mirror of https://github.com/vyos/vyos-documentation.git
synced 2025-10-26 01:31:44 +02:00

Merge branch 'master' of github.com:vyos/vyos-documentation
commit 14c94be155

.gitignore | 1 | vendored
							| @ -7,6 +7,7 @@ venv/ | ||||
| ENV/ | ||||
| .venv | ||||
| Pipfile.lock | ||||
| Pipfile | ||||
| 
 | ||||
| # put various editor ignores here | ||||
| .vscode/ | ||||
|  | ||||
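Review bot: the hunk header `@ -7,6 +7,7 @@` records exactly one added line, and among the visible lines the only candidate outside the usual virtualenv set is `Pipfile`, sitting directly under the existing `Pipfile.lock`. If that is the addition, it should be reconsidered: `Pipfile` is the dependency declaration and is normally committed (only `Pipfile.lock` is generated), so ignoring it means nobody can reproduce the docs build environment from the repository. If the intent is merely to keep personal pipenv setups out of the tree, say so in a comment above the entry, the way `# put various editor ignores here` already documents the `.vscode/` line.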
| @ -1 +1 @@ | ||||
| Subproject commit 11d531ece3e06dc68349d8ea1fd3bf39d5d857f3 | ||||
| Subproject commit 9753fafbfed02a3b6ebe7b6ddf51783c5dcbcf62 | ||||
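Review bot: the submodule pointer moves from `11d531ece3e06dc68349d8ea1fd3bf39d5d857f3` to `9753fafbfed02a3b6ebe7b6ddf51783c5dcbcf62`, and nothing on this page says which submodule this is or what the new revision brings in. A submodule bump should name the submodule and summarize the upstream change in the commit message; the merge message `Merge branch 'master' of github.com:vyos/vyos-documentation` gives a later reader, or anyone auditing what the documentation build pulls in, nothing beyond the bare hash.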
| @ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p | ||||
| msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``." | ||||
| 
 | ||||
| #: ../../configuration/loadbalancing/reverse-proxy.rst:108 | ||||
| msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" | ||||
| msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" | ||||
| msgid "``least-connection`` Distributes requests to the server with the fewest active connections" | ||||
| msgstr "``least-connection`` Distributes requests to the server with the fewest active connections" | ||||
| 
 | ||||
| #: ../../configuration/vpn/ipsec.rst:125 | ||||
| msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;" | ||||
|  | ||||
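Review bot: the `msgid` is being edited by hand here (`tp tje server wotj` becomes `to the server with`) alongside the `msgstr`. A `msgid` is extracted from the source document, which the reference comment identifies as `../../configuration/loadbalancing/reverse-proxy.rst:108`; unless the typo is fixed in that `.rst` file as well, the next extraction run regenerates the old `msgid`, and this corrected entry gets marked obsolete or fuzzy and drops out of the catalog. Fix the source line and regenerate the catalogs instead of patching `.po` entries directly.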
| @ -19468,7 +19468,7 @@ msgid "``latency``: A server profile focused on lowering network latency. This p | ||||
| msgstr "``latency``: un perfil de servidor centrado en reducir la latencia de la red. Este perfil favorece el rendimiento sobre el ahorro de energía configurando ``intel_pstate`` y ``min_perf_pct=100``." | ||||
| 
 | ||||
| #: ../../configuration/loadbalancing/reverse-proxy.rst:108 | ||||
| msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" | ||||
| msgid "``least-connection`` Distributes requests to the server with the fewest active connections" | ||||
| msgstr "``least-connection`` Distribuye las solicitudes al servidor con la menor cantidad de conexiones activas" | ||||
| 
 | ||||
| #: ../../configuration/vpn/ipsec.rst:125 | ||||
|  | ||||
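Review bot: in this catalog only the `msgid` changes, and the Spanish `msgstr` already reads correctly (`Distribuye las solicitudes al servidor con la menor cantidad de conexiones activas`), so the English typo never reached the translation. The `msgid` still has to match what the extractor produces from `reverse-proxy.rst:108`; if the source line keeps the typo, this hand-corrected entry will be replaced on the next catalog update and the translation will be orphaned.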
| @ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p | ||||
| msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``." | ||||
| 
 | ||||
| #: ../../configuration/loadbalancing/reverse-proxy.rst:108 | ||||
| msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" | ||||
| msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" | ||||
| msgid "``least-connection`` Distributes requests to the server with the fewest active connections" | ||||
| msgstr "``least-connection`` Distributes requests to the server with the fewest active connections" | ||||
| 
 | ||||
| #: ../../configuration/vpn/ipsec.rst:125 | ||||
| msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;" | ||||
|  | ||||
| @ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p | ||||
| msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``." | ||||
| 
 | ||||
| #: ../../configuration/loadbalancing/reverse-proxy.rst:108 | ||||
| msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" | ||||
| msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" | ||||
| msgid "``least-connection`` Distributes requests to the server with the fewest active connections" | ||||
| msgstr "``least-connection`` Distributes requests to the server with the fewest active connections" | ||||
| 
 | ||||
| #: ../../configuration/vpn/ipsec.rst:125 | ||||
| msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;" | ||||
|  | ||||
| @ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p | ||||
| msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``." | ||||
| 
 | ||||
| #: ../../configuration/loadbalancing/reverse-proxy.rst:108 | ||||
| msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" | ||||
| msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" | ||||
| msgid "``least-connection`` Distributes requests to the server with the fewest active connections" | ||||
| msgstr "``least-connection`` Distributes requests to the server with the fewest active connections" | ||||
| 
 | ||||
| #: ../../configuration/vpn/ipsec.rst:125 | ||||
| msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;" | ||||
|  | ||||
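Review bot: this is the fourth catalog in the commit receiving the identical `least-connection` edit, each with an untranslated `msgstr` that simply repeats the `msgid`. Identical hand edits across several catalogs are the sign that the change belongs in the source `.rst` followed by a catalog regeneration: one source fix plus one update run would produce all of these entries consistently and would also cover any locale added later, whereas hand-patched entries diverge from the extracted text as soon as the catalogs are refreshed.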
							
								
								
									
										
BIN docs/_static/images/firewall-bridge-packet-flow.png | vendored
Binary file not shown. Before: Size 22 KiB | After: Size 26 KiB
							
								
								
									
										
BIN docs/_static/images/firewall-gral-packet-flow.png | vendored
Binary file not shown. Before: Size 40 KiB | After: Size 41 KiB
							
								
								
									
										
BIN docs/_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png | vendored | Normal file
Binary file not shown. After: Size 341 KiB
| @ -17,3 +17,5 @@ VyOS Automation | ||||
|    vyos-salt | ||||
|    command-scripting | ||||
|    cloud-init | ||||
|    vyos-pyvyos | ||||
|     | ||||
|  | ||||
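Review bot: the header `@ -17,3 +17,5 @@` shows two added lines, `vyos-pyvyos` and the whitespace-only line (`    `) beneath it. The whitespace-only line has no role in a toctree and will trip trailing-whitespace checks; drop it and keep only the `vyos-pyvyos` entry, which correctly matches the new `docs/automation/vyos-pyvyos.rst` added in this commit.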
							
								
								
									
docs/automation/vyos-pyvyos.rst | 148 | Normal file
							| @ -0,0 +1,148 @@ | ||||
| :lastproofread: 2023-12-15 | ||||
| 
 | ||||
| .. _vyos-pyvyos: | ||||
| 
 | ||||
| PyVyOS | ||||
| ====== | ||||
| 
 | ||||
| PyVyOS is a Python library for interacting with VyOS devices via their API.  | ||||
| This documentation guides you on using PyVyOS to manage your VyOS devices programmatically.  | ||||
| The complete PyVyOS documentation is available on [Read the Docs](https://pyvyos.readthedocs.io/en/latest/),  | ||||
| and the library can be found on [GitHub](https://github.com/robertoberto/pyvyos)  | ||||
| and [PyPI](https://pypi.org/project/pyvyos/). | ||||
| 
 | ||||
| Installation | ||||
| ------------ | ||||
| 
 | ||||
| You can install PyVyOS using pip: | ||||
| 
 | ||||
| .. code-block:: bash | ||||
| 
 | ||||
|     pip install pyvyos | ||||
| 
 | ||||
| Getting Started | ||||
| --------------- | ||||
| 
 | ||||
| Importing and Disabling Warnings for verify=False | ||||
| ------------------------------------------------- | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|     import urllib3 | ||||
|     urllib3.disable_warnings() | ||||
| 
 | ||||
| Using API Response Class | ||||
| ------------------------ | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|     @dataclass | ||||
|     class ApiResponse: | ||||
|         status: int | ||||
|         request: dict | ||||
|         result: dict | ||||
|         error: str | ||||
| 
 | ||||
| Initializing a VyDevice Object | ||||
| ------------------------------ | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|     from dotenv import load_dotenv | ||||
|     load_dotenv() | ||||
| 
 | ||||
|     hostname = os.getenv('VYDEVICE_HOSTNAME') | ||||
|     apikey = os.getenv('VYDEVICE_APIKEY') | ||||
|     port = os.getenv('VYDEVICE_PORT') | ||||
|     protocol = os.getenv('VYDEVICE_PROTOCOL') | ||||
|     verify_ssl = os.getenv('VYDEVICE_VERIFY_SSL') | ||||
| 
 | ||||
|     verify = verify_ssl.lower() == "true" if verify_ssl else True  | ||||
| 
 | ||||
|     device = VyDevice(hostname=hostname, apikey=apikey, port=port, protocol=protocol, verify=verify) | ||||
| 
 | ||||
| Using PyVyOS | ||||
| ------------ | ||||
| 
 | ||||
| Configure, then Set | ||||
| ^^^^^^^^^^^^^^^^^^^^^^^^ | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|     response = device.configure_set(path=["interfaces", "ethernet", "eth0", "address", "192.168.1.1/24"]) | ||||
|     if not response.error: | ||||
|         print(response.result) | ||||
| 
 | ||||
| Configure, then Show a Single Object Value | ||||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|     response = device.retrieve_return_values(path=["interfaces", "dummy", "dum1", "address"]) | ||||
|     print(response.result) | ||||
| 
 | ||||
| Configure, then Show Object | ||||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|     response = device.retrieve_show_config(path=[]) | ||||
|     if not response.error: | ||||
|         print(response.result) | ||||
| 
 | ||||
| Configure, then Delete Object | ||||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|     response = device.configure_delete(path=["interfaces", "dummy", "dum1"]) | ||||
| 
 | ||||
| Configure, then Save | ||||
| ^^^^^^^^^^^^^^^^^^^^^^^^ | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|     response = device.config_file_save() | ||||
| 
 | ||||
| Configure, then Save File | ||||
| ------------------------- | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|     response = device.config_file_save(file="/config/test300.config") | ||||
| 
 | ||||
| Show Object | ||||
| ^^^^^^^^^^^^^^ | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|     response = device.show(path=["system", "image"]) | ||||
|     print(response.result) | ||||
| 
 | ||||
| Generate Object | ||||
| ^^^^^^^^^^^^^^^^ | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|     randstring = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(20)) | ||||
|     keyrand =  f'/tmp/key_{randstring}' | ||||
|     response = device.generate(path=["ssh", "client-key", keyrand]) | ||||
| 
 | ||||
| Reset Object | ||||
| ^^^^^^^^^^^^^^ | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|     response = device.reset(path=["conntrack-sync", "internal-cache"]) | ||||
|     if not response.error: | ||||
|         print(response.result) | ||||
| 
 | ||||
| Configure, then Load File | ||||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|     response = device.config_file_load(file="/config/test300.config") | ||||
| 
 | ||||
| 
 | ||||
| .. _pyvyos: https://github.com/robertoberto/pyvyos | ||||
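Review bot: the section `Importing and Disabling Warnings for verify=False` shows how to silence urllib3, and the initialization code lets `VYDEVICE_VERIFY_SSL` switch certificate verification off, but the page never states the cost: with `verify=False` the client accepts any certificate, so the API key read from `VYDEVICE_APIKEY` is sent to whatever answers on that hostname and port. Add a sentence limiting this to lab devices with self-signed certificates and pointing to a trusted certificate on the router (or, if `verify` is passed straight through to the HTTP library, a CA bundle path) for anything else. Further points on the same file: the introduction uses Markdown link syntax (`[Read the Docs](https://pyvyos.readthedocs.io/en/latest/)`, `[GitHub](...)`, `[PyPI](...)`), which reStructuredText renders as literal brackets; use `` `Read the Docs <https://pyvyos.readthedocs.io/en/latest/>`_ `` and the same form for the other two. Every snippet is fenced as `.. code-block:: none` although it is Python, so use `python` for highlighting, and the snippets never import `os`, `random`, `string`, `dataclass` or `VyDevice`, so a reader pasting them gets `NameError`; one complete import block under `Getting Started` would fix that. Heading levels are inconsistent: `Importing and Disabling Warnings for verify=False` and `Using API Response Class` use the `---` underline of their parent `Getting Started`, and `Configure, then Save File` uses `---` while its neighbours use `^^^`. Finally, the trailing `.. _pyvyos: https://github.com/robertoberto/pyvyos` target is never referenced; either use it for the GitHub link above or remove it.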
| @ -8,6 +8,71 @@ | ||||
|    _ext/releasenotes.py | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-29 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5852` ``(bug): Reboots fail with eapol WAN interface`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-22 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T4760` ``(bug): VyOS does not support running multiple instances of DHCPv6 clients`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-21 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5714` ``(bug): IPSec VPN: op-mode: "show log vpn" does not show results`` | ||||
| * :vytask:`T3039` ``(feature): Resize a root partition and filesystem automatically during deployment in virtual environments`` | ||||
| * :vytask:`T2404` ``(bug): Cannot change MTU`` | ||||
| * :vytask:`T2353` ``(bug): Interface [conf_mode] errors parent task`` | ||||
| * :vytask:`T5796` ``(bug): Openconnect - HTTPS  security headers are missing`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-19 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T2116` ``(feature): Processing configuration via Cloud-init User-Data`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-18 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T2191` ``(feature): Using tallow to block sshd probes`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-15 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5824` ``(bug): busybox cannot connect some websites from initramfs`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-12 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5817` ``(bug): Show openvpn server fails in some cases`` | ||||
| * :vytask:`T5413` ``(default): Deny the opportunity to use one public/private key pair on both wireguard peers.`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-11-30 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T4601` ``(bug): dhcp : relay agent IP address issue.`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-11-28 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5777` ``(bug): frr: backport and upstream recent bgpd daemon crashes`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-11-27 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5763` ``(bug): Fix imprecise check for remote file name in vyos-load-config.py`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-11-25 | ||||
| ========== | ||||
| 
 | ||||
|  | ||||
| @ -8,6 +8,235 @@ | ||||
|    _ext/releasenotes.py | ||||
| 
 | ||||
| 
 | ||||
| 2024-01-07 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5891` ``(bug): OpenVPN IPv6 config issue with 1.4-rc1`` | ||||
| * :vytask:`T5887` ``(feature): Upgrade Linux Kernel to 6.6.y (2023 LTS edition)`` | ||||
| 
 | ||||
| 
 | ||||
| 2024-01-06 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T3670` ``(feature): Option to disable HTTP port 80 redirect`` | ||||
| 
 | ||||
| 
 | ||||
| 2024-01-05 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T3642` ``(feature): PKI configuration`` | ||||
| * :vytask:`T5894` ``(feature): Extend get_config_dict() with additional parameter with_pki that defaults to False`` | ||||
| 
 | ||||
| 
 | ||||
| 2024-01-04 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T4072` ``(feature): Feature Request: Firewall on bridge interfaces`` | ||||
| * :vytask:`T3459` ``(default): Inform the user when unable to install outdated image`` | ||||
| 
 | ||||
| 
 | ||||
| 2024-01-03 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5880` ``(bug): verify_source_interface should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces`` | ||||
| * :vytask:`T5879` ``(bug): tunnel: sourceing from dynamic pppoe0 interface will fail on reboots`` | ||||
| * :vytask:`T4500` ``(bug): Missing firewall logs`` | ||||
| 
 | ||||
| 
 | ||||
| 2024-01-02 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5885` ``(default): image-tools: relax restriction on image-name length from 32 to 64`` | ||||
| 
 | ||||
| 
 | ||||
| 2024-01-01 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5883` ``(bug): Preserve file ownership in /config subdirs on add system image`` | ||||
| * :vytask:`T5474` ``(feature): Establish common file name pattern for XML conf mode commands`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-30 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5875` ``(bug): login: removing and re-adding a user keeps the home directory but UID will change, thus SSH keys no longer work`` | ||||
| * :vytask:`T5653` ``(feature): Command to display fingerprint`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-29 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5829` ``(bug): Can't Add IPv6 Address to Containers`` | ||||
| * :vytask:`T5852` ``(bug): Reboots fail with eapol WAN interface`` | ||||
| * :vytask:`T5869` ``(bug): vyos.template.first_host_address() does not honor RFC4291 section 2.6.1`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-28 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T4163` ``(feature): [BMP-BGP]  Routing monitoring  feature`` | ||||
| * :vytask:`T5867` ``(feature): Upgrade podman to Debian Trixie version 4.7.x`` | ||||
| * :vytask:`T5866` ``(feature): Add op-mode command to restart IPv6 RA daemon`` | ||||
| * :vytask:`T5861` ``(bug): Flavor build system fails with third-party packages`` | ||||
| * :vytask:`T5854` ``(feature): Extend override-default script to allow embedded defaultValue settings`` | ||||
| * :vytask:`T5566` ``(feature): Be able to disable 802.3az/EEE (energy efficient ethernet) for a particular interface`` | ||||
| * :vytask:`T5792` ``(default): Upgrade ddclient 3.11.2 release`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-25 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5855` ``(feature): Migrate "set service lldp snmp enable" -> `set service lldp snmp"`` | ||||
| * :vytask:`T5837` ``(bug): vyos.configdict.node_changed does not return keys per adding`` | ||||
| * :vytask:`T5856` ``(bug): SNMP service removal fails`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-24 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5853` ``(default): Typo interfaces-virtual-ethernet.xml.in`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-22 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5811` ``(bug): static dhcp-interface routes not installed`` | ||||
| * :vytask:`T5804` ``(bug): SNAT "any" interface error`` | ||||
| * :vytask:`T4760` ``(bug): VyOS does not support running multiple instances of DHCPv6 clients`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-21 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5778` ``(bug): The show dhcp server leases operation mode command does not work as expected`` | ||||
| * :vytask:`T5775` ``(default): Migrated Firewall Global State Policy ineffective on latest firewall zone config`` | ||||
| * :vytask:`T5637` ``(bug): Firewall default-action log`` | ||||
| * :vytask:`T5796` ``(bug): Openconnect - HTTPS  security headers are missing`` | ||||
| * :vytask:`T3580` ``(feature): Refactoring firewall ipv6 rule icmpv6`` | ||||
| * :vytask:`T2898` ``(feature): Support NDP proxy`` | ||||
| * :vytask:`T2229` ``(feature): PPPOE Default Queue type selection`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-20 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5823` ``(feature): Protocol BGP add default values for config dictionary`` | ||||
| * :vytask:`T5798` ``(enhancment): reverse-proxy load-balancing service should support multiple certificates for frontend`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-19 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5828` ``(default): Fix GRUB installation on arm64`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-18 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5751` ``(feature): Adjust new image tools for non-interactive use`` | ||||
| * :vytask:`T5831` ``(feature): show system image should reverse order by addition date`` | ||||
| * :vytask:`T5825` ``(bug): image-tools: restore authentication on 'add system image'`` | ||||
| * :vytask:`T5821` ``(bug): image-tools: restore vrf-aware 'add system image'`` | ||||
| * :vytask:`T5819` ``(bug): Don't echo password on install image`` | ||||
| * :vytask:`T5806` ``(bug): Clear old raid data on new install image`` | ||||
| * :vytask:`T5789` ``(bug): image-tools should copy ssh host keys on image update`` | ||||
| * :vytask:`T5758` ``(default): Restore scanning configs when live installing`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-15 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5824` ``(bug): busybox cannot connect some websites from initramfs`` | ||||
| * :vytask:`T5803` ``(default): git/github: Adjust configuration for safe and baseline defaults`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-14 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5773` ``(bug): Unable to load config via HTTP`` | ||||
| * :vytask:`T5816` ``(bug): BGP Large Community List Validation Broken`` | ||||
| * :vytask:`T5812` ``(bug): rollback check max revision number does not work`` | ||||
| * :vytask:`T5749` ``(feature): Show MAC address VRF and MTU by default for "show interfaces"`` | ||||
| * :vytask:`T5774` ``(bug): commit-archive to FTP server broken after update (VyOS 1.5-rolling)`` | ||||
| * :vytask:`T5826` ``(default): Add dmicode as an explicit dependency`` | ||||
| * :vytask:`T5793` ``(default): mdns-repeater: Cleanup avahi-daemon configuration in /etc`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-13 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T591` ``(feature): Support SRv6`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-12 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T4704` ``(feature): Allow to set metric  (MED) to rtt with rtt,+rtt or -rtt`` | ||||
| * :vytask:`T5815` ``(enhancment): Add load_config module`` | ||||
| * :vytask:`T5413` ``(default): Deny the opportunity to use one public/private key pair on both wireguard peers.`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-11 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5741` ``(bug): WAN Load Balancing failover route tables aren't created`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-10 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5658` ``(default): Add VRF support for mtr`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-09 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5808` ``(bug): op-mode: ipv6 ospfv3 graceful-restart description contains incorrect info`` | ||||
| * :vytask:`T5802` ``(bug): ping (ip or hostname) interface <tab> produces error`` | ||||
| * :vytask:`T5747` ``(feature): op-mode add MAC VRF and MTU for show interfaces summary`` | ||||
| * :vytask:`T3983` ``(bug): show pki certificate Doesnt show x509 certificates`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-08 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5782` ``(enhancment): Use a single config mode script for https and http-api`` | ||||
| * :vytask:`T5768` ``(enhancment): Remove auxiliary http-api.conf for simplification of http-api config mode script`` | ||||
| * :vytask:`T5809` ``(default): Enable GRUB support for gzip compressed kernels`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-04 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5769` ``(bug): VTI tunnels lose their v6 Link Local addresses when set down/up`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-03 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5753` ``(feature): Add VXLAN vnifilter support`` | ||||
| * :vytask:`T5759` ``(feature): Change VXLAN default MTU to 1500 bytes`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-11-30 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T4601` ``(bug): dhcp : relay agent IP address issue.`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-11-28 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T4276` ``(bug): IPsec peers dh-group negotiation issue with pfs enabled and multiple proposals configured with IKEv1`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-11-27 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5763` ``(bug): Fix imprecise check for remote file name in vyos-load-config.py`` | ||||
| * :vytask:`T5783` ``(feature): frr: smoketests must notice any daemon crash`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-11-26 | ||||
| ========== | ||||
| 
 | ||||
|  | ||||
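Review bot: several entries in this hunk carry the category `(enhancment)` (T5798, T5815, T5782, T5768), a misspelling of `enhancement`; the same spelling recurs in the other changelog file added in this commit. The context line `_ext/releasenotes.py` at the top of the hunk indicates these pages are generated, so the fix belongs in the generator's category mapping or in the source task metadata, not in the rendered `.rst`, otherwise the next regeneration reintroduces it.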
| @ -8,6 +8,210 @@ | ||||
|    _ext/releasenotes.py | ||||
| 
 | ||||
| 
 | ||||
| 2024-01-07 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5899` ``(feature): VyOS vm images use bookworm repo`` | ||||
| * :vytask:`T5887` ``(feature): Upgrade Linux Kernel to 6.6.y (2023 LTS edition)`` | ||||
| 
 | ||||
| 
 | ||||
| 2024-01-06 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T3214` ``(bug): OpenVPN IPv6 fixes`` | ||||
| 
 | ||||
| 
 | ||||
| 2024-01-05 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5894` ``(feature): Extend get_config_dict() with additional parameter with_pki that defaults to False`` | ||||
| 
 | ||||
| 
 | ||||
| 2024-01-03 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5880` ``(bug): verify_source_interface should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces`` | ||||
| * :vytask:`T5879` ``(bug): tunnel: sourceing from dynamic pppoe0 interface will fail on reboots`` | ||||
| 
 | ||||
| 
 | ||||
| 2024-01-02 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5885` ``(default): image-tools: relax restriction on image-name length from 32 to 64`` | ||||
| 
 | ||||
| 
 | ||||
| 2024-01-01 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5883` ``(bug): Preserve file ownership in /config subdirs on add system image`` | ||||
| * :vytask:`T5474` ``(feature): Establish common file name pattern for XML conf mode commands`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-30 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5875` ``(bug): login: removing and re-adding a user keeps the home directory but UID will change, thus SSH keys no longer work`` | ||||
| * :vytask:`T5653` ``(feature): Command to display fingerprint`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-29 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5829` ``(bug): Can't Add IPv6 Address to Containers`` | ||||
| * :vytask:`T5852` ``(bug): Reboots fail with eapol WAN interface`` | ||||
| * :vytask:`T5869` ``(bug): vyos.template.first_host_address() does not honor RFC4291 section 2.6.1`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-28 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5827` ``(bug): image-tools: 'show system image' Command Not in Order`` | ||||
| * :vytask:`T4163` ``(feature): [BMP-BGP]  Routing monitoring  feature`` | ||||
| * :vytask:`T5867` ``(feature): Upgrade podman to Debian Trixie version 4.7.x`` | ||||
| * :vytask:`T5866` ``(feature): Add op-mode command to restart IPv6 RA daemon`` | ||||
| * :vytask:`T5861` ``(bug): Flavor build system fails with third-party packages`` | ||||
| * :vytask:`T5854` ``(feature): Extend override-default script to allow embedded defaultValue settings`` | ||||
| * :vytask:`T5566` ``(feature): Be able to disable 802.3az/EEE (energy efficient ethernet) for a particular interface`` | ||||
| * :vytask:`T5792` ``(default): Upgrade ddclient 3.11.2 release`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-25 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5855` ``(feature): Migrate "set service lldp snmp enable" -> `set service lldp snmp"`` | ||||
| * :vytask:`T5837` ``(bug): vyos.configdict.node_changed does not return keys per adding`` | ||||
| * :vytask:`T5856` ``(bug): SNMP service removal fails`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-23 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5678` ``(feature): Improvements in PPPoE configuration`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-22 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5804` ``(bug): SNAT "any" interface error`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-21 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5807` ``(bug): NAT66  op-mode bugs`` | ||||
| * :vytask:`T5778` ``(bug): The show dhcp server leases operation mode command does not work as expected`` | ||||
| * :vytask:`T5775` ``(default): Migrated Firewall Global State Policy ineffective on latest firewall zone config`` | ||||
| * :vytask:`T5676` ``(bug): NAT66 source rule with negation source/destination prefix causes TypeError`` | ||||
| * :vytask:`T5637` ``(bug): Firewall default-action log`` | ||||
| * :vytask:`T5796` ``(bug): Openconnect - HTTPS  security headers are missing`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-20 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5823` ``(feature): Protocol BGP add default values for config dictionary`` | ||||
| * :vytask:`T5798` ``(enhancment): reverse-proxy load-balancing service should support multiple certificates for frontend`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-19 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5828` ``(default): Fix GRUB installation on arm64`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-18 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5751` ``(feature): Adjust new image tools for non-interactive use`` | ||||
| * :vytask:`T5831` ``(feature): show system image should reverse order by addition date`` | ||||
| * :vytask:`T5825` ``(bug): image-tools: restore authentication on 'add system image'`` | ||||
| * :vytask:`T5821` ``(bug): image-tools: restore vrf-aware 'add system image'`` | ||||
| * :vytask:`T5819` ``(bug): Don't echo password on install image`` | ||||
| * :vytask:`T5806` ``(bug): Clear old raid data on new install image`` | ||||
| * :vytask:`T5789` ``(bug): image-tools should copy ssh host keys on image update`` | ||||
| * :vytask:`T5758` ``(default): Restore scanning configs when live installing`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-15 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5824` ``(bug): busybox cannot connect some websites from initramfs`` | ||||
| * :vytask:`T5770` ``(bug): MACsec not encrypting`` | ||||
| * :vytask:`T5803` ``(default): git/github: Adjust configuration for safe and baseline defaults`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-14 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5773` ``(bug): Unable to load config via HTTP`` | ||||
| * :vytask:`T5816` ``(bug): BGP Large Community List Validation Broken`` | ||||
| * :vytask:`T5812` ``(bug): rollback check max revision number does not work`` | ||||
| * :vytask:`T5749` ``(feature): Show MAC address VRF and MTU by default for "show interfaces"`` | ||||
| * :vytask:`T5774` ``(bug): commit-archive to FTP server broken after update (VyOS 1.5-rolling)`` | ||||
| * :vytask:`T5826` ``(default): Add dmicode as an explicit dependency`` | ||||
| * :vytask:`T5793` ``(default): mdns-repeater: Cleanup avahi-daemon configuration in /etc`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-13 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T591` ``(feature): Support SRv6`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-12 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5815` ``(enhancment): Add load_config module`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-11 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5741` ``(bug): WAN Load Balancing failover route tables aren't created`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-10 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5658` ``(default): Add VRF support for mtr`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-09 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5808` ``(bug): op-mode: ipv6 ospfv3 graceful-restart description contains incorrect info`` | ||||
| * :vytask:`T5802` ``(bug): ping (ip or hostname) interface <tab> produces error`` | ||||
| * :vytask:`T5747` ``(feature): op-mode add MAC VRF and MTU for show interfaces summary`` | ||||
| * :vytask:`T3983` ``(bug): show pki certificate Doesnt show x509 certificates`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-08 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5782` ``(enhancment): Use a single config mode script for https and http-api`` | ||||
| * :vytask:`T5768` ``(enhancment): Remove auxiliary http-api.conf for simplification of http-api config mode script`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-04 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5769` ``(bug): VTI tunnels lose their v6 Link Local addresses when set down/up`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-12-03 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5753` ``(feature): Add VXLAN vnifilter support`` | ||||
| * :vytask:`T5759` ``(feature): Change VXLAN default MTU to 1500 bytes`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-11-27 | ||||
| ========== | ||||
| 
 | ||||
| * :vytask:`T5763` ``(bug): Fix imprecise check for remote file name in vyos-load-config.py`` | ||||
| * :vytask:`T5783` ``(feature): frr: smoketests must notice any daemon crash`` | ||||
| 
 | ||||
| 
 | ||||
| 2023-11-26 | ||||
| ========== | ||||
| 
 | ||||
|  | ||||
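Review bot: several changelog entries carry spelling errors from their task titles: `(enhancment)` in T5815, T5782 and T5768, and `Doesnt` in T3983. If these lines are generated from the task titles, normalize the category label to `(enhancement)` in the generator rather than hand-editing the output, otherwise the typo will return on the next regeneration.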
| @ -8,6 +8,7 @@ set protocols static route 10.0.10.0/24 next-hop 10.0.20.254 | ||||
| set protocols static route 192.168.0.0/24 next-hop 127.16.0.2 | ||||
| set service dhcp-server listen-address '172.16.0.1' | ||||
| set service dhcp-server shared-network-name DHCPTun100 authoritative | ||||
| set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 default-router '192.168.0.254' | ||||
| set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 option default-router '192.168.0.254' | ||||
| set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 start '192.168.0.30' | ||||
| set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 stop '192.168.0.30' | ||||
| set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 subnet-id '1' | ||||
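Review bot: the context line `set protocols static route 192.168.0.0/24 next-hop 127.16.0.2` points at an address in the 127.0.0.0/8 loopback range, which cannot work as a next-hop; the `listen-address '172.16.0.1'` on the following line suggests the intended value is `172.16.0.2`. Separately, `range 0 start '192.168.0.30'` together with `stop '192.168.0.30'` gives the pool exactly one address; if that is deliberate for the example, say so, otherwise widen the range.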
							| @ -3,8 +3,8 @@ Wireguard | ||||
| ######### | ||||
| 
 | ||||
| 
 | ||||
| | Testdate: 2023-08-31 | ||||
| | Version: 1.4-rolling-202308240020 | ||||
| | Testdate: 2024-01-13 | ||||
| | Version: 1.5-rolling-202401121239 | ||||
| 
 | ||||
| 
 | ||||
| This simple structure show how to connect two offices. One remote branch and the | ||||
| @ -44,9 +44,9 @@ After this, the public key can be displayed, to save for later. | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|    vyos@central:~$ generate pki wireguard key-pair | ||||
|    Private key: cMNGHtb5dW92ORG3HS8JJlvQF8pmVGt2Ydny8hTBLnY= | ||||
|    Public key: WyfLCTXi31gL+YbYOwoAHCl2RgS+y56cYHEK6pQsTQ8= | ||||
|    vyos@central:~$ generate pki wireguard | ||||
|    Private key: wHQS+ib3eMIp2DxRiAeXfFVaSCMMP1YHBaKfSR1xfV8= | ||||
|    Public key: RCMy6BAER0uEcPvspUb3K38MHyHJpK5kiV5IOX943HI= | ||||
| 
 | ||||
| 
 | ||||
| After you have each public key. The wireguard interfaces can be setup. | ||||
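Review bot: the command changes from `generate pki wireguard key-pair` to `generate pki wireguard`; please confirm the shorter form is the complete op-mode command on 1.5-rolling-202401121239 and not a truncated paste, since the text above describes it as generating the key pair. The private key printed here is reused verbatim in the central configuration snippet later in this commit; any private key published in documentation is effectively public, so the example should state that these are throwaway keys and that a real deployment must generate its own.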
| @ -102,11 +102,11 @@ And ping the Branch PC from your central router to check the response. | ||||
| 
 | ||||
|    vyos@central:~$ ping 10.0.2.100 count 4 | ||||
|    PING 10.0.2.100 (10.0.2.100) 56(84) bytes of data. | ||||
|    64 bytes from 10.0.2.100: icmp_seq=1 ttl=63 time=0.641 ms | ||||
|    64 bytes from 10.0.2.100: icmp_seq=2 ttl=63 time=0.836 ms | ||||
|    64 bytes from 10.0.2.100: icmp_seq=3 ttl=63 time=0.792 ms | ||||
|    64 bytes from 10.0.2.100: icmp_seq=4 ttl=63 time=1.09 ms | ||||
|    64 bytes from 10.0.2.100: icmp_seq=1 ttl=63 time=0.894 ms | ||||
|    64 bytes from 10.0.2.100: icmp_seq=2 ttl=63 time=0.869 ms | ||||
|    64 bytes from 10.0.2.100: icmp_seq=3 ttl=63 time=0.966 ms | ||||
|    64 bytes from 10.0.2.100: icmp_seq=4 ttl=63 time=0.998 ms | ||||
|     | ||||
|    --- 10.0.2.100 ping statistics --- | ||||
|    4 packets transmitted, 4 received, 0% packet loss, time 3013ms | ||||
|    rtt min/avg/max/mdev = 0.641/0.838/1.086/0.160 ms | ||||
|    4 packets transmitted, 4 received, 0% packet loss, time 3004ms | ||||
|    rtt min/avg/max/mdev = 0.869/0.931/0.998/0.052 ms | ||||
|  | ||||
| @ -1,14 +1,14 @@ | ||||
| set interface ethernet eth2 address 10.0.2.254/24 | ||||
| set interface ethernet eth1 address 198.51.100.2/24 | ||||
| 
 | ||||
| set interfaces wireguard wg01 private-key 'oDZ2S/4S6UEuhOyk0MvNSQTebugihX5RKCrI3exmHV8=' | ||||
| set interfaces wireguard wg01 private-key 'QM3ZtmaxstxIDoz00AVLE/F/UVjmdcrOvfKYW/TVw18=' | ||||
| set interfaces wireguard wg01 address 192.168.0.2/24 | ||||
| set interfaces wireguard wg01 description 'VPN-to-central' | ||||
| set interfaces wireguard wg01 peer central allowed-ips 10.0.1.0/24 | ||||
| set interfaces wireguard wg01 peer central allowed-ips 192.168.0.0/24 | ||||
| set interfaces wireguard wg01 peer central address 198.51.100.1 | ||||
| set interfaces wireguard wg01 peer central port 51820 | ||||
| set interfaces wireguard wg01 peer central public-key 'WyfLCTXi31gL+YbYOwoAHCl2RgS+y56cYHEK6pQsTQ8=' | ||||
| set interfaces wireguard wg01 peer central public-key 'RCMy6BAER0uEcPvspUb3K38MHyHJpK5kiV5IOX943HI=' | ||||
| set interfaces wireguard wg01 port 51820 | ||||
| 
 | ||||
| set protocols static route 10.0.1.0/24 interface wg01 | ||||
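Review bot: the two context lines `set interface ethernet eth2 address ...` and `set interface ethernet eth1 address ...` use the singular `interface` node; the VyOS configuration path is `set interfaces ethernet ...`, as the wireguard lines in the same snippet already use, so the snippet will not load as written. Also, the new branch private key `QM3Zt...` must pair with the branch public key `nWhMTjGQ...` set on the central side; that pairing cannot be checked from the diff, so please confirm both values came from the same generation run.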
| @ -1,14 +1,14 @@ | ||||
| set interface ethernet eth2 address 10.0.1.254/24 | ||||
| set interface ethernet eth1 address 198.51.100.1/24 | ||||
| 
 | ||||
| set interfaces wireguard wg01 private-key 'cMNGHtb5dW92ORG3HS8JJlvQF8pmVGt2Ydny8hTBLnY=' | ||||
| set interfaces wireguard wg01 private-key 'wHQS+ib3eMIp2DxRiAeXfFVaSCMMP1YHBaKfSR1xfV8=' | ||||
| set interfaces wireguard wg01 address 192.168.0.1/24 | ||||
| set interfaces wireguard wg01 description 'VPN-to-Branch' | ||||
| set interfaces wireguard wg01 peer branch allowed-ips 10.0.2.0/24 | ||||
| set interfaces wireguard wg01 peer branch allowed-ips 192.168.0.0/24 | ||||
| set interfaces wireguard wg01 peer branch address 198.51.100.2 | ||||
| set interfaces wireguard wg01 peer branch port 51820 | ||||
| set interfaces wireguard wg01 peer branch public-key '9ySVcjER2cY1tG/L7598zHg8g1xyggjxALqzeCxLgw4=' | ||||
| set interfaces wireguard wg01 peer branch public-key 'nWhMTjGQbQiJwaNqHpZ/p8+iAH29HaJDNsdfsRdW9As=' | ||||
| set interfaces wireguard wg01 port 51820 | ||||
| 
 | ||||
| set protocols static route 10.0.2.0/24 interface wg01 | ||||
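Review bot: same problem as in the branch configuration: the first two lines use `set interface ethernet ...` and should read `set interfaces ethernet ...` to be a valid VyOS path.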
							| @ -4,8 +4,8 @@ | ||||
| Tunnelbroker.net (IPv6) | ||||
| ####################### | ||||
| 
 | ||||
| | Testdate: 2023-08-31 | ||||
| | Version: 1.4-rolling-202308240020 | ||||
| | Testdate: 2024-01-13 | ||||
| | Version: 1.5-rolling-202401121239 | ||||
| 
 | ||||
| This guide walks through the setup of https://www.tunnelbroker.net/ for an | ||||
| IPv6 Tunnel. | ||||
| @ -61,14 +61,14 @@ Now you should be able to ping a public IPv6 Address | ||||
| 
 | ||||
|    vyos@vyos-wan:~$ ping 2001:470:20::2 count 4 | ||||
|    PING 2001:470:20::2(2001:470:20::2) 56 data bytes | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=1 ttl=64 time=39.4 ms | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=29.9 ms | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=3 ttl=64 time=30.0 ms | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=4 ttl=64 time=29.9 ms | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=1 ttl=64 time=33.8 ms | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=43.9 ms | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=3 ttl=64 time=43.4 ms | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=4 ttl=64 time=42.5 ms | ||||
|     | ||||
|    --- 2001:470:20::2 ping statistics --- | ||||
|    4 packets transmitted, 4 received, 0% packet loss, time 3005ms | ||||
|    rtt min/avg/max/mdev = 29.885/32.293/39.371/4.086 ms | ||||
|    4 packets transmitted, 4 received, 0% packet loss, time 2999ms | ||||
|    rtt min/avg/max/mdev = 33.802/40.920/43.924/4.139 ms | ||||
| 
 | ||||
| 
 | ||||
| Assuming the pings are successful, you need to add some DNS servers. | ||||
| @ -85,14 +85,14 @@ You should now be able to ping something by IPv6 DNS name: | ||||
| 
 | ||||
|    vyos@vyos-wan:~$ ping tunnelbroker.net count 4 | ||||
|    PING tunnelbroker.net(tunnelbroker.net (2001:470:0:63::2)) 56 data bytes | ||||
|    64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=1 ttl=46 time=200 ms | ||||
|    64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=2 ttl=46 time=176 ms | ||||
|    64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=3 ttl=46 time=244 ms | ||||
|    64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=4 ttl=46 time=176 ms | ||||
|    64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=1 ttl=48 time=285 ms | ||||
|    64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=2 ttl=48 time=186 ms | ||||
|    64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=3 ttl=48 time=178 ms | ||||
|    64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=4 ttl=48 time=177 ms | ||||
|     | ||||
|    --- tunnelbroker.net ping statistics --- | ||||
|    4 packets transmitted, 4 received, 0% packet loss, time 3002ms | ||||
|    rtt min/avg/max/mdev = 175.737/198.653/243.621/27.714 ms | ||||
|    rtt min/avg/max/mdev = 176.707/206.638/285.128/45.457 ms | ||||
| 
 | ||||
| 
 | ||||
| ***************** | ||||
| @ -148,14 +148,14 @@ Now the Client is able to ping a public IPv6 address | ||||
| 
 | ||||
|    vyos@client:~$ ping 2001:470:20::2 count 4 | ||||
|    PING 2001:470:20::2(2001:470:20::2) 56 data bytes | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=1 ttl=63 time=30.5 ms | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=2 ttl=63 time=29.6 ms | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=3 ttl=63 time=29.9 ms | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=4 ttl=63 time=29.8 ms | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=1 ttl=63 time=32.1 ms | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=2 ttl=63 time=41.8 ms | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=3 ttl=63 time=41.7 ms | ||||
|    64 bytes from 2001:470:20::2: icmp_seq=4 ttl=63 time=47.1 ms | ||||
|     | ||||
|    --- 2001:470:20::2 ping statistics --- | ||||
|    4 packets transmitted, 4 received, 0% packet loss, time 3005ms | ||||
|    rtt min/avg/max/mdev = 29.578/29.959/30.490/0.333 ms | ||||
|    rtt min/avg/max/mdev = 32.128/40.688/47.107/5.403 ms | ||||
| 
 | ||||
| 
 | ||||
| Multiple LAN/DMZ Setup | ||||
|  | ||||
| @ -89,24 +89,28 @@ To have basic protection while keeping IPv6 network functional, we need to: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|    set firewall ipv6-name WAN_IN default-action 'drop' | ||||
|    set firewall ipv6-name WAN_IN rule 10 action 'accept' | ||||
|    set firewall ipv6-name WAN_IN rule 10 state established 'enable' | ||||
|    set firewall ipv6-name WAN_IN rule 10 state related 'enable' | ||||
|    set firewall ipv6-name WAN_IN rule 20 action 'accept' | ||||
|    set firewall ipv6-name WAN_IN rule 20 protocol 'icmpv6' | ||||
|    set firewall ipv6-name WAN_LOCAL default-action 'drop' | ||||
|    set firewall ipv6-name WAN_LOCAL rule 10 action 'accept' | ||||
|    set firewall ipv6-name WAN_LOCAL rule 10 state established 'enable' | ||||
|    set firewall ipv6-name WAN_LOCAL rule 10 state related 'enable' | ||||
|    set firewall ipv6-name WAN_LOCAL rule 20 action 'accept' | ||||
|    set firewall ipv6-name WAN_LOCAL rule 20 protocol 'icmpv6' | ||||
|    set firewall ipv6-name WAN_LOCAL rule 30 action 'accept' | ||||
|    set firewall ipv6-name WAN_LOCAL rule 30 destination port '546' | ||||
|    set firewall ipv6-name WAN_LOCAL rule 30 protocol 'udp' | ||||
|    set firewall ipv6-name WAN_LOCAL rule 30 source port '547' | ||||
|    set interfaces pppoe pppoe0 firewall in ipv6-name 'WAN_IN' | ||||
|    set interfaces pppoe pppoe0 firewall local ipv6-name 'WAN_LOCAL' | ||||
|    set firewall ipv6 name WAN_IN default-action 'drop' | ||||
|    set firewall ipv6 name WAN_IN rule 10 action 'accept' | ||||
|    set firewall ipv6 name WAN_IN rule 10 state established 'enable' | ||||
|    set firewall ipv6 name WAN_IN rule 10 state related 'enable' | ||||
|    set firewall ipv6 name WAN_IN rule 20 action 'accept' | ||||
|    set firewall ipv6 name WAN_IN rule 20 protocol 'icmpv6' | ||||
|    set firewall ipv6 name WAN_LOCAL default-action 'drop' | ||||
|    set firewall ipv6 name WAN_LOCAL rule 10 action 'accept' | ||||
|    set firewall ipv6 name WAN_LOCAL rule 10 state established 'enable' | ||||
|    set firewall ipv6 name WAN_LOCAL rule 10 state related 'enable' | ||||
|    set firewall ipv6 name WAN_LOCAL rule 20 action 'accept' | ||||
|    set firewall ipv6 name WAN_LOCAL rule 20 protocol 'icmpv6' | ||||
|    set firewall ipv6 name WAN_LOCAL rule 30 action 'accept' | ||||
|    set firewall ipv6 name WAN_LOCAL rule 30 destination port '546' | ||||
|    set firewall ipv6 name WAN_LOCAL rule 30 protocol 'udp' | ||||
|    set firewall ipv6 name WAN_LOCAL rule 30 source port '547' | ||||
|    set firewall ipv6 forward filter rule 10 action jump | ||||
|    set firewall ipv6 forward filter rule 10 jump-target 'WAN_IN' | ||||
|    set firewall ipv6 forward filter rule 10 inbound-interface name 'pppoe0' | ||||
|    set firewall ipv6 input filter rule 10 action jump | ||||
|    set firewall ipv6 input filter rule 10 jump-target 'WAN_LOCAL' | ||||
|    set firewall ipv6 input filter rule 10 inbound-interface name 'pppoe0' | ||||
| 
 | ||||
| Note to allow the router to receive DHCPv6 response from ISP. We need to allow | ||||
| packets with source port 547 (server) and destination port 546 (client). | ||||
|  | ||||
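Review bot: the new base chains `ipv6 forward filter` and `ipv6 input filter` receive only a jump rule and no `default-action`, so traffic that does not arrive on pppoe0 is accepted by the implicit base-chain default. That matches what the old per-interface attachment did, but a reader converting from the old syntax has no way to see it; consider adding `set firewall ipv6 forward filter default-action 'accept'` and the same for `input filter` so the policy is explicit, and mention that the `'drop'` defaults that protect the WAN side live inside `WAN_IN` and `WAN_LOCAL`, which the jump rules enter for packets from pppoe0.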
| @ -182,11 +182,11 @@ Example Configuration | ||||
| 
 | ||||
|     .. code-block:: none | ||||
| 
 | ||||
|         set container network zabbix-net prefix 172.20.0.0/16 | ||||
|         set container network zabbix-net description 'Network for Zabbix component containers' | ||||
|         set container network zabbix prefix 172.20.0.0/16 | ||||
|         set container network zabbix description 'Network for Zabbix component containers' | ||||
| 
 | ||||
|         set container name mysql-server image mysql:8.0 | ||||
|         set container name mysql-server network zabbix-net | ||||
|         set container name mysql-server network zabbix | ||||
| 
 | ||||
|         set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix' | ||||
|         set container name mysql-server environment 'MYSQL_USER' value 'zabbix' | ||||
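Review bot: the rename of the container network from `zabbix-net` to `zabbix` is applied to every reference but not explained anywhere in the changed lines; if it is driven by a length or character restriction on container network names, the example should state that restriction so readers do not reintroduce a name that fails validation.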
| @ -194,10 +194,10 @@ Example Configuration | ||||
|         set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd'  | ||||
| 
 | ||||
|         set container name zabbix-java-gateway image zabbix/zabbix-java-gateway:alpine-5.2-latest | ||||
|         set container name zabbix-java-gateway network zabbix-net | ||||
|         set container name zabbix-java-gateway network zabbix | ||||
| 
 | ||||
|         set container name zabbix-server-mysql image zabbix/zabbix-server-mysql:alpine-5.2-latest | ||||
|         set container name zabbix-server-mysql network zabbix-net | ||||
|         set container name zabbix-server-mysql network zabbix | ||||
| 
 | ||||
|         set container name zabbix-server-mysql environment 'DB_SERVER_HOST' value 'mysql-server' | ||||
|         set container name zabbix-server-mysql environment 'MYSQL_DATABASE' value 'zabbix' | ||||
| @ -210,7 +210,7 @@ Example Configuration | ||||
|         set container name zabbix-server-mysql port zabbix destination 10051 | ||||
| 
 | ||||
|         set container name zabbix-web-nginx-mysql image zabbix/zabbix-web-nginx-mysql:alpine-5.2-latest | ||||
|         set container name zabbix-web-nginx-mysql network zabbix-net | ||||
|         set container name zabbix-web-nginx-mysql network zabbix | ||||
| 
 | ||||
|         set container name zabbix-web-nginx-mysql environment 'MYSQL_DATABASE' value 'zabbix' | ||||
|         set container name zabbix-web-nginx-mysql environment 'ZBX_SERVER_HOST' value 'zabbix-server-mysql' | ||||
|  | ||||
| @ -39,4 +39,363 @@ for this layer is shown next: | ||||
| 
 | ||||
| For traffic that needs to be forwared internally by the bridge, base chain is | ||||
| is **forward**, and it's base command for filtering is ``set firewall bridge | ||||
| forward filter ...`` | ||||
| forward filter ...``, which happens in stage 4, highlightened with red color. | ||||
| 
 | ||||
| Custom bridge firewall chains can be create with command ``set firewall bridge | ||||
| name <name> ...``. In order to use such custom chain, a rule with action jump, | ||||
| and the appropiate target should be defined in a base chain. | ||||
| 
 | ||||
| .. note:: **Layer 3 bridge**: | ||||
|       When an IP address is assigned to the bridge interface, and if traffic | ||||
|       is sent to the router to this IP (for example using such IP as | ||||
|       default gateway), then rules defined for **bridge firewall** won't | ||||
|       match, and firewall analysis continues at **IP layer**. | ||||
| 
 | ||||
| ************ | ||||
| Bridge Rules | ||||
| ************ | ||||
| 
 | ||||
| For firewall filtering, firewall rules needs to be created. Each rule is | ||||
| numbered, has an action to apply if the rule is matched, and the ability | ||||
| to specify multiple criteria matchers. Data packets go through the rules | ||||
| from 1 - 999999, so order is crucial. At the first match the action of the | ||||
| rule will be executed. | ||||
| 
 | ||||
| Actions | ||||
| ======= | ||||
| 
 | ||||
| If a rule is defined, then an action must be defined for it. This tells the | ||||
| firewall what to do if all criteria matchers defined for such rule do match. | ||||
| 
 | ||||
| In firewall bridge rules, the action can be: | ||||
| 
 | ||||
|    * ``accept``: accept the packet. | ||||
| 
 | ||||
|    * ``continue``: continue parsing next rule. | ||||
| 
 | ||||
|    * ``drop``: drop the packet. | ||||
| 
 | ||||
|    * ``jump``: jump to another custom chain. | ||||
| 
 | ||||
|    * ``return``: Return from the current chain and continue at the next rule | ||||
|      of the last chain. | ||||
| 
 | ||||
|    * ``queue``: Enqueue packet to userspace. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> action | ||||
|    [accept | continue | drop | jump | queue | return] | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> action | ||||
|    [accept | continue | drop | jump | queue | return] | ||||
| 
 | ||||
|    This required setting defines the action of the current rule. If action is | ||||
|    set to jump, then jump-target is also needed. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    jump-target <text> | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    jump-target <text> | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    queue <0-65535> | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    queue <0-65535> | ||||
| 
 | ||||
|    To be used only when action is set to ``queue``. Use this command to specify | ||||
|    queue target to use. Queue range is also supported. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    queue-options bypass | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    queue-options bypass | ||||
| 
 | ||||
|    To be used only when action is set to ``queue``. Use this command to let | ||||
|    packet go through firewall when no userspace software is connected to the | ||||
|    queue. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    queue-options fanout | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    queue-options fanout | ||||
| 
 | ||||
|    To be used only when action is set to ``queue``. Use this command to | ||||
|    distribute packets between several queues. | ||||
| 
 | ||||
| Also, **default-action** is an action that takes place whenever a packet does | ||||
| not match any rule in it's chain. For base chains, possible options for | ||||
| **default-action** are **accept** or **drop**. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter default-action | ||||
|    [accept | drop] | ||||
| .. cfgcmd:: set firewall bridge name <name> default-action | ||||
|    [accept | continue | drop | jump | queue | return] | ||||
| 
 | ||||
|    This set the default action of the rule-set if no rule matched a packet | ||||
|    criteria. If default-action is set to ``jump``, then | ||||
|    ``default-jump-target`` is also needed. Note that for base chains, default | ||||
|    action can only be set to ``accept`` or ``drop``, while on custom chain, | ||||
|    more actions are available. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge name <name> default-jump-target <text> | ||||
| 
 | ||||
|    To be used only when ``defult-action`` is set to ``jump``. Use this | ||||
|    command to specify jump target for default rule. | ||||
| 
 | ||||
| .. note:: **Important note about default-actions:** | ||||
|    If default action for any base chain is not defined, then the default | ||||
|    action is set to **accept** for that chain. For custom chains, if default | ||||
|    action is not defined, then the default-action is set to **drop**. | ||||
| 
 | ||||
| Firewall Logs | ||||
| ============= | ||||
| 
 | ||||
| Logging can be enable for every single firewall rule. If enabled, other | ||||
| log options can be defined. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> log | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> log | ||||
| 
 | ||||
|    Enable logging for the matched packet. If this configuration command is not | ||||
|    present, then log is not enabled. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter enable-default-log | ||||
| .. cfgcmd:: set firewall bridge name <name> enable-default-log | ||||
| 
 | ||||
|    Use this command to enable the logging of the default action on | ||||
|    the specified chain. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    log-options level [emerg | alert | crit | err | warn | notice | ||||
|    | info | debug] | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    log-options level [emerg | alert | crit | err | warn | notice | ||||
|    | info | debug] | ||||
| 
 | ||||
|    Define log-level. Only applicable if rule log is enable. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    log-options group <0-65535> | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    log-options group <0-65535> | ||||
| 
 | ||||
|    Define log group to send message to. Only applicable if rule log is enable. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    log-options snapshot-length <0-9000> | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    log-options snapshot-length <0-9000> | ||||
| 
 | ||||
|    Define length of packet payload to include in netlink message. Only | ||||
|    applicable if rule log is enable and log group is defined. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    log-options queue-threshold <0-65535> | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    log-options queue-threshold <0-65535> | ||||
| 
 | ||||
|    Define number of packets to queue inside the kernel before sending them to | ||||
|    userspace. Only applicable if rule log is enable and log group is defined. | ||||
| 
 | ||||
| Firewall Description | ||||
| ==================== | ||||
| 
 | ||||
| For reference, a description can be defined for every defined custom chain. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge name <name> description <text> | ||||
| 
 | ||||
|    Provide a rule-set description to a custom firewall chain. | ||||
| 
 | ||||
| Rule Status | ||||
| =========== | ||||
| 
 | ||||
| When defining a rule, it is enable by default. In some cases, it is useful to | ||||
| just disable the rule, rather than removing it. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> disable | ||||
| 
 | ||||
|    Command for disabling a rule but keep it in the configuration. | ||||
| 
 | ||||
| Matching criteria | ||||
| ================= | ||||
| 
 | ||||
| There are a lot of matching criteria against which the packet can be tested. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    destination mac-address <mac-address> | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    destination mac-address <mac-address> | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    source mac-address <mac-address> | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    source mac-address <mac-address> | ||||
| 
 | ||||
|    Match criteria based on source and/or destination mac-address. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    inbound-interface name <iface> | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    inbound-interface name <iface> | ||||
| 
 | ||||
|    Match based on inbound interface. Wilcard ``*`` can be used. | ||||
|    For example: ``eth2*``. Prepending character ``!`` for inverted matching | ||||
|    criteria is also supportd. For example ``!eth2`` | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    inbound-interface group <iface_group> | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    inbound-interface group <iface_group> | ||||
| 
 | ||||
|    Match based on inbound interface group. Prepending character ``!`` for | ||||
|    inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    outbound-interface name <iface> | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    outbound-interface name <iface> | ||||
| 
 | ||||
|    Match based on outbound interface. Wilcard ``*`` can be used. | ||||
|    For example: ``eth2*``. Prepending character ``!`` for inverted matching | ||||
|    criteria is also supportd. For example ``!eth2`` | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    outbound-interface group <iface_group> | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    outbound-interface group <iface_group> | ||||
| 
 | ||||
|    Match based on outbound interface group. Prepending character ``!`` for | ||||
|    inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    vlan id <0-4096> | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    vlan id <0-4096> | ||||
| 
 | ||||
|    Match based on vlan ID. Range is also supported. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall bridge forward filter rule <1-999999> | ||||
|    vlan priority <0-7> | ||||
| .. cfgcmd:: set firewall bridge name <name> rule <1-999999> | ||||
|    vlan priority <0-7> | ||||
| 
 | ||||
|    Match based on vlan priority(pcp). Range is also supported. | ||||
| 
 | ||||
| *********************** | ||||
| Operation-mode Firewall | ||||
| *********************** | ||||
| 
 | ||||
| Rule-set overview | ||||
| ================= | ||||
| 
 | ||||
| In this section you can find all useful firewall op-mode commands. | ||||
| 
 | ||||
| General commands for firewall configuration, counter and statiscits: | ||||
| 
 | ||||
| .. opcmd:: show firewall | ||||
| .. opcmd:: show firewall summary | ||||
| .. opcmd:: show firewall statistics | ||||
| 
 | ||||
| And, to print only bridge firewall information: | ||||
| 
 | ||||
| .. opcmd:: show firewall bridge | ||||
| .. opcmd:: show firewall bridge forward filter | ||||
| .. opcmd:: show firewall bridge forward filter rule <rule> | ||||
| .. opcmd:: show firewall bridge name <name> | ||||
| .. opcmd:: show firewall bridge name <name> rule <rule> | ||||
| 
 | ||||
| Show Firewall log | ||||
| ================= | ||||
| 
 | ||||
| .. opcmd:: show log firewall | ||||
| .. opcmd:: show log firewall bridge | ||||
| .. opcmd:: show log firewall bridge forward | ||||
| .. opcmd:: show log firewall bridge forward filter | ||||
| .. opcmd:: show log firewall bridge name <name> | ||||
| .. opcmd:: show log firewall bridge forward filter rule <rule> | ||||
| .. opcmd:: show log firewall bridge name <name> rule <rule> | ||||
| 
 | ||||
|    Show the logs of all firewall; show all bridge firewall logs; show all logs | ||||
|    for forward hook; show all logs for forward hook and priority filter; show | ||||
|    all logs for particular custom chain; show logs for specific Rule-Set. | ||||
| 
 | ||||
| Example | ||||
| ======= | ||||
| 
 | ||||
| Configuration example: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|    set firewall bridge forward filter default-action 'drop' | ||||
|    set firewall bridge forward filter enable-default-log | ||||
|    set firewall bridge forward filter rule 10 action 'continue' | ||||
|    set firewall bridge forward filter rule 10 inbound-interface name 'eth2' | ||||
|    set firewall bridge forward filter rule 10 vlan id '22' | ||||
|    set firewall bridge forward filter rule 20 action 'drop' | ||||
|    set firewall bridge forward filter rule 20 inbound-interface group 'TRUNK-RIGHT' | ||||
|    set firewall bridge forward filter rule 20 vlan id '60' | ||||
|    set firewall bridge forward filter rule 30 action 'jump' | ||||
|    set firewall bridge forward filter rule 30 jump-target 'TEST' | ||||
|    set firewall bridge forward filter rule 30 outbound-interface name '!eth1' | ||||
|    set firewall bridge forward filter rule 35 action 'accept' | ||||
|    set firewall bridge forward filter rule 35 vlan id '11' | ||||
|    set firewall bridge forward filter rule 40 action 'continue' | ||||
|    set firewall bridge forward filter rule 40 destination mac-address '66:55:44:33:22:11' | ||||
|    set firewall bridge forward filter rule 40 source mac-address '11:22:33:44:55:66' | ||||
|    set firewall bridge name TEST default-action 'accept' | ||||
|    set firewall bridge name TEST enable-default-log | ||||
|    set firewall bridge name TEST rule 10 action 'continue' | ||||
|    set firewall bridge name TEST rule 10 log | ||||
|    set firewall bridge name TEST rule 10 vlan priority '0' | ||||
| 
 | ||||
| And op-mode commands: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|       vyos@BRI:~$ show firewall bridge | ||||
|       Rulesets bridge Information | ||||
| 
 | ||||
|       --------------------------------- | ||||
|       bridge Firewall "forward filter" | ||||
| 
 | ||||
|       Rule     Action    Protocol      Packets    Bytes  Conditions | ||||
|       -------  --------  ----------  ---------  -------  --------------------------------------------------------------------- | ||||
|       10       continue  all                 0        0  iifname "eth2" vlan id 22  continue | ||||
|       20       drop      all                 0        0  iifname @I_TRUNK-RIGHT vlan id 60 | ||||
|       30       jump      all              2130   170688  oifname != "eth1"  jump NAME_TEST | ||||
|       35       accept    all              2080   168616  vlan id 11  accept | ||||
|       40       continue  all                 0        0  ether daddr 66:55:44:33:22:11 ether saddr 11:22:33:44:55:66  continue | ||||
|       default  drop      all                 0        0 | ||||
| 
 | ||||
|       --------------------------------- | ||||
|       bridge Firewall "name TEST" | ||||
| 
 | ||||
|       Rule     Action    Protocol      Packets    Bytes  Conditions | ||||
|       -------  --------  ----------  ---------  -------  -------------------------------------------------- | ||||
|       10       continue  all              2130   170688  vlan pcp 0  prefix "[bri-NAM-TEST-10-C]"  continue | ||||
|       default  accept    all              2130   170688 | ||||
| 
 | ||||
|       vyos@BRI:~$ | ||||
|       vyos@BRI:~$ show firewall bridge name TEST | ||||
|       Ruleset Information | ||||
| 
 | ||||
|       --------------------------------- | ||||
|       bridge Firewall "name TEST" | ||||
| 
 | ||||
|       Rule     Action    Protocol      Packets    Bytes  Conditions | ||||
|       -------  --------  ----------  ---------  -------  -------------------------------------------------- | ||||
|       10       continue  all              2130   170688  vlan pcp 0  prefix "[bri-NAM-TEST-10-C]"  continue | ||||
|       default  accept    all              2130   170688 | ||||
| 
 | ||||
|       vyos@BRI:~$ | ||||
| 
 | ||||
| Inspect logs: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|       vyos@BRI:~$ show log firewall bridge | ||||
|       Dec 05 14:37:47 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 | ||||
|       Dec 05 14:37:48 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 | ||||
|       Dec 05 14:37:49 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 | ||||
|       ... | ||||
|       vyos@BRI:~$ show log firewall bridge forward filter | ||||
|       Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 | ||||
|       Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 | ||||
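Review bot: the log prefixes shown in the `show log firewall bridge` output (`[bri-NAM-TEST-10-C]`, `[bri-FWD-filter-default-D]`) are never explained; from the two samples they appear to encode the rule-set, the rule number (or `default`) and the action, and one sentence saying so would make the log output usable for readers tracing a drop back to its rule. The lead-ins `And op-mode commands:` and `Inspect logs:` are sentence fragments; suggest `The resulting rule-sets can be inspected with op-mode commands:` and `Logged packets can be inspected with:`. The second `show firewall bridge name TEST` transcript repeats the `name TEST` table already printed by `show firewall bridge` and could be trimmed.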
|  | ||||
| @ -1,4 +1,4 @@ | ||||
| :lastproofread: 2023-11-08 | ||||
| :lastproofread: 2023-12-26 | ||||
| 
 | ||||
| .. _firewall-flowtables-configuration: | ||||
| 
 | ||||
| @ -13,7 +13,7 @@ Overview | ||||
| ******** | ||||
| 
 | ||||
| In this section there's useful information of all firewall configuration that | ||||
| can be done regarding flowtables | ||||
| can be done regarding flowtables. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall flowtables ... | ||||
| 
 | ||||
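Review bot: the overview directive here still reads `set firewall flowtables ...`, while every command in the new Flowtable Configuration section and the Configuration Example below uses `set firewall flowtable <name> ...`; one of the two spellings is wrong and the page should use a single form.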
| @ -50,3 +50,139 @@ flowtable (flowtable miss), the packet follows the classic IP forwarding path. | ||||
| 
 | ||||
| .. note:: **Flowtable Reference:** | ||||
|    https://docs.kernel.org/networking/nf_flowtable.html | ||||
| 
 | ||||
| 
 | ||||
| *********************** | ||||
| Flowtable Configuration | ||||
| *********************** | ||||
| 
 | ||||
| In order to use flowtables, the minimal configuration needed includes: | ||||
| 
 | ||||
|    * Create flowtable: create flowtable, which includes the interfaces | ||||
|      that are going to be used by the flowtable. | ||||
| 
 | ||||
|    * Create firewall rule: create a firewall rule, setting action to | ||||
|      ``offload`` and using desired flowtable for ``offload-target``. | ||||
| 
 | ||||
| Creating a flow table: | ||||
| 
 | ||||
| .. cfgcmd:: set firewall flowtable <flow_table_name> interface <iface> | ||||
| 
 | ||||
|    Define interfaces to be used in the flowtable. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall flowtable <flow_table_name> description <text> | ||||
| 
 | ||||
| Provide a description to the flow table. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall flowtable <flow_table_name> offload | ||||
|    <hardware | software> | ||||
| 
 | ||||
|    Define type of offload to be used by the flowtable: ``hardware`` or | ||||
|    ``software``. By default, ``software`` offload is used. | ||||
| 
 | ||||
| .. note:: **Hardware offload:** should be supported by the NICs used. | ||||
| 
 | ||||
| Creating rules for using flow tables: | ||||
| 
 | ||||
| .. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> | ||||
|    action offload | ||||
| 
 | ||||
|    Create firewall rule in forward chain, and set action to ``offload``. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> | ||||
|    offload-target <flowtable> | ||||
| 
 | ||||
|    Create firewall rule in forward chain, and define which flowtbale | ||||
|    should be used. Only applicable if action is ``offload``. | ||||
| 
 | ||||
| ********************* | ||||
| Configuration Example | ||||
| ********************* | ||||
| 
 | ||||
| Things to be considred in this setup: | ||||
| 
 | ||||
|    * Two interfaces are going to be used in the flowtables: eth0 and eth1 | ||||
| 
 | ||||
|    * Minumum firewall ruleset is provided, which includes some filtering rules, | ||||
|      and appropiate rules for using flowtable offload capabilities. | ||||
| 
 | ||||
| As described, first packet will be evaluated by all the firewall path, so | ||||
| desired connection should be explicitely accepted. Same thing should be taken | ||||
| into account for traffic in reverse order. In most cases state policies are | ||||
| used in order to accept connection in reverse patch. | ||||
| 
 | ||||
| We will only accept traffic comming from interface eth0, protocol tcp and | ||||
| destination port 1122. All other traffic traspassing the router should be | ||||
| blocked. | ||||
| 
 | ||||
| Commands | ||||
| -------- | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|       set firewall flowtable FT01 interface 'eth0' | ||||
|       set firewall flowtable FT01 interface 'eth1' | ||||
|       set firewall ipv4 forward filter default-action 'drop' | ||||
|       set firewall ipv4 forward filter rule 10 action 'offload' | ||||
|       set firewall ipv4 forward filter rule 10 offload-target 'FT01' | ||||
|       set firewall ipv4 forward filter rule 10 state 'established' | ||||
|       set firewall ipv4 forward filter rule 10 state 'related' | ||||
|       set firewall ipv4 forward filter rule 20 action 'accept' | ||||
|       set firewall ipv4 forward filter rule 20 state 'established' | ||||
|       set firewall ipv4 forward filter rule 20 state 'related' | ||||
|       set firewall ipv4 forward filter rule 110 action 'accept' | ||||
|       set firewall ipv4 forward filter rule 110 destination address '192.0.2.100' | ||||
|       set firewall ipv4 forward filter rule 110 destination port '1122' | ||||
|       set firewall ipv4 forward filter rule 110 inbound-interface name 'eth0' | ||||
|       set firewall ipv4 forward filter rule 110 protocol 'tcp' | ||||
| 
 | ||||
| Explanation | ||||
| ----------- | ||||
| 
 | ||||
| Analysis on what happens for desired connection: | ||||
| 
 | ||||
|    1. First packet is received on eht0, with destination address 192.0.2.100, | ||||
|    protocol tcp and destination port 1122. Assume such destination address is | ||||
|    reachable through interface eth1. | ||||
| 
 | ||||
|    2. Since this is the first packet, connection status of this connection, | ||||
|    so far is **new**. So neither rule 10 nor 20 are valid. | ||||
| 
 | ||||
|    3. Rule 110 is hit, so connection is accepted. | ||||
| 
 | ||||
|    4. Once answer from server 192.0.2.100 is seen in opposite direction, | ||||
|    connection state will be triggered to **established**, so this reply is | ||||
|    accepted in rule 10. | ||||
| 
 | ||||
|    5. Second packet for this connection is received by the router. Since | ||||
|    connection state is **established**, then rule 10 is hit, and a new entry | ||||
|    in the flowtable FT01 is added for this connection. | ||||
| 
 | ||||
|    6. All subsecuent packets will skip traditional path, and will be offloaded | ||||
|    and will use the **Fast Path**. | ||||
| 
 | ||||
| Checks | ||||
| ------ | ||||
| 
 | ||||
| It's time to check conntrack table, to see if any connection was accepted, | ||||
| and if was properly offloaded | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|       vyos@FlowTables:~$ show firewall ipv4 forward filter | ||||
|       Ruleset Information | ||||
|        | ||||
|       --------------------------------- | ||||
|       ipv4 Firewall "forward filter" | ||||
|        | ||||
|       Rule     Action    Protocol      Packets    Bytes  Conditions | ||||
|       -------  --------  ----------  ---------  -------  ---------------------------------------------------------------- | ||||
|       10       offload   all                 8      468  ct state { established, related }  flow add @VYOS_FLOWTABLE_FT01 | ||||
|       20       accept    all                 8      468  ct state { established, related }  accept | ||||
|       110      accept    tcp                 2      120  ip daddr 192.0.2.100 tcp dport 1122 iifname "eth0"  accept | ||||
|       default  drop      all                 7      420 | ||||
|        | ||||
|       vyos@FlowTables:~$ sudo conntrack -L | grep tcp | ||||
|       conntrack v1.4.6 (conntrack-tools): 5 flow entries have been shown. | ||||
|       tcp      6 src=198.51.100.100 dst=192.0.2.100 sport=41676 dport=1122 src=192.0.2.100 dst=198.51.100.100 sport=1122 dport=41676 [OFFLOAD] mark=0 use=2 | ||||
|       vyos@FlowTables:~$ | ||||
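Review bot: the Explanation misdescribes rules 10 and 20. Step 4 says the reply is `accepted in rule 10`, but rule 10's action is `offload`, and the counters in the Checks output show rule 10 and rule 20 with identical counts (8 packets, 468 bytes): packets that match rule 10 are not accepted there but fall through to rule 20. Suggest stating that `offload` only adds the flow to the flowtable and that a separate `accept` rule for `established`/`related` (rule 20 in this example) is still required, otherwise readers will reasonably delete rule 20 as redundant and break return traffic. Further fixes in this hunk: both `cfgcmd` directives read `[ipv4 | ipv4]` and should be `[ipv4 | ipv6]`; `Provide a description to the flow table.` is not indented under its directive like the other descriptions; typos `flowtbale`, `considred`, `Minumum`, `appropiate`, `explicitely`, `reverse patch` (path), `comming`, `traspassing`, `eht0`, `subsecuent`.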
|  | ||||
| @ -1,4 +1,4 @@ | ||||
| :lastproofread: 2023-11-07 | ||||
| :lastproofread: 2023-12-26 | ||||
| 
 | ||||
| .. _firewall-global-options-configuration: | ||||
| 
 | ||||
| @ -115,3 +115,33 @@ Configuration | ||||
|    The following system parameter will be altered: | ||||
| 
 | ||||
|    * ``net.ipv4.tcp_rfc1337`` | ||||
| 
 | ||||
| .. cfgcmd:: set firewall global-options state-policy established action | ||||
|    [accept | drop | reject] | ||||
| 
 | ||||
| .. cfgcmd:: set firewall global-options state-policy established log | ||||
| 
 | ||||
| .. cfgcmd:: set firewall global-options state-policy established log-level | ||||
|    [emerg | alert | crit | err | warn | notice | info | debug] | ||||
| 
 | ||||
|    Set the global setting for an established connection. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall global-options state-policy invalid action | ||||
|    [accept | drop | reject] | ||||
| 
 | ||||
| .. cfgcmd:: set firewall global-options state-policy invalid log | ||||
| 
 | ||||
| .. cfgcmd:: set firewall global-options state-policy invalid log-level | ||||
|    [emerg | alert | crit | err | warn | notice | info | debug] | ||||
| 
 | ||||
|    Set the global setting for invalid packets. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall global-options state-policy related action | ||||
|    [accept | drop | reject] | ||||
| 
 | ||||
| .. cfgcmd:: set firewall global-options state-policy related log | ||||
| 
 | ||||
| .. cfgcmd:: set firewall global-options state-policy related log-level | ||||
|    [emerg | alert | crit | err | warn | notice | info | debug] | ||||
| 
 | ||||
|    Set the global setting for related connections. | ||||
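Review bot: the three descriptions (`Set the global setting for an established connection.` and its `invalid`/`related` counterparts) do not say what the setting does: to which chains the policy applies, how it interacts with per-rule `state` matches, or what behaviour applies when no state policy is configured. The flowtables section in this same change relies on it (`In most cases state policies are used in order to accept connection in reverse path`), so a cross-reference from there to this section would help. If `log-level` only takes effect together with `log`, say so under the `log-level` directive.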
|  | ||||
| @ -4,31 +4,32 @@ | ||||
| Firewall | ||||
| ######## | ||||
| 
 | ||||
| With VyOS being based on top of Linux and its kernel, the Netfilter project | ||||
| created the iptables and now the successor nftables for the Linux kernel to | ||||
| work directly on the data flows. This now extends the concept of zone-based | ||||
| security to allow for manipulating the data at multiple stages once accepted | ||||
| by the network interface and the driver before being handed off to the | ||||
| destination (e.g. a web server OR another device). | ||||
| As VyOS is based on Linux it leverages its firewall. The Netfilter project | ||||
| created iptables and its successor nftables for the Linux kernel to | ||||
| work directly on packet data flows. This now extends the concept of  | ||||
| zone-based security to allow for manipulating the data at multiple stages once  | ||||
| accepted by the network interface and the driver before being handed off to  | ||||
| the destination (e.g., a web server OR another device). | ||||
| 
 | ||||
| A simplified traffic flow, based on Netfilter packet flow, is shown next, in | ||||
| order to have a full view and understanding of how packets are processed, and | ||||
| what possible paths can take. | ||||
| A simplified traffic flow diagram, based on Netfilter packet flow, is shown  | ||||
| next, in order to have a full view and understanding of how packets are  | ||||
| processed, and what possible paths traffic can take. | ||||
| 
 | ||||
| .. figure:: /_static/images/firewall-gral-packet-flow.png | ||||
| 
 | ||||
| Main notes regarding this packet flow and terminology used in VyOS firewall: | ||||
| The main points regarding this packet flow and terminology used in VyOS  | ||||
| firewall are covered below: | ||||
| 
 | ||||
|    * **Bridge Port?**: choose appropiate path based on if interface were the | ||||
|      packet was received is part of a bridge, or not. | ||||
|    * **Bridge Port?**: choose appropriate path based on whether interface  | ||||
|      where the packet was received is part of a bridge, or not. | ||||
| 
 | ||||
| If interface were the packet was received isn't part of a bridge, then packet | ||||
| is processed at the **IP Layer**: | ||||
| If the interface where the packet was received isn't part of a bridge, then  | ||||
| packetis processed at the **IP Layer**: | ||||
| 
 | ||||
|    * **Prerouting**: several actions can be done in this stage, and currently | ||||
|      these actions are defined in different parts in vyos configuration. Order | ||||
|      these actions are defined in different parts in VyOS configuration. Order | ||||
|      is important, and all these actions are performed before any actions | ||||
|      define under ``firewall`` section. Relevant configuration that acts in | ||||
|      defined under ``firewall`` section. Relevant configuration that acts in | ||||
|      this stage are: | ||||
| 
 | ||||
|       * **Conntrack Ignore**: rules defined under ``set system conntrack ignore | ||||
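Review bot: the rewritten sentence introduces a new typo: `packetis processed at the **IP Layer**` is missing a space (`packet is`). The added lines `work directly on packet data flows. This now extends the concept of`, `zone-based security ... once` and `accepted by the network interface and the driver before being handed off to` end in trailing whitespace.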
| @ -40,12 +41,12 @@ is processed at the **IP Layer**: | ||||
|       * **Destination NAT**: rules defined under ``set [nat | nat66] | ||||
|         destination...``. | ||||
| 
 | ||||
|    * **Destination is the router?**: choose appropiate path based on | ||||
|      destination IP address. Transit forward continunes to **forward**, | ||||
|    * **Destination is the router?**: choose appropriate path based on | ||||
|      destination IP address. Transit forward continues to **forward**, | ||||
|      while traffic that destination IP address is configured on the router | ||||
|      continues to **input**. | ||||
| 
 | ||||
|    * **Input**: stage where traffic destinated to the router itself can be | ||||
|    * **Input**: stage where traffic destined for the router itself can be | ||||
|      filtered and controlled. This is where all rules for securing the router | ||||
|      should take place. This includes ipv4 and ipv6 filtering rules, defined | ||||
|      in: | ||||
| @ -61,10 +62,10 @@ is processed at the **IP Layer**: | ||||
| 
 | ||||
|      * ``set firewall ipv6 forward filter ...``. | ||||
| 
 | ||||
|    * **Output**: stage where traffic that is originated by the router itself | ||||
|      can be filtered and controlled. Bare in mind that this traffic can be a | ||||
|      new connection originted by a internal process running on VyOS router, | ||||
|      such as NTP, or can be a response to traffic received externaly through | ||||
|    * **Output**: stage where traffic that originates from the router itself | ||||
|      can be filtered and controlled. Bear in mind that this traffic can be a | ||||
|      new connection originated by a internal process running on VyOS router, | ||||
|      such as NTP, or a response to traffic received externaly through | ||||
|      **inputt** (for example response to an ssh login attempt to the router). | ||||
|      This includes ipv4 and ipv6 filtering rules, defined in: | ||||
| 
 | ||||
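Review bot: a few errors survive the rewording in this hunk: `a internal process` should be `an internal process`, `externaly` should be `externally`, and `**inputt**` should be `**input**`, since it refers to the Input stage described above.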
| @ -79,16 +80,16 @@ is processed at the **IP Layer**: | ||||
|      * **Source NAT**: rules defined under ``set [nat | nat66] | ||||
|        destination...``. | ||||
| 
 | ||||
| If interface were the packet was received is part of a bridge, then packet | ||||
| is processed at the **Bridge Layer**, which contains a ver basic setup where | ||||
| for bridge filtering: | ||||
| If the interface where the packet was received is part of a bridge, then  | ||||
| packetis processed at the **Bridge Layer**, which contains a basic setup for | ||||
| bridge filtering: | ||||
| 
 | ||||
|    * **Forward (Bridge)**: stage where traffic that is trasspasing through the | ||||
|    * **Forward (Bridge)**: stage where traffic that is trespasing through the | ||||
|      bridge is filtered and controlled: | ||||
| 
 | ||||
|      * ``set firewall bridge forward filter ...``. | ||||
| 
 | ||||
| Main structure VyOS firewall cli is shown next: | ||||
| The main structure VyOS firewall cli is shown next: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
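Review bot: in the unchanged context at the top of this hunk, **Source NAT** is documented as `set [nat | nat66] destination...`, which is the Destination NAT command listed earlier; it should read `set [nat | nat66] source...`. In the changed lines, `packetis processed at the **Bridge Layer**` is missing a space, the replacement `trespasing` is still misspelled (and `trespassing` is the wrong word for transit traffic; `passing through` or `traversing` reads better), and `The main structure VyOS firewall cli is shown next:` is missing `of`.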
| @ -134,7 +135,7 @@ Main structure VyOS firewall cli is shown next: | ||||
|             - custom_zone_name | ||||
|                + ... | ||||
| 
 | ||||
| Please, refer to appropiate section for more information about firewall | ||||
| Please, refer to appropriate section for more information about firewall | ||||
| configuration: | ||||
| 
 | ||||
| .. toctree:: | ||||
|  | ||||
| @ -123,9 +123,46 @@ The action can be : | ||||
| .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> | ||||
|    jump-target <text> | ||||
| 
 | ||||
|    To be used only when action is set to jump. Use this command to specify | ||||
|    To be used only when action is set to ``jump``. Use this command to specify | ||||
|    jump target. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> | ||||
|    queue <0-65535> | ||||
| .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> | ||||
|    queue <0-65535> | ||||
| .. cfgcmd:: set firewall ipv4 output filter rule <1-999999> | ||||
|    queue <0-65535> | ||||
| .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> | ||||
|    queue <0-65535> | ||||
| 
 | ||||
|    To be used only when action is set to ``queue``. Use this command to specify | ||||
|    queue target to use. Queue range is also supported. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> | ||||
|    queue-options bypass | ||||
| .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> | ||||
|    queue-options bypass | ||||
| .. cfgcmd:: set firewall ipv4 output filter rule <1-999999> | ||||
|    queue-options bypass | ||||
| .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> | ||||
|    queue-options bypass | ||||
| 
 | ||||
|    To be used only when action is set to ``queue``. Use this command to let | ||||
|    packet go through firewall when no userspace software is connected to the | ||||
|    queue. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> | ||||
|    queue-options fanout | ||||
| .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> | ||||
|    queue-options fanout | ||||
| .. cfgcmd:: set firewall ipv4 output filter rule <1-999999> | ||||
|    queue-options fanout | ||||
| .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> | ||||
|    queue-options fanout | ||||
| 
 | ||||
|    To be used only when action is set to ``queue``. Use this command to | ||||
|    distribute packets between several queues. | ||||
| 
 | ||||
| Also, **default-action** is an action that takes place whenever a packet does | ||||
| not match any rule in it's chain. For base chains, possible options for | ||||
| **default-action** are **accept** or **drop**.  | ||||
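Review bot: the `queue-options bypass` description should say plainly that this is a fail-open setting: with NFQUEUE, packets queued to a number that no userspace program is listening on are dropped, and `bypass` changes that to accepting them, so an IDS/IPS process that crashes or is not yet started silently stops inspecting traffic. `let packet go through firewall` reads as if this were harmless. Also, `Queue range is also supported` is stated but the directive only shows `queue <0-65535>`; show the range syntax (and its relation to `fanout`, which distributes packets across several queues) or drop the sentence.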
| @ -140,7 +177,7 @@ not match any rule in it's chain. For base chains, possible options for | ||||
|    [accept | drop | jump | queue | reject | return] | ||||
| 
 | ||||
|    This set the default action of the rule-set if no rule matched a packet | ||||
|    criteria. If defacult-action is set to ``jump``, then | ||||
|    criteria. If default-action is set to ``jump``, then | ||||
|    ``default-jump-target`` is also needed. Note that for base chains, default | ||||
|    action can only be set to ``accept`` or ``drop``, while on custom chain, | ||||
|    more actions are available. | ||||
| @ -153,7 +190,7 @@ not match any rule in it's chain. For base chains, possible options for | ||||
| .. note:: **Important note about default-actions:** | ||||
|    If default action for any base chain is not defined, then the default | ||||
|    action is set to **accept** for that chain. For custom chains, if default | ||||
|    action is not defined, then the default-action is set to **drop** | ||||
|    action is not defined, then the default-action is set to **drop**. | ||||
| 
 | ||||
| Firewall Logs | ||||
| ============= | ||||
| @ -162,15 +199,12 @@ Logging can be enable for every single firewall rule. If enabled, other | ||||
| log options can be defined.  | ||||
| 
 | ||||
| .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log | ||||
|    [disable | enable] | ||||
| .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> log | ||||
|    [disable | enable] | ||||
| .. cfgcmd:: set firewall ipv4 output filter rule <1-999999> log | ||||
|    [disable | enable] | ||||
| .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log | ||||
|    [disable | enable] | ||||
| 
 | ||||
|    Enable or disable logging for the matched packet. | ||||
|    Enable logging for the matched packet. If this configuration command is not | ||||
|    present, then log is not enabled. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall ipv4 forward filter enable-default-log | ||||
| .. cfgcmd:: set firewall ipv4 input filter enable-default-log | ||||
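Review bot: the unchanged lead-in `Logging can be enable for every single firewall rule` should read `enabled`. Since this hunk drops the `[disable | enable]` argument, it would help to say whether configurations using the old `log enable`/`log disable` form are still accepted or migrated; the description now only covers presence or absence of `log`.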
| @ -266,7 +300,7 @@ just disable the rule, rather than removing it. | ||||
| Matching criteria | ||||
| ================= | ||||
| 
 | ||||
| There are a lot of matching criteria against which the package can be tested. | ||||
| There are a lot of matching criteria against which the packet can be tested. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> | ||||
|    connection-status nat [destination | source] | ||||
|  | ||||
| @ -123,9 +123,46 @@ The action can be : | ||||
| .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> | ||||
|    jump-target <text> | ||||
| 
 | ||||
|    To be used only when action is set to jump. Use this command to specify | ||||
|    To be used only when action is set to ``jump``. Use this command to specify | ||||
|    jump target. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> | ||||
|    queue <0-65535> | ||||
| .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> | ||||
|    queue <0-65535> | ||||
| .. cfgcmd:: set firewall ipv6 output filter rule <1-999999> | ||||
|    queue <0-65535> | ||||
| .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> | ||||
|    queue <0-65535> | ||||
| 
 | ||||
|    To be used only when action is set to ``queue``. Use this command to specify | ||||
|    queue target to use. Queue range is also supported. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> | ||||
|    queue-options bypass | ||||
| .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> | ||||
|    queue-options bypass | ||||
| .. cfgcmd:: set firewall ipv6 output filter rule <1-999999> | ||||
|    queue-options bypass | ||||
| .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> | ||||
|    queue-options bypass | ||||
| 
 | ||||
|    To be used only when action is set to ``queue``. Use this command to let | ||||
|    packet go through firewall when no userspace software is connected to the | ||||
|    queue. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> | ||||
|    queue-options fanout | ||||
| .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> | ||||
|    queue-options fanout | ||||
| .. cfgcmd:: set firewall ipv6 output filter rule <1-999999> | ||||
|    queue-options fanout | ||||
| .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> | ||||
|    queue-options fanout | ||||
| 
 | ||||
|    To be used only when action is set to ``queue``. Use this command to | ||||
|    distribute packets between several queues. | ||||
| 
 | ||||
| Also, **default-action** is an action that takes place whenever a packet does | ||||
| not match any rule in it's chain. For base chains, possible options for | ||||
| **default-action** are **accept** or **drop**.  | ||||
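Review bot: the same remarks as for the identical IPv4 page apply here: state explicitly that `queue-options bypass` makes the rule fail-open (packets are accepted when no userspace listener is attached, instead of being dropped), and show the syntax for the queue range that `Queue range is also supported` refers to, since the directive only documents a single `queue <0-65535>` value.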
| @ -140,7 +177,7 @@ not match any rule in it's chain. For base chains, possible options for | ||||
|    [accept | drop | jump | queue | reject | return] | ||||
| 
 | ||||
|    This set the default action of the rule-set if no rule matched a packet | ||||
|    criteria. If defacult-action is set to ``jump``, then | ||||
|    criteria. If default-action is set to ``jump``, then | ||||
|    ``default-jump-target`` is also needed. Note that for base chains, default | ||||
|    action can only be set to ``accept`` or ``drop``, while on custom chain, | ||||
|    more actions are available. | ||||
| @ -153,7 +190,7 @@ not match any rule in it's chain. For base chains, possible options for | ||||
| .. note:: **Important note about default-actions:** | ||||
|    If default action for any base chain is not defined, then the default | ||||
|    action is set to **accept** for that chain. For custom chains, if default | ||||
|    action is not defined, then the default-action is set to **drop** | ||||
|    action is not defined, then the default-action is set to **drop**. | ||||
| 
 | ||||
| Firewall Logs | ||||
| ============= | ||||
| @ -162,15 +199,12 @@ Logging can be enable for every single firewall rule. If enabled, other | ||||
| log options can be defined.  | ||||
| 
 | ||||
| .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log | ||||
|    [disable | enable] | ||||
| .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> log | ||||
|    [disable | enable] | ||||
| .. cfgcmd:: set firewall ipv6 output filter rule <1-999999> log | ||||
|    [disable | enable] | ||||
| .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log | ||||
|    [disable | enable] | ||||
| 
 | ||||
|    Enable or disable logging for the matched packet. | ||||
|    Enable logging for the matched packet. If this configuration command is not | ||||
|    present, then log is not enabled. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall ipv6 forward filter enable-default-log | ||||
| .. cfgcmd:: set firewall ipv6 input filter enable-default-log | ||||
| @ -266,7 +300,7 @@ just disable the rule, rather than removing it. | ||||
| Matching criteria | ||||
| ================= | ||||
| 
 | ||||
| There are a lot of matching criteria against which the package can be tested. | ||||
| There are a lot of matching criteria against which the packet can be tested. | ||||
| 
 | ||||
| .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> | ||||
|    connection-status nat [destination | source] | ||||
| @ -1049,29 +1083,30 @@ Rule-set overview | ||||
| 
 | ||||
| .. opcmd:: show firewall ipv6 [forward | input | output] filter | ||||
| 
 | ||||
| .. opcmd:: show firewall ipv4 name <name> | ||||
| 
 | ||||
| .. opcmd:: show firewall ipv6 ipv6-name <name> | ||||
| 
 | ||||
|    This command will give an overview of a single rule-set. | ||||
| 
 | ||||
|    .. code-block:: none | ||||
| 
 | ||||
|       vyos@vyos:~$ show firewall ipv4 input filter  | ||||
|       vyos@vyos:~$ show firewall ipv6 input filter | ||||
|       Ruleset Information | ||||
| 
 | ||||
|       --------------------------------- | ||||
|       IPv4 Firewall "input filter" | ||||
|       ipv6 Firewall "input filter" | ||||
| 
 | ||||
|       Rule     Action    Protocol      Packets    Bytes  Conditions | ||||
|       -------  --------  ----------  ---------  -------  ----------------------------------------- | ||||
|       5        jump      all                 0        0  iifname "eth2"  jump NAME_VyOS_MANAGEMENT | ||||
|       default  accept    all | ||||
|       -------  --------  ----------  ---------  -------  ------------------------------------------------------------------------------ | ||||
|       10       jump      all                13     1456  iifname "eth1"  jump NAME6_INP-ETH1 | ||||
|       20       accept    ipv6-icmp          10     1112  meta l4proto ipv6-icmp iifname "eth0"  prefix "[ipv6-INP-filter-20-A]"  accept | ||||
|       default  accept    all                14     1584 | ||||
| 
 | ||||
|       vyos@vyos:~$ | ||||
| 
 | ||||
| .. opcmd:: show firewall ipv6 [forward | input | output] | ||||
|    filter rule <1-999999> | ||||
| 
 | ||||
| .. opcmd:: show firewall ipv4 name <name> rule <1-999999> | ||||
| .. opcmd:: show firewall ipv6 name <name> rule <1-999999> | ||||
| 
 | ||||
| .. opcmd:: show firewall ipv6 ipv6-name <name> rule <1-999999> | ||||
| 
 | ||||
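Review bot: the fix is incomplete: `show firewall ipv4 name <name>` at the top of this hunk is still an IPv4 command in the IPv6 page, while the matching `... name <name> rule <1-999999>` line further down was corrected to `ipv6`. Both `ipv6 name <name>` and `ipv6 ipv6-name <name>` forms are listed; if both are valid it is worth saying which one is current.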
| @ -1120,45 +1155,38 @@ Example Partial Config | ||||
| .. code-block:: none | ||||
| 
 | ||||
|       firewall { | ||||
|       group { | ||||
|           network-group BAD-NETWORKS { | ||||
|               network 198.51.100.0/24 | ||||
|               network 203.0.113.0/24 | ||||
|           } | ||||
|           network-group GOOD-NETWORKS { | ||||
|               network 192.0.2.0/24 | ||||
|           } | ||||
|           port-group BAD-PORTS { | ||||
|               port 65535 | ||||
|           } | ||||
|       } | ||||
|       ipv4 { | ||||
|           forward { | ||||
|           ipv6 { | ||||
|               input { | ||||
|                   filter { | ||||
|                   default-action accept | ||||
|                   rule 5 { | ||||
|                       action accept | ||||
|                       source { | ||||
|                           group { | ||||
|                               network-group GOOD-NETWORKS | ||||
|                           } | ||||
|                       } | ||||
|                   } | ||||
|                       rule 10 { | ||||
|                       action drop | ||||
|                       description "Bad Networks" | ||||
|                       protocol all | ||||
|                       source { | ||||
|                           group { | ||||
|                               network-group BAD-NETWORKS | ||||
|                           } | ||||
|                       } | ||||
|                   } | ||||
|                           action jump | ||||
|                           inbound-interface { | ||||
|                               name eth1 | ||||
|                           } | ||||
|                           jump-target INP-ETH1 | ||||
|                       } | ||||
|                       rule 20 { | ||||
|                           action accept | ||||
|                           inbound-interface { | ||||
|                               name eth0 | ||||
|                           } | ||||
|                           log | ||||
|                           protocol ipv6-icmp | ||||
|                       } | ||||
|                   } | ||||
|               } | ||||
|               name INP-ETH1 { | ||||
|                   default-action drop | ||||
|                   enable-default-log | ||||
|                   rule 10 { | ||||
|                       action accept | ||||
|                       protocol tcp_udp | ||||
|                   } | ||||
|               } | ||||
|           } | ||||
|       } | ||||
| 
 | ||||
| 
 | ||||
| Update geoip database | ||||
| ===================== | ||||
| 
 | ||||
|  | ||||
| @ -123,3 +123,41 @@ written from the perspective of: *Source Zone*-to->*Destination Zone* | ||||
|       set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4 | ||||
|       set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4 | ||||
| 
 | ||||
| ************** | ||||
| Operation-mode | ||||
| ************** | ||||
| 
 | ||||
| .. opcmd:: show firewall zone-policy | ||||
| 
 | ||||
|    This will show you a basic summary of zones configuration. | ||||
| 
 | ||||
|    .. code-block:: none | ||||
| 
 | ||||
|       vyos@vyos:~$ show firewall zone-policy | ||||
|       Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6 | ||||
|       ------  ------------  -----------  ---------------  --------------- | ||||
|       LAN     eth1          WAN          WAN_to_LAN | ||||
|               eth2 | ||||
|       LOCAL   LOCAL         LAN          LAN_to_LOCAL | ||||
|                             WAN          WAN_to_LOCAL     WAN_to_LOCAL_v6 | ||||
|       WAN     eth3          LAN          LAN_to_WAN | ||||
|               eth0          LOCAL        LOCAL_to_WAN | ||||
|       vyos@vyos:~$ | ||||
| 
 | ||||
| .. opcmd:: show firewall zone-policy zone <zone> | ||||
| 
 | ||||
|    This will show you a basic summary of a particular zone. | ||||
| 
 | ||||
|    .. code-block:: none | ||||
| 
 | ||||
|       vyos@vyos:~$ show firewall zone-policy zone WAN | ||||
|       Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6 | ||||
|       ------  ------------  -----------  ---------------  --------------- | ||||
|       WAN     eth3          LAN          LAN_to_WAN | ||||
|               eth0          LOCAL        LOCAL_to_WAN | ||||
|       vyos@vyos:~$ show firewall zone-policy zone LOCAL | ||||
|       Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6 | ||||
|       ------  ------------  -----------  ---------------  --------------- | ||||
|       LOCAL   LOCAL         LAN          LAN_to_LOCAL | ||||
|                             WAN          WAN_to_LOCAL     WAN_to_LOCAL_v6 | ||||
|       vyos@vyos:~$ | ||||
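Review bot: the description under `show firewall zone-policy` reads "a basic summary of zones configuration"; "a basic summary of the zone configuration" reads better. The two zone-specific outputs match the corresponding rows of the full table, so the examples are consistent with each other.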
|  | ||||
| @ -105,7 +105,7 @@ Backend | ||||
|      of the client | ||||
|    * ``round-robin`` Distributes requests in a circular manner, | ||||
|      sequentially sending each request to the next server in line | ||||
|    * ``least-connection`` Distributes requests tp tje server wotj the fewest  | ||||
|    * ``least-connection`` Distributes requests to the server with the fewest | ||||
|      active connections | ||||
| 
 | ||||
| .. cfgcmd:: set load-balancing reverse-proxy backend <name> mode | ||||
|  | ||||
| @ -9,4 +9,5 @@ NAT | ||||
|    :includehidden: | ||||
| 
 | ||||
|    nat44 | ||||
|    nat64 | ||||
|    nat66 | ||||
|  | ||||
docs/configuration/nat/nat64.rst (81 lines, Normal file)
							| @ -0,0 +1,81 @@ | ||||
| .. _nat64: | ||||
| 
 | ||||
| ##### | ||||
| NAT64 | ||||
| ##### | ||||
| 
 | ||||
| :abbr:`NAT64 (IPv6-to-IPv4 Prefix Translation)` is a critical component in | ||||
| modern networking, facilitating communication between IPv6 and IPv4 networks. | ||||
| This documentation outlines the setup, configuration, and usage of the NAT64 | ||||
| feature in your project. Whether you are transitioning to IPv6 or need to | ||||
| seamlessly connect IPv4 and IPv6 devices. | ||||
| NAT64 is a stateful translation mechanism that translates IPv6 addresses to | ||||
| IPv4 addresses and IPv4 addresses to IPv6 addresses. NAT64 is used to enable | ||||
| IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP. | ||||
| 
 | ||||
| 
 | ||||
| Overview | ||||
| ======== | ||||
| 
 | ||||
| Different NAT Types | ||||
| ------------------- | ||||
| 
 | ||||
| .. _source-nat64: | ||||
| 
 | ||||
| SNAT64 | ||||
| ^^^^^^ | ||||
| 
 | ||||
| :abbr:`SNAT64 (IPv6-to-IPv4 Source Address Translation)` is a stateful | ||||
| translation mechanism that translates IPv6 addresses to IPv4 addresses. | ||||
| 
 | ||||
| ``64:ff9b::/96`` is the well-known prefix for IPv4-embedded IPv6 addresses. | ||||
| The prefix is used to represent IPv4 addresses in an IPv6 address format. | ||||
| The IPv4 address is encoded in the low-order 32 bits of the IPv6 address. | ||||
| The high-order 32 bits are set to the well-known prefix 64:ff9b::/96. | ||||
| 
 | ||||
| 
 | ||||
| Configuration Examples | ||||
| ====================== | ||||
| 
 | ||||
| The following examples show how to configure NAT64 on a VyOS router. | ||||
| The 192.0.2.10 address is used as the IPv4 address for the translation pool. | ||||
| 
 | ||||
| 
 | ||||
| NAT64 server configuration: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set interfaces ethernet eth0 address '192.0.2.1/24' | ||||
|   set interfaces ethernet eth0 address '192.0.2.10/24' | ||||
|   set interfaces ethernet eth0 description 'WAN' | ||||
|   set interfaces ethernet eth1 address '2001:db8::1/64' | ||||
|   set interfaces ethernet eth1 description 'LAN' | ||||
| 
 | ||||
|   set service dns forwarding allow-from '2001:db8::/64' | ||||
|   set service dns forwarding dns64-prefix '64:ff9b::/96' | ||||
|   set service dns forwarding listen-address '2001:db8::1' | ||||
| 
 | ||||
|   set nat64 source rule 100 source prefix '64:ff9b::/96' | ||||
|   set nat64 source rule 100 translation pool 10 address '192.0.2.10' | ||||
|   set nat64 source rule 100 translation pool 10 port '1-65535' | ||||
| 
 | ||||
| NAT64 client configuration: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set interfaces ethernet eth1 address '2001:db8::2/64' | ||||
|   set protocols static route6 64:ff9b::/96 next-hop 2001:db8::1 | ||||
|   set system name-server '2001:db8::1' | ||||
| 
 | ||||
| Test from the IPv6 only client: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   vyos@r1:~$ ping 64:ff9b::192.0.2.1 count 2 | ||||
|   PING 64:ff9b::192.0.2.1(64:ff9b::c000:201) 56 data bytes | ||||
|   64 bytes from 64:ff9b::c000:201: icmp_seq=1 ttl=63 time=0.351 ms | ||||
|   64 bytes from 64:ff9b::c000:201: icmp_seq=2 ttl=63 time=0.373 ms | ||||
| 
 | ||||
|   --- 64:ff9b::192.0.2.1 ping statistics --- | ||||
|   2 packets transmitted, 2 received, 0% packet loss, time 1023ms | ||||
|   rtt min/avg/max/mdev = 0.351/0.362/0.373/0.011 ms | ||||
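Review bot: the prefix paragraph says "The high-order 32 bits are set to the well-known prefix 64:ff9b::/96"; a /96 covers 96 bits, so this should read "The high-order 96 bits". The introduction also carries a dangling fragment ("Whether you are transitioning to IPv6 or need to seamlessly connect IPv4 and IPv6 devices.") and speaks of "your project" rather than VyOS; fold it into the previous sentence or drop it. In the server example `eth0` receives both `192.0.2.1/24` and `192.0.2.10/24` while `192.0.2.10` is also the pool address in rule 100; one sentence on why the pool address is placed on the interface would save readers from guessing whether that is required.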
| @ -137,3 +137,100 @@ R2: | ||||
|   set interfaces bridge br1 member interface eth1 | ||||
|   set protocols static route6 ::/0 next-hop fc01::1 | ||||
|   set service router-advert interface br1 prefix ::/0 | ||||
| 
 | ||||
| 
 | ||||
| Use the following topology to translate internal user local addresses (``fc::/7``) | ||||
| to DHCPv6-PD provided prefixes from an ISP connected to a VyOS HA pair. | ||||
| 
 | ||||
| .. figure:: /_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png | ||||
|    :alt: VyOS NAT66 DHCPv6 using a dummy interface | ||||
| 
 | ||||
| Configure both routers (a and b) for DHCPv6-PD via dummy interface: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set interfaces dummy dum1 description 'DHCPv6-PD NPT dummy' | ||||
|   set interfaces bonding bond0 vif 20 dhcpv6-options pd 0 interface dum1 address '0' | ||||
|   set interfaces bonding bond0 vif 20 dhcpv6-options pd 1 interface dum1 address '0' | ||||
|   set interfaces bonding bond0 vif 20 dhcpv6-options pd 2 interface dum1 address '0' | ||||
|   set interfaces bonding bond0 vif 20 dhcpv6-options pd 3 interface dum1 address '0' | ||||
|   set interfaces bonding bond0 vif 20 dhcpv6-options rapid-commit | ||||
|   commit | ||||
| 
 | ||||
| Get the DHCPv6-PD prefixes from both routers: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   trae@cr01a-vyos# run show interfaces dummy dum1 br | ||||
|   Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down | ||||
|   Interface        IP Address                        S/L  Description | ||||
|   ---------        ----------                        ---  ----------- | ||||
|   dum1             2001:db8:123:b008::/64           u/u  DHCPv6-PD NPT dummy | ||||
|                    2001:db8:123:b00a::/64 | ||||
|                    2001:db8:123:b00b::/64 | ||||
|                    2001:db8:123:b009::/64 | ||||
| 
 | ||||
|   trae@cr01b-vyos# run show int dummy dum1 brief | ||||
|   Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down | ||||
|   Interface        IP Address                        S/L  Description | ||||
|   ---------        ----------                        ---  ----------- | ||||
|   dum1             2001:db8:123:b00d::/64           u/u  DHCPv6-PD NPT dummy | ||||
|                    2001:db8:123:b00c::/64 | ||||
|                    2001:db8:123:b00e::/64 | ||||
|                    2001:db8:123:b00f::/64 | ||||
| 
 | ||||
| Configure the A-side router for NPTv6 using the prefixes above: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set nat66 source rule 10 description 'NPT to VLAN 10' | ||||
|   set nat66 source rule 10 outbound-interface name 'bond0.20' | ||||
|   set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64' | ||||
|   set nat66 source rule 10 translation address '2001:db8:123:b008::/64' | ||||
|   set nat66 source rule 20 description 'NPT to VLAN 70' | ||||
|   set nat66 source rule 20 outbound-interface name 'bond0.20' | ||||
|   set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64' | ||||
|   set nat66 source rule 20 translation address '2001:db8:123:b009::/64' | ||||
|   set nat66 source rule 30 description 'NPT to VLAN 200' | ||||
|   set nat66 source rule 30 outbound-interface name 'bond0.20' | ||||
|   set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64' | ||||
|   set nat66 source rule 30 translation address '2001:db8:123:b00a::/64' | ||||
|   set nat66 source rule 40 description 'NPT to VLAN 240' | ||||
|   set nat66 source rule 40 outbound-interface name 'bond0.20' | ||||
|   set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64' | ||||
|   set nat66 source rule 40 translation address '2001:db8:123:b00b::/64' | ||||
|   commit | ||||
| 
 | ||||
| Configure the B-side router for NPTv6 using the prefixes above: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set nat66 source rule 10 description 'NPT to VLAN 10' | ||||
|   set nat66 source rule 10 outbound-interface name 'bond0.20' | ||||
|   set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64' | ||||
|   set nat66 source rule 10 translation address '2001:db8:123:b00c::/64' | ||||
|   set nat66 source rule 20 description 'NPT to VLAN 70' | ||||
|   set nat66 source rule 20 outbound-interface name 'bond0.20' | ||||
|   set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64' | ||||
|   set nat66 source rule 20 translation address '2001:db8:123:b00d::/64' | ||||
|   set nat66 source rule 30 description 'NPT to VLAN 200' | ||||
|   set nat66 source rule 30 outbound-interface name 'bond0.20' | ||||
|   set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64' | ||||
|   set nat66 source rule 30 translation address '2001:db8:123:b00e::/64' | ||||
|   set nat66 source rule 40 description 'NPT to VLAN 240' | ||||
|   set nat66 source rule 40 outbound-interface name 'bond0.20' | ||||
|   set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64' | ||||
|   set nat66 source rule 40 translation address '2001:db8:123:b00f::/64' | ||||
|   commit | ||||
| 
 | ||||
| Verify that connections are hitting the rule on both sides: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   trae@cr01a-vyos# run show nat66 source statistics | ||||
|   Rule    Packets    Bytes    Interface | ||||
|   ------  ---------  -------  ----------- | ||||
|   10      1          104      bond0.20 | ||||
|   20      1          104      bond0.20 | ||||
|   30      8093       669445   bond0.20 | ||||
|   40      2446       216912   bond0.20 | ||||
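Review bot: the introductory sentence refers to "internal user local addresses (``fc::/7``)"; the unique local address range is ``fc00::/7`` (``fc::/7`` expands to ``00fc::/7``) and "user local" should read "unique local", matching the `fd52:...` source prefixes used in the rules. The verification step says "on both sides" but only the `cr01a-vyos` statistics are shown; either add the B-side output or say "on the A-side router".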
|  | ||||
| @ -1,4 +1,4 @@ | ||||
| :lastproofread: 2021-09-01 | ||||
| :lastproofread: 2024-01-05 | ||||
| 
 | ||||
| .. include:: /_include/need_improvement.txt | ||||
| 
 | ||||
| @ -248,6 +248,44 @@ certificates used by services on this router. | ||||
| 
 | ||||
|   If CA is present, this certificate will be included in generated CRLs | ||||
| 
 | ||||
| ACME | ||||
| ^^^^ | ||||
| 
 | ||||
| The VyOS PKI subsystem can also be used to automatically retrieve Certificates | ||||
| using the :abbr:`ACME (Automatic Certificate Management Environment)` protocol. | ||||
| 
 | ||||
| .. cfgcmd:: set pki certificate <name> acme domain-name <name> | ||||
| 
 | ||||
|   Domain names to apply, multiple domain-names can be specified. | ||||
| 
 | ||||
|   This is a mandatory option | ||||
| 
 | ||||
| .. cfgcmd:: set pki certificate <name> acme email <address> | ||||
| 
 | ||||
|   Email used for registration and recovery contact. | ||||
| 
 | ||||
|   This is a mandatory option | ||||
| 
 | ||||
| .. cfgcmd:: set pki certificate <name> acme listen-address <address> | ||||
| 
 | ||||
|   The address the server listens to during http-01 challenge | ||||
| 
 | ||||
| .. cfgcmd:: set pki certificate <name> acme rsa-key-size <2048 | 3072 | 4096> | ||||
| 
 | ||||
|   Size of the RSA key. | ||||
| 
 | ||||
|   This options defaults to 2048 | ||||
| 
 | ||||
| .. cfgcmd:: set pki certificate <name> acme url <url> | ||||
| 
 | ||||
|   ACME Directory Resource URI. | ||||
| 
 | ||||
|   This defaults to https://acme-v02.api.letsencrypt.org/directory | ||||
| 
 | ||||
|   .. note:: During initial deployment we recommend using the staging API | ||||
|     of LetsEncrypt to prevent and blacklisting of your system. The API | ||||
|     endpoint is https://acme-staging-v02.api.letsencrypt.org/directory | ||||
| 
 | ||||
| Operation | ||||
| ========= | ||||
| 
 | ||||
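Review bot: the note under `acme url` reads "to prevent and blacklisting of your system", which is missing a word; suggest "to avoid rate limiting or blacklisting of your system". Also "This options defaults to 2048" should be "This option defaults to 2048", and both "This is a mandatory option" lines lack a terminating period. The `listen-address` entry would benefit from saying what the http-01 challenge requires of that address (it must be reachable by the CA on port 80), otherwise readers cannot tell why the option exists.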
| @ -292,3 +330,7 @@ also to display them. | ||||
| .. opcmd:: show pki crl | ||||
| 
 | ||||
|   Show a list of installed :abbr:`CRLs (Certificate Revocation List)`. | ||||
| 
 | ||||
| .. opcmd:: renew certbot | ||||
| 
 | ||||
|   Manually trigger certificate renewal. This will be done twice a day. | ||||
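Review bot: "Manually trigger certificate renewal. This will be done twice a day." reads as if the manual command itself runs twice a day; suggest "Manually trigger certificate renewal. Renewal is otherwise attempted automatically twice a day."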
|  | ||||
| @ -318,10 +318,12 @@ Route Map | ||||
|    Set BGP local preference attribute. | ||||
| 
 | ||||
| .. cfgcmd:: set policy route-map <text> rule <1-65535> set metric | ||||
|    <+/-metric|0-4294967295> | ||||
|    <+/-metric|0-4294967295|rtt|+rtt|-rtt> | ||||
| 
 | ||||
|    Set destination routing protocol metric. Add or subtract metric, or set | ||||
|    metric value. | ||||
|    Set the route metric. When used with BGP, set the BGP attribute MED | ||||
|    to a specific value. Use ``+/-`` to add or subtract the specified value | ||||
|    to/from the existing/MED. Use ``rtt`` to set the MED to the round trip | ||||
|    time or ``+rtt/-rtt`` to add/subtract the round trip time to/from the MED. | ||||
| 
 | ||||
| .. cfgcmd:: set policy route-map <text> rule <1-65535> set metric-type | ||||
|    <type-1|type-2> | ||||
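Review bot: "to/from the existing/MED" in the new `set metric` description is missing a word; suggest "to/from the existing metric/MED". The rest of the rewrite, including the new `rtt`, `+rtt` and `-rtt` values in the synopsis, is clearer than the old two-line text.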
|  | ||||
| @ -952,7 +952,7 @@ Operational Mode Commands | ||||
| Show | ||||
| ==== | ||||
| 
 | ||||
| .. opcmd:: show <ip|ipv6> bgp | ||||
| .. opcmd:: show bgp <ipv4|ipv6> | ||||
| 
 | ||||
|    This command displays all entries in BGP routing table. | ||||
| 
 | ||||
| @ -964,6 +964,7 @@ Show | ||||
|                   i internal, r RIB-failure, S Stale, R Removed | ||||
|    Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self | ||||
|    Origin codes:  i - IGP, e - EGP, ? - incomplete | ||||
|    RPKI validation codes: V valid, I invalid, N Not found | ||||
| 
 | ||||
|       Network          Next Hop            Metric LocPrf Weight Path | ||||
|    *> 198.51.100.0/24  10.0.34.4                0             0 65004 i | ||||
| @ -971,7 +972,7 @@ Show | ||||
| 
 | ||||
|    Displayed  2 routes and 2 total paths | ||||
| 
 | ||||
| .. opcmd:: show <ip|ipv6> bgp <address|prefix> | ||||
| .. opcmd:: show bgp <ipv4|ipv6> <address|prefix> | ||||
| 
 | ||||
|    This command displays information about the particular entry in the BGP | ||||
|    routing table. | ||||
| @ -991,55 +992,55 @@ Show | ||||
| 
 | ||||
|    This command displays routes with classless interdomain routing (CIDR). | ||||
| 
 | ||||
| .. opcmd:: show <ip|ipv6> bgp community <value> | ||||
| .. opcmd:: show bgp <ipv4|ipv6> community <value> | ||||
| 
 | ||||
|    This command displays routes that belong to specified BGP communities. | ||||
|    Valid value is a community number in the range from 1 to 4294967200, | ||||
|    or AA:NN (autonomous system-community number/2-byte number), no-export, | ||||
|    local-as, or no-advertise. | ||||
| 
 | ||||
| .. opcmd:: show <ip|ipv6> bgp community-list <name> | ||||
| .. opcmd:: show bgp <ipv4|ipv6> community-list <name> | ||||
| 
 | ||||
|    This command displays routes that are permitted by the BGP | ||||
|    community list. | ||||
| 
 | ||||
| .. opcmd:: show ip bgp dampened-paths | ||||
| .. opcmd:: show bgp <ipv4|ipv6> dampening dampened-paths | ||||
| 
 | ||||
|    This command displays BGP dampened routes. | ||||
| 
 | ||||
| .. opcmd:: show ip bgp flap-statistics | ||||
| .. opcmd:: show bgp <ipv4|ipv6> dampening flap-statistics | ||||
| 
 | ||||
|    This command displays information about flapping BGP routes. | ||||
| 
 | ||||
| .. opcmd:: show ip bgp filter-list <name> | ||||
| .. opcmd:: show bgp <ipv4|ipv6> filter-list <name> | ||||
| 
 | ||||
|    This command displays BGP routes allowed by the specified AS Path | ||||
|    access list. | ||||
| 
 | ||||
| .. opcmd:: show <ip|ipv6> bgp neighbors <address> advertised-routes | ||||
| .. opcmd:: show bgp <ipv4|ipv6> neighbors <address> advertised-routes | ||||
| 
 | ||||
|    This command displays BGP routes advertised to a neighbor. | ||||
| 
 | ||||
| .. opcmd:: show <ip|ipv6> bgp neighbors <address> received-routes | ||||
| .. opcmd:: show bgp <ipv4|ipv6> neighbors <address> received-routes | ||||
| 
 | ||||
|    This command displays BGP routes originating from the specified BGP | ||||
|    neighbor before inbound policy is applied. To use this command inbound | ||||
|    soft reconfiguration must be enabled. | ||||
| 
 | ||||
| .. opcmd:: show <ip|ipv6> bgp neighbors <address> routes | ||||
| .. opcmd:: show bgp <ipv4|ipv6> neighbors <address> routes | ||||
| 
 | ||||
|    This command displays BGP received-routes that are accepted after filtering. | ||||
| 
 | ||||
| .. opcmd:: show <ip|ipv6> bgp neighbors <address> dampened-routes | ||||
| .. opcmd:: show bgp <ipv4|ipv6> neighbors <address> dampened-routes | ||||
| 
 | ||||
|    This command displays dampened routes received from BGP neighbor. | ||||
| 
 | ||||
| .. opcmd:: show <ip|ipv6> bgp regexp <text> | ||||
| .. opcmd:: show bgp <ipv4|ipv6> regexp <text> | ||||
| 
 | ||||
|    This command displays information about BGP routes whose AS path | ||||
|    matches the specified regular expression. | ||||
| 
 | ||||
| .. opcmd:: show <ip|ipv6> bgp summary | ||||
| .. opcmd:: show bgp <ipv4|ipv6> summary | ||||
| 
 | ||||
|    This command displays the status of all BGP connections. | ||||
| 
 | ||||
|  | ||||
| @ -302,6 +302,34 @@ Timers | ||||
|   control the timing of the execution of SPF calculations in response | ||||
|   to IGP events. The process described in :rfc:`8405`. | ||||
| 
 | ||||
| Loop Free Alternate (LFA) | ||||
| ------------------------- | ||||
| 
 | ||||
| .. cfgcmd:: set protocols isis fast-reroute lfa remote prefix-list <name> | ||||
|   <level-1|level-2> | ||||
| 
 | ||||
|   This command enables IP fast re-routing that is part of :rfc:`5286`. | ||||
|   Specifically this is a prefix list which references a prefix in which | ||||
|   will select eligible PQ nodes for remote LFA backups.  | ||||
| 
 | ||||
| .. cfgcmd:: set protocols isis fast-reroute lfa local load-sharing disable | ||||
|   <level-1|level-2> | ||||
| 
 | ||||
|   This command disables the load sharing across multiple LFA backups. | ||||
| 
 | ||||
| .. cfgcmd:: set protocols isis fast-reroute lfa local tiebreaker | ||||
|   <downstream|lowest-backup-metric|node-protecting> index <number> | ||||
|   <level-1|level-2> | ||||
| 
 | ||||
|   This command will configure a tie-breaker for multiple local LFA backups. | ||||
|   The lower index numbers will be processed first. | ||||
|    | ||||
| .. cfgcmd:: set protocols isis fast-reroute lfa local priority-limit | ||||
|   <medium|high|critical> <level-1|level-2> | ||||
|    | ||||
|   This command will limit LFA backup computation up to the specified | ||||
|   prefix priority.  | ||||
| 
 | ||||
| 
 | ||||
| ******** | ||||
| Examples | ||||
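Review bot: the sentence under `fast-reroute lfa remote prefix-list` ("Specifically this is a prefix list which references a prefix in which will select eligible PQ nodes for remote LFA backups.") is ungrammatical; suggest "The referenced prefix list selects the eligible PQ nodes for remote LFA backups." The two lines around `priority-limit` and the line ending "prefix priority." carry trailing whitespace that should be stripped before merge.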
|  | ||||
| @ -4,7 +4,7 @@ | ||||
| DHCP Server | ||||
| ########### | ||||
| 
 | ||||
| VyOS uses ISC DHCP server for both IPv4 and IPv6 address assignment. | ||||
| VyOS uses Kea DHCP server for both IPv4 and IPv6 address assignment. | ||||
| 
 | ||||
| *********** | ||||
| IPv4 server | ||||
| @ -26,12 +26,7 @@ Configuration | ||||
|    Create DNS record per client lease, by adding clients to /etc/hosts file. | ||||
|    Entry will have format: `<shared-network-name>_<hostname>.<domain-name>` | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcp-server host-decl-name | ||||
| 
 | ||||
|    Will drop `<shared-network-name>_` from client DNS record, using only the | ||||
|    host declaration name and domain: `<hostname>.<domain-name>` | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcp-server shared-network-name <name> domain-name <domain-name> | ||||
| .. cfgcmd:: set service dhcp-server shared-network-name <name> option domain-name <domain-name> | ||||
| 
 | ||||
|    The domain-name parameter should be the domain name that will be appended to | ||||
|    the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP | ||||
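Review bot: with `host-decl-name` removed, the unchanged text above it still states that the DNS record has the format `<shared-network-name>_<hostname>.<domain-name>`; please confirm that this still holds with Kea, since the removed option was the documented way to drop the `<shared-network-name>_` prefix and the description now offers no alternative.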
| @ -40,7 +35,7 @@ Configuration | ||||
|    This is the configuration parameter for the entire shared network definition. | ||||
|    All subnets will inherit this configuration item if not specified locally. | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcp-server shared-network-name <name> domain-search <domain-name> | ||||
| .. cfgcmd:: set service dhcp-server shared-network-name <name> option domain-search <domain-name> | ||||
| 
 | ||||
|    The domain-name parameter should be the domain name used when completing DNS | ||||
|    request where no full FQDN is passed. This option can be given multiple times | ||||
| @ -49,7 +44,7 @@ Configuration | ||||
|    This is the configuration parameter for the entire shared network definition. | ||||
|    All subnets will inherit this configuration item if not specified locally. | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcp-server shared-network-name <name> name-server <address> | ||||
| .. cfgcmd:: set service dhcp-server shared-network-name <name> option name-server <address> | ||||
| 
 | ||||
|    Inform client that the DNS server can be found at `<address>`. | ||||
| 
 | ||||
| @ -58,21 +53,6 @@ Configuration | ||||
| 
 | ||||
|    Multiple DNS servers can be defined. | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcp-server shared-network-name <name> ping-check | ||||
| 
 | ||||
|    When the DHCP server is considering dynamically allocating an IP address to a | ||||
|    client, it first sends an ICMP Echo request (a ping) to the address being | ||||
|    assigned. It waits for a second, and if no ICMP Echo response has been heard, | ||||
|    it assigns the address. | ||||
| 
 | ||||
|    If a response is heard, the lease is abandoned, and the server does not | ||||
|    respond to the client. The lease will remain abandoned for a minimum of | ||||
|    abandon-lease-time seconds (defaults to 24 hours). | ||||
| 
 | ||||
|    If there are no free addresses but there are abandoned IP addresses, the | ||||
|    DHCP server will attempt to reclaim an abandoned IP address regardless of the | ||||
|    value of abandon-lease-time. | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcp-server listen-address <address> | ||||
| 
 | ||||
|    This configuration parameter lets the DHCP server to listen for DHCP  | ||||
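Review bot: the shared-network `ping-check` entry, together with its abandon-lease-time explanation, is removed without any replacement text; a one-line remark that this option is not available with the Kea server would help readers migrating configurations that set it, otherwise the removal is silent.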
| @ -91,14 +71,20 @@ Individual Client Subnet | ||||
|    network. | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> | ||||
|    default-router <address> | ||||
|    subnet-id <id> | ||||
| 
 | ||||
|    This configuration parameter is required and must be unique to each subnet. | ||||
|    It is required to map subnets to lease file entries. | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> | ||||
|    option default-router <address> | ||||
| 
 | ||||
|    This is a configuration parameter for the `<subnet>`, saying that as part of | ||||
|    the response, tell the client that the default gateway can be reached at | ||||
|    `<address>`. | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> | ||||
|    name-server <address> | ||||
|    option name-server <address> | ||||
| 
 | ||||
|    This is a configuration parameter for the subnet, saying that as part of the | ||||
|    response, tell the client that the DNS server can be found at `<address>`. | ||||
| @ -133,40 +119,19 @@ Individual Client Subnet | ||||
|    This option can be specified multiple times. | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> | ||||
|    domain-name <domain-name> | ||||
|    option domain-name <domain-name> | ||||
| 
 | ||||
|    The domain-name parameter should be the domain name that will be appended to | ||||
|    the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP | ||||
|    Option 015). | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> | ||||
|    domain-search <domain-name> | ||||
|    option domain-search <domain-name> | ||||
| 
 | ||||
|    The domain-name parameter should be the domain name used when completing DNS | ||||
|    request where no full FQDN is passed. This option can be given multiple times | ||||
|    if you need multiple search domains (DHCP Option 119). | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> | ||||
|    ping-check | ||||
| 
 | ||||
|    When the DHCP server is considering dynamically allocating an IP address to a | ||||
|    client, it first sends an ICMP Echo request (a ping) to the address being | ||||
|    assigned. It waits for a second, and if no ICMP Echo response has been heard, | ||||
|    it assigns the address. | ||||
| 
 | ||||
|    If a response is heard, the lease is abandoned, and the server does not | ||||
|    respond to the client. The lease will remain abandoned for a minimum of | ||||
|    abandon-lease-time seconds (defaults to 24 hours). | ||||
| 
 | ||||
|    If a there are no free addresses but there are abandoned IP addresses, the | ||||
|    DHCP server will attempt to reclaim an abandoned IP address regardless of the | ||||
|    value of abandon-lease-time. | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> | ||||
|    enable-failover | ||||
| 
 | ||||
|    Enable DHCP failover configuration for this address pool. | ||||
| 
 | ||||
| Failover | ||||
| -------- | ||||
| 
 | ||||
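Review bot: `enable-failover` is removed from the subnet commands, but the `Failover` heading directly below remains as unchanged context; check that the failover section no longer tells readers to enable failover per subnet. The subnet-level `ping-check` removal here matches the shared-network-level removal earlier in the patch, which is good.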
| @ -238,6 +203,7 @@ inside the subnet definition but can be outside of the range statement. | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 subnet-id 1 | ||||
|   set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 ip-address 192.168.1.100 | ||||
|   set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac-address aa:bb:11:22:33:00 | ||||
| 
 | ||||
| @ -251,6 +217,7 @@ The configuration will look as follows: | ||||
|            ip-address 192.168.1.100 | ||||
|            mac-address aa:bb:11:22:33:00 | ||||
|        } | ||||
|        subnet-id 1 | ||||
|    } | ||||
| 
 | ||||
| Options | ||||
| @ -391,32 +358,6 @@ Options | ||||
| 
 | ||||
| Multi: can be specified multiple times. | ||||
| 
 | ||||
| Raw Parameters | ||||
| ============== | ||||
| 
 | ||||
| Raw parameters can be passed to shared-network-name, subnet and static-mapping: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set service dhcp-server shared-network-name <name> shared-network-parameters | ||||
|      <text>       Additional shared-network parameters for DHCP server. | ||||
|   set service dhcp-server shared-network-name <name> subnet <subnet> subnet-parameters | ||||
|      <text>       Additional subnet parameters for DHCP server. | ||||
|   set service dhcp-server shared-network-name <name> subnet <subnet> static-mapping <description> static-mapping-parameters | ||||
|      <text>       Additional static-mapping parameters for DHCP server. | ||||
|                   Will be placed inside the "host" block of the mapping. | ||||
| 
 | ||||
| These parameters are passed as-is to isc-dhcp's dhcpd.conf under the | ||||
| configuration node they are defined in. They are not validated so an error in | ||||
| the raw parameters won't be caught by vyos's scripts and will cause dhcpd to | ||||
| fail to start. Always verify that the parameters are correct before committing | ||||
| the configuration. Refer to isc-dhcp's dhcpd.conf manual for more information: | ||||
| https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdconf | ||||
| 
 | ||||
| Quotes can be used inside parameter values by replacing all quote characters | ||||
| with the string ``"``. They will be replaced with literal quote characters | ||||
| when generating dhcpd.conf. | ||||
| 
 | ||||
| Example | ||||
| ======= | ||||
| 
 | ||||
| @ -439,12 +380,12 @@ Common configuration, valid for both primary and secondary node. | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 default-router '192.0.2.254' | ||||
|   set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 name-server '192.0.2.254' | ||||
|   set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 domain-name 'vyos.net' | ||||
|   set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option default-router '192.0.2.254' | ||||
|   set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option name-server '192.0.2.254' | ||||
|   set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option domain-name 'vyos.net' | ||||
|   set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 start '192.0.2.10' | ||||
|   set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop '192.0.2.250' | ||||
|   set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 enable-failover | ||||
|   set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 subnet-id '1' | ||||
| 
 | ||||
| 
 | ||||
| **Primary** | ||||
| @ -467,47 +408,6 @@ Common configuration, valid for both primary and secondary node. | ||||
| 
 | ||||
| .. _dhcp-server:v4_example_raw: | ||||
| 
 | ||||
| Raw Parameters | ||||
| -------------- | ||||
| 
 | ||||
| * Override static-mapping's name-server with a custom one that will be sent only | ||||
|   to this host. | ||||
| * An option that takes a quoted string is set by replacing all quote characters | ||||
|   with the string ``"`` inside the static-mapping-parameters value. | ||||
|   The resulting line in dhcpd.conf will be | ||||
|   ``option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";``. | ||||
| 
 | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option domain-name-servers 192.0.2.11, 192.0.2.12;" | ||||
|   set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";" | ||||
| 
 | ||||
| Option 43 for UniFI | ||||
| ------------------- | ||||
| 
 | ||||
| * These parameters need to be part of the DHCP global options. | ||||
|   They stay unchanged. | ||||
| 
 | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|  set service dhcp-server global-parameters 'option space ubnt;' | ||||
|  set service dhcp-server global-parameters 'option ubnt.unifi-address code 1 = ip-address;' | ||||
|  set service dhcp-server global-parameters 'class "ubnt" {' | ||||
|  set service dhcp-server global-parameters 'match if substring (option vendor-class-identifier, 0, 4) = "ubnt";' | ||||
|  set service dhcp-server global-parameters 'option vendor-class-identifier "ubnt";' | ||||
|  set service dhcp-server global-parameters 'vendor-option-space ubnt;' | ||||
|  set service dhcp-server global-parameters '}' | ||||
| 
 | ||||
| * Now we add the option to the scope, adapt to your setup | ||||
| 
 | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|  set service dhcp-server shared-network-name example-scope subnet 10.1.1.0/24 subnet-parameters 'option ubnt.unifi-address 172.16.1.10;' | ||||
| 
 | ||||
| 
 | ||||
| Operation Mode | ||||
| ============== | ||||
| 
 | ||||
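Review bot: this hunk removes the Raw Parameters and Option 43 for UniFi example sections, but the surviving text near the top of the same file still explains `static-mapping-parameters` quoting and states that raw parameters are passed unvalidated to dhcpd.conf. If raw parameters are gone in this release, that description should go as well; if they remain, keep at least the `static-mapping-parameters` example, because the quoting rule is hard to follow without one, and give a replacement for the vendor-option (Option 43) example, which is the most common use of `global-parameters` / `subnet-parameters`.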
| @ -549,18 +449,43 @@ Operation Mode | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   vyos@vyos:~$ show dhcp server leases | ||||
|   IP address      Hardware address    State    Lease start          Lease expiration     Remaining   Pool         Hostname | ||||
|   --------------  ------------------  -------  -------------------  -------------------  ----------  -----------  --------- | ||||
|   192.0.2.104     00:53:01:dd:ee:ff   active   2019/12/05 14:24:23  2019/12/06 02:24:23  6:05:35     dhcpexample  test1 | ||||
|   192.0.2.115     00:53:01:ae:af:bf   active   2019/12/05 18:02:37  2019/12/06 06:02:37  9:43:49     dhcpexample  test2 | ||||
|   IP Address      MAC address        State    Lease start          Lease expiration     Remaining    Pool      Hostname    Origin | ||||
|   --------------  -----------------  -------  -------------------  -------------------  -----------  --------  ----------  -------- | ||||
|   192.168.11.134  00:50:79:66:68:09  active   2023/11/29 09:51:05  2023/11/29 10:21:05  0:24:10      LAN       VPCS1       local | ||||
|   192.168.11.133  50:00:00:06:00:00  active   2023/11/29 09:51:38  2023/11/29 10:21:38  0:24:43      LAN       VYOS-6      local | ||||
|   10.11.11.108    50:00:00:05:00:00  active   2023/11/29 09:51:43  2023/11/29 10:21:43  0:24:48      VIF-1001  VYOS5       local | ||||
|   192.168.11.135  00:50:79:66:68:07  active   2023/11/29 09:55:16  2023/11/29 09:59:16  0:02:21                            remote | ||||
|   vyos@vyos:~$ | ||||
| 
 | ||||
| .. hint:: Static mappings aren't shown. To show all states, use | ||||
|    ``show dhcp server leases state all``. | ||||
| 
 | ||||
| .. opcmd:: show dhcp server leases origin [local | remote] | ||||
| 
 | ||||
|    Show statuses of all active leases granted by local (this server) or | ||||
|    remote (failover server): | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   vyos@vyos:~$ show dhcp server leases origin remote | ||||
|   IP Address      MAC address        State    Lease start          Lease expiration     Remaining    Pool      Hostname    Origin | ||||
|   --------------  -----------------  -------  -------------------  -------------------  -----------  --------  ----------  -------- | ||||
|   192.168.11.135  00:50:79:66:68:07  active   2023/11/29 09:55:16  2023/11/29 09:59:16  0:02:21                            remote | ||||
|   vyos@vyos:~$ | ||||
| 
 | ||||
| .. opcmd:: show dhcp server leases pool <pool> | ||||
| 
 | ||||
|    Show only leases in the specified pool. | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   vyos@vyos:~$ show dhcp server leases pool LAN | ||||
|   IP Address      MAC address        State    Lease start          Lease expiration     Remaining    Pool    Hostname    Origin | ||||
|   --------------  -----------------  -------  -------------------  -------------------  -----------  ------  ----------  -------- | ||||
|   192.168.11.134  00:50:79:66:68:09  active   2023/11/29 09:51:05  2023/11/29 10:21:05  0:23:55      LAN     VPCS1       local | ||||
|   192.168.11.133  50:00:00:06:00:00  active   2023/11/29 09:51:38  2023/11/29 10:21:38  0:24:28      LAN     VYOS-6      local | ||||
|   vyos@vyos:~$ | ||||
| 
 | ||||
| .. opcmd:: show dhcp server leases sort <key> | ||||
| 
 | ||||
|    Sort the output by the specified key. Possible keys: ip, hardware_address, | ||||
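Review bot: the new `show dhcp server leases` sample output switches from the documentation range the old output used (192.0.2.0/24, RFC 5737) to lab addresses (192.168.11.0/24, 10.11.11.0/24) and real-looking MAC addresses (00:50:79:..., 50:00:00:...); keep documentation ranges so readers do not copy live-looking values into their own configs. Also, the `remote` row has empty Pool and Hostname columns with no explanation; a sentence under the new `origin` opcmd saying why leases learned from the failover peer show no pool or hostname would prevent readers from reading that as a failure.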
| @ -572,7 +497,6 @@ Operation Mode | ||||
|    free, expired, released, abandoned, reset, backup (default = active) | ||||
| 
 | ||||
| 
 | ||||
| 
 | ||||
| *********** | ||||
| IPv6 server | ||||
| *********** | ||||
| @ -590,6 +514,12 @@ Configuration | ||||
|    Clients receiving advertise messages from multiple servers choose the server | ||||
|    with the highest preference value. The range for this value is ``0...255``. | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet <subnet> | ||||
|    subnet-id <id> | ||||
| 
 | ||||
|    This configuration parameter is required and must be unique to each subnet. | ||||
|    It is required to map subnets to lease file entries. | ||||
| 
 | ||||
| .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet | ||||
|    <prefix> lease-time {default | maximum | minimum} | ||||
| 
 | ||||
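Review bot: placeholder naming is inconsistent: the new `subnet-id` command uses `subnet <subnet>` while the adjacent `lease-time` command uses `subnet <prefix>`; pick one. Since the text says the parameter is required and unique, also state what happens at commit time when it is missing, so readers upgrading existing dhcpv6-server configurations know they have to add it to every subnet.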
| @ -666,6 +596,7 @@ server. The following example describes a common scenario. | ||||
| 
 | ||||
|   set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 address-range start 2001:db8::100 stop 2001:db8::199 | ||||
|   set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 name-server 2001:db8::ffff | ||||
|   set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 subnet-id 1 | ||||
| 
 | ||||
| The configuration will look as follows: | ||||
| 
 | ||||
| @ -680,6 +611,7 @@ The configuration will look as follows: | ||||
|                 } | ||||
|              } | ||||
|              name-server 2001:db8::ffff | ||||
|              subnet-id 1 | ||||
|           } | ||||
|       } | ||||
| 
 | ||||
|  | ||||
| @ -143,6 +143,19 @@ avoid being tracked by the provider of your upstream DNS server. | ||||
|    168.192.in-addr.arpa, 16-31.172.in-addr.arpa, which enabling upstream | ||||
|    DNS server(s) to be used for reverse lookups of these zones. | ||||
| 
 | ||||
| .. cfgcmd:: set service dns forwarding serve-stale-extension <0-65535> | ||||
| 
 | ||||
|    Maximum number of times an expired record’s TTL is extended by 30s when | ||||
|    serving stale. Extension only occurs if a record cannot be refreshed. A | ||||
|    value of 0 means the Serve Stale mechanism is not used. To allow records | ||||
|    becoming stale to be served for an hour, use a value of 120. | ||||
| 
 | ||||
| .. cfgcmd:: set service dns forwarding exclude-throttle-address <ip|prefix> | ||||
| 
 | ||||
|    When an authoritative server does not answer a query or sends a reply the | ||||
|    recursor does not like, it is throttled. Any servers matching the supplied | ||||
|    netmasks will never be throttled. | ||||
| 
 | ||||
| Example | ||||
| ======= | ||||
| 
 | ||||
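Review bot: `exclude-throttle-address <ip|prefix>` takes a single value, but the description says "any servers matching the supplied netmasks"; say whether the node is multi-valued and use "prefixes" to match the placeholder. A caveat is worth adding too: throttling is what stops the recursor from repeatedly querying an authoritative server that is failing or returning bad replies, so an exclusion should be limited to trusted internal authoritative servers rather than applied to upstream networks at large. For `serve-stale-extension`, also state the default, since a reader cannot tell from the text whether serve-stale is off unless configured.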
|  | ||||
| @ -1,7 +1,7 @@ | ||||
| .. _http-api: | ||||
| 
 | ||||
| ######## | ||||
| HTTP-API | ||||
| HTTP API | ||||
| ######## | ||||
| 
 | ||||
| VyOS provide an HTTP API. You can use it to execute op-mode commands, | ||||
| @ -13,6 +13,51 @@ Please take a look at the :ref:`vyosapi` page for an detailed how-to. | ||||
| Configuration | ||||
| ************* | ||||
| 
 | ||||
| .. cfgcmd:: set service https allow-client address <address> | ||||
| 
 | ||||
|    Only allow certain IP addresses or prefixes to access the https | ||||
|    webserver. | ||||
| 
 | ||||
| .. cfgcmd:: set service https certificates ca-certificate <name> | ||||
| 
 | ||||
|    Use CA certificate from PKI subsystem | ||||
| 
 | ||||
| .. cfgcmd:: set service https certificates certificate <name> | ||||
| 
 | ||||
|    Use certificate from PKI subsystem | ||||
| 
 | ||||
| .. cfgcmd:: set service https certificates dh-params <name> | ||||
| 
 | ||||
|    Use :abbr:`DH (Diffie–Hellman)` parameters from PKI subsystem. | ||||
|    Must be at least 2048 bits in length. | ||||
| 
 | ||||
| .. cfgcmd:: set service https listen-address <address> | ||||
| 
 | ||||
|    Webserver should only listen on specified IP address | ||||
| 
 | ||||
| .. cfgcmd:: set service https port <number> | ||||
| 
 | ||||
|    Webserver should listen on specified port. | ||||
| 
 | ||||
|    Default: 443 | ||||
| 
 | ||||
| .. cfgcmd:: set service https enable-http-redirect | ||||
| 
 | ||||
|    Enable automatic redirect from http to https. | ||||
| 
 | ||||
| .. cfgcmd:: set service https tls-version <1.2 | 1.3> | ||||
| 
 | ||||
|    Select TLS version used. | ||||
| 
 | ||||
|    This defaults to both 1.2 and 1.3. | ||||
| 
 | ||||
| .. cfgcmd:: set service https vrf <name> | ||||
| 
 | ||||
|    Start Webserver in given  VRF. | ||||
| 
 | ||||
| API | ||||
| === | ||||
| 
 | ||||
| .. cfgcmd:: set service https api keys id <name> key <apikey> | ||||
| 
 | ||||
|    Set a named api key. Every key has the same, full permissions | ||||
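Review bot: `allow-client address <address>` does not state the default; say explicitly that without it the webserver, and with it the API, accepts connections from any source, which is the fact a reader hardening the service needs. Minor: "Start Webserver in given  VRF." has a double space, and the `ca-certificate`, `certificate` and `listen-address` descriptions lack the trailing period the other entries have.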
| @ -27,42 +72,6 @@ Configuration | ||||
| 
 | ||||
|    Enforce strict path checking | ||||
| 
 | ||||
| .. cfgcmd:: set service https virtual-host <vhost> listen-address | ||||
|             <ipv4 or ipv6 address> | ||||
| 
 | ||||
|    Address to listen for HTTPS requests | ||||
| 
 | ||||
| .. cfgcmd:: set service https virtual-host <vhost> port <1-65535> | ||||
| 
 | ||||
|    Port to listen for HTTPS requests; default 443 | ||||
| 
 | ||||
| .. cfgcmd:: set service https virtual-host <vhost> server-name <text> | ||||
| 
 | ||||
|    Server names for virtual hosts it can be exact, wildcard or regex. | ||||
| 
 | ||||
| .. cfgcmd:: set service https api-restrict virtual-host <vhost> | ||||
| 
 | ||||
|    By default, nginx exposes the local API on all virtual servers. | ||||
|    Use this to restrict nginx to one or more virtual hosts. | ||||
| 
 | ||||
| .. cfgcmd:: set service https certificates certbot domain-name <text> | ||||
| 
 | ||||
|    Domain name(s) for which to obtain certificate | ||||
| 
 | ||||
| .. cfgcmd:: set service https certificates certbot email | ||||
| 
 | ||||
|    Email address to associate with certificate | ||||
| 
 | ||||
| .. cfgcmd:: set service https certificates system-generated-certificate | ||||
| 
 | ||||
|    Use an automatically generated self-signed certificate | ||||
| 
 | ||||
| .. cfgcmd:: set service https certificates system-generated-certificate | ||||
|    lifetime <days> | ||||
| 
 | ||||
|    Lifetime in days; default is 365 | ||||
| 
 | ||||
| 
 | ||||
| ********************* | ||||
| Example Configuration | ||||
| ********************* | ||||
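Review bot: removing `certbot` and `system-generated-certificate` leaves no statement of what the webserver presents when no `certificates certificate <name>` is configured, nor of how a certificate is obtained now; add a sentence to the new certificates section covering the default behaviour and linking to the PKI page. Also check the rest of this page and the API how-to for leftover `virtual-host` and `api-restrict` references, since those nodes are gone.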
| @ -72,16 +81,3 @@ Set an API-KEY is the minimal configuration to get a working API Endpoint. | ||||
| .. code-block:: none | ||||
| 
 | ||||
|    set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY | ||||
| 
 | ||||
| 
 | ||||
| To use this full configuration we asume a public accessible hostname. | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|    set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY | ||||
|    set service https certificates certbot domain-name rtr01.example.com | ||||
|    set service https certificates certbot email mail@example.com | ||||
|    set service https virtual-host rtr01 listen-address 198.51.100.2 | ||||
|    set service https virtual-host rtr01 port 11443 | ||||
|    set service https virtual-host rtr01 server-name rtr01.example.com | ||||
|    set service https api-restrict virtual-host rtr01 | ||||
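Review bot: with the full example removed, the only example left is an API key on an otherwise default webserver. Since the key is stored in plaintext in the configuration, add a second example that combines `api keys` with `allow-client address`, `listen-address` and `certificates certificate`, so readers see the API restricted to a management network with a proper certificate rather than reachable on every address.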
|  | ||||
| @ -54,7 +54,7 @@ Configuration | ||||
|    Disable transmit of LLDP frames on given `<interface>`. Useful to exclude | ||||
|    certain interfaces from LLDP when ``all`` have been enabled. | ||||
| 
 | ||||
| .. cfgcmd:: set service lldp snmp enable | ||||
| .. cfgcmd:: set service lldp snmp | ||||
| 
 | ||||
|    Enable SNMP queries of the LLDP database | ||||
| 
 | ||||
|  | ||||
| @ -109,11 +109,11 @@ Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided. | ||||
| Telegraf is the open source server agent to help you collect metrics, events | ||||
| and logs from your routers. | ||||
| 
 | ||||
| .. cfgcmd:: set service monitoring telegraf authentication organization <organization> | ||||
| .. cfgcmd:: set service monitoring telegraf influxdb authentication organization <organization> | ||||
| 
 | ||||
|    Authentication organization name | ||||
| 
 | ||||
| .. cfgcmd:: set service monitoring telegraf authentication token <token> | ||||
| .. cfgcmd:: set service monitoring telegraf influxdb authentication token <token> | ||||
| 
 | ||||
|    Authentication token | ||||
| 
 | ||||
| @ -121,11 +121,11 @@ and logs from your routers. | ||||
| 
 | ||||
|    Remote ``InfluxDB`` bucket name | ||||
| 
 | ||||
| .. cfgcmd:: set service monitoring port <port> | ||||
| .. cfgcmd:: set service monitoring telegraf influxdb port <port> | ||||
| 
 | ||||
|    Remote port | ||||
| 
 | ||||
| .. cfgcmd:: set service monitoring telegraf url <url> | ||||
| .. cfgcmd:: set service monitoring telegraf influxdb url <url> | ||||
| 
 | ||||
|    Remote URL | ||||
| 
 | ||||
| @ -138,12 +138,11 @@ An example of a configuration that sends ``telegraf`` metrics to remote | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set service monitoring telegraf authentication organization 'vyos' | ||||
|   set service monitoring telegraf authentication token 'ZAml9Uy5wrhA...==' | ||||
|   set service monitoring telegraf bucket 'bucket_vyos' | ||||
|   set service monitoring telegraf port '8086' | ||||
|   set service monitoring telegraf source 'all' | ||||
|   set service monitoring telegraf url 'http://r1.influxdb2.local' | ||||
|   set service monitoring telegraf influxdb authentication organization 'vyos' | ||||
|   set service monitoring telegraf influxdb authentication token 'ZAml9Uy5wrhA...==' | ||||
|   set service monitoring telegraf influxdb bucket 'bucket_vyos' | ||||
|   set service monitoring telegraf influxdb port '8086' | ||||
|   set service monitoring telegraf influxdb url 'http://r1.influxdb2.local' | ||||
| 
 | ||||
| .. _azure-data-explorer: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/azure_data_explorer | ||||
| .. _prometheus-client: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/prometheus_client | ||||
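Review bot: the old example's `set service monitoring telegraf source 'all'` line is dropped without a replacement, while the rest of the hunk only moves nodes under `influxdb`; confirm whether `source` was removed or merely omitted, and if it still exists keep it in the example or state its default.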
|  | ||||
| @ -57,48 +57,35 @@ Client Address Pools | ||||
| -------------------- | ||||
| 
 | ||||
| To automatically assign the client an IP address as tunnel endpoint, a | ||||
| client IP pool is needed. The source can be either RADIUS or a local | ||||
| subnet or IP range definition. | ||||
| 
 | ||||
| Once the local tunnel endpoint ``set service pppoe-server gateway-address | ||||
| '10.1.1.2'`` has been defined, the client IP pool can be either defined | ||||
| as a range or as subnet using CIDR notation. If the CIDR notation is | ||||
| used, multiple subnets can be setup which are used sequentially. | ||||
| client IP pool is needed. The source can be either RADIUS or a | ||||
| named pool. There is possibility to create multiple named pools. | ||||
| Each named pool can include only one address range. To use multiple | ||||
| address ranges configure ``next-pool`` option. | ||||
| 
 | ||||
| 
 | ||||
| **Client IP address via IP range definition** | ||||
| 
 | ||||
| .. cfgcmd:: set service pppoe-server client-ip-pool start <address> | ||||
| .. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> | ||||
| 
 | ||||
|    Use this command to define the first IP address of a pool of | ||||
|    addresses to be given to PPPoE clients. It must be within a /24 | ||||
|    subnet. | ||||
|    Use this command to define the IP address range to be given | ||||
|    to PPPoE clients. If notation ``x.x.x.x-x.x.x.x``, | ||||
|    it must be within a /24 subnet. If notation ``x.x.x.x/x`` is | ||||
|    used there is possibility to set host/netmask. | ||||
| 
 | ||||
| .. cfgcmd:: set service pppoe-server client-ip-pool stop <address> | ||||
| .. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> | ||||
| 
 | ||||
|    Use this command to define the last IP address of a pool of | ||||
|    addresses to be given to PPPoE clients. It must be within a /24 | ||||
|    subnet. | ||||
|    Use this command to define the next address pool name. | ||||
| 
 | ||||
| .. cfgcmd:: set service pppoe-server default-pool <POOL-NAME> | ||||
| 
 | ||||
|    Use this command to define default address pool name. | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set service pppoe-server client-ip-pool start '10.1.1.100' | ||||
|   set service pppoe-server client-ip-pool stop '10.1.1.111' | ||||
| 
 | ||||
| 
 | ||||
| **Client IP subnets via CIDR notation** | ||||
| 
 | ||||
| .. cfgcmd:: set service pppoe-server client-ip-pool subnet <address> | ||||
| 
 | ||||
|    Use this command for every pool of client IP addresses you want to | ||||
|    define. The addresses of this pool will be given to PPPoE clients. | ||||
|    You must use CIDR notation. | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set service pppoe-server client-ip-pool subnet '10.1.1.0/24' | ||||
|   set service pppoe-server client-ip-pool subnet '10.1.2.0/23' | ||||
|   set service pppoe-server client-ip-pool subnet '10.1.4.0/22' | ||||
|   set service pppoe-server client-ip-pool IP-POOL next-pool 'IP-POOL2' | ||||
|   set service pppoe-server client-ip-pool IP-POOL range '10.0.10.5/24' | ||||
|   set service pppoe-server client-ip-pool IP-POOL2 range '10.0.0.10-10.0.0.12' | ||||
|   set service pppoe-server default-pool 'IP-POOL' | ||||
| 
 | ||||
| 
 | ||||
| **RADIUS based IP pools (Framed-IP-Address)** | ||||
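Review bot: the semantics of the `x.x.x.x/x` form are not explained: "there is possibility to set host/netmask" does not say what the host part and the prefix length each mean, e.g. whether `10.0.10.5/24` makes the pool run from .5 to the end of the /24 and hands clients a /24 mask. Spell that out, and complete the other sentence: "If the ``x.x.x.x-x.x.x.x`` notation is used, the range must be within a /24 subnet." "There is possibility to create multiple named pools" reads better as "Multiple named pools can be created." The removed paragraph also tied pools to `gateway-address`; if that is still required, keep the reference.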
| @ -213,8 +200,8 @@ For Local Users | ||||
|   set service pppoe-server authentication local-users username foo rate-limit download '20480' | ||||
|   set service pppoe-server authentication local-users username foo rate-limit upload '10240' | ||||
|   set service pppoe-server authentication mode 'local' | ||||
|   set service pppoe-server client-ip-pool start '10.1.1.100' | ||||
|   set service pppoe-server client-ip-pool stop '10.1.1.111' | ||||
|   set service pppoe-server client-ip-pool IP-POOL range '10.1.1.100/24' | ||||
|   set service pppoe-server default-pool 'IP-POOL' | ||||
|   set service pppoe-server name-server '10.100.100.1' | ||||
|   set service pppoe-server name-server '10.100.200.1' | ||||
|   set service pppoe-server interface 'eth1' | ||||
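Review bot: `range '10.1.1.100/24'` is not equivalent to the replaced `start '10.1.1.100'` / `stop '10.1.1.111'` pair: the old pool covered 12 addresses, the new one apparently extends to the end of the /24. Use `range '10.1.1.100-10.1.1.111'`, as the later example in this file does, unless widening the pool is intended; the same applies to the dual-stack example further down, which replaces start/stop 192.168.0.1-10 with `'192.168.0.1/24'`.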
| @ -367,8 +354,8 @@ address from the pool 10.1.1.100-111, terminates at the local endpoint | ||||
|   set service pppoe-server access-concentrator 'ACN' | ||||
|   set service pppoe-server authentication local-users username foo password 'bar' | ||||
|   set service pppoe-server authentication mode 'local' | ||||
|   set service pppoe-server client-ip-pool start '10.1.1.100' | ||||
|   set service pppoe-server client-ip-pool stop '10.1.1.111' | ||||
|   set service pppoe-server client-ip-pool IP-POOL range '10.1.1.100-10.1.1.111' | ||||
|   set service pppoe-server default-pool 'IP-POOL' | ||||
|   set service pppoe-server interface eth1 | ||||
|   set service pppoe-server gateway-address '10.1.1.2' | ||||
|   set service pppoe-server name-server '10.100.100.1' | ||||
| @ -385,8 +372,8 @@ The example below covers a dual-stack configuration via pppoe-server. | ||||
| 
 | ||||
|   set service pppoe-server authentication local-users username test password 'test' | ||||
|   set service pppoe-server authentication mode 'local' | ||||
|   set service pppoe-server client-ip-pool start '192.168.0.1' | ||||
|   set service pppoe-server client-ip-pool stop '192.168.0.10' | ||||
|   set service pppoe-server client-ip-pool IP-POOL range '192.168.0.1/24' | ||||
|   set service pppoe-server default-pool 'IP-POOL' | ||||
|   set service pppoe-server client-ipv6-pool delegate '2001:db8:8003::/48' delegation-prefix '56' | ||||
|   set service pppoe-server client-ipv6-pool prefix '2001:db8:8002::/48' mask '64' | ||||
|   set service pppoe-server ppp-options ipv6 allow | ||||
|  | ||||
| @ -46,9 +46,23 @@ Configure | ||||
|     | Use `delete system conntrack modules` to deactive all modules. | ||||
|     | Or, for example ftp, `delete system conntrack modules ftp`. | ||||
| 
 | ||||
| .. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836> | ||||
|     :defaultvalue: | ||||
| 
 | ||||
| Define Conection Timeouts | ||||
| ========================= | ||||
|     Set the maximum number of TCP half-open connections. | ||||
| 
 | ||||
| .. cfgcmd:: set system conntrack tcp loose <enable | disable> | ||||
|     :defaultvalue: | ||||
| 
 | ||||
|     Policy to track previously established connections. | ||||
| 
 | ||||
| .. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647> | ||||
|     :defaultvalue: | ||||
| 
 | ||||
|     Set the number of TCP maximum retransmit attempts. | ||||
| 
 | ||||
| Contrack Timeouts | ||||
| ================= | ||||
| 
 | ||||
| VyOS supports setting timeouts for connections according to the | ||||
| connection type. You can set timeout values for generic connections, for ICMP | ||||
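Review bot: the new section heading "Contrack Timeouts" is misspelled (should be "Conntrack Timeouts"), so the typo in the replaced "Define Conection Timeouts" heading is swapped for another. For `tcp loose <enable | disable>`, "Policy to track previously established connections" hides the security relevance: with loose tracking enabled, conntrack creates an entry for a TCP flow it never saw a SYN for (a mid-stream ACK is enough), so stateful rules keyed on `established` will also admit such picked-up flows; a sentence saying that, together with the default, lets readers decide whether to disable it.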
| @ -82,34 +96,48 @@ states. | ||||
| 
 | ||||
|     Set the timeout in secounds for a protocol or state. | ||||
| 
 | ||||
| 
 | ||||
| You can also define custom timeout values to apply to a specific subset of | ||||
| connections, based on a packet and flow selector. To do this, you need to | ||||
| create a rule defining the packet and flow selector. | ||||
| 
 | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> description <test> | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    description <test> | ||||
| 
 | ||||
|     Set a rule description. | ||||
| 
 | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    destination address <ip-address> | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    source address <ip-address> | ||||
| 
 | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination address <ip-address> | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> source address <ip-address> | ||||
| 
 | ||||
|     set a destination and/or source address. Accepted input: | ||||
|     Set a destination and/or source address. Accepted input for ipv4: | ||||
| 
 | ||||
|     .. code-block:: none | ||||
| 
 | ||||
|         <x.x.x.x>    IP address to match | ||||
|         <x.x.x.x/x>  Subnet to match | ||||
|         <x.x.x.x>-<x.x.x.x> | ||||
|                         IP range to match | ||||
|         set system conntrack timeout custom ipv4 rule <1-999999> [source | destination] address | ||||
|         Possible completions: | ||||
|            <x.x.x.x>            IPv4 address to match | ||||
|            <x.x.x.x/x>          IPv4 prefix to match | ||||
|            <x.x.x.x>-<x.x.x.x>  IPv4 address range to match | ||||
|            !<x.x.x.x>           Match everything except the specified address | ||||
|         !<x.x.x.x/x> Match everything except the specified subnet | ||||
|         !<x.x.x.x>-<x.x.x.x> | ||||
|            !<x.x.x.x/x>         Match everything except the specified prefix | ||||
|            !<x.x.x.x>-<x.x.x.x> Match everything except the specified range | ||||
| 
 | ||||
|         set system conntrack timeout custom ipv6 rule <1-999999> [source | destination] address | ||||
|         Possible completions: | ||||
|            <h:h:h:h:h:h:h:h>    IP address to match | ||||
|            <h:h:h:h:h:h:h:h/x>  Subnet to match | ||||
|            <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h> | ||||
|                                 IP range to match | ||||
|            !<h:h:h:h:h:h:h:h>   Match everything except the specified address | ||||
|            !<h:h:h:h:h:h:h:h/x> Match everything except the specified prefix | ||||
|            !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h> | ||||
|                                 Match everything except the specified range | ||||
| 
 | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination port <value> | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> source port <value> | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    destination port <value> | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    source port <value> | ||||
| 
 | ||||
|     Set a destination and/or source port. Accepted input: | ||||
| 
 | ||||
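Review bot: the lead sentence "Accepted input for ipv4:" now introduces a block that also lists the IPv6 completions, so it should read "Accepted input for ipv4 and ipv6:" or the IPv6 completions should get their own lead sentence.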
| @ -123,49 +151,58 @@ create a rule defining the packet and flow selector. | ||||
|     The whole list can also be "negated" using '!'. For example: | ||||
|     `!22,telnet,http,123,1001-1005`` | ||||
| 
 | ||||
|              | ||||
| 
 | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol other <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    protocol tcp close <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    protocol tcp close-wait <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    protocol tcp established <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    protocol tcp fin-wait <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    protocol tcp last-ack <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    protocol tcp syn-recv <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    protocol tcp syn-sent <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    protocol tcp time-wait <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    protocol udp replied <1-21474836> | ||||
| .. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> | ||||
|    protocol udp unreplied <1-21474836> | ||||
| 
 | ||||
|     Set the timeout in secounds for a protocol or state in a custom rule. | ||||
| 
 | ||||
| 
 | ||||
| .. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836> | ||||
|     :defaultvalue: | ||||
| 
 | ||||
|     Set the maximum number of TCP half-open connections. | ||||
| 
 | ||||
| .. cfgcmd:: set system conntrack tcp loose <enable | disable> | ||||
|     :defaultvalue: | ||||
| 
 | ||||
|     Policy to track previously established connections. | ||||
| 
 | ||||
| .. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647> | ||||
|     :defaultvalue: | ||||
| 
 | ||||
|     Set the number of TCP maximum retransmit attempts. | ||||
| 
 | ||||
| .. cfgcmd:: set system conntrack ignore rule <1-9999> description <text> | ||||
| .. cfgcmd:: set system conntrack ignore rule <1-9999> destination address <ip-address> | ||||
| .. cfgcmd:: set system conntrack ignore rule <1-9999> destination port <port> | ||||
| .. cfgcmd:: set system conntrack ignore rule <1-9999> inbound-interface <interface> | ||||
| .. cfgcmd:: set system conntrack ignore rule <1-9999> protocol <protocol> | ||||
| .. cfgcmd:: set system conntrack ignore rule <1-9999> source address <ip-address> | ||||
| .. cfgcmd:: set system conntrack ignore rule <1-9999> source port <port> | ||||
| Conntrack ignore rules | ||||
| ====================== | ||||
| 
 | ||||
|     Customized ignore rules, based on a packet and flow selector. | ||||
| 
 | ||||
| .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> | ||||
|    description <text> | ||||
| .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> | ||||
|    destination address <ip-address> | ||||
| .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> | ||||
|    destination port <port> | ||||
| .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> | ||||
|    inbound-interface <interface> | ||||
| .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> | ||||
|    protocol <protocol> | ||||
| .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> | ||||
|    source address <ip-address> | ||||
| .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> | ||||
|    source port <port> | ||||
| .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> | ||||
|    tcp flags [not] <text> | ||||
| 
 | ||||
|    Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, | ||||
|    ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for | ||||
|    inverted selection use ``not``, as shown in the example. | ||||
| 
 | ||||
| Conntrack log | ||||
| ============= | ||||
| 
 | ||||
| .. cfgcmd:: set system conntrack log icmp destroy | ||||
| .. cfgcmd:: set system conntrack log icmp new | ||||
| .. cfgcmd:: set system conntrack log icmp update | ||||
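Review bot: the `tcp flags [not] <text>` description says "as shown in the example", but no example is added in this hunk; either add one (a rule matching `tcp flags not syn` would do) or drop the phrase. Also "Allowed values fpr TCP flags" should be "for", and the "Customized ignore rules, based on a packet and flow selector." paragraph is indented under the new section heading as if it were a directive body, which reStructuredText renders as a block quote; dedent it.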
|  | ||||
							
								
								
									
docs/configuration/system/frr.rst (new file, 38 lines)
							| @ -0,0 +1,38 @@ | ||||
| .. _system_frr: | ||||
| 
 | ||||
| ### | ||||
| FRR | ||||
| ### | ||||
| 
 | ||||
| VyOS uses [FRRouting](https://frrouting.org/) as the control plane for dynamic | ||||
| and static routing. The routing daemon behavior can be adjusted during runtime, | ||||
| but require either a restart of the routing daemon, or a reboot of the system. | ||||
| 
 | ||||
| .. cfgcmd:: set system frr bmp | ||||
| 
 | ||||
|    Enable :abbr:`BMP (BGP Monitoring Protocol)` support | ||||
| 
 | ||||
| .. cfgcmd:: set system frr descriptors <numer> | ||||
| 
 | ||||
|    This allows the operator to control the number of open file descriptors | ||||
|    each daemon is allowed to start with. If the operator plans to run bgp with | ||||
|    several thousands of peers then this is where we would modify FRR to allow | ||||
|    this to happen. | ||||
| 
 | ||||
| .. cfgcmd:: set system frr irdp | ||||
| 
 | ||||
|    Enable ICMP Router Discovery Protocol support | ||||
| 
 | ||||
| .. cfgcmd:: set system frr snmp <daemon> | ||||
| 
 | ||||
|    Enable SNMP support for an individual routing daemon. | ||||
| 
 | ||||
|    Supported daemons: | ||||
| 
 | ||||
|    - bgpd | ||||
|    - isisd | ||||
|    - ldpd | ||||
|    - ospf6d | ||||
|    - ospfd | ||||
|    - ripd | ||||
|    - zebra | ||||
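Review bot: the intro paragraph uses Markdown link syntax `[FRRouting](https://frrouting.org/)`, which Sphinx renders literally in a .rst file; write it as an reStructuredText external link (`` `FRRouting <https://frrouting.org/>`_ ``). Two nits in the same file: `set system frr descriptors <numer>` should be `<number>`, and "can be adjusted during runtime, but require either a restart" should read "requires". Since `set system frr snmp <daemon>` exposes a routing daemon's state over SNMP, a pointer to where SNMP access (communities or users) is configured would help readers avoid enabling it before access control is in place.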
| @ -11,6 +11,7 @@ System | ||||
|    conntrack | ||||
|    console | ||||
|    flow-accounting | ||||
|    frr | ||||
|    host-name | ||||
|    ip | ||||
|    ipv6 | ||||
| @ -24,6 +25,7 @@ System | ||||
|    sysctl | ||||
|    task-scheduler | ||||
|    time-zone | ||||
|    updates | ||||
| 
 | ||||
| 
 | ||||
| .. toctree:: | ||||
|  | ||||
| @ -81,6 +81,7 @@ Show commands | ||||
|         static        Show IPv6 static routes | ||||
|         summary       Show IPv6 routes summary | ||||
|         table         Show IP routes in policy table | ||||
|         tag           Show only routes with tag | ||||
|         vrf           Show IPv6 routes in VRF | ||||
| 
 | ||||
| 
 | ||||
| @ -112,33 +113,6 @@ Show commands | ||||
|         <Enter>       Execute the current command | ||||
|         <text>        Show specified IPv6 access-list | ||||
| 
 | ||||
| .. opcmd:: show ipv6 bgp | ||||
| 
 | ||||
|    Use this command to show IPv6 Border Gateway Protocol information. | ||||
| 
 | ||||
| 
 | ||||
|    In addition, you can specify many other parameters to get BGP | ||||
|    information: | ||||
| 
 | ||||
|    .. code-block:: none | ||||
| 
 | ||||
|       vyos@vyos:~$ show ipv6 bgp | ||||
|       Possible completions: | ||||
|         <Enter>       Execute the current command | ||||
|         <X:X::X:X>    Show BGP information for given address or prefix | ||||
|         <X:X::X:X/M> | ||||
|         community     Show routes matching the communities | ||||
|         community-list | ||||
|                       Show routes matching the community-list | ||||
|         filter-list   Show routes conforming to the filter-list | ||||
|         large-community | ||||
|                       Show routes matching the large-community-list | ||||
|         large-community-list | ||||
|         neighbors     Show detailed information on TCP and BGP neighbor connections | ||||
|         prefix-list   Show routes matching the prefix-list | ||||
|         regexp        Show routes matching the AS path regular expression | ||||
|         route-map     Show BGP routes matching the specified route map | ||||
|         summary       Show summary of BGP neighbor status | ||||
| 
 | ||||
| 
 | ||||
| .. opcmd:: show ipv6 ospfv3 | ||||
|  | ||||
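Review bot: this hunk drops the entire `show ipv6 bgp` entry without a replacement; if the command is now documented elsewhere, leave a one-line `:ref:` pointer here so readers of the IPv6 operation chapter can still find it, otherwise the command becomes undocumented.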
| @ -48,7 +48,7 @@ In order for the system to use and complete unqualified host names, a | ||||
| list can be defined which will be used for domain searches. | ||||
| 
 | ||||
| 
 | ||||
| .. cfgcmd:: set system domain-search domain <domain> | ||||
| .. cfgcmd:: set system domain-search <domain> | ||||
| 
 | ||||
|    Use this command to define domains, one at a time, so that the system | ||||
|    uses them to complete unqualified host names. Maximum: 6 entries. | ||||
| @ -68,7 +68,7 @@ order: vyos.io (first), vyos.net (second) and vyos.network (last): | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|    set system domain-search domain vyos.io | ||||
|    set system domain-search domain vyos.net | ||||
|    set system domain-search domain vyos.network | ||||
|    set system domain-search vyos.io | ||||
|    set system domain-search vyos.net | ||||
|    set system domain-search vyos.network | ||||
| 
 | ||||
|  | ||||
							
								
								
									
docs/configuration/system/updates.rst (new file, 39 lines)
							| @ -0,0 +1,39 @@ | ||||
| ####### | ||||
| Updates | ||||
| ####### | ||||
| 
 | ||||
| VyOS supports online checking for updates | ||||
| 
 | ||||
| Configuration | ||||
| ============= | ||||
| 
 | ||||
| .. cfgcmd:: set system update-check auto-check | ||||
| 
 | ||||
|    Configure auto-checking for new images | ||||
| 
 | ||||
| 
 | ||||
| .. cfgcmd:: set system update-check url <url> | ||||
| 
 | ||||
|    Configure a URL that contains information about images. | ||||
| 
 | ||||
| 
 | ||||
| Example | ||||
| ======= | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set system update-check auto-check | ||||
|   set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json' | ||||
| 
 | ||||
| Check: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   vyos@r4:~$ show system updates  | ||||
|   Current version: 1.5-rolling-202312220023 | ||||
| 
 | ||||
|   Update available: 1.5-rolling-202312250024 | ||||
|   Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso | ||||
|   vyos@r4:~$ | ||||
| 
 | ||||
|   vyos@r4:~$ add system image latest | ||||
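Review bot: the `update-check url` description should say what the system does with that URL. Per the example at the end of the file, `add system image latest` installs whichever image the JSON at the configured URL advertises, so the URL is effectively a trust anchor; the text should state that it must be an HTTPS URL under the operator's control (the example points at the nightly-builds repository). Nits: "VyOS supports online checking for updates" lacks a full stop, and `show system updates ` carries trailing whitespace.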
| @ -17,8 +17,8 @@ with native Windows and Mac VPN clients): | ||||
|   set vpn ipsec interface eth0 | ||||
| 
 | ||||
|   set vpn l2tp remote-access outside-address 192.0.2.2 | ||||
|   set vpn l2tp remote-access client-ip-pool start 192.168.255.2 | ||||
|   set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 | ||||
|   set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 | ||||
|   set vpn l2tp remote-access default-pool 'L2TP-POOL' | ||||
|   set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret | ||||
|   set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret> | ||||
|   set vpn l2tp remote-access authentication mode local | ||||
| @ -95,8 +95,8 @@ Below is an example to configure a LNS: | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set vpn l2tp remote-access outside-address 192.0.2.2 | ||||
|   set vpn l2tp remote-access client-ip-pool start 192.168.255.2 | ||||
|   set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 | ||||
|   set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 | ||||
|   set vpn l2tp remote-access default-pool 'L2TP-POOL' | ||||
|   set vpn l2tp remote-access lns shared-secret 'secret' | ||||
|   set vpn l2tp remote-access ccp-disable | ||||
|   set vpn l2tp remote-access authentication mode local | ||||
| @ -122,8 +122,8 @@ The rate-limit is set in kbit/sec. | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set vpn l2tp remote-access outside-address 192.0.2.2 | ||||
|   set vpn l2tp remote-access client-ip-pool start 192.168.255.2 | ||||
|   set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 | ||||
|   set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 | ||||
|   set vpn l2tp remote-access default-pool 'L2TP-POOL' | ||||
|   set vpn l2tp remote-access authentication mode local | ||||
|   set vpn l2tp remote-access authentication local-users username test password test | ||||
|   set vpn l2tp remote-access authentication local-users username test rate-limit download 20480 | ||||
|  | ||||
| @ -165,6 +165,13 @@ Simple setup with one user added and password authentication: | ||||
|   set vpn openconnect ssl ca-certificate 'ca-ocserv' | ||||
|   set vpn openconnect ssl certificate 'srv-ocserv' | ||||
| 
 | ||||
| To enable the HTTP security headers in the configuration file, use the command: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set vpn openconnect http-security-headers | ||||
| 
 | ||||
| 
 | ||||
| Adding a 2FA with an OTP-key | ||||
| ============================ | ||||
| 
 | ||||
|  | ||||
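Review bot: "To enable the HTTP security headers in the configuration file, use the command:" does not say which headers are emitted or why one would want them; a short rationale (hardening the browser-facing portal responses) and, ideally, the header list written into the generated ocserv configuration would make the option actionable. "in the configuration file" is also misleading, since the reader configures VyOS, not the ocserv file directly.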
| @ -20,8 +20,8 @@ server example | ||||
| 
 | ||||
|   set vpn pptp remote-access authentication local-users username test password 'test' | ||||
|   set vpn pptp remote-access authentication mode 'local' | ||||
|   set vpn pptp remote-access client-ip-pool start '192.168.0.10' | ||||
|   set vpn pptp remote-access client-ip-pool stop '192.168.0.15' | ||||
|   set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.0.10-192.168.0.15 | ||||
|   set vpn pptp remote-access default-pool 'PPTP-POOL' | ||||
|   set vpn pptp remote-access gateway-address '10.100.100.1' | ||||
|   set vpn pptp remote-access outside-address '10.1.1.120' | ||||
| 
 | ||||
|  | ||||
| @ -308,31 +308,35 @@ Imagine the following topology | ||||
|   set interfaces dummy dum0 address '10.0.11.1/24' | ||||
|   set interfaces vti vti10 address '10.0.0.2/31' | ||||
| 
 | ||||
|   set vpn ipsec option disable-route-autoinstall | ||||
|   set vpn ipsec authentication psk OFFICE-B id '172.18.201.10' | ||||
|   set vpn ipsec authentication psk OFFICE-B id '172.18.202.10' | ||||
|   set vpn ipsec authentication psk OFFICE-B secret 'secretkey' | ||||
|   set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10' | ||||
|   set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10' | ||||
|   set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey' | ||||
|   set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' | ||||
|   set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' | ||||
|   set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' | ||||
|   set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' | ||||
|   set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' | ||||
|   set vpn ipsec interface 'eth0.201' | ||||
|   set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10' | ||||
|   set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' | ||||
|   set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10' | ||||
|   set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond' | ||||
|   set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' | ||||
|   set vpn ipsec site-to-site peer OFFICE-B local-address '172.18.201.10' | ||||
|   set vpn ipsec site-to-site peer OFFICE-B remote-address '172.18.202.10' | ||||
|   set vpn ipsec site-to-site peer OFFICE-B vti bind 'vti10' | ||||
|   set vpn ipsec site-to-site peer OFFICE-B vti esp-group 'ESP_DEFAULT' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-202-10 local-address '172.18.201.10' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT' | ||||
| 
 | ||||
|   set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10 | ||||
| 
 | ||||
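Review bot: Office A changes from `connection-type 'respond'` to `'initiate'` while Office B (next hunk) stays `'initiate'`, so both ends now initiate; state in the surrounding text whether that is intended, because the old example deliberately made one side the responder. The new `ikev2-reauth 'inherit'`, `close-action 'none'` and `option disable-route-autoinstall` lines also appear without explanation; one sentence on why `disable-route-autoinstall` is needed when routes are installed via the static `interface-route` over `vti10` would help readers who copy this block.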
| @ -344,34 +348,35 @@ Imagine the following topology | ||||
|   set interfaces dummy dum0 address '10.0.12.1/24' | ||||
|   set interfaces vti vti10 address '10.0.0.3/31' | ||||
| 
 | ||||
|   set vpn ipsec option disable-route-autoinstall | ||||
|   set vpn ipsec authentication psk OFFICE-A id '172.18.201.10' | ||||
|   set vpn ipsec authentication psk OFFICE-A id '172.18.202.10' | ||||
|   set vpn ipsec authentication psk OFFICE-A secret 'secretkey' | ||||
|   set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10' | ||||
|   set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10' | ||||
|   set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey' | ||||
|   set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' | ||||
|   set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' | ||||
|   set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' | ||||
|   set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' | ||||
|   set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' | ||||
|   set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' | ||||
|   set vpn ipsec interface 'eth0.202' | ||||
|   set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10' | ||||
|   set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' | ||||
|   set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10' | ||||
|   set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate' | ||||
|   set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT' | ||||
|   set vpn ipsec site-to-site peer OFFICE-A local-address '172.18.202.10' | ||||
|   set vpn ipsec site-to-site peer OFFICE-A remote-address '172.18.201.10' | ||||
|   set vpn ipsec site-to-site peer OFFICE-A vti bind 'vti10' | ||||
|   set vpn ipsec site-to-site peer OFFICE-A vti esp-group 'ESP_DEFAULT' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-201-10 authentication remote-id '172.18.201.10' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-201-10 local-address '172.18.202.10' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10' | ||||
|   set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT' | ||||
| 
 | ||||
|   set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10 | ||||
| 
 | ||||
|  | ||||
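Review bot: `dead-peer-detection action` changes from `'restart'` to `'hold'` and `close-action 'none'` is added, but nothing in the text explains what this means for tunnel recovery after the peer goes away; a sentence on the expected behaviour (and why `hold` was preferred over `restart`) belongs next to the example. Minor: the `psk peer_172-18-201-10 id` lines list the remote id before the local id, the reverse of Office A's ordering; harmless, but consistent ordering makes the two sides easier to diff.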
| @ -116,9 +116,20 @@ Configuration | ||||
|   Specifies the port `<port>` that the SSTP port will listen on (default 443). | ||||
| 
 | ||||
| 
 | ||||
| .. cfgcmd:: set vpn sstp client-ip-pool subnet <subnet> | ||||
| .. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> | ||||
| 
 | ||||
|   Use `<subnet>` as the IP pool for all connecting clients. | ||||
|    Use this command to define the first IP address of a pool of | ||||
|    addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, | ||||
|    it must be within a /24 subnet. If notation ``x.x.x.x/x`` is | ||||
|    used there is possibility to set host/netmask. | ||||
| 
 | ||||
| .. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> | ||||
| 
 | ||||
|    Use this command to define the next address pool name. | ||||
| 
 | ||||
| .. cfgcmd:: set vpn sstp default-pool <POOL-NAME> | ||||
| 
 | ||||
|    Use this command to define default address pool name. | ||||
| 
 | ||||
| 
 | ||||
| .. cfgcmd:: set vpn sstp client-ipv6-pool prefix <address> mask <number-of-bits> | ||||
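Review bot: the new `client-ip-pool <POOL-NAME> range` text says it defines "the first IP address of a pool", but the command takes a whole range or subnet; reword to "define a pool of addresses to be given to SSTP clients". The following sentences are ungrammatical: "If notation ``x.x.x.x-x.x.x.x``, it must be within a /24 subnet" needs "is used", and "there is possibility to set host/netmask" should read "the host/netmask form can be used". The three new descriptions are indented with three spaces while the neighbouring ones in this file use two.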
| @ -282,7 +293,8 @@ Example | ||||
|   set vpn sstp authentication local-users username vyos password vyos | ||||
|   set vpn sstp authentication mode local | ||||
|   set vpn sstp gateway-address 192.0.2.254 | ||||
|   set vpn sstp client-ip-pool subnet 192.0.2.0/25 | ||||
|   set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25 | ||||
|   set vpn sstp default-pool 'SSTP-POOL' | ||||
|   set vpn sstp name-server 10.0.0.1 | ||||
|   set vpn sstp name-server 10.0.0.2 | ||||
|   set vpn sstp ssl ca-cert-file /config/auth/ca.crt | ||||
|  | ||||
| @ -23,10 +23,60 @@ also set up your own build machine and run a :ref:`build_native`. | ||||
|    The source code remains public and an ISO can be built using the process | ||||
|    outlined in this chapter. | ||||
| 
 | ||||
|    The following includes the build process for VyOS 1.2 to the latest version. | ||||
| 
 | ||||
| This will guide you through the process of building a VyOS ISO using Docker_. | ||||
| This process has been tested on clean installs of Debian Jessie, Stretch, and | ||||
| Buster. | ||||
| 
 | ||||
| .. _build_native: | ||||
| 
 | ||||
| Native Build | ||||
| ============ | ||||
| 
 | ||||
| To build VyOS natively you require a properly configured build host with the | ||||
| following Debian versions installed: | ||||
| 
 | ||||
| - Debian Jessie for VyOS 1.2 (crux) | ||||
| - Debian Buster for VyOS 1.3 (equuleus)  | ||||
| - Debian Bookworm for VyOS 1.4 (sagitta) | ||||
| - Debian Bookworm for the upcoming VyOS 1.5/circinus/current  | ||||
|   (subject to change) - aka the rolling release | ||||
| 
 | ||||
| To start, clone the repository to your local machine: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   # For VyOS 1.2 (crux) | ||||
|   $ git clone -b crux --single-branch https://github.com/vyos/vyos-build | ||||
| 
 | ||||
|   # For VyOS 1.3 (equuleus) | ||||
|   $ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build | ||||
| 
 | ||||
|   # For VyOS 1.4 (sagitta) | ||||
|   $ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build | ||||
| 
 | ||||
|   # For VyOS 1.5 (circinus,current) | ||||
|   $ git clone -b current --single-branch https://github.com/vyos/vyos-build | ||||
| 
 | ||||
|   $ cd vyos-build | ||||
| 
 | ||||
|   # For VyOS 1.2 (crux) and VyOS 1.3 (equuleus) | ||||
|   $ ./configure --architecture amd64 --build-by "j.randomhacker@vyos.io" | ||||
|   $ sudo make iso | ||||
| 
 | ||||
|   # For VyOS 1.4 (sagitta) and VyOS 1.5 (circinus,current) | ||||
|   $ sudo make clean | ||||
|   $ sudo ./build-vyos-image iso --architecture amd64 --build-by "j.randomhacker@vyos.io" | ||||
| 
 | ||||
| For the packages required, you can refer to the ``docker/Dockerfile`` file | ||||
| in the repository_. The ``./build-vyos-image`` script will also warn you if any | ||||
| dependencies are missing. | ||||
| 
 | ||||
| This will guide you through the process of building a VyOS ISO using Docker.  | ||||
| This process has been tested on clean installs of Debian Bullseye (11) and  | ||||
| Bookworm (12). | ||||
| 
 | ||||
| .. _build_docker: | ||||
| 
 | ||||
| Docker | ||||
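Review bot: the relocated Native Build section now sits between the intro note and the Docker intro paragraph, so "This will guide you through the process of building a VyOS ISO using Docker." ends up after the native instructions rather than under the Docker heading it introduces; consider moving that paragraph below `.. _build_docker:`. Several added lines carry trailing whitespace (the Buster and 1.5 bullet lines and the Docker intro lines), and "(subject to change) - aka the rolling release" would read better as "(subject to change), also known as the rolling release".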
| @ -34,14 +84,26 @@ Docker | ||||
| 
 | ||||
| Installing Docker_ and prerequisites: | ||||
| 
 | ||||
| .. hint:: Due to the updated version of Docker, the following examples may  | ||||
|    become invalid. | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   $ sudo apt-get update | ||||
|   $ sudo apt-get install -y apt-transport-https ca-certificates curl gnupg2 software-properties-common | ||||
|   $ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - | ||||
|   $ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | ||||
|   $ sudo apt-get update | ||||
|   $ sudo apt-get install -y docker-ce | ||||
|   # Add Docker's official GPG key: | ||||
|   sudo apt-get update | ||||
|   sudo apt-get install ca-certificates curl gnupg | ||||
|   sudo install -m 0755 -d /etc/apt/keyrings | ||||
|   curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg | ||||
|   sudo chmod a+r /etc/apt/keyrings/docker.gpg | ||||
| 
 | ||||
|   # Add the repository to Apt sources: | ||||
|   echo \ | ||||
|     "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \ | ||||
|     $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ | ||||
|     sudo tee /etc/apt/sources.list.d/docker.list > /dev/null | ||||
| 
 | ||||
|   sudo apt-get update | ||||
|   sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin | ||||
| 
 | ||||
| To be able to use Docker_ without ``sudo``, the current non-root user must be | ||||
| added to the ``docker`` group by calling: ``sudo usermod -aG docker | ||||
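Review bot: the switch from `apt-key add -` to a `signed-by=/etc/apt/keyrings/docker.gpg` keyring is the right change, since it scopes Docker's signing key to that one repository instead of trusting it for every apt source; a short sentence saying so would tell readers why the old snippet should not be reused. The hint "Due to the updated version of Docker, the following examples may become invalid" is vague; point readers to the Docker_ target (retargeted to the Debian install page in the last hunk) as the authoritative source instead.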
| @ -79,7 +141,7 @@ To manually download the container from DockerHub, run: | ||||
|   $ docker pull vyos/vyos-build:crux     # For VyOS 1.2 | ||||
|   $ docker pull vyos/vyos-build:equuleus # For VyOS 1.3 | ||||
|   $ docker pull vyos/vyos-build:sagitta  # For VyOS 1.4 | ||||
|   $ docker pull vyos/vyos-build:current  # For rolling release | ||||
|   $ docker pull vyos/vyos-build:current  # For VyOS 1.5 rolling release | ||||
| 
 | ||||
| Build from source | ||||
| ^^^^^^^^^^^^^^^^^ | ||||
| @ -94,14 +156,18 @@ The container can also be built directly from source: | ||||
|   $ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build | ||||
|   # For VyOS 1.4 (sagitta) | ||||
|   $ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build | ||||
|   # For VyOS 1.5 (circinus,current) | ||||
|   $ git clone -b current --single-branch https://github.com/vyos/vyos-build | ||||
|    | ||||
|   $ cd vyos-build | ||||
|   $ docker build -t vyos/vyos-build:crux docker           # For VyOS 1.2 | ||||
|   $ docker build -t vyos/vyos-build:current docker      # For rolling release | ||||
|   $ docker build -t vyos/vyos-build:equuleus docker       # For VyOS 1.3 | ||||
|   $ docker build -t vyos/vyos-build:sagitta docker        # For VyOS 1.4 | ||||
|   $ docker build -t vyos/vyos-build:current docker        # For VyOS 1.5 rolling release | ||||
| 
 | ||||
| .. note:: Since VyOS has switched to Debian (11) Bullseye in its ``current`` | ||||
|    branch, you will require individual container for `current`, `equuleus` and | ||||
|    `crux` builds. | ||||
| .. note:: VyOS has switched to Debian (12) Bookworm in its ``current`` branch, | ||||
|    Due to software version updates, it is recommended to use the official  | ||||
|    Docker Hub image to build VyOS ISO. | ||||
|     | ||||
| Tips and Tricks | ||||
| --------------- | ||||
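Review bot: the rewritten note is a run-on: "VyOS has switched to Debian (12) Bookworm in its ``current`` branch, Due to software version updates, it is recommended..." should be split into two sentences, and "the official Docker Hub image" reads better than "the official Docker Hub image to build VyOS ISO" with "the VyOS ISO". The added blank lines after the clone commands and after the note carry trailing whitespace.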
| @ -141,39 +207,6 @@ your development containers in your current working directory. | ||||
|    ``--sysctl net.ipv6.conf.lo.disable_ipv6=0``, otherwise those tests will | ||||
|    fail. | ||||
| 
 | ||||
| .. _build_native: | ||||
| 
 | ||||
| Native Build | ||||
| ============ | ||||
| 
 | ||||
| To build VyOS natively you require a properly configured build host with the | ||||
| following Debian versions installed: | ||||
| 
 | ||||
| - Debian Jessie for VyOS 1.2 (crux) | ||||
| - Debian Buster for VyOS 1.3 (equuleus)  | ||||
| - Debian Bullseye for VyOS 1.4 (sagitta) | ||||
| 
 | ||||
| To start, clone the repository to your local machine: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   # For VyOS 1.2 (crux) | ||||
|   $ git clone -b crux --single-branch https://github.com/vyos/vyos-build | ||||
| 
 | ||||
|   # For VyOS 1.3 (equuleus) | ||||
|   $ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build | ||||
| 
 | ||||
|   # For VyOS 1.4 (sagitta) | ||||
|   $ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build | ||||
| 
 | ||||
| 
 | ||||
| For the packages required, you can refer to the ``docker/Dockerfile`` file | ||||
| in the repository_. The ``./build-vyos-image`` script will also warn you if any | ||||
| dependencies are missing. | ||||
| 
 | ||||
| Once you have the required dependencies installed, you may proceed with the | ||||
| steps described in :ref:`build_iso`. | ||||
| 
 | ||||
| 
 | ||||
| .. _build_iso: | ||||
| 
 | ||||
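Review bot: the removed sentence "Once you have the required dependencies installed, you may proceed with the steps described in :ref:`build_iso`" is not carried into the relocated Native Build section, so the cross-reference from the native instructions to the ISO build chapter is lost; add it back at the end of the new section.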
| @ -196,6 +229,10 @@ Please note as this will differ for both `current` and `crux`. | ||||
|   # For VyOS 1.4 (sagitta) | ||||
|   $ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build | ||||
| 
 | ||||
|   # For VyOS 1.5 (circinus,current) | ||||
|   $ git clone -b current --single-branch https://github.com/vyos/vyos-build | ||||
| 
 | ||||
| 
 | ||||
| Now a fresh build of the VyOS ISO can begin. Change directory to the | ||||
| ``vyos-build`` directory and run: | ||||
| 
 | ||||
| @ -211,6 +248,9 @@ Now a fresh build of the VyOS ISO can begin. Change directory to the | ||||
|   # For VyOS 1.4 (sagitta) | ||||
|   $ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:sagitta bash | ||||
| 
 | ||||
|   # For VyOS 1.5 (current) | ||||
|   $ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:current bash | ||||
|      | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   # For MacOS (crux, equuleus, sagitta) | ||||
| @ -234,7 +274,7 @@ Start the build: | ||||
|   vyos_bld@8153428c7e1f:/vyos$ ./configure --architecture amd64 --build-by "j.randomhacker@vyos.io" | ||||
|   vyos_bld@8153428c7e1f:/vyos$ sudo make iso | ||||
| 
 | ||||
|   # For VyOS 1.4 (sagitta) | ||||
|   # For VyOS 1.4 (sagitta) For VyOS 1.5 (circinus,current) | ||||
|   vyos_bld@8153428c7e1f:/vyos$ sudo make clean | ||||
|   vyos_bld@8153428c7e1f:/vyos$ sudo ./build-vyos-image iso --architecture amd64 --build-by "j.randomhacker@vyos.io" | ||||
| 
 | ||||
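Review bot: the comment "# For VyOS 1.4 (sagitta) For VyOS 1.5 (circinus,current)" runs two clauses together; write "# For VyOS 1.4 (sagitta) and VyOS 1.5 (circinus,current)" to match the style of the other comments in this block.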
| @ -836,7 +876,7 @@ information. | ||||
| 
 | ||||
| .. stop_vyoslinter | ||||
| 
 | ||||
| .. _Docker: https://www.docker.com | ||||
| .. _Docker: https://docs.docker.com/engine/install/debian/ | ||||
| .. _`Docker as non-root`: https://docs.docker.com/engine/install/linux-postinstall | ||||
| .. _VyOS DockerHub organisation: https://hub.docker.com/u/vyos | ||||
| .. _repository: https://github.com/vyos/vyos-build | ||||
|  | ||||
| @ -4,10 +4,11 @@ | ||||
| Testing | ||||
| ####### | ||||
| 
 | ||||
| One of the major advantages introduced in VyOS 1.3 is an autmated test framework. | ||||
| When assembling an ISO image multiple things can go wrong badly and publishing | ||||
| a faulty ISO makes no sense. The user is disappointed by the quality of the image | ||||
| and the developers get flodded with bug reports over and over again. | ||||
| One of the major advantages introduced in VyOS 1.3 is an automated test | ||||
| framework. When assembling an ISO image multiple things can go wrong badly and | ||||
| publishing a faulty ISO makes no sense. The user is disappointed by the quality | ||||
| of the image and the developers get flodded with bug reports over and over | ||||
| again. | ||||
| 
 | ||||
| As the VyOS documentation is not only for users but also for the developers - | ||||
| and we keep no secret documentation - this section describes how the automated | ||||
|  | ||||
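Review bot: the rewrap fixes "autmated" but leaves "flodded" (should be "flooded") in the same paragraph.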
| @ -458,13 +458,16 @@ In this example we configured an existent VyOS as the DHCP server: | ||||
|   vyos@vyos# show service dhcp-server | ||||
|    shared-network-name mydhcp { | ||||
|        subnet 192.168.1.0/24 { | ||||
|            option { | ||||
|                bootfile-name pxelinux.0 | ||||
|                bootfile-server 192.168.1.50 | ||||
|                default-router 192.168.1.50 | ||||
|            } | ||||
|            range 0 { | ||||
|                start 192.168.1.70 | ||||
|                stop 192.168.1.100 | ||||
|            } | ||||
|            subnet-id 1 | ||||
|        } | ||||
|    } | ||||
| 
 | ||||
|  | ||||
| @ -10,7 +10,7 @@ for the new image to boot using the current configuration. | ||||
| 
 | ||||
| .. note:: Only LTS releases are PGP-signed. | ||||
| 
 | ||||
| .. opcmd:: add system image <url | path> [vrf name] | ||||
| .. opcmd:: add system image <url | path> | [latest] [vrf name] | ||||
|    [username user [password pass]] | ||||
| 
 | ||||
|    Use this command to install a new system image. You can reach the | ||||
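Review bot: the new synopsis `add system image <url | path> | [latest] [vrf name]` puts a stray `|` between the angle-bracket alternatives and `[latest]`; since `latest` is an alternative to a URL or path, write `add system image <url | path | latest> [vrf name] [username user [password pass]]`.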
| @ -72,6 +72,13 @@ Example | ||||
| 
 | ||||
|      OK.  This image will be named: vyos-1.3-rolling-201912201452 | ||||
| 
 | ||||
| You can use ``latest`` option. It loads the latest available Rolling release. | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|      vyos@vyos:~$ add system image latest | ||||
| 
 | ||||
| .. note:: To use the `latest` option the "system update-check url" must be configured. | ||||
| 
 | ||||
| .. hint:: The most up-do-date Rolling Release for AMD64 can be accessed using | ||||
|    the following URL: | ||||
|  | ||||
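Review bot: "You can use ``latest`` option" needs an article ("the ``latest`` option"). More importantly, the note above this hunk states that only LTS releases are PGP-signed, while ``latest`` installs the newest Rolling release, so the image it fetches is not signature-verified and is trusted on the strength of the configured `update-check url` alone; say that here so readers relying on `latest` know what they are trusting. The unchanged hint line still reads "up-do-date" (should be "up-to-date").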
| @ -93,12 +93,13 @@ DNS server. | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1' | ||||
|   set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 name-server '192.168.0.1' | ||||
|   set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'vyos.net' | ||||
|   set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option default-router '192.168.0.1' | ||||
|   set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option name-server '192.168.0.1' | ||||
|   set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option domain-name 'vyos.net' | ||||
|   set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400' | ||||
|   set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start '192.168.0.9' | ||||
|   set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop '192.168.0.254' | ||||
|   set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 subnet-id '1' | ||||
| 
 | ||||
|   set service dns forwarding cache-size '0' | ||||
|   set service dns forwarding listen-address '192.168.0.1' | ||||
| @ -141,7 +142,7 @@ networks, addresses, ports, and domains that describe different parts of | ||||
| our network. We can then use them for filtering within our firewall rulesets, | ||||
| allowing for more concise and readable configuration. | ||||
| 
 | ||||
| In this case, we will create two interface groups—a ``WAN`` group for our | ||||
| In this case, we will create two interface groups — a ``WAN`` group for our | ||||
| interfaces connected to the public internet and a ``LAN`` group for the | ||||
| interfaces connected to our internal network. Additionally, we will create a | ||||
| network group, ``NET-INSIDE-v4``, that contains our internal subnet. | ||||
| @ -156,10 +157,26 @@ Configure Stateful Packet Filtering | ||||
| ----------------------------------- | ||||
| 
 | ||||
| With the new firewall structure, we have have a lot of flexibility in how we | ||||
| group and order our rules, as shown by the two alternative approaches below. | ||||
| group and order our rules, as shown by the three alternative approaches below. | ||||
| 
 | ||||
| Option 1: Common Chain | ||||
| ^^^^^^^^^^^^^^^^^^^^^^ | ||||
| Option 1: Global State Policies | ||||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||||
| Using options defined in ``set firewall global-options state-policy``, state | ||||
| policy rules that applies for both IPv4 and IPv6 are created. These global | ||||
| state policies also applies for all traffic that passes through the router | ||||
| (transit) and for traffic originated/destinated to/from the router itself, and | ||||
| will be avaluated before any other rule defined in the firewall. | ||||
| 
 | ||||
| Most installations would choose this option, and will contain: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|   set firewall global-options state-policy established action accept | ||||
|   set firewall global-options state-policy related action accept | ||||
|   set firewall global-options state-policy invalid action drop | ||||
| 
 | ||||
| Option 2: Common/Custom Chain | ||||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||||
| 
 | ||||
| We can create a common chain for stateful connection filtering of multiple | ||||
| interfaces (or multiple netfilter hooks on one interface). Those individual | ||||
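Review bot: the paragraph added under `Option 1: Global State Policies` needs grammar fixes before merge: `rules that applies` → `rules that apply`, `also applies for all traffic` → `also apply to all traffic`, `originated/destinated to/from the router itself` → `originating from or destined to the router itself`, and `avaluated` → `evaluated`; `Most installations would choose this option, and will contain:` reads better as `Most installations would choose this option, which consists of:`. Since the text states that these policies cover both transit and router-local traffic and are evaluated before any other firewall rule, spell out the consequence for operators: a packet in the `established` or `related` state is accepted before any per-hook or custom chain is consulted, so those chains effectively see only packets that are not already part of an accepted connection, and the `invalid action drop` line is what keeps out-of-state segments from reaching them. The unchanged context line `we have have a lot of flexibility` also has a doubled word.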
| @ -196,12 +213,11 @@ hooks as the first filtering rule in the respective chains: | ||||
|   set firewall ipv4 input filter rule 10 action 'jump' | ||||
|   set firewall ipv4 input filter rule 10 jump-target CONN_FILTER | ||||
| 
 | ||||
| Option 2: Per-Hook Chain | ||||
| Option 3: Per-Hook Chain | ||||
| ^^^^^^^^^^^^^^^^^^^^^^^^ | ||||
| 
 | ||||
| Alternatively, instead of configuring the ``CONN_FILTER`` chain described above, | ||||
| you can take the more traditional stateful connection filtering approach by | ||||
| creating rules on each hook's chain: | ||||
| Alternatively, you can take the more traditional stateful connection | ||||
| filtering approach by creating rules on each base hook's chain: | ||||
| 
 | ||||
| .. code-block:: none | ||||
| 
 | ||||
|  | ||||