mirror of
https://github.com/vyos/vyos-documentation.git
synced 2025-10-26 08:41:46 +01:00
Merge branch 'crux' into 'master'
* crux: MSS-Clamping: move from routing to firewall chapter Version: set version/release to 1.2.2/Crux Login: adjust CLI interface to VyOS 1.2 crux
This commit is contained in:
Christian Poessinger
commit
c0a077b745
@ -174,5 +174,42 @@ Example Partial Config
|
||||
}
|
||||
}
|
||||
|
||||
MSS Clamping
|
||||
------------
|
||||
|
||||
As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP
|
||||
MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option
|
||||
to clamp your TCP MSS value for IPv4 and IPv6.
|
||||
|
||||
Clamping can be disabled per interface using the `disable` keywork:
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
set firewall options interface pppoe0 disable
|
||||
|
||||
IPv4
|
||||
----
|
||||
|
||||
Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372`
|
||||
for your WireGuard `wg02` tunnel.
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
set firewall options interface pppoe0 adjust-mss '1452'
|
||||
set firewall options interface wg02 adjust-mss '1372'
|
||||
|
||||
IPv6
|
||||
----
|
||||
|
||||
Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
|
||||
`wg02` interface.
|
||||
|
||||
To achieve the same for IPv6 please use:
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
set firewall options interface pppoe0 adjust-mss6 '1280'
|
||||
set firewall options interface wg02 adjust-mss6 '1280'
|
||||
|
||||
[https://www.xfinity.com/support/internet/list-of-blocked-ports/ XFinity Blocked Port List]
|
||||
|
||||
|
||||
@ -281,7 +281,7 @@ display arp table entries
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
show protocols static arp
|
||||
show protocols static arp
|
||||
|
||||
Address HWtype HWaddress Flags Mask Iface
|
||||
10.1.1.1 ether 08:00:27:de:23:2e C eth1
|
||||
@ -331,15 +331,41 @@ we use:
|
||||
|
||||
set interfaces ethernet eth1 policy route FILTER-WEB
|
||||
|
||||
The route policy functionality in VyOS can also be used to rewrite TCP MSS
|
||||
using the set policy route <name> rule <rule> `set tcp-mss <value>` directive,
|
||||
modify DSCP value using `set dscp <value>`, or mark the traffic with an
|
||||
internal ID using `set mark <value>` for further processing (e.g. QOS) on a
|
||||
per-rule basis for matching traffic.
|
||||
MSS Clamping
|
||||
============
|
||||
|
||||
In addition to 5-tuple matching, additional options such as time-based rules,
|
||||
are available. See the built-in help for a complete list of options.
|
||||
As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP
|
||||
MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option
|
||||
to clamp your TCP MSS value for IPv4 and IPv6.
|
||||
|
||||
Clamping can be disabled per interface using the `disable` keywork:
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
set firewall options interface pppoe0 disable
|
||||
|
||||
IPv4
|
||||
----
|
||||
|
||||
Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372`
|
||||
for your WireGuard `wg02` tunnel.
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
set firewall options interface pppoe0 adjust-mss '1452'
|
||||
set firewall options interface wg02 adjust-mss '1372'
|
||||
|
||||
IPv6
|
||||
----
|
||||
|
||||
Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
|
||||
`wg02` interface.
|
||||
|
||||
To achieve the same for IPv6 please use:
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
set firewall options interface pppoe0 adjust-mss6 '1280'
|
||||
set firewall options interface wg02 adjust-mss6 '1280'
|
||||
|
||||
.. _ARP: https://en.wikipedia.org/wiki/Address_Resolution_Protocol
|
||||
|
||||
@ -77,35 +77,21 @@ a default timeout and port.
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
set system login radius server 192.168.1.2 secret 's3cr3t0815'
|
||||
set system login radius server 192.168.1.2 timeout '5'
|
||||
set system login radius server 192.168.1.2 port '1812'
|
||||
set system login radius server 192.168.1.3 secret 's3cr3t0816'
|
||||
set system login radius-server 192.168.1.2 secret 's3cr3t0815'
|
||||
set system login radius-server 192.168.1.2 timeout '5'
|
||||
set system login radius-server 192.168.1.2 port '1812'
|
||||
set system login radius-server 192.168.1.3 secret 's3cr3t0816'
|
||||
|
||||
This configuration results in:
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
show system login radius
|
||||
server 192.168.1.2 {
|
||||
show system login
|
||||
radius-server 192.168.1.2 {
|
||||
secret s3cr3t0815
|
||||
timeout 5
|
||||
port 1812
|
||||
}
|
||||
server 192.168.1.3 {
|
||||
radius-server 192.168.1.3 {
|
||||
secret s3cr3t0816
|
||||
}
|
||||
|
||||
RADIUS Source Address
|
||||
*********************
|
||||
|
||||
If you are using e.g. OSPF as IGP always the nearest interface facing the RADIUS
|
||||
server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a
|
||||
single source IP e.g. the loopback interface.
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
set system login radius source-address 3.3.3.3
|
||||
|
||||
Above command will use `3.3.3.3` as source IPv4 address for all queries originating
|
||||
from this NAS.
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user