Series 3: What are some of the notable feature changes between firmware version 3.63 through firmware version 5.0.0?

Beverly McRae

If you are not sure what Series CradlePoint router you have, please click here.Description:This article describes the notable feature changes, bug fixes, and feature additions for all Series 3 CradlePoint routers from firmware version 3.6.3 through firmware version 5.0.0.  The modem compatibility lists and new modem support lists for each release are not included here. This information is gathered from the PDF release note documents for each firmware release.  The .PDF release notes and the firmware files themselves may be downloaded from Firmware version 3.6.3 (06/27/2012) Feature changes/fixes:

  • Fix for Sprint Datalink network issues
  • Fix for LG AD600 authentication
  • Fix for network scheduling

 No major features added since 3.6.1Firmware version 4.0.3 (09/24/2012) 4.0.X is a significant re-architecture of CradlePoint firmware.  Many new features and capabilities are available.  Modem, VPN IPSec, and LAN-to-WAN performance have all been improved.

Networking features (MBR1400, IBR600/650):

  • VPN Certificate support tested with Cisco, Juniper, and CheckPoint routers
  • IP Passthrough: Ethernet WAN to LAN with failover to modem is available
  • Networking improvements: Better IP Filtering, more powerful routing (per-interface routing_, rule-based policy routing
  • QoS: Improved bandwidth & priority traffic shaping (CBQ to HTB as a queueing discipline, Fair Queuing added). QoS can handle FTP/PPTP now.
  • Hotspot: Improved client rate limiting
  • WAN Affinity improvements: No longer have FTP/PPTP limitations, possible VPN tunnel failover
  • SSH to Serial console and SSH to Telnet console.  A user can open up Remote Administration -> Allow Remote SSH Access and from the router’s CLI either use a USB-to-Serial cable or an Ethernet Telnet session to an attached device.
  • ALG Support (SIP, FTP, PPTP, TFTP, IRC) is available on the Firewall page
  • Load Balance schedule selection. The user may now select either Round-Robin, Rate, Spillover or Data Usage as a Load Balance algorithm
  • Improved UPnP support, including “Type 2” NAT support on PS3

Modem changes:

  • Most high-speed modems (HSPA+ and LTE) should see higher upload and download performance in 4.0 than in 3.0
  • Sprint Network-Initiated PRL and modem firmware updates can be accepted and scheduled for non-peak times under the Internet -> Connection Manager -> <Modem> -> Edit -> Modem Settings.  If you do not see these UI items, your modem does not support this feature

New features added in this release (all products):

  • Many improvements have been made to overall system stability and performance
  • The CBR450/CBR400 in particular work better under stress (high network loads or VPN tunnels) than they used to

Additional UI/Usability changes:

  • WAN Affinity Settings for GRE.  The ability to tie GRE to a specific WAN interface has been removed from the UI.  Standard WAN Affinity rules work with GRE now.  As VPN has special considerations, it continues to have specific WAN Affinity settings
  • Note: Many firewall configuration settings have changed as they were specific to the previous firewall implementation. Please check your firewall settings.
  • OpenDNS Filtering. Network Settings -> Content Filter -> OpenDNS Content Filtering. The ability to pick generic GOOD/BETTER/BEST pre-defined filtering has been removed as it is no longer supported by OpenDNS. Subscribers to OpenDNS can use the updated integration to apply their web filtering settings. To find out more and purchase an OpenDNS Enterprise subscription go to
  • Status -> System Statistics page now shows byte totals as well as graphs.
  • The Historical Data graph on the Data Usage page was removed
  • Some additional fields have been added to the Dashboard, such as the router’s MAC Address
  • APN (Access Point Name) selection has been added to the First Time Setup Wizard
  • System Settings -> Managed Services -> SNMP Configuration now has the ability to set system Contact, Name, and Location
  • Service Mode (LTE, EVDO, etc.) for any attached modem has been added to the login screen

Defects fixed since 3.6.3:

  • WPA2 Enterprise/RADIUS settings can be set with any WiFi interface, not just the primary
  • Improved WiFi-as-WAN reconnection ability
  • A number of Data Usage Management defects have been fixed
  • The System Statistics page shows disconnects/reconnects better than it used to

Firmware version 4.1.1 (12/03/2012)(Support added for MBR95) Networking features (IBR600/650):

  • OSPF (Open Shortest Path First) routing has been added
  • BGP (Border Gateway Protocol) routing has been added
  • RIPv1 and RIPv2 (Routing Information Protocol) routing has been added
  • STP (Spanning Tree Protocol, IEEE 802.1D-1998) bridged Ethernet LAN support
  • Multicast Proxy support has been added
  • VRRP (Virtual Router Redundancy Protocol) support has been added

Limitations of these Networking features:

  • No SNMP support for these features has been added yet
  • No OSPF (Open Shortest Path First) multi-hardware support has been added yet
  • Routing Protocols will not propagate a default route at this time

Major features added since 4.0.3 (MBR1400, IBR600/IBR650, CBR400/CBR450):

  • DSCP/DiffServe (Differentiated Services Code Point) QoS support has been added

Major features added since 4.0.3 (all products unless otherwise stated):

  • MAC filtering on Ethernet as well as WiFi. The Network Settings -> MAC Filter/MAC Logging page will allow yu to whitelist or blacklist MAC Addresses
  • Multiple Content Filtering Instances have been added. Instead of having single set of content filters for the entire router, you can have different filters per network. This enables you to have different filters on your Primary vs. your Guest network, for example.
  • Failback timer (Connection Manager -> Edit WAN Device -> Advanced Failback Configuration has been changed from a maximum of 300 seconds to 14400 seconds (4 hours)
  • (MBR1200B only) Disable Attention LED. For people who don’t like their MBR1200B showing a Red Attention LED when no WAN connection is available, System Settings -> Administration -> Local Management -> Disable Attention LED
  • The WiFi client count is now a link to the Status -> Client List page
  • (IBR600/IBR650 only) Ability to configure the number of stored GPS NMEA messages for Store-and-Forward has been added. System Settings -> Administration -> Number of Stored NMEA messages
  • If you change the router’s administration password, the session cookie that allows you to remain in the router’s UI using the previous password will be invalidated and you will be logged out of the router’s admin UI. You will be required to login using the new password.

Modem Changes:

  • Specific connection modes in LTE/HSPA+ combination modems can now be selected

Defects fixed since 4.0.3:

  • IP Passthrough bypass was not working consistently
  • AT Passthrough/QXDM only worked on 3G devices
  • AT&T Momentum did not work in IP Passthrough mode
  • Broken SSL connections would lock up the UI server

Firmware Version 4.2.0 (02/25/2013)

Networking features (MBR1400 HW v2.0, IBR600/650):
  • NHRP (Next Hop Resolution Protocol) routing has been added. NHRP can be used to implement a dynamic tunneling form of VPN using a combination of keyed GRE tunnels, VPN and dynamic routing protocols. This can be thought of as a meshed layout over a VPN allowing connected devices to communicate between each other. Two phases are currently supported, with phase 1 using NHRP to inform a hub (VPN concentrator) about dynamically appearing spokes (routers attached to the hub) and phase 2 allowing for communication between spokes using a routing protocol (OSPF, BGP or RIP).

New Features added in this release (MBR1400 HW v2.0, MBR1400, IBR600/650, CBA750B):

  • DHCP Relay. Network -> WiFi/Local Networks -> “Edit” a Local IP Network -> DHCP Tab. DHCP Relay allows relaying of DHCP requests from subnets without DHCP servers to one (or more) DHCP servers on other subnets.
  • Per-client Web filtering. Network Settings -> Content Filter -> MAC Address WebFilter Rules. WebFilter rules and default filtering actions can be assigned to MAC Addresses.
  • Per-client Data Usage. Internet -> Client Data Usage. Client Data Usage tracks the WAN data used by each client connected to the router.
  • The Administration username and password can be configured to use RADIUS or TACACS+. Under System Settings -> Administration -> Router Security if the Advanced Security Mode is checked, the Authentication Mode can be selected as either Local Users or RADIUS or TACACS+. If WAN connectivity is lost when using RADIUS or TACACS+. the Local User Password can be used.
  • (IBR600/IBR650 only) GPS Additions. The GPS can be configured to provide NMEA GGA, VTG, and/or RMC sentences. Every internal modem type does not support all three sentences.

Modem Changes:

  • Added connection mode switching options with Sierra Wireless 313U modem.

Additional UI/Usability Changes:

  • NOTE: Many 4.x Firewall Configuration settings have changed as they were specific to the previous 3.x firewall implementation. Please check your firewall settings.

Defects fixed since 4.1.0:

  • Data Usage UI page was not updating correctly on MBR95
  • Data Usage data did not update correctly on MBR95 unless the user went into the UI
  • Hotspot usage statistics: The stats from one session to the next appeared to be the same even though the sessions were completely different
  • Fixed WiFi-as-WAN issue connecting MBR95 to MiFi 4620L
  • Status/Internet Connections -> Statistics -> Connection Uptime was changed from seconds to days:hours:minutes

Firmware Version 4.3.2 (07/15/13)

New features added in this release: 
  • Enterprise Cloud Manager (ECM) (all products except for MBR95): Enterprise Cloud Manager is the replacement for WiPipe Central.
    • Created client service and UI for connecting to CradlePoint Enterprise Cloud Manager (ECM) ( Requires a valid ECM username and password.
    • Added ‘ecm’ command line tool for controlling and monitoring the ECM client. This includes the ability to register the router with the ECM service provided you have already subscribed and have valid credentials.
    • Added ECM web based management user interface (System Settings -> Enterprise Cloud Manager).
    • Moved WiPipe Central user interface to the “Enterprise Cloud Manager” page.
    • Support for WiPipe Central or ECM management where ECM takes precedence.
  • (MBR1400s, CBA750b, IBR6x0 only), Modem Firmware update is available for select CradlePoint internal modems (IBR6x0LE, LP, LP2-EU) and MC200 modem caps. Internet->Connection Manager->Control->Firmware. Modem firmware update has been added to the Connection Manager. The modem firmware can be updated by one of two methods, Automatic and Manual.
    • Automatic update allows the supported modem’s firmware to be updated with a newer version of firmware located on CradlePoint’s firmware server. By default, the router will automatically check for modem firmware updates when a supported modem is plugged in and an Internet connection is available. The admin can uncheck the “Automatically check for new firmware” checkbox under Internet->Connection Manager->Edit->Modem Settings to stop the router from automatically checking for new modem firmware. The admin can manually check for an update by pressing the “Check Again” button. Once an update has been detected, the admin can start the modem update by selecting the “Automatic (Internet)” button.
    • Manual update allows the admin to load new firmware directly to the modem by selecting the file with the “Choose File” button and selecting the “Begin Firmware Upgrade” button to start the update process.
Additional UI/Usability changes: 
  • None
Defects fixed since 4.3.0: 
  • Fix for MBR95 showing SNMP in the UI
  • Improvement for MBR1400 when rapidly changing WiFi configuration the router may require a power cycle.
  • Fix for Daylight Savings time causing Scheduled Reboot to happen repeatedly within the hour.
Firmware Version 4.4.0 (08/13/13)

New features added in this release (MBR1400, IBR6x0, MBR1200B, CBA750B only): 
  • IPv6 support has been added. IPv6 is supported on all WAN sources and has been tested with all of the CradlePoint internal modems and modem caps. Other modems are not  supported but may work.
    • Routing features include dynamic and static IPv6 to IPv6 routing. IPv4 Tunneling support includes 6to4, 6in4, and 6RD.
    • Failover, Failback, and Load Balancing are supported if Network Prefix Translation is enabled.
    • Features that are not supported on IPv6:
      • RADIUS/TACACS+ accounting for wireless clients and admin/CLI login
      • IP Passthrough (not needed with IPv6)
      • NAT (not needed with IPv6)
      • Bounce pages
      • UPnP
      • Network Mobility
      • DHCP Relay
      • VRRP, GRE, GRE over IPSec, OSPF, NHRP
      • Syslog
      • SNMP over the WAN (LAN works)
    • The ability to pass router-generated traffic (NTP, Enterprise Cloud Management, and Firmware Update Check) to the LAN has been added. This is useful if another router that has multiple WANs is attached as a LAN client to a CradlePoint router (generally using the CradlePoint router for failover if its primary WAN fails).
    • Hotspot. A new second-stage login option for redirection has been added
    • VPN Alert. An alert can be generated if a VPN tunnel goes down.
    • Allow disabling the default ‘admin’ account for the router. This can lessen the chance of a brute-force attack getting through the default account.
    • The ability to pass multicast (IGMPv2) traffic upstream on the WAN to alternate subnets connected to a host downsteam on the LAN.
    • IBR6x0 only. Via SMS to the embedded modem, allow remote access to obtain modem and router status when a modem is unable to establish a cellular data connection. See the User Guide for SMS description, supported products, access instructions and commands.
Additional UI/Usability changes: 
  • Change position of data in the Status -> Statistics page to make it more readable.
  • Enhanced APN and Profile management in Wan Configuration -> SIM/APN/Auth Settings. APN and Profile configuration has been extended to provide enhanced APN and Profile configuration and selection.
  • Added option to select a preferred carrier operator network in Wan Configuration->Modem Settings-> Network Selection Mode. If a specific carrier is selected (as indicated by the PLMN), automatic roaming to other networks is disallowed.
New features added in this release: 
  • A defect was found in 4.2.0 and fixed in 4.2.1 that affects future upgrades. Using the Manual Firmware Upload for future firmware uploads will appear to work but default configuration settings for new features will not be set correctly. This issue does not exist with Automatic (Internet) updates or updates using Wipipe Central. Please upgrade to 4.2.1 before upgrading to a later version if you wish to use Manual Firmware Upload.
  • Workarounds are:
    • Use the Automatic update (preferred method)
    • Update to 4.2.1 before updating to 4.3 or beyond
    • On the System Settings/System Software page in the UI, use Backup Current Settings to save your current configuration. Then use Firmware Upgrade and System Config Restore to update firmware and set the configuration at the same time. Using the Restore Settings popup, always select and restore your configuration settings before selecting your firmware file and starting the firmware upgrade.
  • Feature Licensing has been added (MBR1400v2/IBR600/IBR650). System Settings -> Feature Licenses has been added to enable features that require a specific license from CradlePoint.
  • NEMO (Network Mobility) support has been added (MBR1400v2/IBR600/IBR650). Network Mobility (RFC-5177) support has been added to register up to eight mobile networks directly with a Home Agent, and automatically configure the requisite GRE tunnel. The NEMO configuration can be found under the Internet Category. NEMO support is enabled using a feature key and can be enabled under System Settings -> Feature Licenses.
  • 802.1x Ethernet port security has been added (MBR1400v2/IBR600/IBR650). Network Settings -> (WiFi) Local Networks -> Local Network Editor -> Wired 802.1x. This allows configuring an authentication server that will accept authentication requests from devices attached to wired Ethernet ports. If the wired clients cannot provide authentication, they are not allowed to connect to the Router’s networks. This has been tested with Linux, Windows OS, and Mac OS clients.
  • VPN Tunnel to allow secondary remote gateway in a single tunnel. We now allow the user to chain the VPN policies to failover from one to another as needed. If one tunnel fails, usually because its WAN interface goes down, the system can automatically fail over to another VPN tunnel. Internet / VPN Tunnels -> Add Tunnel -> Failover tunnel.
  • (IBR600 only) Increase the number of allowed WiFi clients from 32 to 64.
Additional UI/Usability changes: 
  • Internet Explorer 10 Compatibility View support.
  • An option was added to the IP Passthrough Setup Wizard for subnet selection. The options are to create a subnet automatically or to force /24 Subnet for compatibility with some other common network equipment.

Firmware Version 4.4.2 (10/08/13)

New features added in this release (MBR1400, IBR6x0, MBR1200B, CBA750B only): 
  • Added support for new modems check Supported modem list.
Additional UI/Usability changes: 
  • None
Defects fixed: 
  • Internet Explorer 8 only. Modem Edit button fixed.
  • DNS server list with HTTP modems. If a connection with an HTTP modem results in no DNS server list, the router will now allow the connection to continue.
  • Sub-1280 MTU on Ethernet causes WAN Disconnect.
  • Remote Admin Access Control (ACL) did not affect remote SSH. If remote SSH is enabled in 4.4.0, the ACL did not prevent connection attempts from unauthorized IP addresses.
  • Connection Manger – can’t expand Failback Configuration Settings.
Firmware Version 5.0.0 (11/18/13)

New features added in this release (MBR1400, IBR6x0, MBR1200B, CBA750B only. Not all features are in all products – see their respective Data Sheets):
  • Added support for new modems (see Modem list above).
  • VPN Improvements – Internet / OpenVPN. OpenVPN has been added to provide SSL VPN support.
  • L2TP support for a WAN interface is provided under Internet / L2TP Tunnels.
  • GRE: Failover/Failback and WAN Binding support have been added.
  • VPN Failback. This feature allows two or more VPN tunnels to be created that will failover if one connection goes down and will fail back if the higher priority connection is available. It is configured in the VPN Tunnels wizard / Dead Peer Detection page.
  • Filter packets going through the modem that do not match the network. This feature is enabled by default and can be disabled using Internet / Connection Manager / Common Defaults / Modem Settings.
  • Internet / CP Connect (Beta feature in 5.0). CP Connect tunnels can be used to create a connection to a private network.
  • Internet / WiFi as WAN. (MBR1400v2 only). WPA2 Enterprise Authentication added to Wi-Fi as WAN option.
  • Zscaler cloud-based filtering/security added under Network Settings / Content Filter / Cloud Based Filtering/Security.
  • SMS access. Now enabled for all products on this platform.
Extended Enterprise License (MBR1400v2, IBR6x0 only):
  • System Settings / Feature Licenses. An Extended Enterprise License will enable a number of features on those routers. For more information visit the Feature and Application License page on the CradlePoint web site.
  • Routers upgrading from earlier firmware versions will automatically be granted a license to the existing features that will fall under the EEL (STP, VRRP, etc.).
Additional UI/Usability changes:
  • First Time Setup Wizard / Configuring Failure Check. Enabling Failure Check here will default Ethernet and WiFi as WAN checks to use a ping and modems to Passive DNS.
  • Added IP WAN Subnet Filter checkbox to Modem Settings.
  • Added Enable AUX Antenna checkbox to Modem Settings. When disabled, the embedded modem’s AUX antenna is turned off.
Defects fixed:
  • PMTU issue with IPSEC/VPN
  • System Stats SINR graph moved backwards
  • GPS change. GPS was being reported in degrees and decimal degrees. Now it is reported as degrees, minutes, and seconds.
  • USB Serial hardware flow control issue
  • AT&T Beam (Netgear AC340U) now works with i2gold SIMs

Firmware Version 5.1.0 (3/3/2014)

New features added in this release (2100, MBR1400, IBR6x0, MBR1200B, CBA750B only. Not all features are in all products – see their respective Data Sheets):

  • System Settings -> Certificate Management. Certificate Management is a centralized system utility to import, export, create, and remove digital certificates. Local services can access stored certificates for authentication, verification, or for other security functions. Certificates can either be imported or exported via the PEM format or bundled with a CA certificate for import or export via the PKCS12 format. Current services utilizing Certificate Management are CP Secure Connect, IPSec VPN, and WPA Enterprise Wifi as WAN.
    • Certificates from Release 5.0 or earlier will not migrate automatically to the new Certificate Manager, and Certificates created and managed in Release 5.1 or beyond will not work if the router is downgraded to an earlier Release. A factory reset is required if Certificates are used in 5.1 or later, and the router is downgraded to 5.0 or before.
  • Add ability for negation on source and destination addresses in WAN Affinity was added.
  • Internet / CP Secure Connect. CradlePoint’s cloud VPN solution has been renamed to ‘CP Secure Connect’ and has been removed from Beta status. CP Secure Connect also supports full tunnel VPN. Full tunnel support can be created by selecting the local LAN (Ex. with a remote network configured as
    • CP Secure Connect will only create a single tunnel unlike IPSec that can create multiple tunnels.
    • CP Secure Connect has been removed from the Extended Enterprise License (EEL). It now has its own license.
  • Added additional Modem diagnostics to SNMP. These include CINR, SINR, RSRP, RSRQ, and a number of other values. The latest WIPIPE MIB version is 1.8 to reflect these changes.
  • Added client site visit reporting to the log that reports which clients accessed an external IP address. Network Settings -> Firewall Configuration -> Firewall Options -> Log Web Access.
  • Active and passive DNS Failure Check added to Ethernet WAN sources to make their Failure Check options match what is provided for modems.
  • (2100 only) Band-steering has been added. If a client is attached to the 2.4GHz radio on the 2100 and it is capable of using the 5.0GHz radio, it will be steered to the more open and higher-performing band. Band-steering is enabled whenever the SSID of the 2.4GHz and 5GHz radios are the same. Note that band steering may negatively impact connectivity in some situations, especially at long range. If you see performance or connectivity issues, it is recommended that you disable band-steering by setting the 2.4GHz SSID and 5 GHz SSID to different values.
  • RADIUS timeout and retry settings have been added for Hotspot support.
  • Added the ability to prioritize VOIP packets from the LAN to the WAN when using a VPN tunnel. Any QoS DSCP codes will be copied from the inner packet to the VPN packet after VPN encryption.

Additional UI/Usability changes:

  • Modem Settings, On Demand Start Connection checkbox. When checked, the modem will connect to begin On Demand mode after plug or reset. When unchecked, the modem will not connect to begin On Demand mode after plug or reset, but will wait for LAN to WAN traffic before initiating a connection.
  • SMS interface extension. Added Help command.
  • The wireless band has been added to the Wi-Fi clients list.
  • An Asset Tag field has been added to the router under the Local Administration tab.
  • Added ability for negation on source and destination addresses in WAN affinity.

Defects fixed:

  • IE9 and IE10 UI issues when setting up VPN tunnel
  • CP Secure Connect tunnel did not re-establish after reboot
  • GRE failover was not working correctly in some conditions
  • Clients dropped off of the Clients List and returned
  • OpenDNS might have issues reconnecting after reboot, depending on the speed of the WAN reconnection
  • SSH to Serial port was scrambling data
Share Article: