Early Access ER8411 V1 1.2.2_Build_20240809 Pre-Release Firmware (Updated on Aug 12th, 2024)
This Article Applies to
ER8411(UN) V1 1.2.2 20240718(Pre-Release)
ER8411(UN) V1 1.2.2 20240809(Pre-Release)
Release Notes
Modifications:
1. Update OpenSSL version.
2. Support OpenVPN GCM algorithm.
Bug Fixed:
1. Fixed the issue that URL filter does not take effect when the browser enabled TLS 1.3 hybridized Kyber support.
2. Fixed some known security vulnerabilities.
3. Fixed some bugs and issues. (Build 20240809)
Firmware Download
Before the Upgrade
(1) Please be sure you have read the Beta Test Agreement before upgrading the Beta/Pre-released firmware!
(2) You may follow the following guide to upgrade your Omada devices. How to Upgrade/Downgrade Omada Gateways
Firmware Download Link
ER8411(UN) V1_1.2.2_Build_20240718 (Pre-Release)
ER8411(UN) V1_1.2.2_Build_20240809 (Pre-Release)
Notes:
(1) The above firmware is applied to ER8411(UN) V1.
(2) Your device’s configuration won’t be lost after upgrading.
Additional Information
All feedback is welcome, including letting us know about successful device upgrades.
To get better assistance, you may check Tips For Efficiently Reporting an Issue In The Community.
If somehow you encounter an issue during or after the router upgrade, it's suggested to contact us with the following info:
- Omada Controller version
- Device Firmware version with Build number (previous and current)
If your router gets bricked during the firmware upgrade, you may follow the guide below to recover the firmware.
How to use the Emergency Mode to recover the firmware for Omada Gateways
Update Log
Aug 12th, 2024:
Update the firmware.
July 19th, 2024:
Release of this post.
Recommended Threads
Get the Latest Firmware Releases for Omada Routers Here - Subscribe for Updates
Get the Latest Omada SDN Controller Releases Here - Subscribe for Updates
Experience the Latest Omada EAP Firmware - Trial Available Here, Subscribe for Updates!
Current Available Solutions to Omada Router Related Issues [Actively Updated, Post for Subscription]
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
yes that worries me with the ER8411 it is so crazy far off spec. The ER706W is much closer. OpenVPN client on ER706W is in the range 100-150 Mbps ER8411 against the same OpenVPN server is ridiculously bad in comparison.
but there will be an update on OpenVPN soon, I hope ER8411 will be better then..
- Copy Link
- Report Inappropriate Content
Their specs make no sense, Wireguard 1411 Mbps, OpenVPN 4424.1 Mbps....To me it seems like for Wireguard they are giving you best case scenario PER tunnel. For OpenVPN it looks like they are giving you the TOTAL. From the logs i can see both protocols run on a single core. So for OpenVPN 4424.1/4 = 1106 Mbps per user. I was seeing much less, like 1/3 of that.
For Wireguard I was seeing closer to the advertised speed, but still about 40% short, which could be a difference in testing, their numbers might be on LAN using IPerf3 with a higher MTU....Actually using it to connect through the internet remotely is different because in the best case scenario your MTU is locked to 1460. In my case i am locked to 1474 by ISP, then subtract another 40 for vpn overhead = 1434 mtu on vpn connection.
I'm seriously considering turning the ER8411 into a smart switch and for the omada controller and buying a Minisforum MS-01 and putting it infront of it. Have the MS-01 do the PPPoe, DHCP routing, VPN.
Edit:
See https://github.com/cyyself/wg-bench - no way we can hit those speeds, the ER8411 is closer to a Raspberry Pi4 overclocked to 2ghz, so around 1020 Mbps maybe 10% more because we are at 2.2ghz, so 1122 Mbps which minus my MTU loss is about 1072 Mbps, which is pretty close to what i was seeing. Now... Wireguard is 3.2x faster than OpenVPN, so 335Mbps, which is pretty much right where I saw my highest result.
- Copy Link
- Report Inappropriate Content
Hi @Radmeister @MR.S
Thanks for posting in our business forum.
Radmeister wrote
Their specs make no sense, Wireguard 1411 Mbps, OpenVPN 4424.1 Mbps....To me it seems like for Wireguard they are giving you best case scenario PER tunnel. For OpenVPN it looks like they are giving you the TOTAL. From the logs i can see both protocols run on a single core. So for OpenVPN 4424.1/4 = 1106 Mbps per user. I was seeing much less, like 1/3 of that.
For Wireguard I was seeing closer to the advertised speed, but still about 40% short, which could be a difference in testing, their numbers might be on LAN using IPerf3 with a higher MTU....Actually using it to connect through the internet remotely is different because in the best case scenario your MTU is locked to 1460. In my case i am locked to 1474 by ISP, then subtract another 40 for vpn overhead = 1434 mtu on vpn connection.
I'm seriously considering turning the ER8411 into a smart switch and for the omada controller and buying a Minisforum MS-01 and putting it infront of it. Have the MS-01 do the PPPoe, DHCP routing, VPN.
Edit:
See https://github.com/cyyself/wg-bench - no way we can hit those speeds, the ER8411 is closer to a Raspberry Pi4 overclocked to 2ghz, so around 1020 Mbps maybe 10% more because we are at 2.2ghz, so 1122 Mbps which minus my MTU loss is about 1072 Mbps, which is pretty close to what i was seeing. Now... Wireguard is 3.2x faster than OpenVPN, so 335Mbps, which is pretty much right where I saw my highest result.
Just point out that even though you have a super powerful CPU does not mean that your device can de- and encryption well enough to go beyond the limit. There is no chipset on the computer to de- and encrypt like the router. You might have a module, but you have to refer to your CPU vendor specs and check if the environment is ready for acceleration.
As you know, both of you are very sophisticated network and computer geeks, the hyped concept now is AI CPU, with an extra chipset for AI generation. So does the VPN which requires the extra chip for the de- and encryption.
I did a test with the 8-core CPU, just a generic latest gen of AMD. On that PC, I don't get more than 600Mbps as an OVPN client to the ER8411 where another PC is the iperf server.
I asked the team about this and basically, all the computers we have to test have the same limit of 500-600Mbps speed.
Proper test methodology for you two to clear misconceptions up:
Use two ER8411, one client, and one server, and use two machines to iperf that. With a gigabit port, you should get a decent speed over the result you see now.
If you pair up ER8411 and the rest of other products of Omada, which do not have any better performance than hundreds of Mb, you definitely would not get some good results.
- Copy Link
- Report Inappropriate Content
Are you doing your testing between two ER8411 on lan or over internet? If you are on LAN you can cheat and set all the MTUs higher and get more performance.
Thats kind of an irrelevant test because why would anyone run a VPN tunnel on LAN. Whole point is to securely access a remote site.
My setup is 3000Mbps/3000Mbps fibre (line speed is actually 3400/3200Mbps going into the ER8411 10gb sfp using an authentic tp-link sfp to rj-45 transceiver. In the ER8411 I have the OC-300 controller, a bunch of printers and other appliances that don't need more than 1gb. Then I have the tp-link sfp to sfp 10gb cable going into the TP-link Omada 2.5gb POE switch. All the computers on the 2.5gb switch hit 2.5gb on all speed tests. I also have a Omada EAP690e HD plugged into the switch and on wifi I hit about 1.6gbps. So I don't think anything is wrong with my setup.
I am quite confident that my 13950HX CPU with 64gb of ram and pcie gen 4 nvme should get more than 300Mbps on OpenVPN and more than 1Gbps on Wireguard when there are celeron based routers hitting multi gig speeds. There is either something is wrong in your software or your numbers are incorrect. Theoretically it should not be possible for your OpenVPN speeds to be 3x higher than Wireguard, should be the other way around, also unless you have a hardware accelerator that is not listed in the specs, there is no way that a A72 4 core at 2.2ghz would hit the advertised OpenVPN speeds. Had I done more research I would have purchased the Minisforum MS-01 from the start.
I would seriously love to see an Iperf3 test, site to site over internet showing anywhere close to 4000Mbps single user OpenVPN performance. My bet is you won't hit anything above 350Mbps, I wasn't even consistently getting that and my site to site latency is 4ms. The fact you didn't get above 600Mbps in your testing at the very least proves the specs are wrong - like wayyyy wrong, 7x wrong.
- Copy Link
- Report Inappropriate Content
Hi @Radmeister
Thanks for posting in our business forum.
Radmeister wrote
Are you doing your testing between two ER8411 on lan or over internet? If you are on LAN you can cheat and set all the MTUs higher and get more performance.
Thats kind of an irrelevant test because why would anyone run a VPN tunnel on LAN. Whole point is to securely access a remote site.
My setup is 3000Mbps/3000Mbps fibre (line speed is actually 3400/3200Mbps going into the ER8411 10gb sfp using an authentic tp-link sfp to rj-45 transceiver. In the ER8411 I have the OC-300 controller, a bunch of printers and other appliances that don't need more than 1gb. Then I have the tp-link sfp to sfp 10gb cable going into the TP-link Omada 2.5gb POE switch. All the computers on the 2.5gb switch hit 2.5gb on all speed tests. I also have a Omada EAP690e HD plugged into the switch and on wifi I hit about 1.6gbps. So I don't think anything is wrong with my setup.
I am quite confident that my 13950HX CPU with 64gb of ram and pcie gen 4 nvme should get more than 300Mbps on OpenVPN and more than 1Gbps on Wireguard when there are celeron based routers hitting multi gig speeds. There is either something is wrong in your software or your numbers are incorrect. Theoretically it should not be possible for your OpenVPN speeds to be 3x higher than Wireguard, should be the other way around, also unless you have a hardware accelerator that is not listed in the specs, there is no way that a A72 4 core at 2.2ghz would hit the advertised OpenVPN speeds. Had I done more research I would have purchased the Minisforum MS-01 from the start.
I would seriously love to see an Iperf3 test, site to site over internet showing anywhere close to 4000Mbps single user OpenVPN performance. My bet is you won't hit anything above 350Mbps, I wasn't even consistently getting that and my site to site latency is 4ms. The fact you didn't get above 600Mbps in your testing at the very least proves the specs are wrong - like wayyyy wrong, 7x wrong.
1. The test should be the maximum performance. It does not really matter if it is WAN or LAN. The datasheet should reflect the max speed of the capability of a product.
Why it is irrelevant?
2. Intel and AMD both support CPU acceleration for AES but unless you find it and enable it. I did not try it on my PCs but you should do that.
3. Powerful CPU does not mean anything. I got an AMD 5600G and 5800x, 8-core AMD mobile 8840HS and 14900HX mobile, and Pi5(8G), which means nothing to the acceleration as there is no option to accelerate. GPU acce is not an option as well. I got things from 4090 to 4060. I am thinking about a NUC like Minisforum but nowadays pre-built computers do not have extra chips for acceleration. I am running an Openwrt with several cores on 5600G.
CPU does not even use all the cores to de/encrypt.
As my office test bench is not 10G port, the computer belongs to the company property, so I cannot use 10G NIC on it. Gigabit and will use my own laptop to test that 1Gbps speed.
I requested another 8411 and am waiting to check the inventory. I'll try out the test when I have an environment.
- Copy Link
- Report Inappropriate Content
Hello dear 8411 developers! I found some time for composing Total bug-report.
Most of the bugs I found migrated from 6120 router that I utilised for 5 years.
I will mark bugs OLD as from 6120 and NEW as found in 8411 only,
I will range bugs from most serious to cosmetical.
1. NEW. CPU extra loads when any of interfaces changing/enabling/disabling. All the traffic will hangs at this time at all other WANs. The same situation is when enabling/disabling Policy Routes, but this is caused only for Traffic to exact route that enabling/disabling.
2. NEW. OpenVPN and WGuard clients have no Interface for Static or Policy routing. Older L2TP/PPTP could be used in the routing.
3. OLD. Policy Routing is going to works wrong after few hours of operating. Some of LAN users got Policy Routing gateway as a Default gateway, this bug is very specific and I'm not shure that you can simulate it without traffic from 100+ users and 30+ Policy Routings.. All other users have a problems with random site browsing. Trace Route is works correctly at this moment. I leave only 4 Policy Routings and re-setupped 30+ Static Routing => works fine. The problem could be temporary solved by pressing disable/enable button for the exact Policy Route.
4. OLD. DHCP Problem. If to resetup MAC for some of my 100+ user it will caused problem in ~50% of the cases. User will not get IP binded for his new MAC at his old IP. Problem is solved by 8411 (6120) rebooting but it so looong rebooting..
5. OLD. Online Detection. Dynamic IP WAN will not going back online after been ofline more than ~15 mins if WAN interface was UP (LAN signal is on). WAN port must be UP all this 15 mins. No problem if WAN port gone down (LAN signal is off) and up after 15 mins. Also sometimes WAN provider is loosing 40-50-60% of the packets and still could be detected as ONLINE. Please add some Persantage of LOSS to accept WAN as Online. For example if Loss > Y% then WAN is Offline. Y% is variable by me.
6. NEW. OpenVPN server clients traffic Ignoreing static/policy routing. All the traffic from OpenVPN users gone to Default gateway only, never by static/policy route.
7. (Cosmetic) DPI statistics calculating wrong and could not be resetting.
8. (Cosmetic) SFP+ WAN1 is not used but dispayed in Statistics.
Thanks for reading this. If someone have the similar bugs please add your cases.
Best Regards.
- Copy Link
- Report Inappropriate Content
In addition a picture that describes why I've stop useing Policy Routing and changed it to Static Routing after 18:00. This ping made to one of the routes and was ~300ms by Policy and ~4ms by Static. Traffic pass throug is also better x4-5 times if to use Static.
- Copy Link
- Report Inappropriate Content
Hi @avpopov1977
Thanks for posting in our business forum.
avpopov1977 wrote
Hello dear 8411 developers! I found some time for composing Total bug-report.
Most of the bugs I found migrated from 6120 router that I utilised for 5 years.
I will mark bugs OLD as from 6120 and NEW as found in 8411 only,
I will range bugs from most serious to cosmetical.
1. NEW. CPU extra loads when any of interfaces changing/enabling/disabling. All the traffic will hangs at this time at all other WANs. The same situation is when enabling/disabling Policy Routes, but this is caused only for Traffic to exact route that enabling/disabling.
2. NEW. OpenVPN and WGuard clients have no Interface for Static or Policy routing. Older L2TP/PPTP could be used in the routing.
3. OLD. Policy Routing is going to works wrong after few hours of operating. Some of LAN users got Policy Routing gateway as a Default gateway, this bug is very specific and I'm not shure that you can simulate it without traffic from 100+ users and 30+ Policy Routings.. All other users have a problems with random site browsing. Trace Route is works correctly at this moment. I leave only 4 Policy Routings and re-setupped 30+ Static Routing => works fine. The problem could be temporary solved by pressing disable/enable button for the exact Policy Route.
4. OLD. DHCP Problem. If to resetup MAC for some of my 100+ user it will caused problem in ~50% of the cases. User will not get IP binded for his new MAC at his old IP. Problem is solved by 8411 (6120) rebooting but it so looong rebooting..
5. OLD. Online Detection. Dynamic IP WAN will not going back online after been ofline more than ~15 mins if WAN interface was UP (LAN signal is on). WAN port must be UP all this 15 mins. No problem if WAN port gone down (LAN signal is off) and up after 15 mins. Also sometimes WAN provider is loosing 40-50-60% of the packets and still could be detected as ONLINE. Please add some Persantage of LOSS to accept WAN as Online. For example if Loss > Y% then WAN is Offline. Y% is variable by me.
6. NEW. OpenVPN server clients traffic Ignoreing static/policy routing. All the traffic from OpenVPN users gone to Default gateway only, never by static/policy route.
7. (Cosmetic) DPI statistics calculating wrong and could not be resetting.
8. (Cosmetic) SFP+ WAN1 is not used but dispayed in Statistics.
Thanks for reading this. If someone have the similar bugs please add your cases.
Best Regards.
Some are not bugs but normal features or expected behavior of the device.
1. Normal.
2. They don't support PBR and Static Routing yet. PBR is expected to be on V5.15.
If you are new to the forum, please kindly visit the request page for existing requests.
3. You can start a new thread with the details posted. There is no feedback ranges from the basic model to the 8411. I think there must be some misunderstanding in your test.
As you mentioned if the traceroute is working properly then this means the feature is working normal. Unless you are providing something else in your new thread if you think you'd follow this up.
4. Start a new thread to illustrate this. Just FYI, if your imported IP-MAC binding or reserve anything, you should reconnect the clients so they refresh the IP addresses. Not sure if you didn't refresh it.
Long rebooting is normal when the configs increase. The more config you have to load, the longer bootup time that is.
5. Start a new thread. I require an illustration and your verification steps and results. I require this information for the points above and below.
You can read this before you start a new thread: Common Questions About the Load Balancing, Link Backup(Failover) & Online Detection
6. It does not support. Repeated in point 2. And note that the OVPN is determined by the server tunnel mode. If you have any questions on this, please check out the OVPN docs.
7. How do you judge and conclude this result?
I mean the DPI calculates the packets and you have more accurate stats by digging the packets? Which concludes and consists of your comment?
8. As long as a port is defined as WAN, it will display in the WAN stats. What do you mean?
- Copy Link
- Report Inappropriate Content
Hello! can you connect p2p to me please?
I've tried to wright personal message but it was rejected by forum.
- Copy Link
- Report Inappropriate Content
Hi @avpopov1977
Thanks for posting in our business forum.
avpopov1977 wrote
Hello! can you connect p2p to me please?
I've tried to wright personal message but it was rejected by forum.
What do you mean? My message is not open to others.
If you have steps to illustrate, please place them publicly. I do not offer private support.
If you need to put this off the record, forum, you can contact the support team.
Please mosaic your sensitive information. Here is a list of information considered sensitive:
1. Public IP address on your WAN if your WAN is.
2. Real MAC address of your device.
3. Your personal information including address, domain name, and credentials.
For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 4932
Replies: 61
Voters 0
No one has voted for it yet.