Gluon 2025.1
Major updates and notices
This release is based on the latest OpenWrt 24.10 release branch. It ships with Linux kernel 6.6.y, wireless-backports 6.12.y and batman-adv 2024.3.
Updates are only supported from v2022.1 and later.
The following devices can’t be updated automatically due to breaking changes in OpenWrt, requiring manual steps to adjust the flash layout:
Ubiquiti EdgeRouter-X (upgrade instructions)
Xiaomi AX3200 (upgrade instructions)
Added hardware support
ath79-generic
ipq40xx-generic
Extreme Networks
WS-AP3915i
Linksys
MR8300
VLP01
WHW01
WHW03 v1, v2
NETGEAR
RBR50 v1
RBS50 v1
SRS60
SRR60
ipq806x-generic
Ubiquiti
UniFi AC HD
lantiq-xrx200
AVM
FRITZ!Box 7430
lantiq-xrx200_legacy
This is a new target.
The following device previously found in the lantiq-xrx200 target is now built as part of lantiq-xrx200_legacy:
TP-Link
TD-W8970 v1
mediatek-filogic
ASUS
RT-AX52
TUF-AX6000
Cudy
AP3000 Outdoor v1
TR3000 v1
WR3000e v1
D-Link
AQUILA PRO AI M30 A1
AQUILA PRO AI M60 A1
GL.iNet
GL-MT2500
OpenWrt
OpenWrt One
Wavlink
WL-WN573HX3
Xiaomi
AX3000T (Stock, ubootmod)
mediatek-mt7622
NETGEAR
WAX206
mvebu-cortexa53
This is a new target.
GL.iNet
GL-MV1000
qualcommax-ipq807x
This is a new target.
Xiaomi
Mi AIoT Router AX3600
ramips-mt7621
D-Link
DIR-878 A1
DIR-882 A1
NETGEAR
EAX11 v2
EAX12
EAX15 v2
Ubiquiti
UniFi nanoHD
ramips-mt76x8
Cudy
TR1200 v1
TP-Link
Archer C50 v6
TL-WR902AC v4
Xiaomi
Mi Router 4A 100M International Edition v2 (R4ACv2)
rockchip-armv8
FriendlyElec
NanoPi R3S
Removed hardware support
realtek-rtl838x
The realtek-rtl838x target has been removed with its only device, the D-Link DGS-1210-10P. The device had never been working properly and is not an appropriate platform for batman-adv-based mesh routing.
New Features
Autoupdater HTTPS support (#3463)
Autoupdater mirror URLs can use HTTPS now if the tls feature is enabled in the image customization. There are two options for specifying HTTPS URLs:
With https:// scheme: HTTPS is mandatory. The build will fail if the tls feature is not enabled.
Without scheme (//): Use HTTP or HTTPS depending on the availability of the tls feature. This allows using the same URL when enabling tls only for some targets, while leaving it disabled for devices with insufficient flash.
When tls is enabled, HTTPS will always be used for such URLs. No fallback to HTTP happens at runtime if the HTTPS connection fails.
mirrors = {
-- Always uses HTTP
'http://autoupdate.alpha-centauri.freifunk.net/firmware/stable/sysupgrade/',
-- Always uses HTTPS (requires the tls feature in image-customization.lua)
'https://autoupdate2.alpha-centauri.freifunk.net/firmware/stable/sysupgrade/',
-- Uses HTTP or HTTPS depending on the tls feature in image-customization.lua
'//autoupdate3.alpha-centauri.freifunk.net/firmware/stable/sysupgrade/',
}
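The scheme rules above, modelled as an added example (not Gluon's own code; resolve_mirror and audit are hypothetical names) and run over the mirror list from the site.conf snippet for both a tls and a non-tls image, to show which mirrors end up on plaintext HTTP:

```lua
-- Added example, not Gluon's code: models the mirror URL rules above.
-- resolve_mirror() and audit() are hypothetical helper names.

-- Returns the URL that would be fetched, or nil plus a reason for the
-- one combination the release notes say fails at build time.
local function resolve_mirror(url, tls_enabled)
  if url:sub(1, 8) == 'https://' then
    if not tls_enabled then
      return nil, 'https:// mirror needs the tls feature (build fails)'
    end
    return url
  elseif url:sub(1, 7) == 'http://' then
    return url
  elseif url:sub(1, 2) == '//' then
    -- Scheme is fixed by the image's feature set; no runtime fallback.
    return (tls_enabled and 'https:' or 'http:') .. url
  end
  return nil, 'unsupported mirror URL form'
end

-- Classifies each mirror as 'https', 'plaintext' or 'error'.
local function audit(mirrors, tls_enabled)
  local report = {}
  for _, url in ipairs(mirrors) do
    local effective, err = resolve_mirror(url, tls_enabled)
    local status = 'error'
    if effective then
      status = effective:sub(1, 8) == 'https://' and 'https' or 'plaintext'
    end
    report[#report + 1] = { status = status, url = effective or url, reason = err }
  end
  return report
end

-- Mirror list taken from the site.conf example above.
local mirrors = {
  'http://autoupdate.alpha-centauri.freifunk.net/firmware/stable/sysupgrade/',
  'https://autoupdate2.alpha-centauri.freifunk.net/firmware/stable/sysupgrade/',
  '//autoupdate3.alpha-centauri.freifunk.net/firmware/stable/sysupgrade/',
}

for _, tls in ipairs({ true, false }) do
  print('tls feature ' .. (tls and 'enabled' or 'disabled'))
  for _, r in ipairs(audit(mirrors, tls)) do
    print(('  %-9s %s %s'):format(r.status, r.url, r.reason or ''))
  end
end
```

On an image built without tls, the // mirror resolves to http://, so a fleet that enables tls only on some targets still has nodes fetching from that mirror in plaintext.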
Include support in image-customization.lua (#3148)
Image customization now supports the include() function to include another Lua file, allowing for easier code reuse. See the image customization documentation for details.
brmldproxy – Bridge MLD Proxy (#2995)
The new gluon-mesh-batman-adv-brmldproxy package can be used to reduce overhead in multicast routing between different domains and sites. Note that by itself, this does not enable multicast routing.
Optimized multicast forwarding
The gluon-ebtables-filter-multicast package filters many kinds of multicast packets when they would be flooded through the whole mesh, but it allows packets that are only forwarded to a limited number of nodes. In earlier versions of Gluon, this allowed multicasts with up to 16 destination nodes, as these were sent as separate unicasts instead of broadcasting them.
batman-adv 2024.3 has introduced a new multicast packet type, which adds support for more directed forwarding of multicast packets without duplicating them for each destination, allowing packets with a higher number of destinations not to be filtered by the ebtables filter.
Other new features
Dropbear now supports Ed25519 (host and user) SSH keys on all targets (#3488)
With the new feature harden-dropbear enabled in the image customization, the dropbear server will be disabled completely outside of config mode when no password and no authorized keys have been configured (#3541)
The status page now displays the VPN public key unless disabled via the pubkey_privacy site setting (#3554)
respondd now reports a device’s target, subtarget and autoupdater image name (#3496)
gluon-info now shows the autoupdater enable status and branch name (#3484)
Airtime limits are applied to multicast/broadcast packets as well now (#3208)
Added configuration of the authentication method to the web-cellular interface (#3307)
Added gluon-radvd prefix lifetime configuration in site.conf (#3570)
Added per-interface hop penalty configuration via UCI (#3454)
Removed Features
Tunneldigger Mesh VPN support has been dropped (#3109)
Tunneldigger support was deprecated in Gluon v2023.2 and has been subsequently moved to community-packages.
Babel protocol support has been dropped (#3105)
The experimental and unmaintained support for the Babel mesh routing protocol has been removed from Gluon.
Bugfixes
Fixed using WAN/uplink DNS servers with global IPv6 addresses (#3617)
WireGuard: fixed setting MTU configured in site.conf (#3258)
Disable default handling of WPS button conflicting with config mode activation (#3557)
Various improvements have been made to stability of the MT76 WLAN driver (#3261, #3436, #3621)
Other
Old opkg public keys are deleted on upgrades now (#3465)
Avoid more and more old key files accumulating with every upgrade.
The gluon-wan command has been renamed to gluon-wan-dns (#3547)
The command only affects DNS requests, other packets are still routed through the mesh.
gluon-scheduled-domain-switch: removed connection check address configuration (#3536)
Instead of trying to ping explicitly configured addresses, a node is now considered offline when no NTP sync is possible.
Binaries are stripped using regular strip instead of sstrip by default now (#3295)
Allow objdump and gdb to work as expected, at the cost of slightly increasing image sizes.
GLUON_DEBUG can be set to 0 (use sstrip), 1 (default, use strip) or 2 (don’t strip, keep debug info) in site.mk or on the make command line.
Build metainformation like kernel and rootfs sizes are emitted to the output/meta directory (#3097)
On AVM FRITZ!Box 7520/7530, the LAN1 port is used as WAN now by default (#3312)
Internal changes
gluon-wan-dnsmasq: run in a ujail sandbox for privilege reduction (#3464)
Targets with the small_flash flag (lantiq-xrx200_legacy and ramips-mt76x8) do not include ujail by default and run dnsmasq without sandbox.
Added migration for x86 Ethernet driver load order change (#3612)
Between OpenWrt 23.05 and 24.10, the load order of some kernel modules was changed, potentially resulting in Ethernet interfaces changing names if multiple different drivers are in use. In particular, this affects the Intel igc and Realtek r8169 drivers.
When upgrading from older Gluon versions to v2025.1 or newer and such a combination of drivers is detected, the roles of the “LAN” and “WAN” interfaces are switched, and the interface names for custom VLAN role configurations are adjusted. In most common cases this should avoid breaking connectivity, but it does not cover setups with more than two Ethernet interfaces when the abovementioned drivers are involved.
Wireless configuration has been moved to /etc/config/gluon (#3563)
All wifi-iface sections in /etc/config/wireless are regenerated on upgrades and config changes now. The gluon_preserve option can be used for custom interface sections, similar to custom sections in the network and system UCI configs.
Configuration of wireless interfaces is done per-band rather than addressing individual radios, and uses a role system similar to that of wired interfaces. In certain setups with more than one radio per band, radios which don’t support the site’s mesh channel because of hardware limitations will become client-only, while the rest of the radios are configured as mesh-only (when client and mesh roles are both enabled for the band).
This change also enables support for devices with more than 2 radios in total.
Known issues
The phy path migration happening on some devices (like WR3000) can happen at the wrong time, leading to a broken wifi configuration (#3704)
Devices hang randomly at sysupgrade until power cycled due to a bug in BATMAN_V (#3699)
Devices using additional USB network drivers of the community config switch the interface order (#3576)
The integration of the BATMAN_V routing algorithm is incomplete.
Mesh neighbors don’t appear on the status page (#1726)
Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput metric.
Throughput values are not correctly acquired for different interface types (#1728)
This affects virtual interface types like bridges and VXLAN.
Default TX power on many Ubiquiti devices is too high, correct offsets are unknown (#94)
Reducing the TX power in the Advanced Settings is recommended.
In configurations without VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled (#496)
This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is disallowed).