vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-25 09:11:47 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:vyos/vyos-documentation

Browse Source
This commit is contained in:
rebortg 2024-01-13 23:12:29 +01:00
commit 14c94be155
61 changed files with 3775 additions and 2098 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -7,6 +7,7 @@ venv/
ENV/
.venv
Pipfile.lock
Pipfile
# put various editor ignores here
.vscode/

2
docs/_include/vyos-1x

@ -1 +1 @@
Subproject commit 11d531ece3e06dc68349d8ea1fd3bf39d5d857f3
Subproject commit 9753fafbfed02a3b6ebe7b6ddf51783c5dcbcf62

4
docs/_locale/de/configuration.pot
View File

@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p
msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``."
#: ../../configuration/loadbalancing/reverse-proxy.rst:108
msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
msgid "``least-connection`` Distributes requests to the server with the fewest active connections"
msgstr "``least-connection`` Distributes requests to the server with the fewest active connections"
#: ../../configuration/vpn/ipsec.rst:125
msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;"

2
docs/_locale/es/configuration.pot
View File

@ -19468,7 +19468,7 @@ msgid "``latency``: A server profile focused on lowering network latency. This p
msgstr "``latency``: un perfil de servidor centrado en reducir la latencia de la red. Este perfil favorece el rendimiento sobre el ahorro de energía configurando ``intel_pstate`` y ``min_perf_pct=100``."
#: ../../configuration/loadbalancing/reverse-proxy.rst:108
msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
msgid "``least-connection`` Distributes requests to the server with the fewest active connections"
msgstr "``least-connection`` Distribuye las solicitudes al servidor con la menor cantidad de conexiones activas"
#: ../../configuration/vpn/ipsec.rst:125

4
docs/_locale/ja/configuration.pot
View File

@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p
msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``."
#: ../../configuration/loadbalancing/reverse-proxy.rst:108
msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
msgid "``least-connection`` Distributes requests to the server with the fewest active connections"
msgstr "``least-connection`` Distributes requests to the server with the fewest active connections"
#: ../../configuration/vpn/ipsec.rst:125
msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;"

4
docs/_locale/pt/configuration.pot
View File

@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p
msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``."
#: ../../configuration/loadbalancing/reverse-proxy.rst:108
msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
msgid "``least-connection`` Distributes requests to the server with the fewest active connections"
msgstr "``least-connection`` Distributes requests to the server with the fewest active connections"
#: ../../configuration/vpn/ipsec.rst:125
msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;"

4
docs/_locale/uk/configuration.pot
View File

@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p
msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``."
#: ../../configuration/loadbalancing/reverse-proxy.rst:108
msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
msgid "``least-connection`` Distributes requests to the server with the fewest active connections"
msgstr "``least-connection`` Distributes requests to the server with the fewest active connections"
#: ../../configuration/vpn/ipsec.rst:125
msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;"

BIN
docs/_static/images/firewall-bridge-packet-flow.png vendored
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 22 KiB

After

Width:  |  Height:  |  Size: 26 KiB

BIN
docs/_static/images/firewall-gral-packet-flow.png vendored
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 40 KiB

After

Width:  |  Height:  |  Size: 41 KiB

BIN
docs/_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 341 KiB

2
docs/automation/index.rst
View File

@ -17,3 +17,5 @@ VyOS Automation
vyos-salt
command-scripting
cloud-init
vyos-pyvyos

148
docs/automation/vyos-pyvyos.rst Normal file
View File

@ -0,0 +1,148 @@
:lastproofread: 2023-12-15
.. _vyos-pyvyos:
PyVyOS
======
PyVyOS is a Python library for interacting with VyOS devices via their API.
This documentation guides you on using PyVyOS to manage your VyOS devices programmatically.
The complete PyVyOS documentation is available on [Read the Docs](https://pyvyos.readthedocs.io/en/latest/),
and the library can be found on [GitHub](https://github.com/robertoberto/pyvyos)
and [PyPI](https://pypi.org/project/pyvyos/).
Installation
------------
You can install PyVyOS using pip:
.. code-block:: bash
pip install pyvyos
Getting Started
---------------
Importing and Disabling Warnings for verify=False
-------------------------------------------------
.. code-block:: none
import urllib3
urllib3.disable_warnings()
Using API Response Class
------------------------
.. code-block:: none
@dataclass
class ApiResponse:
status: int
request: dict
result: dict
error: str
Initializing a VyDevice Object
------------------------------
.. code-block:: none
from dotenv import load_dotenv
load_dotenv()
hostname = os.getenv('VYDEVICE_HOSTNAME')
apikey = os.getenv('VYDEVICE_APIKEY')
port = os.getenv('VYDEVICE_PORT')
protocol = os.getenv('VYDEVICE_PROTOCOL')
verify_ssl = os.getenv('VYDEVICE_VERIFY_SSL')
verify = verify_ssl.lower() == "true" if verify_ssl else True
device = VyDevice(hostname=hostname, apikey=apikey, port=port, protocol=protocol, verify=verify)
Using PyVyOS
------------
Configure, then Set
^^^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: none
response = device.configure_set(path=["interfaces", "ethernet", "eth0", "address", "192.168.1.1/24"])
if not response.error:
print(response.result)
Configure, then Show a Single Object Value
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: none
response = device.retrieve_return_values(path=["interfaces", "dummy", "dum1", "address"])
print(response.result)
Configure, then Show Object
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: none
response = device.retrieve_show_config(path=[])
if not response.error:
print(response.result)
Configure, then Delete Object
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: none
response = device.configure_delete(path=["interfaces", "dummy", "dum1"])
Configure, then Save
^^^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: none
response = device.config_file_save()
Configure, then Save File
-------------------------
.. code-block:: none
response = device.config_file_save(file="/config/test300.config")
Show Object
^^^^^^^^^^^^^^
.. code-block:: none
response = device.show(path=["system", "image"])
print(response.result)
Generate Object
^^^^^^^^^^^^^^^^
.. code-block:: none
randstring = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(20))
keyrand = f'/tmp/key_{randstring}'
response = device.generate(path=["ssh", "client-key", keyrand])
Reset Object
^^^^^^^^^^^^^^
.. code-block:: none
response = device.reset(path=["conntrack-sync", "internal-cache"])
if not response.error:
print(response.result)
Configure, then Load File
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: none
response = device.config_file_load(file="/config/test300.config")
.. _pyvyos: https://github.com/robertoberto/pyvyos

65
docs/changelog/1.3.rst
View File

@ -8,6 +8,71 @@
_ext/releasenotes.py
2023-12-29
==========
* :vytask:`T5852` ``(bug): Reboots fail with eapol WAN interface``
2023-12-22
==========
* :vytask:`T4760` ``(bug): VyOS does not support running multiple instances of DHCPv6 clients``
2023-12-21
==========
* :vytask:`T5714` ``(bug): IPSec VPN: op-mode: "show log vpn" does not show results``
* :vytask:`T3039` ``(feature): Resize a root partition and filesystem automatically during deployment in virtual environments``
* :vytask:`T2404` ``(bug): Cannot change MTU``
* :vytask:`T2353` ``(bug): Interface [conf_mode] errors parent task``
* :vytask:`T5796` ``(bug): Openconnect - HTTPS security headers are missing``
2023-12-19
==========
* :vytask:`T2116` ``(feature): Processing configuration via Cloud-init User-Data``
2023-12-18
==========
* :vytask:`T2191` ``(feature): Using tallow to block sshd probes``
2023-12-15
==========
* :vytask:`T5824` ``(bug): busybox cannot connect some websites from initramfs``
2023-12-12
==========
* :vytask:`T5817` ``(bug): Show openvpn server fails in some cases``
* :vytask:`T5413` ``(default): Deny the opportunity to use one public/private key pair on both wireguard peers.``
2023-11-30
==========
* :vytask:`T4601` ``(bug): dhcp : relay agent IP address issue.``
2023-11-28
==========
* :vytask:`T5777` ``(bug): frr: backport and upstream recent bgpd daemon crashes``
2023-11-27
==========
* :vytask:`T5763` ``(bug): Fix imprecise check for remote file name in vyos-load-config.py``
2023-11-25
==========

229
docs/changelog/1.4.rst
View File

@ -8,6 +8,235 @@
_ext/releasenotes.py
2024-01-07
==========
* :vytask:`T5891` ``(bug): OpenVPN IPv6 config issue with 1.4-rc1``
* :vytask:`T5887` ``(feature): Upgrade Linux Kernel to 6.6.y (2023 LTS edition)``
2024-01-06
==========
* :vytask:`T3670` ``(feature): Option to disable HTTP port 80 redirect``
2024-01-05
==========
* :vytask:`T3642` ``(feature): PKI configuration``
* :vytask:`T5894` ``(feature): Extend get_config_dict() with additional parameter with_pki that defaults to False``
2024-01-04
==========
* :vytask:`T4072` ``(feature): Feature Request: Firewall on bridge interfaces``
* :vytask:`T3459` ``(default): Inform the user when unable to install outdated image``
2024-01-03
==========
* :vytask:`T5880` ``(bug): verify_source_interface should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces``
* :vytask:`T5879` ``(bug): tunnel: sourceing from dynamic pppoe0 interface will fail on reboots``
* :vytask:`T4500` ``(bug): Missing firewall logs``
2024-01-02
==========
* :vytask:`T5885` ``(default): image-tools: relax restriction on image-name length from 32 to 64``
2024-01-01
==========
* :vytask:`T5883` ``(bug): Preserve file ownership in /config subdirs on add system image``
* :vytask:`T5474` ``(feature): Establish common file name pattern for XML conf mode commands``
2023-12-30
==========
* :vytask:`T5875` ``(bug): login: removing and re-adding a user keeps the home directory but UID will change, thus SSH keys no longer work``
* :vytask:`T5653` ``(feature): Command to display fingerprint``
2023-12-29
==========
* :vytask:`T5829` ``(bug): Can't Add IPv6 Address to Containers``
* :vytask:`T5852` ``(bug): Reboots fail with eapol WAN interface``
* :vytask:`T5869` ``(bug): vyos.template.first_host_address() does not honor RFC4291 section 2.6.1``
2023-12-28
==========
* :vytask:`T4163` ``(feature): [BMP-BGP] Routing monitoring feature``
* :vytask:`T5867` ``(feature): Upgrade podman to Debian Trixie version 4.7.x``
* :vytask:`T5866` ``(feature): Add op-mode command to restart IPv6 RA daemon``
* :vytask:`T5861` ``(bug): Flavor build system fails with third-party packages``
* :vytask:`T5854` ``(feature): Extend override-default script to allow embedded defaultValue settings``
* :vytask:`T5566` ``(feature): Be able to disable 802.3az/EEE (energy efficient ethernet) for a particular interface``
* :vytask:`T5792` ``(default): Upgrade ddclient 3.11.2 release``
2023-12-25
==========
* :vytask:`T5855` ``(feature): Migrate "set service lldp snmp enable" -> `set service lldp snmp"``
* :vytask:`T5837` ``(bug): vyos.configdict.node_changed does not return keys per adding``
* :vytask:`T5856` ``(bug): SNMP service removal fails``
2023-12-24
==========
* :vytask:`T5853` ``(default): Typo interfaces-virtual-ethernet.xml.in``
2023-12-22
==========
* :vytask:`T5811` ``(bug): static dhcp-interface routes not installed``
* :vytask:`T5804` ``(bug): SNAT "any" interface error``
* :vytask:`T4760` ``(bug): VyOS does not support running multiple instances of DHCPv6 clients``
2023-12-21
==========
* :vytask:`T5778` ``(bug): The show dhcp server leases operation mode command does not work as expected``
* :vytask:`T5775` ``(default): Migrated Firewall Global State Policy ineffective on latest firewall zone config``
* :vytask:`T5637` ``(bug): Firewall default-action log``
* :vytask:`T5796` ``(bug): Openconnect - HTTPS security headers are missing``
* :vytask:`T3580` ``(feature): Refactoring firewall ipv6 rule icmpv6``
* :vytask:`T2898` ``(feature): Support NDP proxy``
* :vytask:`T2229` ``(feature): PPPOE Default Queue type selection``
2023-12-20
==========
* :vytask:`T5823` ``(feature): Protocol BGP add default values for config dictionary``
* :vytask:`T5798` ``(enhancment): reverse-proxy load-balancing service should support multiple certificates for frontend``
2023-12-19
==========
* :vytask:`T5828` ``(default): Fix GRUB installation on arm64``
2023-12-18
==========
* :vytask:`T5751` ``(feature): Adjust new image tools for non-interactive use``
* :vytask:`T5831` ``(feature): show system image should reverse order by addition date``
* :vytask:`T5825` ``(bug): image-tools: restore authentication on 'add system image'``
* :vytask:`T5821` ``(bug): image-tools: restore vrf-aware 'add system image'``
* :vytask:`T5819` ``(bug): Don't echo password on install image``
* :vytask:`T5806` ``(bug): Clear old raid data on new install image``
* :vytask:`T5789` ``(bug): image-tools should copy ssh host keys on image update``
* :vytask:`T5758` ``(default): Restore scanning configs when live installing``
2023-12-15
==========
* :vytask:`T5824` ``(bug): busybox cannot connect some websites from initramfs``
* :vytask:`T5803` ``(default): git/github: Adjust configuration for safe and baseline defaults``
2023-12-14
==========
* :vytask:`T5773` ``(bug): Unable to load config via HTTP``
* :vytask:`T5816` ``(bug): BGP Large Community List Validation Broken``
* :vytask:`T5812` ``(bug): rollback check max revision number does not work``
* :vytask:`T5749` ``(feature): Show MAC address VRF and MTU by default for "show interfaces"``
* :vytask:`T5774` ``(bug): commit-archive to FTP server broken after update (VyOS 1.5-rolling)``
* :vytask:`T5826` ``(default): Add dmicode as an explicit dependency``
* :vytask:`T5793` ``(default): mdns-repeater: Cleanup avahi-daemon configuration in /etc``
2023-12-13
==========
* :vytask:`T591` ``(feature): Support SRv6``
2023-12-12
==========
* :vytask:`T4704` ``(feature): Allow to set metric (MED) to rtt with rtt,+rtt or -rtt``
* :vytask:`T5815` ``(enhancment): Add load_config module``
* :vytask:`T5413` ``(default): Deny the opportunity to use one public/private key pair on both wireguard peers.``
2023-12-11
==========
* :vytask:`T5741` ``(bug): WAN Load Balancing failover route tables aren't created``
2023-12-10
==========
* :vytask:`T5658` ``(default): Add VRF support for mtr``
2023-12-09
==========
* :vytask:`T5808` ``(bug): op-mode: ipv6 ospfv3 graceful-restart description contains incorrect info``
* :vytask:`T5802` ``(bug): ping (ip or hostname) interface <tab> produces error``
* :vytask:`T5747` ``(feature): op-mode add MAC VRF and MTU for show interfaces summary``
* :vytask:`T3983` ``(bug): show pki certificate Doesnt show x509 certificates``
2023-12-08
==========
* :vytask:`T5782` ``(enhancment): Use a single config mode script for https and http-api``
* :vytask:`T5768` ``(enhancment): Remove auxiliary http-api.conf for simplification of http-api config mode script``
* :vytask:`T5809` ``(default): Enable GRUB support for gzip compressed kernels``
2023-12-04
==========
* :vytask:`T5769` ``(bug): VTI tunnels lose their v6 Link Local addresses when set down/up``
2023-12-03
==========
* :vytask:`T5753` ``(feature): Add VXLAN vnifilter support``
* :vytask:`T5759` ``(feature): Change VXLAN default MTU to 1500 bytes``
2023-11-30
==========
* :vytask:`T4601` ``(bug): dhcp : relay agent IP address issue.``
2023-11-28
==========
* :vytask:`T4276` ``(bug): IPsec peers dh-group negotiation issue with pfs enabled and multiple proposals configured with IKEv1``
2023-11-27
==========
* :vytask:`T5763` ``(bug): Fix imprecise check for remote file name in vyos-load-config.py``
* :vytask:`T5783` ``(feature): frr: smoketests must notice any daemon crash``
2023-11-26
==========

204
docs/changelog/1.5.rst
View File

@ -8,6 +8,210 @@
_ext/releasenotes.py
2024-01-07
==========
* :vytask:`T5899` ``(feature): VyOS vm images use bookworm repo``
* :vytask:`T5887` ``(feature): Upgrade Linux Kernel to 6.6.y (2023 LTS edition)``
2024-01-06
==========
* :vytask:`T3214` ``(bug): OpenVPN IPv6 fixes``
2024-01-05
==========
* :vytask:`T5894` ``(feature): Extend get_config_dict() with additional parameter with_pki that defaults to False``
2024-01-03
==========
* :vytask:`T5880` ``(bug): verify_source_interface should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces``
* :vytask:`T5879` ``(bug): tunnel: sourceing from dynamic pppoe0 interface will fail on reboots``
2024-01-02
==========
* :vytask:`T5885` ``(default): image-tools: relax restriction on image-name length from 32 to 64``
2024-01-01
==========
* :vytask:`T5883` ``(bug): Preserve file ownership in /config subdirs on add system image``
* :vytask:`T5474` ``(feature): Establish common file name pattern for XML conf mode commands``
2023-12-30
==========
* :vytask:`T5875` ``(bug): login: removing and re-adding a user keeps the home directory but UID will change, thus SSH keys no longer work``
* :vytask:`T5653` ``(feature): Command to display fingerprint``
2023-12-29
==========
* :vytask:`T5829` ``(bug): Can't Add IPv6 Address to Containers``
* :vytask:`T5852` ``(bug): Reboots fail with eapol WAN interface``
* :vytask:`T5869` ``(bug): vyos.template.first_host_address() does not honor RFC4291 section 2.6.1``
2023-12-28
==========
* :vytask:`T5827` ``(bug): image-tools: 'show system image' Command Not in Order``
* :vytask:`T4163` ``(feature): [BMP-BGP] Routing monitoring feature``
* :vytask:`T5867` ``(feature): Upgrade podman to Debian Trixie version 4.7.x``
* :vytask:`T5866` ``(feature): Add op-mode command to restart IPv6 RA daemon``
* :vytask:`T5861` ``(bug): Flavor build system fails with third-party packages``
* :vytask:`T5854` ``(feature): Extend override-default script to allow embedded defaultValue settings``
* :vytask:`T5566` ``(feature): Be able to disable 802.3az/EEE (energy efficient ethernet) for a particular interface``
* :vytask:`T5792` ``(default): Upgrade ddclient 3.11.2 release``
2023-12-25
==========
* :vytask:`T5855` ``(feature): Migrate "set service lldp snmp enable" -> `set service lldp snmp"``
* :vytask:`T5837` ``(bug): vyos.configdict.node_changed does not return keys per adding``
* :vytask:`T5856` ``(bug): SNMP service removal fails``
2023-12-23
==========
* :vytask:`T5678` ``(feature): Improvements in PPPoE configuration``
2023-12-22
==========
* :vytask:`T5804` ``(bug): SNAT "any" interface error``
2023-12-21
==========
* :vytask:`T5807` ``(bug): NAT66 op-mode bugs``
* :vytask:`T5778` ``(bug): The show dhcp server leases operation mode command does not work as expected``
* :vytask:`T5775` ``(default): Migrated Firewall Global State Policy ineffective on latest firewall zone config``
* :vytask:`T5676` ``(bug): NAT66 source rule with negation source/destination prefix causes TypeError``
* :vytask:`T5637` ``(bug): Firewall default-action log``
* :vytask:`T5796` ``(bug): Openconnect - HTTPS security headers are missing``
2023-12-20
==========
* :vytask:`T5823` ``(feature): Protocol BGP add default values for config dictionary``
* :vytask:`T5798` ``(enhancment): reverse-proxy load-balancing service should support multiple certificates for frontend``
2023-12-19
==========
* :vytask:`T5828` ``(default): Fix GRUB installation on arm64``
2023-12-18
==========
* :vytask:`T5751` ``(feature): Adjust new image tools for non-interactive use``
* :vytask:`T5831` ``(feature): show system image should reverse order by addition date``
* :vytask:`T5825` ``(bug): image-tools: restore authentication on 'add system image'``
* :vytask:`T5821` ``(bug): image-tools: restore vrf-aware 'add system image'``
* :vytask:`T5819` ``(bug): Don't echo password on install image``
* :vytask:`T5806` ``(bug): Clear old raid data on new install image``
* :vytask:`T5789` ``(bug): image-tools should copy ssh host keys on image update``
* :vytask:`T5758` ``(default): Restore scanning configs when live installing``
2023-12-15
==========
* :vytask:`T5824` ``(bug): busybox cannot connect some websites from initramfs``
* :vytask:`T5770` ``(bug): MACsec not encrypting``
* :vytask:`T5803` ``(default): git/github: Adjust configuration for safe and baseline defaults``
2023-12-14
==========
* :vytask:`T5773` ``(bug): Unable to load config via HTTP``
* :vytask:`T5816` ``(bug): BGP Large Community List Validation Broken``
* :vytask:`T5812` ``(bug): rollback check max revision number does not work``
* :vytask:`T5749` ``(feature): Show MAC address VRF and MTU by default for "show interfaces"``
* :vytask:`T5774` ``(bug): commit-archive to FTP server broken after update (VyOS 1.5-rolling)``
* :vytask:`T5826` ``(default): Add dmicode as an explicit dependency``
* :vytask:`T5793` ``(default): mdns-repeater: Cleanup avahi-daemon configuration in /etc``
2023-12-13
==========
* :vytask:`T591` ``(feature): Support SRv6``
2023-12-12
==========
* :vytask:`T5815` ``(enhancment): Add load_config module``
2023-12-11
==========
* :vytask:`T5741` ``(bug): WAN Load Balancing failover route tables aren't created``
2023-12-10
==========
* :vytask:`T5658` ``(default): Add VRF support for mtr``
2023-12-09
==========
* :vytask:`T5808` ``(bug): op-mode: ipv6 ospfv3 graceful-restart description contains incorrect info``
* :vytask:`T5802` ``(bug): ping (ip or hostname) interface <tab> produces error``
* :vytask:`T5747` ``(feature): op-mode add MAC VRF and MTU for show interfaces summary``
* :vytask:`T3983` ``(bug): show pki certificate Doesnt show x509 certificates``
2023-12-08
==========
* :vytask:`T5782` ``(enhancment): Use a single config mode script for https and http-api``
* :vytask:`T5768` ``(enhancment): Remove auxiliary http-api.conf for simplification of http-api config mode script``
2023-12-04
==========
* :vytask:`T5769` ``(bug): VTI tunnels lose their v6 Link Local addresses when set down/up``
2023-12-03
==========
* :vytask:`T5753` ``(feature): Add VXLAN vnifilter support``
* :vytask:`T5759` ``(feature): Change VXLAN default MTU to 1500 bytes``
2023-11-27
==========
* :vytask:`T5763` ``(bug): Fix imprecise check for remote file name in vyos-load-config.py``
* :vytask:`T5783` ``(feature): frr: smoketests must notice any daemon crash``
2023-11-26
==========

5
docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf
View File

@ -8,6 +8,7 @@ set protocols static route 10.0.10.0/24 next-hop 10.0.20.254
set protocols static route 192.168.0.0/24 next-hop 127.16.0.2
set service dhcp-server listen-address '172.16.0.1'
set service dhcp-server shared-network-name DHCPTun100 authoritative
set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 default-router '192.168.0.254'
set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 option default-router '192.168.0.254'
set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 start '192.168.0.30'
set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 stop '192.168.0.30'
set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 stop '192.168.0.30'
set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 subnet-id '1'

1499
docs/configexamples/autotest/Wireguard/Wireguard.log
View File

File diff suppressed because it is too large Load Diff

22
docs/configexamples/autotest/Wireguard/Wireguard.rst
View File

@ -3,8 +3,8 @@ Wireguard
#########
| Testdate: 2023-08-31
| Version: 1.4-rolling-202308240020
| Testdate: 2024-01-13
| Version: 1.5-rolling-202401121239
This simple structure show how to connect two offices. One remote branch and the
@ -44,9 +44,9 @@ After this, the public key can be displayed, to save for later.
.. code-block:: none
vyos@central:~$ generate pki wireguard key-pair
Private key: cMNGHtb5dW92ORG3HS8JJlvQF8pmVGt2Ydny8hTBLnY=
Public key: WyfLCTXi31gL+YbYOwoAHCl2RgS+y56cYHEK6pQsTQ8=
vyos@central:~$ generate pki wireguard
Private key: wHQS+ib3eMIp2DxRiAeXfFVaSCMMP1YHBaKfSR1xfV8=
Public key: RCMy6BAER0uEcPvspUb3K38MHyHJpK5kiV5IOX943HI=
After you have each public key. The wireguard interfaces can be setup.
@ -102,11 +102,11 @@ And ping the Branch PC from your central router to check the response.
vyos@central:~$ ping 10.0.2.100 count 4
PING 10.0.2.100 (10.0.2.100) 56(84) bytes of data.
64 bytes from 10.0.2.100: icmp_seq=1 ttl=63 time=0.641 ms
64 bytes from 10.0.2.100: icmp_seq=2 ttl=63 time=0.836 ms
64 bytes from 10.0.2.100: icmp_seq=3 ttl=63 time=0.792 ms
64 bytes from 10.0.2.100: icmp_seq=4 ttl=63 time=1.09 ms
64 bytes from 10.0.2.100: icmp_seq=1 ttl=63 time=0.894 ms
64 bytes from 10.0.2.100: icmp_seq=2 ttl=63 time=0.869 ms
64 bytes from 10.0.2.100: icmp_seq=3 ttl=63 time=0.966 ms
64 bytes from 10.0.2.100: icmp_seq=4 ttl=63 time=0.998 ms
--- 10.0.2.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3013ms
rtt min/avg/max/mdev = 0.641/0.838/1.086/0.160 ms
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.869/0.931/0.998/0.052 ms

4
docs/configexamples/autotest/Wireguard/_include/branch.conf
View File

@ -1,14 +1,14 @@
set interface ethernet eth2 address 10.0.2.254/24
set interface ethernet eth1 address 198.51.100.2/24
set interfaces wireguard wg01 private-key 'oDZ2S/4S6UEuhOyk0MvNSQTebugihX5RKCrI3exmHV8='
set interfaces wireguard wg01 private-key 'QM3ZtmaxstxIDoz00AVLE/F/UVjmdcrOvfKYW/TVw18='
set interfaces wireguard wg01 address 192.168.0.2/24
set interfaces wireguard wg01 description 'VPN-to-central'
set interfaces wireguard wg01 peer central allowed-ips 10.0.1.0/24
set interfaces wireguard wg01 peer central allowed-ips 192.168.0.0/24
set interfaces wireguard wg01 peer central address 198.51.100.1
set interfaces wireguard wg01 peer central port 51820
set interfaces wireguard wg01 peer central public-key 'WyfLCTXi31gL+YbYOwoAHCl2RgS+y56cYHEK6pQsTQ8='
set interfaces wireguard wg01 peer central public-key 'RCMy6BAER0uEcPvspUb3K38MHyHJpK5kiV5IOX943HI='
set interfaces wireguard wg01 port 51820
set protocols static route 10.0.1.0/24 interface wg01

4
docs/configexamples/autotest/Wireguard/_include/central.conf
View File

@ -1,14 +1,14 @@
set interface ethernet eth2 address 10.0.1.254/24
set interface ethernet eth1 address 198.51.100.1/24
set interfaces wireguard wg01 private-key 'cMNGHtb5dW92ORG3HS8JJlvQF8pmVGt2Ydny8hTBLnY='
set interfaces wireguard wg01 private-key 'wHQS+ib3eMIp2DxRiAeXfFVaSCMMP1YHBaKfSR1xfV8='
set interfaces wireguard wg01 address 192.168.0.1/24
set interfaces wireguard wg01 description 'VPN-to-Branch'
set interfaces wireguard wg01 peer branch allowed-ips 10.0.2.0/24
set interfaces wireguard wg01 peer branch allowed-ips 192.168.0.0/24
set interfaces wireguard wg01 peer branch address 198.51.100.2
set interfaces wireguard wg01 peer branch port 51820
set interfaces wireguard wg01 peer branch public-key '9ySVcjER2cY1tG/L7598zHg8g1xyggjxALqzeCxLgw4='
set interfaces wireguard wg01 peer branch public-key 'nWhMTjGQbQiJwaNqHpZ/p8+iAH29HaJDNsdfsRdW9As='
set interfaces wireguard wg01 port 51820
set protocols static route 10.0.2.0/24 interface wg01

1458
docs/configexamples/autotest/tunnelbroker/tunnelbroker.log
View File

File diff suppressed because it is too large Load Diff

36
docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
View File

@ -4,8 +4,8 @@
Tunnelbroker.net (IPv6)
#######################
| Testdate: 2023-08-31
| Version: 1.4-rolling-202308240020
| Testdate: 2024-01-13
| Version: 1.5-rolling-202401121239
This guide walks through the setup of https://www.tunnelbroker.net/ for an
IPv6 Tunnel.
@ -61,14 +61,14 @@ Now you should be able to ping a public IPv6 Address
vyos@vyos-wan:~$ ping 2001:470:20::2 count 4
PING 2001:470:20::2(2001:470:20::2) 56 data bytes
64 bytes from 2001:470:20::2: icmp_seq=1 ttl=64 time=39.4 ms
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=29.9 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=64 time=30.0 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=64 time=29.9 ms
64 bytes from 2001:470:20::2: icmp_seq=1 ttl=64 time=33.8 ms
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=43.9 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=64 time=43.4 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=64 time=42.5 ms
--- 2001:470:20::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 29.885/32.293/39.371/4.086 ms
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 33.802/40.920/43.924/4.139 ms
Assuming the pings are successful, you need to add some DNS servers.
@ -85,14 +85,14 @@ You should now be able to ping something by IPv6 DNS name:
vyos@vyos-wan:~$ ping tunnelbroker.net count 4
PING tunnelbroker.net(tunnelbroker.net (2001:470:0:63::2)) 56 data bytes
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=1 ttl=46 time=200 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=2 ttl=46 time=176 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=3 ttl=46 time=244 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=4 ttl=46 time=176 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=1 ttl=48 time=285 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=2 ttl=48 time=186 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=3 ttl=48 time=178 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=4 ttl=48 time=177 ms
--- tunnelbroker.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 175.737/198.653/243.621/27.714 ms
rtt min/avg/max/mdev = 176.707/206.638/285.128/45.457 ms
*****************
@ -148,14 +148,14 @@ Now the Client is able to ping a public IPv6 address
vyos@client:~$ ping 2001:470:20::2 count 4
PING 2001:470:20::2(2001:470:20::2) 56 data bytes
64 bytes from 2001:470:20::2: icmp_seq=1 ttl=63 time=30.5 ms
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=63 time=29.6 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=63 time=29.9 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=63 time=29.8 ms
64 bytes from 2001:470:20::2: icmp_seq=1 ttl=63 time=32.1 ms
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=63 time=41.8 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=63 time=41.7 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=63 time=47.1 ms
--- 2001:470:20::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 29.578/29.959/30.490/0.333 ms
rtt min/avg/max/mdev = 32.128/40.688/47.107/5.403 ms
Multiple LAN/DMZ Setup

40
docs/configexamples/pppoe-ipv6-basic.rst
View File

@ -89,24 +89,28 @@ To have basic protection while keeping IPv6 network functional, we need to:
.. code-block:: none
set firewall ipv6-name WAN_IN default-action 'drop'
set firewall ipv6-name WAN_IN rule 10 action 'accept'
set firewall ipv6-name WAN_IN rule 10 state established 'enable'
set firewall ipv6-name WAN_IN rule 10 state related 'enable'
set firewall ipv6-name WAN_IN rule 20 action 'accept'
set firewall ipv6-name WAN_IN rule 20 protocol 'icmpv6'
set firewall ipv6-name WAN_LOCAL default-action 'drop'
set firewall ipv6-name WAN_LOCAL rule 10 action 'accept'
set firewall ipv6-name WAN_LOCAL rule 10 state established 'enable'
set firewall ipv6-name WAN_LOCAL rule 10 state related 'enable'
set firewall ipv6-name WAN_LOCAL rule 20 action 'accept'
set firewall ipv6-name WAN_LOCAL rule 20 protocol 'icmpv6'
set firewall ipv6-name WAN_LOCAL rule 30 action 'accept'
set firewall ipv6-name WAN_LOCAL rule 30 destination port '546'
set firewall ipv6-name WAN_LOCAL rule 30 protocol 'udp'
set firewall ipv6-name WAN_LOCAL rule 30 source port '547'
set interfaces pppoe pppoe0 firewall in ipv6-name 'WAN_IN'
set interfaces pppoe pppoe0 firewall local ipv6-name 'WAN_LOCAL'
set firewall ipv6 name WAN_IN default-action 'drop'
set firewall ipv6 name WAN_IN rule 10 action 'accept'
set firewall ipv6 name WAN_IN rule 10 state established 'enable'
set firewall ipv6 name WAN_IN rule 10 state related 'enable'
set firewall ipv6 name WAN_IN rule 20 action 'accept'
set firewall ipv6 name WAN_IN rule 20 protocol 'icmpv6'
set firewall ipv6 name WAN_LOCAL default-action 'drop'
set firewall ipv6 name WAN_LOCAL rule 10 action 'accept'
set firewall ipv6 name WAN_LOCAL rule 10 state established 'enable'
set firewall ipv6 name WAN_LOCAL rule 10 state related 'enable'
set firewall ipv6 name WAN_LOCAL rule 20 action 'accept'
set firewall ipv6 name WAN_LOCAL rule 20 protocol 'icmpv6'
set firewall ipv6 name WAN_LOCAL rule 30 action 'accept'
set firewall ipv6 name WAN_LOCAL rule 30 destination port '546'
set firewall ipv6 name WAN_LOCAL rule 30 protocol 'udp'
set firewall ipv6 name WAN_LOCAL rule 30 source port '547'
set firewall ipv6 forward filter rule 10 action jump
set firewall ipv6 forward filter rule 10 jump-target 'WAN_IN'
set firewall ipv6 forward filter rule 10 inbound-interface name 'pppoe0'
set firewall ipv6 input filter rule 10 action jump
set firewall ipv6 input filter rule 10 jump-target 'WAN_LOCAL'
set firewall ipv6 input filter rule 10 inbound-interface name 'pppoe0'
Note to allow the router to receive DHCPv6 response from ISP. We need to allow
packets with source port 547 (server) and destination port 546 (client).

12
docs/configuration/container/index.rst
View File

@ -182,11 +182,11 @@ Example Configuration
.. code-block:: none
set container network zabbix-net prefix 172.20.0.0/16
set container network zabbix-net description 'Network for Zabbix component containers'
set container network zabbix prefix 172.20.0.0/16
set container network zabbix description 'Network for Zabbix component containers'
set container name mysql-server image mysql:8.0
set container name mysql-server network zabbix-net
set container name mysql-server network zabbix
set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix'
set container name mysql-server environment 'MYSQL_USER' value 'zabbix'
@ -194,10 +194,10 @@ Example Configuration
set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd'
set container name zabbix-java-gateway image zabbix/zabbix-java-gateway:alpine-5.2-latest
set container name zabbix-java-gateway network zabbix-net
set container name zabbix-java-gateway network zabbix
set container name zabbix-server-mysql image zabbix/zabbix-server-mysql:alpine-5.2-latest
set container name zabbix-server-mysql network zabbix-net
set container name zabbix-server-mysql network zabbix
set container name zabbix-server-mysql environment 'DB_SERVER_HOST' value 'mysql-server'
set container name zabbix-server-mysql environment 'MYSQL_DATABASE' value 'zabbix'
@ -210,7 +210,7 @@ Example Configuration
set container name zabbix-server-mysql port zabbix destination 10051
set container name zabbix-web-nginx-mysql image zabbix/zabbix-web-nginx-mysql:alpine-5.2-latest
set container name zabbix-web-nginx-mysql network zabbix-net
set container name zabbix-web-nginx-mysql network zabbix
set container name zabbix-web-nginx-mysql environment 'MYSQL_DATABASE' value 'zabbix'
set container name zabbix-web-nginx-mysql environment 'ZBX_SERVER_HOST' value 'zabbix-server-mysql'

361
docs/configuration/firewall/bridge.rst
View File

@ -39,4 +39,363 @@ for this layer is shown next:
For traffic that needs to be forwared internally by the bridge, base chain is
is **forward**, and it's base command for filtering is ``set firewall bridge
forward filter ...``
forward filter ...``, which happens in stage 4, highlightened with red color.
Custom bridge firewall chains can be create with command ``set firewall bridge
name <name> ...``. In order to use such custom chain, a rule with action jump,
and the appropiate target should be defined in a base chain.
.. note:: **Layer 3 bridge**:
When an IP address is assigned to the bridge interface, and if traffic
is sent to the router to this IP (for example using such IP as
default gateway), then rules defined for **bridge firewall** won't
match, and firewall analysis continues at **IP layer**.
************
Bridge Rules
************
For firewall filtering, firewall rules needs to be created. Each rule is
numbered, has an action to apply if the rule is matched, and the ability
to specify multiple criteria matchers. Data packets go through the rules
from 1 - 999999, so order is crucial. At the first match the action of the
rule will be executed.
Actions
=======
If a rule is defined, then an action must be defined for it. This tells the
firewall what to do if all criteria matchers defined for such rule do match.
In firewall bridge rules, the action can be:
* ``accept``: accept the packet.
* ``continue``: continue parsing next rule.
* ``drop``: drop the packet.
* ``jump``: jump to another custom chain.
* ``return``: Return from the current chain and continue at the next rule
of the last chain.
* ``queue``: Enqueue packet to userspace.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999> action
[accept | continue | drop | jump | queue | return]
.. cfgcmd:: set firewall bridge name <name> rule <1-999999> action
[accept | continue | drop | jump | queue | return]
This required setting defines the action of the current rule. If action is
set to jump, then jump-target is also needed.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
jump-target <text>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
jump-target <text>
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
queue <0-65535>
To be used only when action is set to ``queue``. Use this command to specify
queue target to use. Queue range is also supported.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
queue-options bypass
To be used only when action is set to ``queue``. Use this command to let
packet go through firewall when no userspace software is connected to the
queue.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
queue-options fanout
To be used only when action is set to ``queue``. Use this command to
distribute packets between several queues.
Also, **default-action** is an action that takes place whenever a packet does
not match any rule in it's chain. For base chains, possible options for
**default-action** are **accept** or **drop**.
.. cfgcmd:: set firewall bridge forward filter default-action
[accept | drop]
.. cfgcmd:: set firewall bridge name <name> default-action
[accept | continue | drop | jump | queue | return]
This set the default action of the rule-set if no rule matched a packet
criteria. If default-action is set to ``jump``, then
``default-jump-target`` is also needed. Note that for base chains, default
action can only be set to ``accept`` or ``drop``, while on custom chain,
more actions are available.
.. cfgcmd:: set firewall bridge name <name> default-jump-target <text>
To be used only when ``defult-action`` is set to ``jump``. Use this
command to specify jump target for default rule.
.. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if default
action is not defined, then the default-action is set to **drop**.
Firewall Logs
=============
Logging can be enable for every single firewall rule. If enabled, other
log options can be defined.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999> log
.. cfgcmd:: set firewall bridge name <name> rule <1-999999> log
Enable logging for the matched packet. If this configuration command is not
present, then log is not enabled.
.. cfgcmd:: set firewall bridge forward filter enable-default-log
.. cfgcmd:: set firewall bridge name <name> enable-default-log
Use this command to enable the logging of the default action on
the specified chain.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
log-options level [emerg | alert | crit | err | warn | notice
| info | debug]
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
log-options level [emerg | alert | crit | err | warn | notice
| info | debug]
Define log-level. Only applicable if rule log is enable.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
log-options group <0-65535>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
log-options group <0-65535>
Define log group to send message to. Only applicable if rule log is enable.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
log-options snapshot-length <0-9000>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
log-options snapshot-length <0-9000>
Define length of packet payload to include in netlink message. Only
applicable if rule log is enable and log group is defined.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
log-options queue-threshold <0-65535>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
log-options queue-threshold <0-65535>
Define number of packets to queue inside the kernel before sending them to
userspace. Only applicable if rule log is enable and log group is defined.
Firewall Description
====================
For reference, a description can be defined for every defined custom chain.
.. cfgcmd:: set firewall bridge name <name> description <text>
Provide a rule-set description to a custom firewall chain.
Rule Status
===========
When defining a rule, it is enable by default. In some cases, it is useful to
just disable the rule, rather than removing it.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable
.. cfgcmd:: set firewall bridge name <name> rule <1-999999> disable
Command for disabling a rule but keep it in the configuration.
Matching criteria
=================
There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
destination mac-address <mac-address>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
destination mac-address <mac-address>
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
source mac-address <mac-address>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
source mac-address <mac-address>
Match criteria based on source and/or destination mac-address.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
inbound-interface name <iface>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
inbound-interface name <iface>
Match based on inbound interface. Wilcard ``*`` can be used.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supportd. For example ``!eth2``
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
inbound-interface group <iface_group>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
inbound-interface group <iface_group>
Match based on inbound interface group. Prepending character ``!`` for
inverted matching criteria is also supportd. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
outbound-interface name <iface>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
outbound-interface name <iface>
Match based on outbound interface. Wilcard ``*`` can be used.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supportd. For example ``!eth2``
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
outbound-interface group <iface_group>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
outbound-interface group <iface_group>
Match based on outbound interface group. Prepending character ``!`` for
inverted matching criteria is also supportd. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
vlan id <0-4096>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
vlan id <0-4096>
Match based on vlan ID. Range is also supported.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
vlan priority <0-7>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
vlan priority <0-7>
Match based on vlan priority(pcp). Range is also supported.
***********************
Operation-mode Firewall
***********************
Rule-set overview
=================
In this section you can find all useful firewall op-mode commands.
General commands for firewall configuration, counter and statiscits:
.. opcmd:: show firewall
.. opcmd:: show firewall summary
.. opcmd:: show firewall statistics
And, to print only bridge firewall information:
.. opcmd:: show firewall bridge
.. opcmd:: show firewall bridge forward filter
.. opcmd:: show firewall bridge forward filter rule <rule>
.. opcmd:: show firewall bridge name <name>
.. opcmd:: show firewall bridge name <name> rule <rule>
Show Firewall log
=================
.. opcmd:: show log firewall
.. opcmd:: show log firewall bridge
.. opcmd:: show log firewall bridge forward
.. opcmd:: show log firewall bridge forward filter
.. opcmd:: show log firewall bridge name <name>
.. opcmd:: show log firewall bridge forward filter rule <rule>
.. opcmd:: show log firewall bridge name <name> rule <rule>
Show the logs of all firewall; show all bridge firewall logs; show all logs
for forward hook; show all logs for forward hook and priority filter; show
all logs for particular custom chain; show logs for specific Rule-Set.
Example
=======
Configuration example:
.. code-block:: none
set firewall bridge forward filter default-action 'drop'
set firewall bridge forward filter enable-default-log
set firewall bridge forward filter rule 10 action 'continue'
set firewall bridge forward filter rule 10 inbound-interface name 'eth2'
set firewall bridge forward filter rule 10 vlan id '22'
set firewall bridge forward filter rule 20 action 'drop'
set firewall bridge forward filter rule 20 inbound-interface group 'TRUNK-RIGHT'
set firewall bridge forward filter rule 20 vlan id '60'
set firewall bridge forward filter rule 30 action 'jump'
set firewall bridge forward filter rule 30 jump-target 'TEST'
set firewall bridge forward filter rule 30 outbound-interface name '!eth1'
set firewall bridge forward filter rule 35 action 'accept'
set firewall bridge forward filter rule 35 vlan id '11'
set firewall bridge forward filter rule 40 action 'continue'
set firewall bridge forward filter rule 40 destination mac-address '66:55:44:33:22:11'
set firewall bridge forward filter rule 40 source mac-address '11:22:33:44:55:66'
set firewall bridge name TEST default-action 'accept'
set firewall bridge name TEST enable-default-log
set firewall bridge name TEST rule 10 action 'continue'
set firewall bridge name TEST rule 10 log
set firewall bridge name TEST rule 10 vlan priority '0'
And op-mode commands:
.. code-block:: none
vyos@BRI:~$ show firewall bridge
Rulesets bridge Information
---------------------------------
bridge Firewall "forward filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- ---------------------------------------------------------------------
10 continue all 0 0 iifname "eth2" vlan id 22 continue
20 drop all 0 0 iifname @I_TRUNK-RIGHT vlan id 60
30 jump all 2130 170688 oifname != "eth1" jump NAME_TEST
35 accept all 2080 168616 vlan id 11 accept
40 continue all 0 0 ether daddr 66:55:44:33:22:11 ether saddr 11:22:33:44:55:66 continue
default drop all 0 0
---------------------------------
bridge Firewall "name TEST"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- --------------------------------------------------
10 continue all 2130 170688 vlan pcp 0 prefix "[bri-NAM-TEST-10-C]" continue
default accept all 2130 170688
vyos@BRI:~$
vyos@BRI:~$ show firewall bridge name TEST
Ruleset Information
---------------------------------
bridge Firewall "name TEST"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- --------------------------------------------------
10 continue all 2130 170688 vlan pcp 0 prefix "[bri-NAM-TEST-10-C]" continue
default accept all 2130 170688
vyos@BRI:~$
Inspect logs:
.. code-block:: none
vyos@BRI:~$ show log firewall bridge
Dec 05 14:37:47 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102
Dec 05 14:37:48 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102
Dec 05 14:37:49 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102
...
vyos@BRI:~$ show log firewall bridge forward filter
Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0

140
docs/configuration/firewall/flowtables.rst
View File

@ -1,4 +1,4 @@
:lastproofread: 2023-11-08
:lastproofread: 2023-12-26
.. _firewall-flowtables-configuration:
@ -13,7 +13,7 @@ Overview
********
In this section there's useful information of all firewall configuration that
can be done regarding flowtables
can be done regarding flowtables.
.. cfgcmd:: set firewall flowtables ...
@ -50,3 +50,139 @@ flowtable (flowtable miss), the packet follows the classic IP forwarding path.
.. note:: **Flowtable Reference:**
https://docs.kernel.org/networking/nf_flowtable.html
***********************
Flowtable Configuration
***********************
In order to use flowtables, the minimal configuration needed includes:
* Create flowtable: create flowtable, which includes the interfaces
that are going to be used by the flowtable.
* Create firewall rule: create a firewall rule, setting action to
``offload`` and using desired flowtable for ``offload-target``.
Creating a flow table:
.. cfgcmd:: set firewall flowtable <flow_table_name> interface <iface>
Define interfaces to be used in the flowtable.
.. cfgcmd:: set firewall flowtable <flow_table_name> description <text>
Provide a description to the flow table.
.. cfgcmd:: set firewall flowtable <flow_table_name> offload
<hardware | software>
Define type of offload to be used by the flowtable: ``hardware`` or
``software``. By default, ``software`` offload is used.
.. note:: **Hardware offload:** should be supported by the NICs used.
Creating rules for using flow tables:
.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999>
action offload
Create firewall rule in forward chain, and set action to ``offload``.
.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999>
offload-target <flowtable>
Create firewall rule in forward chain, and define which flowtbale
should be used. Only applicable if action is ``offload``.
*********************
Configuration Example
*********************
Things to be considred in this setup:
* Two interfaces are going to be used in the flowtables: eth0 and eth1
* Minumum firewall ruleset is provided, which includes some filtering rules,
and appropiate rules for using flowtable offload capabilities.
As described, first packet will be evaluated by all the firewall path, so
desired connection should be explicitely accepted. Same thing should be taken
into account for traffic in reverse order. In most cases state policies are
used in order to accept connection in reverse patch.
We will only accept traffic comming from interface eth0, protocol tcp and
destination port 1122. All other traffic traspassing the router should be
blocked.
Commands
--------
.. code-block:: none
set firewall flowtable FT01 interface 'eth0'
set firewall flowtable FT01 interface 'eth1'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'offload'
set firewall ipv4 forward filter rule 10 offload-target 'FT01'
set firewall ipv4 forward filter rule 10 state 'established'
set firewall ipv4 forward filter rule 10 state 'related'
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 state 'established'
set firewall ipv4 forward filter rule 20 state 'related'
set firewall ipv4 forward filter rule 110 action 'accept'
set firewall ipv4 forward filter rule 110 destination address '192.0.2.100'
set firewall ipv4 forward filter rule 110 destination port '1122'
set firewall ipv4 forward filter rule 110 inbound-interface name 'eth0'
set firewall ipv4 forward filter rule 110 protocol 'tcp'
Explanation
-----------
Analysis on what happens for desired connection:
1. First packet is received on eht0, with destination address 192.0.2.100,
protocol tcp and destination port 1122. Assume such destination address is
reachable through interface eth1.
2. Since this is the first packet, connection status of this connection,
so far is **new**. So neither rule 10 nor 20 are valid.
3. Rule 110 is hit, so connection is accepted.
4. Once answer from server 192.0.2.100 is seen in opposite direction,
connection state will be triggered to **established**, so this reply is
accepted in rule 10.
5. Second packet for this connection is received by the router. Since
connection state is **established**, then rule 10 is hit, and a new entry
in the flowtable FT01 is added for this connection.
6. All subsecuent packets will skip traditional path, and will be offloaded
and will use the **Fast Path**.
Checks
------
It's time to check conntrack table, to see if any connection was accepted,
and if was properly offloaded
.. code-block:: none
vyos@FlowTables:~$ show firewall ipv4 forward filter
Ruleset Information
---------------------------------
ipv4 Firewall "forward filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- ----------------------------------------------------------------
10 offload all 8 468 ct state { established, related } flow add @VYOS_FLOWTABLE_FT01
20 accept all 8 468 ct state { established, related } accept
110 accept tcp 2 120 ip daddr 192.0.2.100 tcp dport 1122 iifname "eth0" accept
default drop all 7 420
vyos@FlowTables:~$ sudo conntrack -L | grep tcp
conntrack v1.4.6 (conntrack-tools): 5 flow entries have been shown.
tcp 6 src=198.51.100.100 dst=192.0.2.100 sport=41676 dport=1122 src=192.0.2.100 dst=198.51.100.100 sport=1122 dport=41676 [OFFLOAD] mark=0 use=2
vyos@FlowTables:~$

34
docs/configuration/firewall/global-options.rst
View File

@ -1,4 +1,4 @@
:lastproofread: 2023-11-07
:lastproofread: 2023-12-26
.. _firewall-global-options-configuration:
@ -114,4 +114,34 @@ Configuration
Enable or Disable VyOS to be :rfc:`1337` conform.
The following system parameter will be altered:
* ``net.ipv4.tcp_rfc1337``
* ``net.ipv4.tcp_rfc1337``
.. cfgcmd:: set firewall global-options state-policy established action
[accept | drop | reject]
.. cfgcmd:: set firewall global-options state-policy established log
.. cfgcmd:: set firewall global-options state-policy established log-level
[emerg | alert | crit | err | warn | notice | info | debug]
Set the global setting for an established connection.
.. cfgcmd:: set firewall global-options state-policy invalid action
[accept | drop | reject]
.. cfgcmd:: set firewall global-options state-policy invalid log
.. cfgcmd:: set firewall global-options state-policy invalid log-level
[emerg | alert | crit | err | warn | notice | info | debug]
Set the global setting for invalid packets.
.. cfgcmd:: set firewall global-options state-policy related action
[accept | drop | reject]
.. cfgcmd:: set firewall global-options state-policy related log
.. cfgcmd:: set firewall global-options state-policy related log-level
[emerg | alert | crit | err | warn | notice | info | debug]
Set the global setting for related connections.

59
docs/configuration/firewall/index.rst
View File

@ -4,31 +4,32 @@
Firewall
########
With VyOS being based on top of Linux and its kernel, the Netfilter project
created the iptables and now the successor nftables for the Linux kernel to
work directly on the data flows. This now extends the concept of zone-based
security to allow for manipulating the data at multiple stages once accepted
by the network interface and the driver before being handed off to the
destination (e.g. a web server OR another device).
As VyOS is based on Linux it leverages its firewall. The Netfilter project
created iptables and its successor nftables for the Linux kernel to
work directly on packet data flows. This now extends the concept of
zone-based security to allow for manipulating the data at multiple stages once
accepted by the network interface and the driver before being handed off to
the destination (e.g., a web server OR another device).
A simplified traffic flow, based on Netfilter packet flow, is shown next, in
order to have a full view and understanding of how packets are processed, and
what possible paths can take.
A simplified traffic flow diagram, based on Netfilter packet flow, is shown
next, in order to have a full view and understanding of how packets are
processed, and what possible paths traffic can take.
.. figure:: /_static/images/firewall-gral-packet-flow.png
Main notes regarding this packet flow and terminology used in VyOS firewall:
The main points regarding this packet flow and terminology used in VyOS
firewall are covered below:
* **Bridge Port?**: choose appropiate path based on if interface were the
packet was received is part of a bridge, or not.
* **Bridge Port?**: choose appropriate path based on whether interface
where the packet was received is part of a bridge, or not.
If interface were the packet was received isn't part of a bridge, then packet
is processed at the **IP Layer**:
If the interface where the packet was received isn't part of a bridge, then
packetis processed at the **IP Layer**:
* **Prerouting**: several actions can be done in this stage, and currently
these actions are defined in different parts in vyos configuration. Order
these actions are defined in different parts in VyOS configuration. Order
is important, and all these actions are performed before any actions
define under ``firewall`` section. Relevant configuration that acts in
defined under ``firewall`` section. Relevant configuration that acts in
this stage are:
* **Conntrack Ignore**: rules defined under ``set system conntrack ignore
@ -40,12 +41,12 @@ is processed at the **IP Layer**:
* **Destination NAT**: rules defined under ``set [nat | nat66]
destination...``.
* **Destination is the router?**: choose appropiate path based on
destination IP address. Transit forward continunes to **forward**,
* **Destination is the router?**: choose appropriate path based on
destination IP address. Transit forward continues to **forward**,
while traffic that destination IP address is configured on the router
continues to **input**.
* **Input**: stage where traffic destinated to the router itself can be
* **Input**: stage where traffic destined for the router itself can be
filtered and controlled. This is where all rules for securing the router
should take place. This includes ipv4 and ipv6 filtering rules, defined
in:
@ -61,10 +62,10 @@ is processed at the **IP Layer**:
* ``set firewall ipv6 forward filter ...``.
* **Output**: stage where traffic that is originated by the router itself
can be filtered and controlled. Bare in mind that this traffic can be a
new connection originted by a internal process running on VyOS router,
such as NTP, or can be a response to traffic received externaly through
* **Output**: stage where traffic that originates from the router itself
can be filtered and controlled. Bear in mind that this traffic can be a
new connection originated by a internal process running on VyOS router,
such as NTP, or a response to traffic received externaly through
**inputt** (for example response to an ssh login attempt to the router).
This includes ipv4 and ipv6 filtering rules, defined in:
@ -79,16 +80,16 @@ is processed at the **IP Layer**:
* **Source NAT**: rules defined under ``set [nat | nat66]
destination...``.
If interface were the packet was received is part of a bridge, then packet
is processed at the **Bridge Layer**, which contains a ver basic setup where
for bridge filtering:
If the interface where the packet was received is part of a bridge, then
packetis processed at the **Bridge Layer**, which contains a basic setup for
bridge filtering:
* **Forward (Bridge)**: stage where traffic that is trasspasing through the
* **Forward (Bridge)**: stage where traffic that is trespasing through the
bridge is filtered and controlled:
* ``set firewall bridge forward filter ...``.
Main structure VyOS firewall cli is shown next:
The main structure VyOS firewall cli is shown next:
.. code-block:: none
@ -134,7 +135,7 @@ Main structure VyOS firewall cli is shown next:
- custom_zone_name
+ ...
Please, refer to appropiate section for more information about firewall
Please, refer to appropriate section for more information about firewall
configuration:
.. toctree::

52
docs/configuration/firewall/ipv4.rst
View File

@ -123,9 +123,46 @@ The action can be :
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
jump-target <text>
To be used only when action is set to jump. Use this command to specify
To be used only when action is set to ``jump``. Use this command to specify
jump target.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
queue <0-65535>
To be used only when action is set to ``queue``. Use this command to specify
queue target to use. Queue range is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
queue-options bypass
To be used only when action is set to ``queue``. Use this command to let
packet go through firewall when no userspace software is connected to the
queue.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
queue-options fanout
To be used only when action is set to ``queue``. Use this command to
distribute packets between several queues.
Also, **default-action** is an action that takes place whenever a packet does
not match any rule in it's chain. For base chains, possible options for
**default-action** are **accept** or **drop**.
@ -140,7 +177,7 @@ not match any rule in it's chain. For base chains, possible options for
[accept | drop | jump | queue | reject | return]
This set the default action of the rule-set if no rule matched a packet
criteria. If defacult-action is set to ``jump``, then
criteria. If default-action is set to ``jump``, then
``default-jump-target`` is also needed. Note that for base chains, default
action can only be set to ``accept`` or ``drop``, while on custom chain,
more actions are available.
@ -153,7 +190,7 @@ not match any rule in it's chain. For base chains, possible options for
.. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if default
action is not defined, then the default-action is set to **drop**
action is not defined, then the default-action is set to **drop**.
Firewall Logs
=============
@ -162,15 +199,12 @@ Logging can be enable for every single firewall rule. If enabled, other
log options can be defined.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log
[disable | enable]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> log
[disable | enable]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> log
[disable | enable]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log
[disable | enable]
Enable or disable logging for the matched packet.
Enable logging for the matched packet. If this configuration command is not
present, then log is not enabled.
.. cfgcmd:: set firewall ipv4 forward filter enable-default-log
.. cfgcmd:: set firewall ipv4 input filter enable-default-log
@ -266,7 +300,7 @@ just disable the rule, rather than removing it.
Matching criteria
=================
There are a lot of matching criteria against which the package can be tested.
There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
connection-status nat [destination | source]

130
docs/configuration/firewall/ipv6.rst
View File

@ -123,9 +123,46 @@ The action can be :
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
jump-target <text>
To be used only when action is set to jump. Use this command to specify
To be used only when action is set to ``jump``. Use this command to specify
jump target.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
queue <0-65535>
To be used only when action is set to ``queue``. Use this command to specify
queue target to use. Queue range is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
queue-options bypass
To be used only when action is set to ``queue``. Use this command to let
packet go through firewall when no userspace software is connected to the
queue.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
queue-options fanout
To be used only when action is set to ``queue``. Use this command to
distribute packets between several queues.
Also, **default-action** is an action that takes place whenever a packet does
not match any rule in it's chain. For base chains, possible options for
**default-action** are **accept** or **drop**.
@ -140,7 +177,7 @@ not match any rule in it's chain. For base chains, possible options for
[accept | drop | jump | queue | reject | return]
This set the default action of the rule-set if no rule matched a packet
criteria. If defacult-action is set to ``jump``, then
criteria. If default-action is set to ``jump``, then
``default-jump-target`` is also needed. Note that for base chains, default
action can only be set to ``accept`` or ``drop``, while on custom chain,
more actions are available.
@ -153,7 +190,7 @@ not match any rule in it's chain. For base chains, possible options for
.. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if default
action is not defined, then the default-action is set to **drop**
action is not defined, then the default-action is set to **drop**.
Firewall Logs
=============
@ -162,15 +199,12 @@ Logging can be enable for every single firewall rule. If enabled, other
log options can be defined.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log
[disable | enable]
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> log
[disable | enable]
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> log
[disable | enable]
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log
[disable | enable]
Enable or disable logging for the matched packet.
Enable logging for the matched packet. If this configuration command is not
present, then log is not enabled.
.. cfgcmd:: set firewall ipv6 forward filter enable-default-log
.. cfgcmd:: set firewall ipv6 input filter enable-default-log
@ -266,7 +300,7 @@ just disable the rule, rather than removing it.
Matching criteria
=================
There are a lot of matching criteria against which the package can be tested.
There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
connection-status nat [destination | source]
@ -936,7 +970,7 @@ Rule-set overview
.. code-block:: none
vyos@vyos:~$ show firewall
vyos@vyos:~$ show firewall
Rulesets Information
---------------------------------
@ -999,7 +1033,7 @@ Rule-set overview
.. code-block:: none
vyos@vyos:~$ show firewall summary
vyos@vyos:~$ show firewall summary
Ruleset Summary
IPv6 Ruleset:
@ -1049,29 +1083,30 @@ Rule-set overview
.. opcmd:: show firewall ipv6 [forward | input | output] filter
.. opcmd:: show firewall ipv4 name <name>
.. opcmd:: show firewall ipv6 ipv6-name <name>
This command will give an overview of a single rule-set.
.. code-block:: none
vyos@vyos:~$ show firewall ipv4 input filter
vyos@vyos:~$ show firewall ipv6 input filter
Ruleset Information
---------------------------------
IPv4 Firewall "input filter"
ipv6 Firewall "input filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- -----------------------------------------
5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT
default accept all
------- -------- ---------- --------- ------- ------------------------------------------------------------------------------
10 jump all 13 1456 iifname "eth1" jump NAME6_INP-ETH1
20 accept ipv6-icmp 10 1112 meta l4proto ipv6-icmp iifname "eth0" prefix "[ipv6-INP-filter-20-A]" accept
default accept all 14 1584
vyos@vyos:~$
.. opcmd:: show firewall ipv6 [forward | input | output]
filter rule <1-999999>
.. opcmd:: show firewall ipv4 name <name> rule <1-999999>
.. opcmd:: show firewall ipv6 name <name> rule <1-999999>
.. opcmd:: show firewall ipv6 ipv6-name <name> rule <1-999999>
@ -1084,7 +1119,7 @@ Rule-set overview
.. code-block:: none
vyos@vyos:~$ show firewall group LAN
vyos@vyos:~$ show firewall group LAN
Firewall Groups
Name Type References Members
@ -1119,45 +1154,38 @@ Example Partial Config
.. code-block:: none
firewall {
group {
network-group BAD-NETWORKS {
network 198.51.100.0/24
network 203.0.113.0/24
}
network-group GOOD-NETWORKS {
network 192.0.2.0/24
}
port-group BAD-PORTS {
port 65535
}
}
ipv4 {
forward {
filter {
default-action accept
rule 5 {
action accept
source {
group {
network-group GOOD-NETWORKS
firewall {
ipv6 {
input {
filter {
rule 10 {
action jump
inbound-interface {
name eth1
}
jump-target INP-ETH1
}
rule 20 {
action accept
inbound-interface {
name eth0
}
log
protocol ipv6-icmp
}
}
}
name INP-ETH1 {
default-action drop
enable-default-log
rule 10 {
action drop
description "Bad Networks"
protocol all
source {
group {
network-group BAD-NETWORKS
}
}
action accept
protocol tcp_udp
}
}
}
}
}
Update geoip database
=====================

38
docs/configuration/firewall/zone.rst
View File

@ -123,3 +123,41 @@ written from the perspective of: *Source Zone*-to->*Destination Zone*
set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4
set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4
**************
Operation-mode
**************
.. opcmd:: show firewall zone-policy
This will show you a basic summary of zones configuration.
.. code-block:: none
vyos@vyos:~$ show firewall zone-policy
Zone Interfaces From Zone Firewall IPv4 Firewall IPv6
------ ------------ ----------- --------------- ---------------
LAN eth1 WAN WAN_to_LAN
eth2
LOCAL LOCAL LAN LAN_to_LOCAL
WAN WAN_to_LOCAL WAN_to_LOCAL_v6
WAN eth3 LAN LAN_to_WAN
eth0 LOCAL LOCAL_to_WAN
vyos@vyos:~$
.. opcmd:: show firewall zone-policy zone <zone>
This will show you a basic summary of a particular zone.
.. code-block:: none
vyos@vyos:~$ show firewall zone-policy zone WAN
Zone Interfaces From Zone Firewall IPv4 Firewall IPv6
------ ------------ ----------- --------------- ---------------
WAN eth3 LAN LAN_to_WAN
eth0 LOCAL LOCAL_to_WAN
vyos@vyos:~$ show firewall zone-policy zone LOCAL
Zone Interfaces From Zone Firewall IPv4 Firewall IPv6
------ ------------ ----------- --------------- ---------------
LOCAL LOCAL LAN LAN_to_LOCAL
WAN WAN_to_LOCAL WAN_to_LOCAL_v6
vyos@vyos:~$

2
docs/configuration/loadbalancing/reverse-proxy.rst
View File

@ -105,7 +105,7 @@ Backend
of the client
* ``round-robin`` Distributes requests in a circular manner,
sequentially sending each request to the next server in line
* ``least-connection`` Distributes requests tp tje server wotj the fewest
* ``least-connection`` Distributes requests to the server with the fewest
active connections
.. cfgcmd:: set load-balancing reverse-proxy backend <name> mode

1
docs/configuration/nat/index.rst
View File

@ -9,4 +9,5 @@ NAT
:includehidden:
nat44
nat64
nat66

81
docs/configuration/nat/nat64.rst Normal file
View File

@ -0,0 +1,81 @@
.. _nat64:
#####
NAT64
#####
:abbr:`NAT64 (IPv6-to-IPv4 Prefix Translation)` is a critical component in
modern networking, facilitating communication between IPv6 and IPv4 networks.
This documentation outlines the setup, configuration, and usage of the NAT64
feature in your project. Whether you are transitioning to IPv6 or need to
seamlessly connect IPv4 and IPv6 devices.
NAT64 is a stateful translation mechanism that translates IPv6 addresses to
IPv4 addresses and IPv4 addresses to IPv6 addresses. NAT64 is used to enable
IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP.
Overview
========
Different NAT Types
-------------------
.. _source-nat64:
SNAT64
^^^^^^
:abbr:`SNAT64 (IPv6-to-IPv4 Source Address Translation)` is a stateful
translation mechanism that translates IPv6 addresses to IPv4 addresses.
``64:ff9b::/96`` is the well-known prefix for IPv4-embedded IPv6 addresses.
The prefix is used to represent IPv4 addresses in an IPv6 address format.
The IPv4 address is encoded in the low-order 32 bits of the IPv6 address.
The high-order 32 bits are set to the well-known prefix 64:ff9b::/96.
Configuration Examples
======================
The following examples show how to configure NAT64 on a VyOS router.
The 192.0.2.10 address is used as the IPv4 address for the translation pool.
NAT64 server configuration:
.. code-block:: none
set interfaces ethernet eth0 address '192.0.2.1/24'
set interfaces ethernet eth0 address '192.0.2.10/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address '2001:db8::1/64'
set interfaces ethernet eth1 description 'LAN'
set service dns forwarding allow-from '2001:db8::/64'
set service dns forwarding dns64-prefix '64:ff9b::/96'
set service dns forwarding listen-address '2001:db8::1'
set nat64 source rule 100 source prefix '64:ff9b::/96'
set nat64 source rule 100 translation pool 10 address '192.0.2.10'
set nat64 source rule 100 translation pool 10 port '1-65535'
NAT64 client configuration:
.. code-block:: none
set interfaces ethernet eth1 address '2001:db8::2/64'
set protocols static route6 64:ff9b::/96 next-hop 2001:db8::1
set system name-server '2001:db8::1'
Test from the IPv6 only client:
.. code-block:: none
vyos@r1:~$ ping 64:ff9b::192.0.2.1 count 2
PING 64:ff9b::192.0.2.1(64:ff9b::c000:201) 56 data bytes
64 bytes from 64:ff9b::c000:201: icmp_seq=1 ttl=63 time=0.351 ms
64 bytes from 64:ff9b::c000:201: icmp_seq=2 ttl=63 time=0.373 ms
--- 64:ff9b::192.0.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1023ms
rtt min/avg/max/mdev = 0.351/0.362/0.373/0.011 ms

97
docs/configuration/nat/nat66.rst
View File

@ -137,3 +137,100 @@ R2:
set interfaces bridge br1 member interface eth1
set protocols static route6 ::/0 next-hop fc01::1
set service router-advert interface br1 prefix ::/0
Use the following topology to translate internal user local addresses (``fc::/7``)
to DHCPv6-PD provided prefixes from an ISP connected to a VyOS HA pair.
.. figure:: /_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png
:alt: VyOS NAT66 DHCPv6 using a dummy interface
Configure both routers (a and b) for DHCPv6-PD via dummy interface:
.. code-block:: none
set interfaces dummy dum1 description 'DHCPv6-PD NPT dummy'
set interfaces bonding bond0 vif 20 dhcpv6-options pd 0 interface dum1 address '0'
set interfaces bonding bond0 vif 20 dhcpv6-options pd 1 interface dum1 address '0'
set interfaces bonding bond0 vif 20 dhcpv6-options pd 2 interface dum1 address '0'
set interfaces bonding bond0 vif 20 dhcpv6-options pd 3 interface dum1 address '0'
set interfaces bonding bond0 vif 20 dhcpv6-options rapid-commit
commit
Get the DHCPv6-PD prefixes from both routers:
.. code-block:: none
trae@cr01a-vyos# run show interfaces dummy dum1 br
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
dum1 2001:db8:123:b008::/64 u/u DHCPv6-PD NPT dummy
2001:db8:123:b00a::/64
2001:db8:123:b00b::/64
2001:db8:123:b009::/64
trae@cr01b-vyos# run show int dummy dum1 brief
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
dum1 2001:db8:123:b00d::/64 u/u DHCPv6-PD NPT dummy
2001:db8:123:b00c::/64
2001:db8:123:b00e::/64
2001:db8:123:b00f::/64
Configure the A-side router for NPTv6 using the prefixes above:
.. code-block:: none
set nat66 source rule 10 description 'NPT to VLAN 10'
set nat66 source rule 10 outbound-interface name 'bond0.20'
set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64'
set nat66 source rule 10 translation address '2001:db8:123:b008::/64'
set nat66 source rule 20 description 'NPT to VLAN 70'
set nat66 source rule 20 outbound-interface name 'bond0.20'
set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64'
set nat66 source rule 20 translation address '2001:db8:123:b009::/64'
set nat66 source rule 30 description 'NPT to VLAN 200'
set nat66 source rule 30 outbound-interface name 'bond0.20'
set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64'
set nat66 source rule 30 translation address '2001:db8:123:b00a::/64'
set nat66 source rule 40 description 'NPT to VLAN 240'
set nat66 source rule 40 outbound-interface name 'bond0.20'
set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64'
set nat66 source rule 40 translation address '2001:db8:123:b00b::/64'
commit
Configure the B-side router for NPTv6 using the prefixes above:
.. code-block:: none
set nat66 source rule 10 description 'NPT to VLAN 10'
set nat66 source rule 10 outbound-interface name 'bond0.20'
set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64'
set nat66 source rule 10 translation address '2001:db8:123:b00c::/64'
set nat66 source rule 20 description 'NPT to VLAN 70'
set nat66 source rule 20 outbound-interface name 'bond0.20'
set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64'
set nat66 source rule 20 translation address '2001:db8:123:b00d::/64'
set nat66 source rule 30 description 'NPT to VLAN 200'
set nat66 source rule 30 outbound-interface name 'bond0.20'
set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64'
set nat66 source rule 30 translation address '2001:db8:123:b00e::/64'
set nat66 source rule 40 description 'NPT to VLAN 240'
set nat66 source rule 40 outbound-interface name 'bond0.20'
set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64'
set nat66 source rule 40 translation address '2001:db8:123:b00f::/64'
commit
Verify that connections are hitting the rule on both sides:
.. code-block:: none
trae@cr01a-vyos# run show nat66 source statistics
Rule Packets Bytes Interface
------ --------- ------- -----------
10 1 104 bond0.20
20 1 104 bond0.20
30 8093 669445 bond0.20
40 2446 216912 bond0.20

44
docs/configuration/pki/index.rst
View File

@ -1,4 +1,4 @@
:lastproofread: 2021-09-01
:lastproofread: 2024-01-05
.. include:: /_include/need_improvement.txt
@ -248,6 +248,44 @@ certificates used by services on this router.
If CA is present, this certificate will be included in generated CRLs
ACME
^^^^
The VyOS PKI subsystem can also be used to automatically retrieve Certificates
using the :abbr:`ACME (Automatic Certificate Management Environment)` protocol.
.. cfgcmd:: set pki certificate <name> acme domain-name <name>
Domain names to apply, multiple domain-names can be specified.
This is a mandatory option
.. cfgcmd:: set pki certificate <name> acme email <address>
Email used for registration and recovery contact.
This is a mandatory option
.. cfgcmd:: set pki certificate <name> acme listen-address <address>
The address the server listens to during http-01 challenge
.. cfgcmd:: set pki certificate <name> acme rsa-key-size <2048 | 3072 | 4096>
Size of the RSA key.
This options defaults to 2048
.. cfgcmd:: set pki certificate <name> acme url <url>
ACME Directory Resource URI.
This defaults to https://acme-v02.api.letsencrypt.org/directory
.. note:: During initial deployment we recommend using the staging API
of LetsEncrypt to prevent and blacklisting of your system. The API
endpoint is https://acme-staging-v02.api.letsencrypt.org/directory
Operation
=========
@ -292,3 +330,7 @@ also to display them.
.. opcmd:: show pki crl
Show a list of installed :abbr:`CRLs (Certificate Revocation List)`.
.. opcmd:: renew certbot
Manually trigger certificate renewal. This will be done twice a day.

8
docs/configuration/policy/route-map.rst
View File

@ -318,10 +318,12 @@ Route Map
Set BGP local preference attribute.
.. cfgcmd:: set policy route-map <text> rule <1-65535> set metric
<+/-metric|0-4294967295>
<+/-metric|0-4294967295|rtt|+rtt|-rtt>
Set destination routing protocol metric. Add or subtract metric, or set
metric value.
Set the route metric. When used with BGP, set the BGP attribute MED
to a specific value. Use ``+/-`` to add or subtract the specified value
to/from the existing/MED. Use ``rtt`` to set the MED to the round trip
time or ``+rtt/-rtt`` to add/subtract the round trip time to/from the MED.
.. cfgcmd:: set policy route-map <text> rule <1-65535> set metric-type
<type-1|type-2>

27
docs/configuration/protocols/bgp.rst
View File

@ -952,7 +952,7 @@ Operational Mode Commands
Show
====
.. opcmd:: show <ip|ipv6> bgp
.. opcmd:: show bgp <ipv4|ipv6>
This command displays all entries in BGP routing table.
@ -964,6 +964,7 @@ Show
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 198.51.100.0/24 10.0.34.4 0 0 65004 i
@ -971,7 +972,7 @@ Show
Displayed 2 routes and 2 total paths
.. opcmd:: show <ip|ipv6> bgp <address|prefix>
.. opcmd:: show bgp <ipv4|ipv6> <address|prefix>
This command displays information about the particular entry in the BGP
routing table.
@ -991,55 +992,55 @@ Show
This command displays routes with classless interdomain routing (CIDR).
.. opcmd:: show <ip|ipv6> bgp community <value>
.. opcmd:: show bgp <ipv4|ipv6> community <value>
This command displays routes that belong to specified BGP communities.
Valid value is a community number in the range from 1 to 4294967200,
or AA:NN (autonomous system-community number/2-byte number), no-export,
local-as, or no-advertise.
.. opcmd:: show <ip|ipv6> bgp community-list <name>
.. opcmd:: show bgp <ipv4|ipv6> community-list <name>
This command displays routes that are permitted by the BGP
community list.
.. opcmd:: show ip bgp dampened-paths
.. opcmd:: show bgp <ipv4|ipv6> dampening dampened-paths
This command displays BGP dampened routes.
.. opcmd:: show ip bgp flap-statistics
.. opcmd:: show bgp <ipv4|ipv6> dampening flap-statistics
This command displays information about flapping BGP routes.
.. opcmd:: show ip bgp filter-list <name>
.. opcmd:: show bgp <ipv4|ipv6> filter-list <name>
This command displays BGP routes allowed by the specified AS Path
access list.
.. opcmd:: show <ip|ipv6> bgp neighbors <address> advertised-routes
.. opcmd:: show bgp <ipv4|ipv6> neighbors <address> advertised-routes
This command displays BGP routes advertised to a neighbor.
.. opcmd:: show <ip|ipv6> bgp neighbors <address> received-routes
.. opcmd:: show bgp <ipv4|ipv6> neighbors <address> received-routes
This command displays BGP routes originating from the specified BGP
neighbor before inbound policy is applied. To use this command inbound
soft reconfiguration must be enabled.
.. opcmd:: show <ip|ipv6> bgp neighbors <address> routes
.. opcmd:: show bgp <ipv4|ipv6> neighbors <address> routes
This command displays BGP received-routes that are accepted after filtering.
.. opcmd:: show <ip|ipv6> bgp neighbors <address> dampened-routes
.. opcmd:: show bgp <ipv4|ipv6> neighbors <address> dampened-routes
This command displays dampened routes received from BGP neighbor.
.. opcmd:: show <ip|ipv6> bgp regexp <text>
.. opcmd:: show bgp <ipv4|ipv6> regexp <text>
This command displays information about BGP routes whose AS path
matches the specified regular expression.
.. opcmd:: show <ip|ipv6> bgp summary
.. opcmd:: show bgp <ipv4|ipv6> summary
This command displays the status of all BGP connections.

28
docs/configuration/protocols/isis.rst
View File

@ -302,6 +302,34 @@ Timers
control the timing of the execution of SPF calculations in response
to IGP events. The process described in :rfc:`8405`.
Loop Free Alternate (LFA)
-------------------------
.. cfgcmd:: set protocols isis fast-reroute lfa remote prefix-list <name>
<level-1|level-2>
This command enables IP fast re-routing that is part of :rfc:`5286`.
Specifically this is a prefix list which references a prefix in which
will select eligible PQ nodes for remote LFA backups.
.. cfgcmd:: set protocols isis fast-reroute lfa local load-sharing disable
<level-1|level-2>
This command disables the load sharing across multiple LFA backups.
.. cfgcmd:: set protocols isis fast-reroute lfa local tiebreaker
<downstream|lowest-backup-metric|node-protecting> index <number>
<level-1|level-2>
This command will configure a tie-breaker for multiple local LFA backups.
The lower index numbers will be processed first.
.. cfgcmd:: set protocols isis fast-reroute lfa local priority-limit
<medium|high|critical> <level-1|level-2>
This command will limit LFA backup computation up to the specified
prefix priority.
********
Examples

182
docs/configuration/service/dhcp-server.rst
View File

@ -4,7 +4,7 @@
DHCP Server
###########
VyOS uses ISC DHCP server for both IPv4 and IPv6 address assignment.
VyOS uses Kea DHCP server for both IPv4 and IPv6 address assignment.
***********
IPv4 server
@ -26,12 +26,7 @@ Configuration
Create DNS record per client lease, by adding clients to /etc/hosts file.
Entry will have format: `<shared-network-name>_<hostname>.<domain-name>`
.. cfgcmd:: set service dhcp-server host-decl-name
Will drop `<shared-network-name>_` from client DNS record, using only the
host declaration name and domain: `<hostname>.<domain-name>`
.. cfgcmd:: set service dhcp-server shared-network-name <name> domain-name <domain-name>
.. cfgcmd:: set service dhcp-server shared-network-name <name> option domain-name <domain-name>
The domain-name parameter should be the domain name that will be appended to
the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP
@ -40,7 +35,7 @@ Configuration
This is the configuration parameter for the entire shared network definition.
All subnets will inherit this configuration item if not specified locally.
.. cfgcmd:: set service dhcp-server shared-network-name <name> domain-search <domain-name>
.. cfgcmd:: set service dhcp-server shared-network-name <name> option domain-search <domain-name>
The domain-name parameter should be the domain name used when completing DNS
request where no full FQDN is passed. This option can be given multiple times
@ -49,7 +44,7 @@ Configuration
This is the configuration parameter for the entire shared network definition.
All subnets will inherit this configuration item if not specified locally.
.. cfgcmd:: set service dhcp-server shared-network-name <name> name-server <address>
.. cfgcmd:: set service dhcp-server shared-network-name <name> option name-server <address>
Inform client that the DNS server can be found at `<address>`.
@ -58,21 +53,6 @@ Configuration
Multiple DNS servers can be defined.
.. cfgcmd:: set service dhcp-server shared-network-name <name> ping-check
When the DHCP server is considering dynamically allocating an IP address to a
client, it first sends an ICMP Echo request (a ping) to the address being
assigned. It waits for a second, and if no ICMP Echo response has been heard,
it assigns the address.
If a response is heard, the lease is abandoned, and the server does not
respond to the client. The lease will remain abandoned for a minimum of
abandon-lease-time seconds (defaults to 24 hours).
If there are no free addresses but there are abandoned IP addresses, the
DHCP server will attempt to reclaim an abandoned IP address regardless of the
value of abandon-lease-time.
.. cfgcmd:: set service dhcp-server listen-address <address>
This configuration parameter lets the DHCP server to listen for DHCP
@ -91,14 +71,20 @@ Individual Client Subnet
network.
.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
default-router <address>
subnet-id <id>
This configuration parameter is required and must be unique to each subnet.
It is required to map subnets to lease file entries.
.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
option default-router <address>
This is a configuration parameter for the `<subnet>`, saying that as part of
the response, tell the client that the default gateway can be reached at
`<address>`.
.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
name-server <address>
option name-server <address>
This is a configuration parameter for the subnet, saying that as part of the
response, tell the client that the DNS server can be found at `<address>`.
@ -133,40 +119,19 @@ Individual Client Subnet
This option can be specified multiple times.
.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
domain-name <domain-name>
option domain-name <domain-name>
The domain-name parameter should be the domain name that will be appended to
the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP
Option 015).
.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
domain-search <domain-name>
option domain-search <domain-name>
The domain-name parameter should be the domain name used when completing DNS
request where no full FQDN is passed. This option can be given multiple times
if you need multiple search domains (DHCP Option 119).
.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
ping-check
When the DHCP server is considering dynamically allocating an IP address to a
client, it first sends an ICMP Echo request (a ping) to the address being
assigned. It waits for a second, and if no ICMP Echo response has been heard,
it assigns the address.
If a response is heard, the lease is abandoned, and the server does not
respond to the client. The lease will remain abandoned for a minimum of
abandon-lease-time seconds (defaults to 24 hours).
If a there are no free addresses but there are abandoned IP addresses, the
DHCP server will attempt to reclaim an abandoned IP address regardless of the
value of abandon-lease-time.
.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
enable-failover
Enable DHCP failover configuration for this address pool.
Failover
--------
@ -238,6 +203,7 @@ inside the subnet definition but can be outside of the range statement.
.. code-block:: none
set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 subnet-id 1
set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 ip-address 192.168.1.100
set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac-address aa:bb:11:22:33:00
@ -251,6 +217,7 @@ The configuration will look as follows:
ip-address 192.168.1.100
mac-address aa:bb:11:22:33:00
}
subnet-id 1
}
Options
@ -391,32 +358,6 @@ Options
Multi: can be specified multiple times.
Raw Parameters
==============
Raw parameters can be passed to shared-network-name, subnet and static-mapping:
.. code-block:: none
set service dhcp-server shared-network-name <name> shared-network-parameters
<text> Additional shared-network parameters for DHCP server.
set service dhcp-server shared-network-name <name> subnet <subnet> subnet-parameters
<text> Additional subnet parameters for DHCP server.
set service dhcp-server shared-network-name <name> subnet <subnet> static-mapping <description> static-mapping-parameters
<text> Additional static-mapping parameters for DHCP server.
Will be placed inside the "host" block of the mapping.
These parameters are passed as-is to isc-dhcp's dhcpd.conf under the
configuration node they are defined in. They are not validated so an error in
the raw parameters won't be caught by vyos's scripts and will cause dhcpd to
fail to start. Always verify that the parameters are correct before committing
the configuration. Refer to isc-dhcp's dhcpd.conf manual for more information:
https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdconf
Quotes can be used inside parameter values by replacing all quote characters
with the string ``&quot;``. They will be replaced with literal quote characters
when generating dhcpd.conf.
Example
=======
@ -439,12 +380,12 @@ Common configuration, valid for both primary and secondary node.
.. code-block:: none
set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 default-router '192.0.2.254'
set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 name-server '192.0.2.254'
set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 domain-name 'vyos.net'
set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option default-router '192.0.2.254'
set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option name-server '192.0.2.254'
set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option domain-name 'vyos.net'
set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 start '192.0.2.10'
set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop '192.0.2.250'
set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 enable-failover
set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 subnet-id '1'
**Primary**
@ -467,47 +408,6 @@ Common configuration, valid for both primary and secondary node.
.. _dhcp-server:v4_example_raw:
Raw Parameters
--------------
* Override static-mapping's name-server with a custom one that will be sent only
to this host.
* An option that takes a quoted string is set by replacing all quote characters
with the string ``&quot;`` inside the static-mapping-parameters value.
The resulting line in dhcpd.conf will be
``option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";``.
.. code-block:: none
set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option domain-name-servers 192.0.2.11, 192.0.2.12;"
set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option pxelinux.configfile &quot;pxelinux.cfg/01-00-15-17-44-2d-aa&quot;;"
Option 43 for UniFI
-------------------
* These parameters need to be part of the DHCP global options.
They stay unchanged.
.. code-block:: none
set service dhcp-server global-parameters 'option space ubnt;'
set service dhcp-server global-parameters 'option ubnt.unifi-address code 1 = ip-address;'
set service dhcp-server global-parameters 'class &quot;ubnt&quot; {'
set service dhcp-server global-parameters 'match if substring (option vendor-class-identifier, 0, 4) = &quot;ubnt&quot;;'
set service dhcp-server global-parameters 'option vendor-class-identifier &quot;ubnt&quot;;'
set service dhcp-server global-parameters 'vendor-option-space ubnt;'
set service dhcp-server global-parameters '}'
* Now we add the option to the scope, adapt to your setup
.. code-block:: none
set service dhcp-server shared-network-name example-scope subnet 10.1.1.0/24 subnet-parameters 'option ubnt.unifi-address 172.16.1.10;'
Operation Mode
==============
@ -549,18 +449,43 @@ Operation Mode
.. code-block:: none
vyos@vyos:~$ show dhcp server leases
IP address Hardware address State Lease start Lease expiration Remaining Pool Hostname
-------------- ------------------ ------- ------------------- ------------------- ---------- ----------- ---------
192.0.2.104 00:53:01:dd:ee:ff active 2019/12/05 14:24:23 2019/12/06 02:24:23 6:05:35 dhcpexample test1
192.0.2.115 00:53:01:ae:af:bf active 2019/12/05 18:02:37 2019/12/06 06:02:37 9:43:49 dhcpexample test2
IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin
-------------- ----------------- ------- ------------------- ------------------- ----------- -------- ---------- --------
192.168.11.134 00:50:79:66:68:09 active 2023/11/29 09:51:05 2023/11/29 10:21:05 0:24:10 LAN VPCS1 local
192.168.11.133 50:00:00:06:00:00 active 2023/11/29 09:51:38 2023/11/29 10:21:38 0:24:43 LAN VYOS-6 local
10.11.11.108 50:00:00:05:00:00 active 2023/11/29 09:51:43 2023/11/29 10:21:43 0:24:48 VIF-1001 VYOS5 local
192.168.11.135 00:50:79:66:68:07 active 2023/11/29 09:55:16 2023/11/29 09:59:16 0:02:21 remote
vyos@vyos:~$
.. hint:: Static mappings aren't shown. To show all states, use
``show dhcp server leases state all``.
.. opcmd:: show dhcp server leases origin [local | remote]
Show statuses of all active leases granted by local (this server) or
remote (failover server):
.. code-block:: none
vyos@vyos:~$ show dhcp server leases origin remote
IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin
-------------- ----------------- ------- ------------------- ------------------- ----------- -------- ---------- --------
192.168.11.135 00:50:79:66:68:07 active 2023/11/29 09:55:16 2023/11/29 09:59:16 0:02:21 remote
vyos@vyos:~$
.. opcmd:: show dhcp server leases pool <pool>
Show only leases in the specified pool.
.. code-block:: none
vyos@vyos:~$ show dhcp server leases pool LAN
IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin
-------------- ----------------- ------- ------------------- ------------------- ----------- ------ ---------- --------
192.168.11.134 00:50:79:66:68:09 active 2023/11/29 09:51:05 2023/11/29 10:21:05 0:23:55 LAN VPCS1 local
192.168.11.133 50:00:00:06:00:00 active 2023/11/29 09:51:38 2023/11/29 10:21:38 0:24:28 LAN VYOS-6 local
vyos@vyos:~$
.. opcmd:: show dhcp server leases sort <key>
Sort the output by the specified key. Possible keys: ip, hardware_address,
@ -572,7 +497,6 @@ Operation Mode
free, expired, released, abandoned, reset, backup (default = active)
***********
IPv6 server
***********
@ -590,6 +514,12 @@ Configuration
Clients receiving advertise messages from multiple servers choose the server
with the highest preference value. The range for this value is ``0...255``.
.. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet <subnet>
subnet-id <id>
This configuration parameter is required and must be unique to each subnet.
It is required to map subnets to lease file entries.
.. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet
<prefix> lease-time {default | maximum | minimum}
@ -666,6 +596,7 @@ server. The following example describes a common scenario.
set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 address-range start 2001:db8::100 stop 2001:db8::199
set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 name-server 2001:db8::ffff
set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 subnet-id 1
The configuration will look as follows:
@ -680,6 +611,7 @@ The configuration will look as follows:
}
}
name-server 2001:db8::ffff
subnet-id 1
}
}

25
docs/configuration/service/dns.rst
View File

@ -143,6 +143,19 @@ avoid being tracked by the provider of your upstream DNS server.
168.192.in-addr.arpa, 16-31.172.in-addr.arpa, which enabling upstream
DNS server(s) to be used for reverse lookups of these zones.
.. cfgcmd:: set service dns forwarding serve-stale-extension <0-65535>
Maximum number of times an expired records TTL is extended by 30s when
serving stale. Extension only occurs if a record cannot be refreshed. A
value of 0 means the Serve Stale mechanism is not used. To allow records
becoming stale to be served for an hour, use a value of 120.
.. cfgcmd:: set service dns forwarding exclude-throttle-address <ip|prefix>
When an authoritative server does not answer a query or sends a reply the
recursor does not like, it is throttled. Any servers matching the supplied
netmasks will never be throttled.
Example
=======
@ -381,12 +394,12 @@ By default, ddclient_ will update a dynamic dns record using the IP address
directly attached to the interface. If your VyOS instance is behind NAT, your
record will be updated to point to your internal IP.
Above, command syntax isn noted to configure dynamic dns on a specific interface.
It is possible to overlook the additional address option, web, when completeing
those commands. ddclient_ has another way to determine the WAN IP address, using
a web-based url to determine the external IP. Each of the commands above will
need to be modified to use 'web' as the 'interface' specified if this functionality
is to be utilized.
Above, command syntax isn noted to configure dynamic dns on a specific interface.
It is possible to overlook the additional address option, web, when completeing
those commands. ddclient_ has another way to determine the WAN IP address, using
a web-based url to determine the external IP. Each of the commands above will
need to be modified to use 'web' as the 'interface' specified if this functionality
is to be utilized.
This functionality is controlled by adding the following configuration:

96
docs/configuration/service/https.rst
View File

@ -1,7 +1,7 @@
.. _http-api:
########
HTTP-API
HTTP API
########
VyOS provide an HTTP API. You can use it to execute op-mode commands,
@ -13,6 +13,51 @@ Please take a look at the :ref:`vyosapi` page for an detailed how-to.
Configuration
*************
.. cfgcmd:: set service https allow-client address <address>
Only allow certain IP addresses or prefixes to access the https
webserver.
.. cfgcmd:: set service https certificates ca-certificate <name>
Use CA certificate from PKI subsystem
.. cfgcmd:: set service https certificates certificate <name>
Use certificate from PKI subsystem
.. cfgcmd:: set service https certificates dh-params <name>
Use :abbr:`DH (DiffieHellman)` parameters from PKI subsystem.
Must be at least 2048 bits in length.
.. cfgcmd:: set service https listen-address <address>
Webserver should only listen on specified IP address
.. cfgcmd:: set service https port <number>
Webserver should listen on specified port.
Default: 443
.. cfgcmd:: set service https enable-http-redirect
Enable automatic redirect from http to https.
.. cfgcmd:: set service https tls-version <1.2 | 1.3>
Select TLS version used.
This defaults to both 1.2 and 1.3.
.. cfgcmd:: set service https vrf <name>
Start Webserver in given VRF.
API
===
.. cfgcmd:: set service https api keys id <name> key <apikey>
Set a named api key. Every key has the same, full permissions
@ -27,42 +72,6 @@ Configuration
Enforce strict path checking
.. cfgcmd:: set service https virtual-host <vhost> listen-address
<ipv4 or ipv6 address>
Address to listen for HTTPS requests
.. cfgcmd:: set service https virtual-host <vhost> port <1-65535>
Port to listen for HTTPS requests; default 443
.. cfgcmd:: set service https virtual-host <vhost> server-name <text>
Server names for virtual hosts it can be exact, wildcard or regex.
.. cfgcmd:: set service https api-restrict virtual-host <vhost>
By default, nginx exposes the local API on all virtual servers.
Use this to restrict nginx to one or more virtual hosts.
.. cfgcmd:: set service https certificates certbot domain-name <text>
Domain name(s) for which to obtain certificate
.. cfgcmd:: set service https certificates certbot email
Email address to associate with certificate
.. cfgcmd:: set service https certificates system-generated-certificate
Use an automatically generated self-signed certificate
.. cfgcmd:: set service https certificates system-generated-certificate
lifetime <days>
Lifetime in days; default is 365
*********************
Example Configuration
*********************
@ -72,16 +81,3 @@ Set an API-KEY is the minimal configuration to get a working API Endpoint.
.. code-block:: none
set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY
To use this full configuration we asume a public accessible hostname.
.. code-block:: none
set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY
set service https certificates certbot domain-name rtr01.example.com
set service https certificates certbot email mail@example.com
set service https virtual-host rtr01 listen-address 198.51.100.2
set service https virtual-host rtr01 port 11443
set service https virtual-host rtr01 server-name rtr01.example.com
set service https api-restrict virtual-host rtr01

2
docs/configuration/service/lldp.rst
View File

@ -54,7 +54,7 @@ Configuration
Disable transmit of LLDP frames on given `<interface>`. Useful to exclude
certain interfaces from LLDP when ``all`` have been enabled.
.. cfgcmd:: set service lldp snmp enable
.. cfgcmd:: set service lldp snmp
Enable SNMP queries of the LLDP database

19
docs/configuration/service/monitoring.rst
View File

@ -109,11 +109,11 @@ Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided.
Telegraf is the open source server agent to help you collect metrics, events
and logs from your routers.
.. cfgcmd:: set service monitoring telegraf authentication organization <organization>
.. cfgcmd:: set service monitoring telegraf influxdb authentication organization <organization>
Authentication organization name
.. cfgcmd:: set service monitoring telegraf authentication token <token>
.. cfgcmd:: set service monitoring telegraf influxdb authentication token <token>
Authentication token
@ -121,11 +121,11 @@ and logs from your routers.
Remote ``InfluxDB`` bucket name
.. cfgcmd:: set service monitoring port <port>
.. cfgcmd:: set service monitoring telegraf influxdb port <port>
Remote port
.. cfgcmd:: set service monitoring telegraf url <url>
.. cfgcmd:: set service monitoring telegraf influxdb url <url>
Remote URL
@ -138,12 +138,11 @@ An example of a configuration that sends ``telegraf`` metrics to remote
.. code-block:: none
set service monitoring telegraf authentication organization 'vyos'
set service monitoring telegraf authentication token 'ZAml9Uy5wrhA...=='
set service monitoring telegraf bucket 'bucket_vyos'
set service monitoring telegraf port '8086'
set service monitoring telegraf source 'all'
set service monitoring telegraf url 'http://r1.influxdb2.local'
set service monitoring telegraf influxdb authentication organization 'vyos'
set service monitoring telegraf influxdb authentication token 'ZAml9Uy5wrhA...=='
set service monitoring telegraf influxdb bucket 'bucket_vyos'
set service monitoring telegraf influxdb port '8086'
set service monitoring telegraf influxdb url 'http://r1.influxdb2.local'
.. _azure-data-explorer: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/azure_data_explorer
.. _prometheus-client: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/prometheus_client

63
docs/configuration/service/pppoe-server.rst
View File

@ -57,48 +57,35 @@ Client Address Pools
--------------------
To automatically assign the client an IP address as tunnel endpoint, a
client IP pool is needed. The source can be either RADIUS or a local
subnet or IP range definition.
Once the local tunnel endpoint ``set service pppoe-server gateway-address
'10.1.1.2'`` has been defined, the client IP pool can be either defined
as a range or as subnet using CIDR notation. If the CIDR notation is
used, multiple subnets can be setup which are used sequentially.
client IP pool is needed. The source can be either RADIUS or a
named pool. There is possibility to create multiple named pools.
Each named pool can include only one address range. To use multiple
address ranges configure ``next-pool`` option.
**Client IP address via IP range definition**
.. cfgcmd:: set service pppoe-server client-ip-pool start <address>
.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
Use this command to define the first IP address of a pool of
addresses to be given to PPPoE clients. It must be within a /24
subnet.
Use this command to define the IP address range to be given
to PPPoE clients. If notation ``x.x.x.x-x.x.x.x``,
it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
used there is possibility to set host/netmask.
.. cfgcmd:: set service pppoe-server client-ip-pool stop <address>
.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
Use this command to define the last IP address of a pool of
addresses to be given to PPPoE clients. It must be within a /24
subnet.
Use this command to define the next address pool name.
.. cfgcmd:: set service pppoe-server default-pool <POOL-NAME>
Use this command to define default address pool name.
.. code-block:: none
set service pppoe-server client-ip-pool start '10.1.1.100'
set service pppoe-server client-ip-pool stop '10.1.1.111'
**Client IP subnets via CIDR notation**
.. cfgcmd:: set service pppoe-server client-ip-pool subnet <address>
Use this command for every pool of client IP addresses you want to
define. The addresses of this pool will be given to PPPoE clients.
You must use CIDR notation.
.. code-block:: none
set service pppoe-server client-ip-pool subnet '10.1.1.0/24'
set service pppoe-server client-ip-pool subnet '10.1.2.0/23'
set service pppoe-server client-ip-pool subnet '10.1.4.0/22'
set service pppoe-server client-ip-pool IP-POOL next-pool 'IP-POOL2'
set service pppoe-server client-ip-pool IP-POOL range '10.0.10.5/24'
set service pppoe-server client-ip-pool IP-POOL2 range '10.0.0.10-10.0.0.12'
set service pppoe-server default-pool 'IP-POOL'
**RADIUS based IP pools (Framed-IP-Address)**
@ -213,8 +200,8 @@ For Local Users
set service pppoe-server authentication local-users username foo rate-limit download '20480'
set service pppoe-server authentication local-users username foo rate-limit upload '10240'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool start '10.1.1.100'
set service pppoe-server client-ip-pool stop '10.1.1.111'
set service pppoe-server client-ip-pool IP-POOL range '10.1.1.100/24'
set service pppoe-server default-pool 'IP-POOL'
set service pppoe-server name-server '10.100.100.1'
set service pppoe-server name-server '10.100.200.1'
set service pppoe-server interface 'eth1'
@ -367,8 +354,8 @@ address from the pool 10.1.1.100-111, terminates at the local endpoint
set service pppoe-server access-concentrator 'ACN'
set service pppoe-server authentication local-users username foo password 'bar'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool start '10.1.1.100'
set service pppoe-server client-ip-pool stop '10.1.1.111'
set service pppoe-server client-ip-pool IP-POOL range '10.1.1.100-10.1.1.111'
set service pppoe-server default-pool 'IP-POOL'
set service pppoe-server interface eth1
set service pppoe-server gateway-address '10.1.1.2'
set service pppoe-server name-server '10.100.100.1'
@ -385,8 +372,8 @@ The example below covers a dual-stack configuration via pppoe-server.
set service pppoe-server authentication local-users username test password 'test'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool start '192.168.0.1'
set service pppoe-server client-ip-pool stop '192.168.0.10'
set service pppoe-server client-ip-pool IP-POOL range '192.168.0.1/24'
set service pppoe-server default-pool 'IP-POOL'
set service pppoe-server client-ipv6-pool delegate '2001:db8:8003::/48' delegation-prefix '56'
set service pppoe-server client-ipv6-pool prefix '2001:db8:8002::/48' mask '64'
set service pppoe-server ppp-options ipv6 allow

147
docs/configuration/system/conntrack.rst
View File

@ -46,9 +46,23 @@ Configure
| Use `delete system conntrack modules` to deactive all modules.
| Or, for example ftp, `delete system conntrack modules ftp`.
.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836>
:defaultvalue:
Define Conection Timeouts
=========================
Set the maximum number of TCP half-open connections.
.. cfgcmd:: set system conntrack tcp loose <enable | disable>
:defaultvalue:
Policy to track previously established connections.
.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647>
:defaultvalue:
Set the number of TCP maximum retransmit attempts.
Contrack Timeouts
=================
VyOS supports setting timeouts for connections according to the
connection type. You can set timeout values for generic connections, for ICMP
@ -82,34 +96,48 @@ states.
Set the timeout in secounds for a protocol or state.
You can also define custom timeout values to apply to a specific subset of
connections, based on a packet and flow selector. To do this, you need to
create a rule defining the packet and flow selector.
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> description <test>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
description <test>
Set a rule description.
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
destination address <ip-address>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
source address <ip-address>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination address <ip-address>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source address <ip-address>
set a destination and/or source address. Accepted input:
Set a destination and/or source address. Accepted input for ipv4:
.. code-block:: none
<x.x.x.x> IP address to match
<x.x.x.x/x> Subnet to match
<x.x.x.x>-<x.x.x.x>
IP range to match
!<x.x.x.x> Match everything except the specified address
!<x.x.x.x/x> Match everything except the specified subnet
!<x.x.x.x>-<x.x.x.x>
Match everything except the specified range
set system conntrack timeout custom ipv4 rule <1-999999> [source | destination] address
Possible completions:
<x.x.x.x> IPv4 address to match
<x.x.x.x/x> IPv4 prefix to match
<x.x.x.x>-<x.x.x.x> IPv4 address range to match
!<x.x.x.x> Match everything except the specified address
!<x.x.x.x/x> Match everything except the specified prefix
!<x.x.x.x>-<x.x.x.x> Match everything except the specified range
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination port <value>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source port <value>
set system conntrack timeout custom ipv6 rule <1-999999> [source | destination] address
Possible completions:
<h:h:h:h:h:h:h:h> IP address to match
<h:h:h:h:h:h:h:h/x> Subnet to match
<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
IP range to match
!<h:h:h:h:h:h:h:h> Match everything except the specified address
!<h:h:h:h:h:h:h:h/x> Match everything except the specified prefix
!<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
Match everything except the specified range
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
destination port <value>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
source port <value>
Set a destination and/or source port. Accepted input:
@ -123,49 +151,58 @@ create a rule defining the packet and flow selector.
The whole list can also be "negated" using '!'. For example:
`!22,telnet,http,123,1001-1005``
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol other <1-21474836>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
protocol tcp close <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
protocol tcp close-wait <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
protocol tcp established <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
protocol tcp fin-wait <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
protocol tcp last-ack <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
protocol tcp syn-recv <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
protocol tcp syn-sent <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
protocol tcp time-wait <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
protocol udp replied <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
protocol udp unreplied <1-21474836>
Set the timeout in secounds for a protocol or state in a custom rule.
.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836>
:defaultvalue:
Set the maximum number of TCP half-open connections.
.. cfgcmd:: set system conntrack tcp loose <enable | disable>
:defaultvalue:
Policy to track previously established connections.
.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647>
:defaultvalue:
Set the number of TCP maximum retransmit attempts.
.. cfgcmd:: set system conntrack ignore rule <1-9999> description <text>
.. cfgcmd:: set system conntrack ignore rule <1-9999> destination address <ip-address>
.. cfgcmd:: set system conntrack ignore rule <1-9999> destination port <port>
.. cfgcmd:: set system conntrack ignore rule <1-9999> inbound-interface <interface>
.. cfgcmd:: set system conntrack ignore rule <1-9999> protocol <protocol>
.. cfgcmd:: set system conntrack ignore rule <1-9999> source address <ip-address>
.. cfgcmd:: set system conntrack ignore rule <1-9999> source port <port>
Conntrack ignore rules
======================
Customized ignore rules, based on a packet and flow selector.
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
description <text>
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
destination address <ip-address>
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
destination port <port>
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
inbound-interface <interface>
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
protocol <protocol>
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
source address <ip-address>
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
source port <port>
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
tcp flags [not] <text>
Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``,
``rst``, ``syn`` and ``urg``. Multiple values are supported, and for
inverted selection use ``not``, as shown in the example.
Conntrack log
=============
.. cfgcmd:: set system conntrack log icmp destroy
.. cfgcmd:: set system conntrack log icmp new
.. cfgcmd:: set system conntrack log icmp update

38
docs/configuration/system/frr.rst Normal file
View File

@ -0,0 +1,38 @@
.. _system_frr:
###
FRR
###
VyOS uses [FRRouting](https://frrouting.org/) as the control plane for dynamic
and static routing. The routing daemon behavior can be adjusted during runtime,
but require either a restart of the routing daemon, or a reboot of the system.
.. cfgcmd:: set system frr bmp
Enable :abbr:`BMP (BGP Monitoring Protocol)` support
.. cfgcmd:: set system frr descriptors <numer>
This allows the operator to control the number of open file descriptors
each daemon is allowed to start with. If the operator plans to run bgp with
several thousands of peers then this is where we would modify FRR to allow
this to happen.
.. cfgcmd:: set system frr irdp
Enable ICMP Router Discovery Protocol support
.. cfgcmd:: set system frr snmp <daemon>
Enable SNMP support for an individual routing daemon.
Supported daemons:
- bgpd
- isisd
- ldpd
- ospf6d
- ospfd
- ripd
- zebra

2
docs/configuration/system/index.rst
View File

@ -11,6 +11,7 @@ System
conntrack
console
flow-accounting
frr
host-name
ip
ipv6
@ -24,6 +25,7 @@ System
sysctl
task-scheduler
time-zone
updates
.. toctree::

28
docs/configuration/system/ipv6.rst
View File

@ -81,6 +81,7 @@ Show commands
static Show IPv6 static routes
summary Show IPv6 routes summary
table Show IP routes in policy table
tag Show only routes with tag
vrf Show IPv6 routes in VRF
@ -112,33 +113,6 @@ Show commands
<Enter> Execute the current command
<text> Show specified IPv6 access-list
.. opcmd:: show ipv6 bgp
Use this command to show IPv6 Border Gateway Protocol information.
In addition, you can specify many other parameters to get BGP
information:
.. code-block:: none
vyos@vyos:~$ show ipv6 bgp
Possible completions:
<Enter> Execute the current command
<X:X::X:X> Show BGP information for given address or prefix
<X:X::X:X/M>
community Show routes matching the communities
community-list
Show routes matching the community-list
filter-list Show routes conforming to the filter-list
large-community
Show routes matching the large-community-list
large-community-list
neighbors Show detailed information on TCP and BGP neighbor connections
prefix-list Show routes matching the prefix-list
regexp Show routes matching the AS path regular expression
route-map Show BGP routes matching the specified route map
summary Show summary of BGP neighbor status
.. opcmd:: show ipv6 ospfv3

8
docs/configuration/system/name-server.rst
View File

@ -48,7 +48,7 @@ In order for the system to use and complete unqualified host names, a
list can be defined which will be used for domain searches.
.. cfgcmd:: set system domain-search domain <domain>
.. cfgcmd:: set system domain-search <domain>
Use this command to define domains, one at a time, so that the system
uses them to complete unqualified host names. Maximum: 6 entries.
@ -68,7 +68,7 @@ order: vyos.io (first), vyos.net (second) and vyos.network (last):
.. code-block:: none
set system domain-search domain vyos.io
set system domain-search domain vyos.net
set system domain-search domain vyos.network
set system domain-search vyos.io
set system domain-search vyos.net
set system domain-search vyos.network

39
docs/configuration/system/updates.rst Normal file
View File

@ -0,0 +1,39 @@
#######
Updates
#######
VyOS supports online checking for updates
Configuration
=============
.. cfgcmd:: set system update-check auto-check
Configure auto-checking for new images
.. cfgcmd:: set system update-check url <url>
Configure a URL that contains information about images.
Example
=======
.. code-block:: none
set system update-check auto-check
set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json'
Check:
.. code-block:: none
vyos@r4:~$ show system updates
Current version: 1.5-rolling-202312220023
Update available: 1.5-rolling-202312250024
Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso
vyos@r4:~$
vyos@r4:~$ add system image latest

12
docs/configuration/vpn/l2tp.rst
View File

@ -17,8 +17,8 @@ with native Windows and Mac VPN clients):
set vpn ipsec interface eth0
set vpn l2tp remote-access outside-address 192.0.2.2
set vpn l2tp remote-access client-ip-pool start 192.168.255.2
set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
set vpn l2tp remote-access default-pool 'L2TP-POOL'
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
set vpn l2tp remote-access authentication mode local
@ -95,8 +95,8 @@ Below is an example to configure a LNS:
.. code-block:: none
set vpn l2tp remote-access outside-address 192.0.2.2
set vpn l2tp remote-access client-ip-pool start 192.168.255.2
set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
set vpn l2tp remote-access default-pool 'L2TP-POOL'
set vpn l2tp remote-access lns shared-secret 'secret'
set vpn l2tp remote-access ccp-disable
set vpn l2tp remote-access authentication mode local
@ -122,8 +122,8 @@ The rate-limit is set in kbit/sec.
.. code-block:: none
set vpn l2tp remote-access outside-address 192.0.2.2
set vpn l2tp remote-access client-ip-pool start 192.168.255.2
set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
set vpn l2tp remote-access default-pool 'L2TP-POOL'
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username test password test
set vpn l2tp remote-access authentication local-users username test rate-limit download 20480

7
docs/configuration/vpn/openconnect.rst
View File

@ -165,6 +165,13 @@ Simple setup with one user added and password authentication:
set vpn openconnect ssl ca-certificate 'ca-ocserv'
set vpn openconnect ssl certificate 'srv-ocserv'
To enable the HTTP security headers in the configuration file, use the command:
.. code-block:: none
set vpn openconnect http-security-headers
Adding a 2FA with an OTP-key
============================

4
docs/configuration/vpn/pptp.rst
View File

@ -20,8 +20,8 @@ server example
set vpn pptp remote-access authentication local-users username test password 'test'
set vpn pptp remote-access authentication mode 'local'
set vpn pptp remote-access client-ip-pool start '192.168.0.10'
set vpn pptp remote-access client-ip-pool stop '192.168.0.15'
set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.0.10-192.168.0.15
set vpn pptp remote-access default-pool 'PPTP-POOL'
set vpn pptp remote-access gateway-address '10.100.100.1'
set vpn pptp remote-access outside-address '10.1.1.120'

129
docs/configuration/vpn/site2site_ipsec.rst
View File

@ -10,8 +10,8 @@ connected/routed networks.
To configure site-to-site connection you need to add peers with the
``set vpn ipsec site-to-site peer <name>`` command.
The peer name must be an alphanumeric and can have hypen or underscore as
special characters. It is purely informational.
The peer name must be an alphanumeric and can have hypen or underscore as
special characters. It is purely informational.
Each site-to-site peer has the next options:
@ -20,11 +20,11 @@ Each site-to-site peer has the next options:
* ``psk`` - Preshared secret key name:
* ``dhcp-interface`` - ID for authentication generated from DHCP address
* ``dhcp-interface`` - ID for authentication generated from DHCP address
dynamically;
* ``id`` - static ID's for authentication. In general local and remote
* ``id`` - static ID's for authentication. In general local and remote
address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``;
* ``secret`` - predefined shared secret. Used if configured mode
* ``secret`` - predefined shared secret. Used if configured mode
``pre-shared-secret``;
@ -110,7 +110,7 @@ Each site-to-site peer has the next options:
* ``remote-address`` - remote IP address or hostname for IPSec connection.
IPv4 or IPv6 address is used when a peer has a public static IP address.
Hostname is a DNS name which could be used when a peer has a public IP
Hostname is a DNS name which could be used when a peer has a public IP
address and DNS name, but an IP address could be changed from time to time.
* ``tunnel`` - define criteria for traffic to be matched for encrypting and send
@ -149,9 +149,9 @@ Each site-to-site peer has the next options:
* ``esp-group`` - define ESP group for encrypt traffic, passed this VTI
interface.
* ``virtual-address`` - Defines a virtual IP address which is requested by the
initiator and one or several IPv4 and/or IPv6 addresses are assigned from
multiple pools by the responder.
* ``virtual-address`` - Defines a virtual IP address which is requested by the
initiator and one or several IPv4 and/or IPv6 addresses are assigned from
multiple pools by the responder.
Examples:
------------------
@ -308,31 +308,35 @@ Imagine the following topology
set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces vti vti10 address '10.0.0.2/31'
set vpn ipsec option disable-route-autoinstall
set vpn ipsec authentication psk OFFICE-B id '172.18.201.10'
set vpn ipsec authentication psk OFFICE-B id '172.18.202.10'
set vpn ipsec authentication psk OFFICE-B secret 'secretkey'
set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10'
set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10'
set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0.201'
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer OFFICE-B local-address '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-B remote-address '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-B vti bind 'vti10'
set vpn ipsec site-to-site peer OFFICE-B vti esp-group 'ESP_DEFAULT'
set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate'
set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_172-18-202-10 local-address '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10'
set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT'
set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10
@ -344,34 +348,35 @@ Imagine the following topology
set interfaces dummy dum0 address '10.0.12.1/24'
set interfaces vti vti10 address '10.0.0.3/31'
set vpn ipsec option disable-route-autoinstall
set vpn ipsec authentication psk OFFICE-A id '172.18.201.10'
set vpn ipsec authentication psk OFFICE-A id '172.18.202.10'
set vpn ipsec authentication psk OFFICE-A secret 'secretkey'
set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10'
set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10'
set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0.202'
set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate'
set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer OFFICE-A local-address '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-A remote-address '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-A vti bind 'vti10'
set vpn ipsec site-to-site peer OFFICE-A vti esp-group 'ESP_DEFAULT'
set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_172-18-201-10 authentication remote-id '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate'
set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_172-18-201-10 local-address '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10'
set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT'
set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10
@ -379,44 +384,44 @@ Key Parameters:
* ``authentication local-id/remote-id`` - IKE identification is used for
validation of VPN peer devices during IKE negotiation. If you do not configure
local/remote-identity, the device uses the IPv4 or IPv6 address that
local/remote-identity, the device uses the IPv4 or IPv6 address that
corresponds to the local/remote peer by default.
In certain network setups (like ipsec interface with dynamic address, or
behind the NAT ), the IKE ID received from the peer does not match the IKE
gateway configured on the device. This can lead to a Phase 1 validation
In certain network setups (like ipsec interface with dynamic address, or
behind the NAT ), the IKE ID received from the peer does not match the IKE
gateway configured on the device. This can lead to a Phase 1 validation
failure.
So, make sure to configure the local/remote id explicitly and ensure that the
So, make sure to configure the local/remote id explicitly and ensure that the
IKE ID is the same as the remote-identity configured on the peer device.
* ``disable-route-autoinstall`` - This option when configured disables the
routes installed in the default table 220 for site-to-site ipsec.
It is mostly used with VTI configuration.
* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE
notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
are periodically sent in order to check the liveliness of the IPsec peer. The
values clear, hold, and restart all activate DPD and determine the action to
* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE
notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
are periodically sent in order to check the liveliness of the IPsec peer. The
values clear, hold, and restart all activate DPD and determine the action to
perform on a timeout.
With ``clear`` the connection is closed with no further actions taken.
``hold`` installs a trap policy, which will catch matching traffic and tries
to re-negotiate the connection on demand.
``restart`` will immediately trigger an attempt to re-negotiate the
With ``clear`` the connection is closed with no further actions taken.
``hold`` installs a trap policy, which will catch matching traffic and tries
to re-negotiate the connection on demand.
``restart`` will immediately trigger an attempt to re-negotiate the
connection.
* ``close-action = none | clear | hold | restart`` - defines the action to take
if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
* ``close-action = none | clear | hold | restart`` - defines the action to take
if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
values). A closeaction should not be used if the peer uses reauthentication or
uniqueids.
When the close-action option is set on the peers, the connection-type
When the close-action option is set on the peers, the connection-type
of each peer has to considered carefully. For example, if the option is set
on both peers, then both would attempt to initiate and hold open multiple
copies of each child SA. This might lead to instability of the device or
cpu/memory utilization.
Below flow-chart could be a quick reference for the close-action
combination depending on how the peer is configured.
on both peers, then both would attempt to initiate and hold open multiple
copies of each child SA. This might lead to instability of the device or
cpu/memory utilization.
Below flow-chart could be a quick reference for the close-action
combination depending on how the peer is configured.
.. figure:: /_static/images/IPSec_close_action_settings.jpg
Similar combinations are applicable for the dead-peer-detection.

18
docs/configuration/vpn/sstp.rst
View File

@ -116,9 +116,20 @@ Configuration
Specifies the port `<port>` that the SSTP port will listen on (default 443).
.. cfgcmd:: set vpn sstp client-ip-pool subnet <subnet>
.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
Use `<subnet>` as the IP pool for all connecting clients.
Use this command to define the first IP address of a pool of
addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``,
it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
used there is possibility to set host/netmask.
.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
Use this command to define the next address pool name.
.. cfgcmd:: set vpn sstp default-pool <POOL-NAME>
Use this command to define default address pool name.
.. cfgcmd:: set vpn sstp client-ipv6-pool prefix <address> mask <number-of-bits>
@ -282,7 +293,8 @@ Example
set vpn sstp authentication local-users username vyos password vyos
set vpn sstp authentication mode local
set vpn sstp gateway-address 192.0.2.254
set vpn sstp client-ip-pool subnet 192.0.2.0/25
set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25
set vpn sstp default-pool 'SSTP-POOL'
set vpn sstp name-server 10.0.0.1
set vpn sstp name-server 10.0.0.2
set vpn sstp ssl ca-cert-file /config/auth/ca.crt

138
docs/contributing/build-vyos.rst
View File

@ -23,10 +23,60 @@ also set up your own build machine and run a :ref:`build_native`.
The source code remains public and an ISO can be built using the process
outlined in this chapter.
The following includes the build process for VyOS 1.2 to the latest version.
This will guide you through the process of building a VyOS ISO using Docker_.
This process has been tested on clean installs of Debian Jessie, Stretch, and
Buster.
.. _build_native:
Native Build
============
To build VyOS natively you require a properly configured build host with the
following Debian versions installed:
- Debian Jessie for VyOS 1.2 (crux)
- Debian Buster for VyOS 1.3 (equuleus)
- Debian Bookworm for VyOS 1.4 (sagitta)
- Debian Bookworm for the upcoming VyOS 1.5/circinus/current
(subject to change) - aka the rolling release
To start, clone the repository to your local machine:
.. code-block:: none
# For VyOS 1.2 (crux)
$ git clone -b crux --single-branch https://github.com/vyos/vyos-build
# For VyOS 1.3 (equuleus)
$ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build
# For VyOS 1.4 (sagitta)
$ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build
# For VyOS 1.5 (circinus,current)
$ git clone -b current --single-branch https://github.com/vyos/vyos-build
$ cd vyos-build
# For VyOS 1.2 (crux) and VyOS 1.3 (equuleus)
$ ./configure --architecture amd64 --build-by "j.randomhacker@vyos.io"
$ sudo make iso
# For VyOS 1.4 (sagitta) and VyOS 1.5 (circinus,current)
$ sudo make clean
$ sudo ./build-vyos-image iso --architecture amd64 --build-by "j.randomhacker@vyos.io"
For the packages required, you can refer to the ``docker/Dockerfile`` file
in the repository_. The ``./build-vyos-image`` script will also warn you if any
dependencies are missing.
This will guide you through the process of building a VyOS ISO using Docker.
This process has been tested on clean installs of Debian Bullseye (11) and
Bookworm (12).
.. _build_docker:
Docker
@ -34,14 +84,26 @@ Docker
Installing Docker_ and prerequisites:
.. hint:: Due to the updated version of Docker, the following examples may
become invalid.
.. code-block:: none
$ sudo apt-get update
$ sudo apt-get install -y apt-transport-https ca-certificates curl gnupg2 software-properties-common
$ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
$ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
$ sudo apt-get update
$ sudo apt-get install -y docker-ce
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
To be able to use Docker_ without ``sudo``, the current non-root user must be
added to the ``docker`` group by calling: ``sudo usermod -aG docker
@ -79,7 +141,7 @@ To manually download the container from DockerHub, run:
$ docker pull vyos/vyos-build:crux # For VyOS 1.2
$ docker pull vyos/vyos-build:equuleus # For VyOS 1.3
$ docker pull vyos/vyos-build:sagitta # For VyOS 1.4
$ docker pull vyos/vyos-build:current # For rolling release
$ docker pull vyos/vyos-build:current # For VyOS 1.5 rolling release
Build from source
^^^^^^^^^^^^^^^^^
@ -94,15 +156,19 @@ The container can also be built directly from source:
$ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build
# For VyOS 1.4 (sagitta)
$ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build
# For VyOS 1.5 (circinus,current)
$ git clone -b current --single-branch https://github.com/vyos/vyos-build
$ cd vyos-build
$ docker build -t vyos/vyos-build:crux docker # For VyOS 1.2
$ docker build -t vyos/vyos-build:current docker # For rolling release
.. note:: Since VyOS has switched to Debian (11) Bullseye in its ``current``
branch, you will require individual container for `current`, `equuleus` and
`crux` builds.
$ docker build -t vyos/vyos-build:crux docker # For VyOS 1.2
$ docker build -t vyos/vyos-build:equuleus docker # For VyOS 1.3
$ docker build -t vyos/vyos-build:sagitta docker # For VyOS 1.4
$ docker build -t vyos/vyos-build:current docker # For VyOS 1.5 rolling release
.. note:: VyOS has switched to Debian (12) Bookworm in its ``current`` branch,
Due to software version updates, it is recommended to use the official
Docker Hub image to build VyOS ISO.
Tips and Tricks
---------------
@ -141,39 +207,6 @@ your development containers in your current working directory.
``--sysctl net.ipv6.conf.lo.disable_ipv6=0``, otherwise those tests will
fail.
.. _build_native:
Native Build
============
To build VyOS natively you require a properly configured build host with the
following Debian versions installed:
- Debian Jessie for VyOS 1.2 (crux)
- Debian Buster for VyOS 1.3 (equuleus)
- Debian Bullseye for VyOS 1.4 (sagitta)
To start, clone the repository to your local machine:
.. code-block:: none
# For VyOS 1.2 (crux)
$ git clone -b crux --single-branch https://github.com/vyos/vyos-build
# For VyOS 1.3 (equuleus)
$ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build
# For VyOS 1.4 (sagitta)
$ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build
For the packages required, you can refer to the ``docker/Dockerfile`` file
in the repository_. The ``./build-vyos-image`` script will also warn you if any
dependencies are missing.
Once you have the required dependencies installed, you may proceed with the
steps described in :ref:`build_iso`.
.. _build_iso:
@ -196,6 +229,10 @@ Please note as this will differ for both `current` and `crux`.
# For VyOS 1.4 (sagitta)
$ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build
# For VyOS 1.5 (circinus,current)
$ git clone -b current --single-branch https://github.com/vyos/vyos-build
Now a fresh build of the VyOS ISO can begin. Change directory to the
``vyos-build`` directory and run:
@ -210,7 +247,10 @@ Now a fresh build of the VyOS ISO can begin. Change directory to the
# For VyOS 1.4 (sagitta)
$ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:sagitta bash
# For VyOS 1.5 (current)
$ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:current bash
.. code-block:: none
# For MacOS (crux, equuleus, sagitta)
@ -234,7 +274,7 @@ Start the build:
vyos_bld@8153428c7e1f:/vyos$ ./configure --architecture amd64 --build-by "j.randomhacker@vyos.io"
vyos_bld@8153428c7e1f:/vyos$ sudo make iso
# For VyOS 1.4 (sagitta)
# For VyOS 1.4 (sagitta) For VyOS 1.5 (circinus,current)
vyos_bld@8153428c7e1f:/vyos$ sudo make clean
vyos_bld@8153428c7e1f:/vyos$ sudo ./build-vyos-image iso --architecture amd64 --build-by "j.randomhacker@vyos.io"
@ -836,7 +876,7 @@ information.
.. stop_vyoslinter
.. _Docker: https://www.docker.com
.. _Docker: https://docs.docker.com/engine/install/debian/
.. _`Docker as non-root`: https://docs.docker.com/engine/install/linux-postinstall
.. _VyOS DockerHub organisation: https://hub.docker.com/u/vyos
.. _repository: https://github.com/vyos/vyos-build

9
docs/contributing/testing.rst
View File

@ -4,10 +4,11 @@
Testing
#######
One of the major advantages introduced in VyOS 1.3 is an autmated test framework.
When assembling an ISO image multiple things can go wrong badly and publishing
a faulty ISO makes no sense. The user is disappointed by the quality of the image
and the developers get flodded with bug reports over and over again.
One of the major advantages introduced in VyOS 1.3 is an automated test
framework. When assembling an ISO image multiple things can go wrong badly and
publishing a faulty ISO makes no sense. The user is disappointed by the quality
of the image and the developers get flodded with bug reports over and over
again.
As the VyOS documentation is not only for users but also for the developers -
and we keep no secret documentation - this section describes how the automated

9
docs/installation/install.rst
View File

@ -458,13 +458,16 @@ In this example we configured an existent VyOS as the DHCP server:
vyos@vyos# show service dhcp-server
shared-network-name mydhcp {
subnet 192.168.1.0/24 {
bootfile-name pxelinux.0
bootfile-server 192.168.1.50
default-router 192.168.1.50
option {
bootfile-name pxelinux.0
bootfile-server 192.168.1.50
default-router 192.168.1.50
}
range 0 {
start 192.168.1.70
stop 192.168.1.100
}
subnet-id 1
}
}

9
docs/installation/update.rst
View File

@ -10,7 +10,7 @@ for the new image to boot using the current configuration.
.. note:: Only LTS releases are PGP-signed.
.. opcmd:: add system image <url | path> [vrf name]
.. opcmd:: add system image <url | path> | [latest] [vrf name]
[username user [password pass]]
Use this command to install a new system image. You can reach the
@ -72,6 +72,13 @@ Example
OK. This image will be named: vyos-1.3-rolling-201912201452
You can use ``latest`` option. It loads the latest available Rolling release.
.. code-block:: none
vyos@vyos:~$ add system image latest
.. note:: To use the `latest` option the "system update-check url" must be configured.
.. hint:: The most up-do-date Rolling Release for AMD64 can be accessed using
the following URL:

38
docs/quick-start.rst
View File

@ -93,12 +93,13 @@ DNS server.
.. code-block:: none
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 name-server '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'vyos.net'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option name-server '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option domain-name 'vyos.net'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start '192.168.0.9'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop '192.168.0.254'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 subnet-id '1'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address '192.168.0.1'
@ -141,7 +142,7 @@ networks, addresses, ports, and domains that describe different parts of
our network. We can then use them for filtering within our firewall rulesets,
allowing for more concise and readable configuration.
In this case, we will create two interface groups—a ``WAN`` group for our
In this case, we will create two interface groups a ``WAN`` group for our
interfaces connected to the public internet and a ``LAN`` group for the
interfaces connected to our internal network. Additionally, we will create a
network group, ``NET-INSIDE-v4``, that contains our internal subnet.
@ -156,10 +157,26 @@ Configure Stateful Packet Filtering
-----------------------------------
With the new firewall structure, we have have a lot of flexibility in how we
group and order our rules, as shown by the two alternative approaches below.
group and order our rules, as shown by the three alternative approaches below.
Option 1: Common Chain
^^^^^^^^^^^^^^^^^^^^^^
Option 1: Global State Policies
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Using options defined in ``set firewall global-options state-policy``, state
policy rules that applies for both IPv4 and IPv6 are created. These global
state policies also applies for all traffic that passes through the router
(transit) and for traffic originated/destinated to/from the router itself, and
will be avaluated before any other rule defined in the firewall.
Most installations would choose this option, and will contain:
.. code-block:: none
set firewall global-options state-policy established action accept
set firewall global-options state-policy related action accept
set firewall global-options state-policy invalid action drop
Option 2: Common/Custom Chain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We can create a common chain for stateful connection filtering of multiple
interfaces (or multiple netfilter hooks on one interface). Those individual
@ -196,12 +213,11 @@ hooks as the first filtering rule in the respective chains:
set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 jump-target CONN_FILTER
Option 2: Per-Hook Chain
Option 3: Per-Hook Chain
^^^^^^^^^^^^^^^^^^^^^^^^
Alternatively, instead of configuring the ``CONN_FILTER`` chain described above,
you can take the more traditional stateful connection filtering approach by
creating rules on each hook's chain:
Alternatively, you can take the more traditional stateful connection
filtering approach by creating rules on each base hook's chain:
.. code-block:: none