCP/TOS) for outgoing packet.
Let the user profle password support more special characters in standard ASCII table.
Show the IP binding with MAC in DHCP table.
Mail Alert Send test e-mail buton added
Add 36 regions tme zone optons for NTP.
Improve user management login process.
28. Add Common Name Identfer feld in LDAP confguraton.
29. Add an opton for DDNS to select Internet IP or WAN IP.
Known Issues
1. VPN Trunk tunnel profle names must be less than 15 characters.
Firmware Version
Release Date
Applicable Models
Locale
1.0.5 (Formal Release)
4th Sept 2012
Vigor 3900
UK ONLY
First Firmware Release
Known Issues
- Devices on non-NAT subnets are unable to access the routers management interface
[END OF FILE]