Early Access ER8411 V1 1.3.0 Build 20250305 Pre-Release Firmware (Released on Mar 14th, 2025)

This Article Applies to
ER8411(UN) V1
Release Notes
Version Info:
Adapted Model: ER8411(UN) V1
Fully Adapted Controller Version: SDNC 5.15.20.X - Omada SDN Controller_V5.15.20.7 Pre-Release Firmware Windows
Minimum Firmware Version for Update: 1.2.3 Build 20241121 and above.
New Features:
1. Add support to SD-WAN.
2. Add support to Content Filter.
3. Add support to Virtual WAN.
4. Add support to Disable NAT.
5. Add support to Google LDAP.
6. Add support to LAN DNS.
7. Add support to FQDN/Wildcards WAN DHCP Option.
Enhancement:
1. OpenVPN/Wireguard VPN: add support connecting to remote server/peer via domain name.
2. Optimized CPU utilization.
3. Optimized the time to enable the backup link.
4. Optimized booting time.
5. Optimized the time to dial up the WAN link.
6. Optimized the time to upgrade firmware.
7. Optimized the time to generate an OpenVPN profile.
Bug Fixed:
1. Fixed the HTTPS redirection exception in standalone.
2. Fixed the static route for L2TP VPN doesn't take effect after re-enabling L2TP VPN.
3. Fixed the WOL exception when dropping some unknown unicast packets.
4. Fixed the issue that the manual ISP profile for USB modem cannot be saved
5. Fixed the issue that the PPTP VPN would disconnect occasionally.
Firmware Download
Before the Upgrade
(1) Please be sure you have read the Beta Test Agreement before upgrading the Beta firmware!
(2) You may follow the following guide to upgrade your Omada devices. How to Upgrade/Downgrade Omada Gateways
Firmware Download Link
ER8411(UN)_V1_1.3.0_Build20250305
Notes:
(1) The above firmware applies to the described models.
(2) Your device’s configuration won’t be lost after upgrading.
(3) If you have disabled the HTTPS port, please enable the HTTPS port before upgrading the firmware.
Additional Information
All feedback is welcome, including letting us know about successful device upgrades.
If somehow you encounter an issue during or after the router upgrade, it's suggested to contact us with the following info:
- Omada Controller version
- Device Firmware version with Build number (previous and current)
If your rollback encounters trouble, try to use the CLI mode to roll back.
If your router gets bricked during the firmware upgrade, you may follow the guide below to recover the firmware.
How to use the Emergency Mode to recover the firmware for Omada Gateways
Update Log
Mar 14th, 2025:
Release of this post.
Recommended Threads
Get the Latest Firmware Releases for Omada Routers Here - Subscribe for Updates
Get the Latest Omada SDN Controller Releases Here - Subscribe for Updates
Experience the Latest Omada EAP Firmware - Trial Available Here, Subscribe for Updates!
Current Available Solutions to Omada Router Related Issues [Actively Updated, Post for Subscription]
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @GRL
Thanks for posting in our business forum.
GRL wrote
I have been testing the disable NAT (and i think my test setup is somewhat similar to yours
Scenario
MODEM > ER7206 > ER8411 (wan 6)
(ignoring other vlans i have policy routed to other WANs on the ER8411 and concentrating on testing vlan 20 which is policy routed to WAN 6, fed from the 7206 v2 LAN 3)
Disabling NAT on vlan 20 IP range 192.168.100.0/24 on the ER8411 results in no internet to that vlan - correct
Enable Route on ER7206 192.168.100.0/24 hop 10.253.253.253 (WAN 6 IP on ER8411) - internet now working on vlan 20 - correct
With no disable NAT settings on either router, i of course have double nat on vlan 20 - correctER7206 is configured that 10.253.253.253 (er8411 wan 6) is One-to-One NAT to an unused one of my public IPs towards the router. x.x.x.93
Without disable NAT anywhere, vlan 20 has a public IP of x.x.x.93 as defined by my one-to-one nat - correct
WITH the disable nat - vlan 20 has public IP of the "native" WAN port of the er7206 x.x.x.92 - I am not sure if this is correct or not. Since the traffic from the 8411 is still coming from its WAN IP, shouldnt the one-to-one NAT still take effect to change its public IP ?
Im struggling to find a use case for disabling NAT, when one-to-one NAT already exists. perhaps for people who only have one public IP ? but in most situations, you cannot set a static route on an ISP modem/router so unless you have another TPLink ER or another brand like a microtik etc,in the chain i fail to see how it can work.
This is where disable NAT was requested and their use case:
https://community.tp-link.com/en/business/forum/topic/599954
They strongly requested like LAN DNS.
For any discussion over that, you can go there and discuss with them regarding the use case.
The guide for the controller is also released and how to verify its effectiveness.
- Copy Link
- Report Inappropriate Content
thats fine, i was mostly discussing if the one-to-one nat not taking effect on the WAN port IP of a downstream router, when that router has its NAT disabled, is a bug or not, and since that applies to the routers, i decided to post it here.
- Copy Link
- Report Inappropriate Content
Hi @GRL
Thanks for posting in our business forum.
GRL wrote
thats fine, i was mostly discussing if the one-to-one nat not taking effect on the WAN port IP of a downstream router, when that router has its NAT disabled, is a bug or not, and since that applies to the routers, i decided to post it here.
Expected when you disable NAT on ER8411 for VLAN 20 it's getting ER7206 public IP. As it is translated on the 7206.
WITH the disable nat - vlan 20 has public IP of the "native" WAN port of the er7206 x.x.x.92 - I am not sure if this is correct or not. Since the traffic from the 8411 is still coming from its WAN IP, shouldnt the one-to-one NAT still take effect to change its public IP ?
If you disable NAT, 8411 will not translate whatsoever you configure for the network(VLAN) you've selected in the settings. Rest of whatsoever you configured for the network(VLAN), anything about NAT, is not effective as you have disabled NAT.
- Copy Link
- Report Inappropriate Content
right - its like switch routing - at this point the WAN IP of the 8411 is just that - a forwarding IP, the actual packets still contain the original vlan 20 IP headers so the upstream 7206 doesnt see those packets as actually coming form the 8411 WAN IP at all, they just appear inside it with some random IP it doesnt know about and it just default routes it out.
Well, im happy to confirm this does actually work. And im never going to use it again.
- Copy Link
- Report Inappropriate Content
I have done more testing on the issue of gateway static routes on this firmware in a completely seperate enviroment with only the ER8411, a Switch (SH3428X) and some end devices to play with - all factory reset and freshly adopted into an entirely seperate omada site with only basic configurations - , and have some more feedback to give
Scenario
Management vlan (router interface) - 192.168.0.X /23
Internet transit vlan (router interface) - 192.168.2.X/24
Test vlan (switch only) - 192.168.10.X /23
Gateway .0.254 / .2.254
Switch interfaces .0.253 / .2.253 / .10.254
VPN Server - 192.168.0.245
VPN Connections of remote sites 172.16.0.0/12
Example 1 - Working in 1.2.3 and earlier firmware
If i want to route all my management vlan traffic, destined for VPN connections, where the router is asting as the gateway for the management vlan
Gateway Static route 172.16.0.0/12 > 192.168.0.245 - working
Example 2 - Working in 1.2.3 and earlier
Test vlan, its gateway IP is on the switch at .10.254
Switch static route 0.0.0.0/0 > 192.168.2.254 (internet transit interface)
Gateway Static route 192.168.10.0/24 > 192.168.2.253 -Working - internet traffic flows on test vlan
Example 3 - NOT working in 1.3.0 beta
If i want to route all my management vlan traffic, destined for VPN connections, where the router is asting as the gateway for the management vlan
Gateway Static route 172.16.0.0/12 > 192.168.0.245 - Not working - The router fails to route management traffic destined for the VPNs to the VPN server
Example 4 - Working in 1.3.0 beta
If i want to route all my management vlan traffic, destined for VPN connections, where the switch is asting as the gateway for the management vlan
Switch Static route 172.16.0.0/12 > 192.168.0.245 - Working - The switch correctly routes management traffic destined for the VPNs to the VPN server
Example 5 - NOT Working in 1.3.0 beta
Test vlan, its gateway IP is on the switch at .10.254
Switch static route 0.0.0.0/0 > 192.168.2.254 (internet transit interface)
Gateway Static route 192.168.10.0/24 > 192.168.2.253 - Not Working - No internet traffic flows on test vlan
Example 6 - Working in 1.3.0 beta
Test vlan, its gateway IP is on the switch at .10.254
Switch static route 0.0.0.0/0 > 192.168.0.254 (management router interface)
Gateway Static route 192.168.10.0/24 > 192.168.0.253 - Working - Internet traffic flows on test vlan, only when the management interface is set as next hops on switch and router routes
Conclusion:
Definitely something broken in 1.3.0 on how the gateway manages static routes and basic functionality is not working.
- Copy Link
- Report Inappropriate Content
GRL wrote
I have done more testing on the issue of gateway static routes on this firmware in a completely seperate enviroment with only the ER8411, a Switch (SH3428X) and some end devices to play with - all factory reset and freshly adopted into an entirely seperate omada site with only basic configurations - , and have some more feedback to give
Scenario
Management vlan (router interface) - 192.168.0.X /23
Internet transit vlan (router interface) - 192.168.2.X/24
Test vlan (switch only) - 192.168.10.X /23
Gateway .0.254 / .2.254
Switch interfaces .0.253 / .2.253 / .10.254
VPN Server - 192.168.0.245
VPN Connections of remote sites 172.16.0.0/12
Example 1 - Working in 1.2.3 and earlier firmware
If i want to route all my management vlan traffic, destined for VPN connections, where the router is asting as the gateway for the management vlan
Gateway Static route 172.16.0.0/12 > 192.168.0.245 - working
Example 2 - Working in 1.2.3 and earlier
Test vlan, its gateway IP is on the switch at .10.254
Switch static route 0.0.0.0/0 > 192.168.2.254 (internet transit interface)
Gateway Static route 192.168.10.0/24 > 192.168.2.253 -Working - internet traffic flows on test vlan
Example 3 - NOT working in 1.3.0 beta
If i want to route all my management vlan traffic, destined for VPN connections, where the router is asting as the gateway for the management vlan
Gateway Static route 172.16.0.0/12 > 192.168.0.245 - Not working - The router fails to route management traffic destined for the VPNs to the VPN server
Example 4 - Working in 1.3.0 beta
If i want to route all my management vlan traffic, destined for VPN connections, where the switch is asting as the gateway for the management vlan
Switch Static route 172.16.0.0/12 > 192.168.0.245 - Working - The switch correctly routes management traffic destined for the VPNs to the VPN server
Example 5 - NOT Working in 1.3.0 beta
Test vlan, its gateway IP is on the switch at .10.254
Switch static route 0.0.0.0/0 > 192.168.2.254 (internet transit interface)
Gateway Static route 192.168.10.0/24 > 192.168.2.253 - Not Working - No internet traffic flows on test vlan
Example 6 - Working in 1.3.0 beta
Test vlan, its gateway IP is on the switch at .10.254
Switch static route 0.0.0.0/0 > 192.168.0.254 (management router interface)
Gateway Static route 192.168.10.0/24 > 192.168.0.253 - Working - Internet traffic flows on test vlan, only when the management interface is set as next hops on switch and router routes
Conclusion:
Definitely something broken in 1.3.0 on how the gateway manages static routes and basic functionality is not working.
Regarding this, I replied to your email. And for others, so this is the reason why:
If there is a character from [ { } & | $ ( ) ; < > ` " \ ' ], you will lose the static routing. So, please downgrade and remove the character and then upgrade to the new firmware 1.3.0.
Or delete it and create it again without any special characters. And in any case, we encourage characters like - _ = , .
Emoji is not recommended as well.
- Copy Link
- Report Inappropriate Content
Still doesnt work. I never use any special characters - it did have regular spaces, so deleted and replaced with underscores, no effect
- Copy Link
- Report Inappropriate Content
Hi @GRL
Thanks for posting in our business forum.
GRL wrote
Still doesnt work. I never use any special characters - it did have regular spaces, so deleted and replaced with underscores, no effect
I asked for a diagram regarding this before. I remember that I created a ticket for you. I think I never received a diagram?
I need a diagram of this and with IP specified, and routing entries noted on the diagram.
- Copy Link
- Report Inappropriate Content
I dont think a ticket for this was created, i have a few ongoing tickets, i havent been asked for a comprehensive list of my network structure on this issue at all.
I can create one for you, but this will take me some time to fully document it all with the information you want. I have given you enough detailed information that, surely, you could get an 8411, and almost any of your L2+ switches, and test this in the different scenarios i listed above.....?
- Copy Link
- Report Inappropriate Content
I made an intereting discovery last night, which bypasses the problem with the gateway routes not working entirely (though it doesnt resolve the fact that the gateway routes dont work, eg, for my VPN)
So, i want all my switches to route internet traffic to and from the gateway over a dedicated "Transit" vlan, so traffic isnt hopped to the management network at all. This keeps traffic clean, and away form anything else. This is a very "normal" thing to do with complex networks, nothing unusual at all. As i have clearly stated, routes from the gateway to any switch SVI that isnt on the management vlan do not work on 1.3.0. Routes to any switch SVI that is on the management vlan do work.
However, what i found was that by changing the managemetn SVI setting on each switch, setting its gateway ip to the desired interface on the 8411, and having the matching switch route 0.0.0.0/0 to the gateway transit interface, and a matching gateway route....works! I dont see how this is even possible as the management interface on each switch is the only place you can actually specify a gateway, and surely it should only work on ones inside that vlan which the transit vlan is not! ......
So.....
Working
gateway route
switch management SVI
Switch route
So now i have all my internal routing correctly using the transit vlan, still doesnt resolve the issue where the gateway routes dont actually seem to work however. EG, i cannot access the 8411 IP over the VPN, despite it having a route for the VPN pools to the VPN server, which was working on 1.2.3 and earlier
Proof this (weird) change to the switch management SVI is now working.... all traffic flowing over the Routing interface according to the gateway
And the gateway is correctly internally identifying and routing traffic, and not seeing everything as belonging to the transit vlan - all my policy routes for different WANs are working according to the source network VLAN
Now, if i change the switch management SVI gateway back to what it should be for the management network, 192.168.0.254, keeping all the other routes unchanged,- absolutely no routing to and from the gateway for internet traffic for any vlan. This works properly in 1.2.3 and earlier, however.
- Copy Link
- Report Inappropriate Content

Information
Helpful: 0
Views: 3543
Replies: 60
Voters 0
No one has voted for it yet.