IBSng ReleaseNotes B1.34
Introduction
Almost a year from B1.33 release, here we are with B1.34 ready. B1.34 is geared toward stability and performance. Statistics shows 60% better performance, as well as using multiple CPUs to help with scalability.
There are dozens of new features, lots of enhancements and bug fixes, some hasn't been mentioned here. Python 2.6, Postgresql 8.4, PHP 5.2 are now the recommended versions for IBSng.
Now we start working hard for B1.35 that will have URL Filtering, Better LDAP support, Better VoIP Routing, Better firewall subsystem and many other new features.
There has been also many work in PLUX, the parspooyesh linux distribution to ease the installation and maintenance. We will soon have the great distro on USB flash that totally wipes out the need to install the OS.
New Features
New Web Analyzer Subsystem
Web Analyzer is the subsystem that detects and capture the websites users are visiting. New Web Analyzer subsystem , recognizes user visited URLs by sniffing network. It makes web analyzer independent from proxy servers. The new subsystem is faster and more reliable. It also separates web analyzer data from IBSng database, that eases IBSng backup and restore procedure. It also directly connects to the database, instead of using web service API, to remove the CPU load from web service.
Firewall Subsystem
The firewall subsystem allows defining filtering rules for internet users. Rules can be defined using various criteria such as destination IP, protocol(tcp/udp/icmp), source and destination ports(tcp&udp). The firewall profile will be applied in charges, so it's possible to define different rules based on hour of day, day of week, user state or connected ras. This subsystem requires passing traffic through an special linux gateway, very similar to bandwidth management system. It's possible to have bandwidth manager and firewall on same linux box.
Search Expired Users
The New search page allows searching of users based on their expiration date. It supports all kind of IBSng expiration date including
- Absolute Expiration Date
- Relative Expiration Date
- Expiration From Creation Date
- Expiration From Renew
- Expiration From Real First Login
- Monthly Expiration Date
Multiple widgets has been also added in Admins Summary Page that shows top and 7 days expired users.
Weekly Periodic Accounting
Weekly Time and Weekly Traffic Periodic Accounting is a new type of periodic accounting that set the period to reset on start of week. It's useful for organizations that wants a weekly quota on time and/or traffic.
Melli and Mellat Online Payment Gateway Support
Melli Bank and Mellat Bank are two new Gateways that are supported by online payment subsystem.
Expiration From Renew
The New Expiration date, is a relative date, that set from either user creation time or last renew time. When a user is created in a group with Expiration Date From Renew, the expiration date is immediately set by adding the group value to user creation date. For example if user is created on 2009-1-5 and group value is "1 Month Gregorian" the expiration date will be set to 2009-2-5. The Expiration Date also updates whenever user renews. If same user renews on date 2009-1-15, the expiration date will be updated to 2009-2-15.
Monthly Expiration Date
Monthly expiration date is a new form of expiration date, that always will happen on specific day of month. It is useful if for example you want users to expire on first day of month. The month can be in both gregorian and jalali types. (Ex. users expire on 10th of each jalali month). As expected monthly expiration date resets by renew.
Added IP Address to Bandwidth Manager Leaf Service
The New feature in Bandwidth Managers allows differentiate the bandwidth for specific destination IP Addresses. This is useful if you have servers that you want different policies of shaping. It's available in Bandwidth leaves so you can set the bandwidth for specific users to specific ip addresses. For example if you have a user with allocated bandwidth of 128kbit(Send & Receive), but you want him access the internal web servers with ips 192.168.1.0/29 with a higher 2Mbit speed.
Asterisk Integration New Features
DID Support
The DID Support in Asterisk allows defining direct inward dial numbers in VoIP tab of IBSng. You can define one or more DID and an international number for each user. When DID number is dialed, it's either will be routed to VoIP Carriers according to VoIP Routing Profile you defined for user, or by the peer address defined directly in DID settings. Charging is done for DID calls per IBSng rules.
It's also possible to have multiple DID's per IBSng user. Also ranges can be used to define multiple numbers.
Online Check
Asterisk ras now supports online check, the mechanism that synchronizes IBSng online users with asterisk active calls. This will increase the reliability of system.
Call Back Support
Asterisk Pre-paid-calling-card system now supports callback. A new attribute in VoIP tab of user information page, controls the callback. User is charged separately for callback call, as well as the actual call.
Invoicing New Features
Invoice subsystem has gone through lots of enhancements to improve stability and usability of system. There were also few new features
Renew with Next Group
Renew with next group action, allows defining invoice rules that changes the user group. By combining this with automatic generation of Proforma invoices and online payment, this can be used to allow users change their services.
User side online payment and vouchers
Users can use their user panel to pay their proforma invoices or debt via vouchers or online payment.
Load Balancing Radius Dispatcher
The load balancing radius dispatcher, is an addition to the previously developed failover radius dispatcher, that allows balancing the IBSng load through multiple servers. Load balancing dispatcher automatically determines which users are on which servers, and sends the request to that server. In addition to this, it caches failed access request packets for few minutes. Statistics shows in some broadband service providers, more than 90% of access requests are rejected. Caching these requests removes the burden on IBSng servers, as well as providing a mean to defend against brute force password attacks.
MPI Support
Message Passing Interface in an API to allows many computers to communicate with one another. By integrating MPI into IBSng, now it's possible to run IBSng engine across multiple CPUs on a single machine, or across multiple machines. With this improvement, it's now possible to have IBSng across 4 different logical parts that can be distributed across up to 4 machines. The logical parts are 1- Web Interface, 2- Radius Server, 3- Database and 4- Billing Engine.
Password Strength Meter
The password strenth meter, gauges the strength of password, admin or user has been entered and display it in a graphical bar form. It's recommended to have passwords with strength of at least Good.
Brute Force Password Attack Blocker
Due to IBSng popularity, recently tools has been developed by hackers to easily perform brute force password attacks on IBSng web login pages. The brute force attack blocker subsystem, blocks brute force password attacks on web login pages. If multiple login failures occurs withing small time range, subsequent requests will be blocked and immediately rejected. This method will nullify the impact of brute force password attack tools.
Generic Not Found/Password Incorret Message on web login
In previous versions of IBSng, explicit messages were shown to users when username or password was incorrect, stating which one is incorrect. To improve security, now a generic "Username or Password is incorrect" message will be shown.
Load Balancing IP Pool
Load Balancing IP-Pool, can be used to balance bandwidth across multiple links. The other possible usages would be load balancing NAT servers, Web caches and such. The subsystem works by defining multiple ordinary ip-pools and assign a percentage to each ippool. System automatically assign IP's to users in such order that accomplish designated percentage. There are two strategies for balancing
- Distributive
- This strategy assign IP's in such way that load will be distributed within IPpools during system work. The goal is used percentage of IP-pools be as close as possible to designated percentage
- Fill First
- First fill the ippool with highest percentage, and then fill the next ip pools. This can be used in scenario which an specific link should be used only if first link has enough traffic.
Enhancements
Radius Server Optimization
Radius Server has been greatly optimized to be able to handle radius packets more efficiently. Benchmarks shows 30% cpu usage decrease by using optimized radius server.
Automatic creation of ISPs in User Import
User import now automatically creates ISPs that encounters in input file and does not exists in system. This feature eases migration from other accounting systems that has Virtual ISPs.
Load Permissions From Another Admin
New feature allows copying the whole permisions from another administrator. It's a simpler version of permission templates which creating the template is not needed. This is useful in service providers with lots of admins.
Online Status Enhancements in User Information
The new link in user information page allows accessing to online instances of user right in user information page. It also allows kicking online instances of user.
Log Console
Round Robin List
The new log console subsystem uses a round robin list to consume less memory and also fixes the problem that when the report was filtered for non-root ISPs, only a few lines were showed.
Unknown Users
In previous version of IBSng, unknown users were broad casted and shown to all ISPs. To improve security this has been changed to show unknown users only to Main ISP admins.
Failed Login and MSCHAPv2
Failed login is not compatible with MSCHAPv2. For more information on Failed login see [Failed Login Username]
Online User Bandwidth graph on user panel
Now if user is online, a realtime bandwidth graph is showed in first page of user panel.
Assign Route and Assign IP
Assign IP is now optional when Assigning an ip range to an user.
Packets And Bytes Statistics in BW Nodes
Now by clicking on bandwidth manager nodes, you can see statistics of current rate of traffic passing through the node, and number of bytes/packets that has been passed through this node
LDAP Domain Lower Case username and Change User Existings Group Flags
This two new flags for ldap domain allows altering the behavior of ldap and IBSng user synchronization. Lower Case Username make all username lowercase in IBSng regardless of their case in ldap. Change User Existing Group makes sure user is in same group as ldap. By default after a user is imported from ldap, IBSng won't change the group even if ldap group has been changed. This flag changes the behavior so the group is always the same as ldap.
Online Payment Enhancements
Paid amount and to pay amount formula
The two formula can convert the amount IBSng suggests to pay or paid by online payment. This can be used to convert between different money units (ex. IBSng uses toman, bank uses rial) or adding bonuses to online payment. Paid amount formula converts the amount that user paid via online payment, to the amount that will be added to user in IBSng To pay amount formula converts the suggested amount (such as group credit or recharge credit) that will be shown to user
Kick Failed User
A common scenario within IBSng is, allow expired or finished credit users to log in via failed login system and pay for next period of their service via online payment. The way failed login system works is by assigning an special IP to user, that can only connect to bank website. After payment user needs to disconnect and connect to be able to use the newly recharged service. Now IBSng automatically disconnects such users after a successful payment.
Cisco VoIP Kill by RSH and POD
Until this version, it wasn't possible to force disconnect VoIP users. Now by using RSH or POD it's possible to force disconnect users.
Notification Enhancements
Rule Template Variables
New variables has been introduced in templates
- $paid_amount
- $paid_amount is only available in Online Payment rules and represents the paid amount of user
- $exp_date
- Gregorian form of user expiration date
- $jalali_exp_date
- Jalali form of user expiration date
- $did_num
- DID number of user
- $did_dest
- DID destination of user
Online Payment and Birth Day Notification Rule Type
Notification Rule Types are used to determine on which occasion, user should be notified. Until now only Expiration date and Credit notification types were available. In this version, two new notification types has been added. Online Payment notification rule type, will notify users whenever a successful online payment has been performed. Birthday notification rule also can be used to send birth day messages before user birth day.
Extra Charge Enhancements
Extra charges that should have been applied in 30th or 31th of a month, in months that has fewer days count were not performed in previous versions. This has been fixed in this version.
More Fast Dials
Number of user fast-dials has been increased to 20 from 10.
User count in Group List
It's now possible to see count of users in each group via group list page. Due to heavy database queries to fetch these numbers, a lazy loading mechanism has been used. User should click on fetch icon, to see the count.
Search Deleted users by username
Now it's possible to search credit change log for deleted users in case you want to know the user id or who deleted the account.
Connection Log Enhancements
Before/After credit
It's now possible to see credit of user, before and after of a connection. It's useful to see how user credit has been deducted throughout time.
Group Tab
A new tab has been added, that allows operators to see connection logs of a specific group of users. It can be used to find total credit usage, duration usage or voip provider usage of users in a specific group.
IN Service Enhancements
Multiple usernames in in_service_identify_by_username
in_service_identify_by_username ras attribute is used to recognize connections with specific username as Intelligent Service. Multiple usernames can be entered in in_service_identify_by_username of ras attributes by putting "," between them.
IN Caller ID Prefix Detection
Now it's possible to identify an IN session, by prefix of caller id. Some cities are known to pass caller id with a special prefix instead of passing DNIS.
Quintum Tenor 2G Ras enhancements
Rerouting
In previous versions of IBSng, Quintum Tenor 2G with more than one route, would result in incorrect billing due to non-standard function of quintum. A workaround has been implemented in IBSng to fix this problem.
Fast Dial/VoIP Provider Support
It's not possible to use Fast Dial and VoIP Provider with Quintum 2g devices.
Management Summary Enhancements
VoIP Provider Credit used Report Target
VoIP Provider Credit Used Report target can be used to find how much credit has been used in voip providers for different included objects. For example it can be used to know how much each voip provider credit has been used , or how much each group of IBSng has been used in voip providers for each day of previous month.
VoIP Provider Included Object
VoIP Provider Included object allows managers to find how much user credit/duration/carrier credit has been spent for each VoIP Provider(carrier)
Exclude ISP Mapped users filter
Due nature of ISP mapped users, a separate connection log will be written for mapped users. When reporting are performed on all users, including mapped users would result in incorrect numbers. A filter has been added to exclude the mapped users to fix the issue.
Permissions
Charge, Group, VoIP Tariff and prefix group permissions had a problem in previous versions, that changing one's name would remove the value from permission. This has been fixed by storing one's id instead of name in permission value.
Bandwidth Manager Stability
Stability of bandwidth manager has been improved by deploying recovery mechanisms in case of failures.
Automatic Determination of High Load
It's one of IBSng features that disallows heavy queries when system load is too high. It prevents the system to become unresponsive due to very high load. IBSng now determines the high load by finding number of CPUs the server has.
Upgrade From B1.33
Database Changes
If you are doing a manual update, it's importing the sql file same as usual
psql -U ibs IBSng < /usr/local/IBSng/db/from_B1.34_upgrade.sql