vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 08:41:46 +01:00
Code Issues Packages Projects Releases Wiki Activity
vyos-documentation/docs/services.rst
kmpm 169c5ae113 dhcp ranges 
in 1.2.0-rc11 you must use range
2019-01-18 10:33:20 +01:00

1714 lines
53 KiB
ReStructuredText
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

.. _services:
Services
========
This chapter descriptes the available system/network services provided by VyOS.
Conntrack
---------
One of the important features built on top of the Netfilter framework is
connection tracking. Connection tracking allows the kernel to keep track of all
logical network connections or sessions, and thereby relate all of the packets
which may make up that connection. NAT relies on this information to translate
all related packets in the same way, and iptables can use this information to
act as a stateful firewall.
The connection state however is completely independent of any upper-level
state, such as TCP's or SCTP's state. Part of the reason for this is that when
merely forwarding packets, i.e. no local delivery, the TCP engine may not
necessarily be invoked at all. Even connectionless-mode transmissions such as
UDP, IPsec (AH/ESP), GRE and other tunneling protocols have, at least, a pseudo
connection state. The heuristic for such protocols is often based upon a preset
timeout value for inactivity, after whose expiration a Netfilter connection is
dropped.
Each Netfilter connection is uniquely identified by a (layer-3 protocol, source
address, destination address, layer-4 protocol, layer-4 key) tuple. The layer-4
key depends on the transport protocol; for TCP/UDP it is the port numbers, for
tunnels it can be their tunnel ID, but otherwise is just zero, as if it were
not part of the tuple. To be able to inspect the TCP port in all cases, packets
will be mandatorily defragmented.
Configuration
^^^^^^^^^^^^^
.. code-block:: sh
# Protocols only for which local conntrack entries will be synced (tcp, udp, icmp, sctp)
set service conntrack-sync accept-protocol
# Queue size for listening to local conntrack events (in MB)
set service conntrack-sync event-listen-queue-size <int>
# Protocol for which expect entries need to be synchronized. (all, ftp, h323, nfs, sip, sqlnet)
set service conntrack-sync expect-sync
# Failover mechanism to use for conntrack-sync [REQUIRED]
set service conntrack-sync failover-mechanism
set service conntrack-sync cluster group <string>
set service conntrack-sync vrrp sync-group <1-255>
# IP addresses for which local conntrack entries will not be synced
set service conntrack-sync ignore-address ipv4 <x.x.x.x>
# Interface to use for syncing conntrack entries [REQUIRED]
set service conntrack-sync interface <ifname>
# Multicast group to use for syncing conntrack entries
set service conntrack-sync mcast-group <x.x.x.x>
# Queue size for syncing conntrack entries (in MB)
set service conntrack-sync sync-queue-size <size>
Example
^^^^^^^
The next exemple is a simple configuration of conntrack-sync.
.. figure:: _static/images/service_conntrack_sync-schema.png
:scale: 60 %
:alt: Conntrack Sync Example
Conntrack Sync Example
First of all, make sure conntrack is enabled by running
.. code-block:: sh
show conntrack table ipv4
If the table is empty and you have a warning message, it means conntrack is not
enabled. To enable conntrack, just create a NAT or a firewall rule.
.. code-block:: sh
set firewall state-policy established action accept
You now should have a conntrack table
.. code-block:: sh
$ show conntrack table ipv4
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,
TW - TIME WAIT, CL - CLOSE, LI - LISTEN
CONN ID Source Destination Protocol TIMEOUT
1015736576 10.35.100.87:58172 172.31.20.12:22 tcp [6] ES 430279
1006235648 10.35.101.221:57483 172.31.120.21:22 tcp [6] ES 413310
1006237088 10.100.68.100 172.31.120.21 icmp [1] 29
1015734848 10.35.100.87:56282 172.31.20.12:22 tcp [6] ES 300
1015734272 172.31.20.12:60286 239.10.10.14:694 udp [17] 29
1006239392 10.35.101.221 172.31.120.21 icmp [1] 29
Now configure conntrack-sync service on ``router1`` **and** ``router2``
.. code-block:: sh
set service conntrack-sync accept-protocol 'tcp,udp,icmp'
set service conntrack-sync event-listen-queue-size '8'
set service conntrack-sync failover-mechanism cluster group 'GROUP' # Or VRRP
set service conntrack-sync interface 'eth0'
set service conntrack-sync mcast-group '225.0.0.50'
set service conntrack-sync sync-queue-size '8'
On the active router, you should have informations in the internal-cache of
conntrack-sync. The same current active connections number should be shown in
the external-cache of the standby router
On active router run:
.. code-block:: sh
$ show conntrack-sync statistics
Main Table Statistics:
cache internal:
current active connections: 10
connections created: 8517 failed: 0
connections updated: 127 failed: 0
connections destroyed: 8507 failed: 0
cache external:
current active connections: 0
connections created: 0 failed: 0
connections updated: 0 failed: 0
connections destroyed: 0 failed: 0
traffic processed:
0 Bytes 0 Pckts
multicast traffic (active device=eth0):
868780 Bytes sent 224136 Bytes recv
20595 Pckts sent 14034 Pckts recv
0 Error send 0 Error recv
message tracking:
0 Malformed msgs 0 Lost msgs
On standby router run:
$ show conntrack-sync statistics
Main Table Statistics:
cache internal:
current active connections: 0
connections created: 0 failed: 0
connections updated: 0 failed: 0
connections destroyed: 0 failed: 0
cache external:
current active connections: 10
connections created: 888 failed: 0
connections updated: 134 failed: 0
connections destroyed: 878 failed: 0
traffic processed:
0 Bytes 0 Pckts
multicast traffic (active device=eth0):
234184 Bytes sent 907504 Bytes recv
14663 Pckts sent 21495 Pckts recv
0 Error send 0 Error recv
message tracking:
0 Malformed msgs 0 Lost msgs
DHCP
----
Multiple DHCP Servers can be run from a single machine. Each DHCP service is
identified by a `shared-network-name`.
DHCP Server Example
^^^^^^^^^^^^^^^^^^^
In this example, we are offering address space in the 172.16.17.0/24 network,
which is on eth1, and pppoe0 is our connection to the internet. We are using
the network name `dhcpexample`.
Prerequisites
^^^^^^^^^^^^^
Configuring the PPPoE interface is assumed to be done already, and appears
on `pppoe0`
Interface Configuration
^^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: sh
set interface eth1 address 172.16.17.1/24
Multiple ranges can be defined and can contain holes.
.. code-block:: sh
set service dhcp-server shared-network-name dhcpexample authoritative
set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 default-router 172.16.17.1
set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 dns-server 172.16.17.1
set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 lease 86400
set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 range 0 start 172.16.17.100
set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 range 0 stop 172.16.17.199
Failover
^^^^^^^^
VyOS provides support for DHCP failover:
.. code-block:: sh
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover local-address '192.168.0.1'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover name 'foo'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover peer-address '192.168.0.2'
.. note:: `name` must be identical on both sides!
The primary and secondary statements determines whether the server is primary or secondary
.. code-block:: sh
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover status 'primary'
or
.. code-block:: sh
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover status 'secondary'
.. note:: In order for the primary and the secondary DHCP server to keep
their lease tables in sync, they must be able to reach each other on TCP
port 647. If you have firewall rules in effect, adjust them accordingly.
Static mappings MAC/IP
^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: sh
set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 static-mapping static-mapping-01 ip-address 172.16.17.10
set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 static-mapping static-mapping-01 mac-address ff:ff:ff:ff:ff:ff
Explanation
^^^^^^^^^^^
* :code:`set service dhcp-server shared-network-name dhcpexample authoritative`
This says that this device is the only DHCP server for this network. If other
devices are trying to offer DHCP leases, this machine will send 'DHCPNAK' to
any device trying to request an IP address that is not valid for this network.
* :code:`set service dhcp-server shared-network-name dhcpexample subnet
172.16.17.0/24 default-router 172.16.17.1`
This is a configuration parameter for the subnet, saying that as part of the
response, tell the client that I am the default router for this network
* :code:`set service dhcp-server shared-network-name dhcpexample subnet
172.16.17.0/24 dns-server 172.16.17.1`
This is a configuration parameter for the subnet, saying that as part of the
response, tell the client that I am the DNS server for this network. If you
do not want to run a DNS server, you could also provide one of the public
DNS servers, such as google's. You can add multiple entries by repeating the
line.
* :code:`set service dhcp-server shared-network-name dhcpexample subnet
172.16.17.0/24 lease 86400`
Assign the IP address to this machine for 24 hours. It is unlikely you'd need
to shorten this period, unless you are running a network with lots of devices
appearing and disappearing.
* :code:`set service dhcp-server shared-network-name dhcpexample subnet
172.16.17.0/24 range 0 start 172.16.17.100`
Make a range of addresses available for clients starting from .100 [...]
* :code:`set service dhcp-server shared-network-name dhcpexample subnet
172.16.17.0/24 range 0 stop 172.16.17.199`
[...] and ending at .199
DHCPv6 server
-------------
VyOS provides DHCPv6 server functionality which is described in this section.
In order to use the DHCPv6 server it has to be enabled first:
.. code-block:: sh
set service dhcpv6-server
To restart the DHCPv6 server (operational mode):
.. code-block:: sh
restart dhcpv6 server
To show the current status of the DHCPv6 server use:
.. code-block:: sh
show dhcpv6 server status
Show statuses of all assigned leases:
.. code-block:: sh
show dhcpv6 server leases
DHCPv6 server options
^^^^^^^^^^^^^^^^^^^^^
DHCPv6 server preference value
******************************
Clients receiving advertise messages from multiple servers choose the server
with the highest preference value. The range for this value is `0...255`. Set
a preference value for the DHCPv6 server:
.. code-block:: sh
set service dhcpv6-server preference <preference value>
Delete a preference:
.. code-block:: sh
set service dhcpv6-server preference
Show current preference:
.. code-block:: sh
show service dhcpv6-server preference
Specify address lease time
**************************
The default lease time for DHCPv6 leases is 24 hours. This can be changed by
supplying a `default-time`, `maximum-time` and `minimum-time` (all values in
seconds):
.. code-block:: sh
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> lease-time {default <default-time> | maximum <maximum-time> | minimum <minimum-time>}
Reset the custom lease times:
.. code-block:: sh
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> lease-time {default | maximum | minimum}
Show the current configuration:
.. code-block:: sh
show service dhcpv6-server shared-network-name <name> subnet <ipv6net> lease-time {default | maximum | minimum}
Specify NIS domain
******************
A Network Information (NIS) domain can be set to be used for DHCPv6 clients:
.. code-block:: sh
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-domain <nis-domain-name>
To Delete the NIS domain:
.. code-block:: sh
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-domain <nis-domain-name>
Show a configured NIS domain:
.. code-block:: sh
show service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-domain <nis-domain-name>
Specify NIS+ domain
*******************
The procedure to specify a Network Information Service Plus (NIS+) domain is
similar to the NIS domain one:
.. code-block:: sh
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-domain <nisplus-domain-name>
To Delete the NIS+ domain:
.. code-block:: sh
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-domain <nisplus-domain-name>
Show a configured NIS domain:
# show service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-domain <nisplus-domain-name>
Specify NIS server address
**************************
To specify a NIS server address for DHCPv6 clients:
.. code-block:: sh
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-server <IPv6 address>
Delete a specified NIS server address:
.. code-block:: sh
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-server <IPv6 address>
Show specified NIS server addresses:
.. code-block:: sh
show service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-server
Specify NIS+ server address
***************************
To specify a NIS+ server address for DHCPv6 clients:
.. code-block:: sh
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-server <IPv6 address>
Delete a specified NIS+ server address:
.. code-block:: sh
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-server <IPv6 address>
Show specified NIS+ server addresses:
.. code-block:: sh
show service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-server
Specify a SIP server address for DHCPv6 clients
***********************************************
By IPv6 address
###############
A Session Initiation Protocol (SIP) server address can be specified for DHCPv6 clients:
.. code-block:: sh
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-address <IPv6 address>
Delete a specified SIP server address:
.. code-block:: sh
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-address <IPv6 address>
Show specified SIP server addresses:
.. code-block:: sh
show service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-address
By FQDN
#######
A name for SIP server can be specified:
.. code-block:: sh
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-name <sip-server-name>
Delete a specified SIP server name:
.. code-block:: sh
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-name <sip-server-name>
Show specified SIP server names:
.. code-block:: sh
show service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-name
Simple Network Time Protocol (SNTP) server address for DHCPv6 clients
*********************************************************************
A SNTP server address can be specified for DHCPv6 clients:
.. code-block:: sh
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> sntp-server-address <IPv6 address>
Delete a specified SNTP server address:
.. code-block:: sh
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> sntp-server-address <IPv6 address>
Show specified SNTP server addresses:
.. code-block:: sh
show service dhcpv6-server shared-network-name <name> subnet <ipv6net> sntp-server-address
DHCPv6 address pools
^^^^^^^^^^^^^^^^^^^^
DHCPv6 address pools must be configured for the system to act as a DHCPv6
server. The following example describes a common scenario.
Example 1: DHCPv6 address pool
******************************
A shared network named `NET1` serves subnet `2001:db8:100::/64` which is
connected to `eth1`, a DNS server at `2001:db8:111::111` is used for name
services. The range of the address pool shall be `::100` through `::199`. The
lease time will be left at the default value which is 24 hours.
.. code-block:: sh
set service dhcpv6-server shared-network-name NET1 subnet 2001:db8:100::/64 address-range start 2001:db8:100::100 stop 2001:db8:100::199
set service dhcpv6-server shared-network-name NET1 subnet 2001:db8:100::/64 name-server 2001:db8:111::111
Commit the changes and show the configuration:
.. code-block:: sh
commit
show service dhcpv6-server
shared-network-name NET1 {
subnet 2001:db8:100::/64 {
address-range {
start 2001:db8:100::100 {
stop 2001:db8:100::199
}
}
name-server 2001:db8:111::111
}
}
Static mappings
^^^^^^^^^^^^^^^
In order to map specific IPv6 addresses to specific hosts static mappings can
be created. The following example explains the process.
Example 1: Static IPv6 MAC-based mapping
****************************************
IPv6 address `2001:db8:100::101` shall be statically mapped to a device with
MAC address `00:15:c5:b7:5e:23`, this host-specific mapping shall be named
`client1`.
.. note:: The MAC address identifier is defined by the last 4 byte of the
MAC address.
.. code-block:: sh
set service dhcpv6-server shared-network-name NET1 subnet 2001:db8:100::/64 static-mapping client1 ipv6-address 2001:db8:100::101
set service dhcpv6-server shared-network-name NET1 subnet 2001:db8:100::/64 static-mapping client1 identifier c5b75e23
Commit the changes and show the configuration:
.. code-block:: sh
show service dhcp-server shared-network-name NET1
shared-network-name NET1 {
subnet 2001:db8:100::/64 {
name-server 2001:db8:111::111
address-range {
start 2001:db8:100::100 {
stop 2001:db8:100::199 {
}
}
static-mapping client1 {
ipv6-address 2001:db8:100::101
identifier c5b75e23
}
}
}
DHCP Relay
----------
If you want your router to forward DHCP requests to an external DHCP server
you can configure the system to act as a DHCP relay agent. The DHCP relay
agent works with IPv4 and IPv6 addresses.
All interfaces used for the DHCP relay must be configured. See
https://wiki.vyos.net/wiki/Network_address_setup.
DHCP relay example
^^^^^^^^^^^^^^^^^^
.. figure:: _static/images/service_dhcp-relay01.png
:scale: 80 %
:alt: DHCP relay example
DHCP relay example
In this example the interfaces used for the DHCP relay are eth1 and eth2. The
router receives DHCP client requests on eth1 and relays them through eth2 to
the DHCP server at 10.0.1.4.
Configuration
^^^^^^^^^^^^^
Enable DHCP relay for eth1 and eth2:
.. code-block:: sh
set service dhcp-relay interface eth1
set service dhcp-relay interface eth2
Set the IP address of the DHCP server:
.. code-block:: sh
set service dhcp-relay server 10.0.1.4
The router should discard DHCP packages already containing relay agent
information to ensure that only requests from DHCP clients are forwarded:
.. code-block:: sh
set service dhcp-relay relay-options relay-agents-packets discard
Commit the changes and show the results:
.. code-block:: sh
commit
show service dhcp-relay
interface eth1
interface eth2
server 10.0.1.4
relay-options {
relay-agents-packets discard
}
The DHCP relay agent can be restarted with:
.. code-block:: sh
restart dhcp relay-agent
DHCPv6 relay example
^^^^^^^^^^^^^^^^^^^^
.. figure:: _static/images/service_dhcpv6-relay01.png
:scale: 80 %
:alt: DHCPv6 relay example
DHCPv6 relay example
In this example DHCPv6 requests are received by the router on eth1 (`listening
interface`) and forwarded through eth2 (`upstream interface`) to the external
DHCPv6 server at 2001:db8:100::4.
Configuration
*************
Set eth1 to be the listening interface for the DHCPv6 relay:
.. code-block:: sh
set service dhcpv6-relay listen-interface eth1
Set eth2 to be the upstream interface and specify the IPv6 address of the DHCPv6 server:
.. code-block:: sh
set service dhcpv6-relay upstream-interface eth2 address 2001:db8:100::4
Commit the changes and show results:
.. code-block:: sh
commit
show service dhcpv6-relay
listen-interface eth1 {
}
upstream-interface eth2 {
address 2001:db8:100::4
}
Show the current status of the DHCPv6 relay agent:
.. code-block:: sh
show dhcpv6 relay-agent status
The DHCPv6 relay agent can be restarted with:
.. code-block:: sh
restart dhcpv6 relay-agent
Additional parameters
^^^^^^^^^^^^^^^^^^^^^
DHCP relay agent options
************************
Set the maximum hop count before packets are discarded. Range 0...255,
default 10.
* :code:`set service dhcp-relay relay-options hop-count 'count'`
Set maximum size of DHCP packets including relay agent information. If a
DHCP packet size surpasses this value it will be forwarded without appending
relay agent information. Range 64...1400, default 576.
* :code:`set service dhcp-relay relay-options max-size 'size'`
Four policies for reforwarding DHCP packets exist:
* **append:** The relay agent is allowed to append its own relay information
to a received DHCP packet, disregarding relay information already present in
the packet.
* **discard:** Received packets which already contain relay information will
be discarded.
* **forward:** All packets are forwarded, relay information already present
will be ignored.
* **replace:** Relay information already present in a packet is stripped and
replaced with the router's own relay information set.
* :code:`set service dhcp-relay relay-options relay-agents-packet 'policy'`
DHCPv6 relay agent options
**************************
Set maximum hop count before packets are discarded. Default: 10.
* :code:`set service dhcpv6-relay max-hop-count 'count'`
If this is set the relay agent will insert the interface ID. This option is
set automatically if more than one listening interfaces are in use.
* :code:`set service dhcpv6-relay use-interface-id-option`
DNS Forwarding
--------------
Use DNS forwarding if you want your router to function as a DNS server for the
local network. There are several options, the easiest being 'forward all
traffic to the system DNS server(s)' (defined with set system name-server):
.. code-block:: sh
set service dns forwarding system
Manually setting DNS servers for forwarding:
.. code-block:: sh
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
Manually setting DNS servers with IPv6 connectivity:
.. code-block:: sh
set service dns forwarding name-server 2001:4860:4860::8888
set service dns forwarding name-server 2001:4860:4860::8844
Setting a forwarding DNS server for a specific domain:
.. code-block:: sh
set service dns forwarding domain example.com server 192.0.2.1
Example 1
^^^^^^^^^
Router with two interfaces eth0 (WAN link) and eth1 (LAN). A DNS server for the
local domain (example.com) is at 192.0.2.1, other DNS requests are forwarded
to Google's DNS servers.
.. code-block:: sh
set service dns forwarding domain example.com server 192.0.2.1
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding listen-on 'eth1'
Example 2
^^^^^^^^^
Same as example 1 but with additional IPv6 addresses for Google's public DNS
servers:
.. code-block:: sh
set service dns forwarding domain example.com server 192.0.2.1
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding name-server 2001:4860:4860::8888
set service dns forwarding name-server 2001:4860:4860::8844
set service dns forwarding listen-on 'eth1'
Dynamic DNS
-----------
VyOS is able to update a remote DNS record when an interface gets a new IP
address. In order to do so, VyOS includes ddclient_, a perl script written for
this exact purpose.
ddclient_ uses two methods to update a DNS record. The first one will send
updates directly to the DNS daemon, in compliance with RFC2136_. The second
one involves a third party service, like DynDNS.com or any other similar
website. This method uses HTTP requests to transmit the new IP address. You
can configure both in VyOS.
VyOS CLI and RFC2136
^^^^^^^^^^^^^^^^^^^^
First, create an RFC2136_ config node :
.. code-block:: sh
edit service dns dynamic interface eth0 rfc2136 <confignodename>
Present your RNDC key to ddclient :
.. code-block:: sh
set key /config/dyndns/mydnsserver.rndc.key
Set the DNS server IP/FQDN :
.. code-block:: sh
set server dns.mydomain.com
Set the NS zone to be updated :
.. code-block:: sh
set zone mydomain.com
Set the records to be updated :
.. code-block:: sh
set record dyn
set record dyn2
You can optionally set a TTL (note : default value is 600 seconds) :
.. code-block:: sh
set ttl 600
This will generate the following ddclient config blocks:
.. code-block:: sh
server=dns.mydomain.com
protocol=nsupdate
password=/config/dyndns/mydnsserver.rndc.key
ttl=600
zone=mydomain.com
dyn
server=dns.mydomain.com
protocol=nsupdate
password=/config/dyndns/mydnsserver.rndc.key
ttl=600
zone=mydomain.com
dyn2
You can also keep a different dns zone updated. Just create a new config node:
.. code-block:: sh
edit service dns dynamic interface eth0 rfc2136 <confignode2>
VyOS CLI and HTTP dynamic DNS services
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
VyOS is also able to use any service relying on protocols supported by ddclient.
To use such a service, you must define a login, a password, one or multiple
hostnames, a protocol and a server.
.. code-block:: sh
edit service dns dynamic interface eth0 service HeNet
set login my-login # set password my-password
set host-name my-tunnel-id
set protocol dyndns2
set server ipv4.tunnelbroker.net
VyOS is also shipped with a list of known services. You don't need to set the
protocol and server value as VyOS has defaults provided for those. These are
the services VyOS knows about:
* afraid
* changeip
* dnspark
* dslreports
* dyndns
* easydns
* namecheap
* noip
* zoneedit
To use DynDNS for example:
.. code-block:: sh
edit service dns dynamic interface eth0 service dyndns
set login my-login
set password my-password
set host-name my-dyndns-hostname
It's possible to use multiple services :
.. code-block:: sh
edit service dns dynamic interface eth0 service dyndns
set login my-login
set password my-password
set host-name my-dyndns-hostname
edit service dns dynamic interface eth0 service HeNet
set login my-login
set password my-password
set host-name my-tunnel-id
set protocol dyndns2
set server ipv4.tunnelbroker.net
ddclient behind NAT
^^^^^^^^^^^^^^^^^^^
By default, ddclient will update a dynamic dns record using the IP address
directly attached to the interface. If your VyOS instance is behind NAT, your
record will be updated to point to your internal IP.
ddclient_ has another way to determine the WAN IP address. This is controlled
by these two options:
.. code-block:: sh
set service dns dynamic interface eth0 use-web url
set service dns dynamic interface eth0 use-web skip
ddclient_ will load the webpage at `[url]` and will try to extract an IP
address for the response. ddclient_ will skip any address located before the
string set in `[skip]`.
LLDP
----
The Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol
in the Internet Protocol Suite used by network devices for advertising their
identity, capabilities, and neighbors on an IEEE 802 local area network,
principally wired Ethernet.[1] The protocol is formally referred to by the IEEE
as Station and Media Access Control Connectivity Discovery specified in
IEEE 802.1AB and IEEE 802.3-2012 section 6 clause 79.
LLDP performs functions similar to several proprietary protocols, such as `Cisco
Discovery Protocol`_, `Foundry Discovery Protocol`_, Nortel Discovery Protocol
and Link Layer Topology Discovery.
Information gathered
^^^^^^^^^^^^^^^^^^^^
Information gathered with LLDP is stored in the device as a management
information database (MIB_) and can be queried with the Simple Network
Management Protocol (SNMP_) as specified in RFC 2922. The topology of an
LLDP-enabled network can be discovered by crawling the hosts and querying this
database. Information that may be retrieved include:
* System name and description
* Port name and description
* VLAN name
* IP management address
* System capabilities (switching, routing, etc.)
* MAC/PHY information
* MDI power
* Link aggregation
Configuration
^^^^^^^^^^^^^
* Enable service with:
:code:`set service lldp`
Options
*******
* Configure a Define management-address:
:code:`set service lldp management-address <x.x.x.x>`
* Define listening interfaces
:code:`set service lldp interface <all|interface name>`
* LLDPd also implements an SNMP subagent. To Enable SNMP queries of the LLDP
database:
:code:`set service lldp snmp enable`
* Enable optional/other protocols
:code:`set service lldp legacy-protocols cdp`
Supported legacy protocols:
* ``cdp`` - Listen for CDP for Cisco routers/switches
* ``edp`` - Listen for EDP for Extreme routers/switches
* ``fdp`` - Listen for FDP for Foundry routers/switches
* ``sonmp`` - Listen for SONMP for Nortel routers/switches
Display neighbors
^^^^^^^^^^^^^^^^^
* Display with:
``show lldp neighbors``
Exemple:
.. code-block:: sh
vyos@vyos:~# show lldp neighbors
Capability Codes: R - Router, B - Bridge, W - Wlan r - Repeater, S - Station
D - Docsis, T - Telephone, O - Other
Device ID Local Proto Cap Platform Port ID
--------- ----- ----- --- -------- -------
swA309 eth0 LLDP ? Cisco IOS Software, GigE0/33
* Options:
* ``detail`` - Show lldp neighbors detail
* ``interface`` - Show LLDP for specified interface
Troubleshooting
^^^^^^^^^^^^^^^
Use operationnal command ``show log lldp`` to display logs.
mDNS Repeater
-------------
Starting with VyOS 1.2 a `Multicast DNS`_ (mDNS) repeater functionality is
provided.
Multicast DNS uses the 224.0.0.51 address, which is "administratively scoped"
and does not leave the subnet. It re-broadcast mDNS packets from one interface
to other interfaces. This enables support for e.g. Apple Airplay devices across
multiple VLANs.
To enable mDNS repeater you need to configure at least two interfaces. To re-
broadcast all mDNS packets from `eth0` to `eth1` and vice versa run:
.. code-block:: sh
set service mdns repeater interface eth0
set service mdns repeater interface eth1
mDNS repeater can be temporarily disabled without deleting the service using
.. code-block:: sh
set service mdns repeater disable
.. note:: You can not run this in a VRRP setup, if multiple mDNS repeaters
are launched in a subnet you will experience the mDNS packet storm death!
PPPoE server
------------
VyOS utilizes `accel-ppp`_ to provide PPPoE server functionality. It can be
used with local authentication or a connected RADIUS server.
.. note:: Please be aware, due to an upstream bug, config changes/commits
will restart the ppp daemon and will reset existing PPPoE connections from
connected users, in order to become effective.**
Configuration
^^^^^^^^^^^^^
The example below uses ACN as access-concentrator name, assigns an address
from the pool 10.1.1.100-111, terminates at the local endpoint 10.1.1.1 and
serves requests only on eth1.
.. code-block:: sh
set service pppoe-server access-concentrator 'ACN'
set service pppoe-server authentication local-users username foo password 'bar'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool start '10.1.1.100'
set service pppoe-server client-ip-pool stop '10.1.1.111'
set service pppoe-server dns-servers server-1 '10.100.100.1'
set service pppoe-server dns-servers server-2 '10.100.200.1'
set service pppoe-server interface 'eth1'
set service pppoe-server local-ip '10.1.1.2'
Connections can be locally checked via the command
.. code-block:: sh
show pppoe-server sessions
ifname | username | calling-sid | ip | type | comp | state | uptime
-------+----------+-------------------+------------+-------+------+--------+----------
ppp0 | foo | 08:00:27:fa:3e:50 | 10.1.1.100 | pppoe | | active | 00:04:15
To use a radius server, you need to switch to authentication mode radius and
of course need to specify an IP for the server. You can have multiple RADIUS
server configured, if you wish to achieve redundancy.
.. code-block:: sh
set service pppoe-server access-concentrator 'ACN'
set service pppoe-server authentication mode 'radius'
set service pppoe-server authentication radius-server 10.1.100.1 secret 'secret'
set service pppoe-server interface 'eth1'
set service pppoe-server local-ip '10.1.1.2'
RADIUS provides the IP addresses in the example above via Framed-IP-Address.
UDP broadcast relay
-------------------
Certain vendors use broadcasts to identify their equipemnt within one ethernet
segment. Unfortunately if you split your network with multiple VLANs you loose
the ability of identifying your equiment.
This is where "UDP broadcast relay" comes into play! It will forward received
broadcasts to other configured networks.
Every UDP port which will be forward requires one unique ID. Currently we
support 99 IDs!
Example #1: To forward all broadcast packets received on `UDP port 1900` on
`eth3`, `eth4` or `eth5` to all other interfaces in this configuration.
.. code-block:: sh
set service broadcast-relay id 1 description 'SONOS'
set service broadcast-relay id 1 interface 'eth3'
set service broadcast-relay id 1 interface 'eth4'
set service broadcast-relay id 1 interface 'eth5'
set service broadcast-relay id 1 port '1900'
Example #2: To Forward all broadcasts packets received on `UDP port 6969` on
`eth3` or `eth4` to the other interface in this configuration.
.. code-block:: sh
set service broadcast-relay id 2 description 'SONOS MGMT'
set service broadcast-relay id 2 interface 'eth3'
set service broadcast-relay id 2 interface 'eth4'
set service broadcast-relay id 2 port '6969'
Disable Instance(s)
^^^^^^^^^^^^^^^^^^^
Each broadcast relay instance can be individually disabled without deleting the
configured node by using the following command:
.. code-block:: sh
set service broadcast-relay id <n> disable
In addition you can also disable the whole service without removing the
configuration by:
.. code-block:: sh
set service broadcast-relay disable
.. note:: You can run the UDP broadcast relay service on multiple routers
connected to a subnet. There is **NO** UDP broadcast relay packet storm!
SNMP
----
Simple Network Management Protocol (SNMP_) is an Internet Standard protocol
for collecting and organizing information about managed devices on IP networks
and for modifying that information to change device behavior. Devices that
typically support SNMP include cable modems, routers, switches, servers,
workstations, printers, and more.
SNMP is widely used in network management for network monitoring. SNMP exposes
management data in the form of variables on the managed systems organized in
a management information base (MIB_) which describe the system status and
configuration. These variables can then be remotely queried (and, in some
circumstances, manipulated) by managing applications.
Three significant versions of SNMP have been developed and deployed. SNMPv1 is
the original version of the protocol. More recent versions, SNMPv2c and SNMPv3,
feature improvements in performance, flexibility and security.
SNMP is a component of the Internet Protocol Suite as defined by the Internet
Engineering Task Force (IETF). It consists of a set of standards for network
management, including an application layer protocol, a database schema, and a
set of data objects.
Overview and basic concepts
^^^^^^^^^^^^^^^^^^^^^^^^^^^
In typical uses of SNMP, one or more administrative computers called managers
have the task of monitoring or managing a group of hosts or devices on a
computer network. Each managed system executes a software component called an
agent which reports information via SNMP to the manager.
An SNMP-managed network consists of three key components:
* Managed devices
* Agent software which runs on managed devices
* Network management station (NMS) software which runs on the manager
A managed device is a network node that implements an SNMP interface that
allows unidirectional (read-only) or bidirectional (read and write) access to
node-specific information. Managed devices exchange node-specific information
with the NMSs. Sometimes called network elements, the managed devices can be
any type of device, including, but not limited to, routers, access servers,
switches, cable modems, bridges, hubs, IP telephones, IP video cameras,
computer hosts, and printers.
An agent is a network-management software module that resides on a managed
device. An agent has local knowledge of management information and translates
that information to or from an SNMP-specific form.
A network management station executes applications that monitor and control
managed devices. NMSs provide the bulk of the processing and memory resources
required for network management. One or more NMSs may exist on any managed
network.
.. figure:: _static/images/service_snmp_communication_principles_diagram.png
:scale: 20 %
:alt: Principle of SNMP Communication
Image thankfully borrowed from
https://en.wikipedia.org/wiki/File:SNMP_communication_principles_diagram.PNG
which is under the GNU Free Documentation License
.. note:: VyOS SNMP supports both IPv4 and IPv6.
SNMP protocol versions
^^^^^^^^^^^^^^^^^^^^^^
VyOS itself supports SNMPv2_ (version 2) and SNMPv3_ (version 3) where the
later is recommended because of improved security (optional authentication and
encryption).
SNMPv2
^^^^^^
SNMPv2 is the original and most commonly used version. For authorizing clients,
SNMP uses the concept of communities. Communities may have authorization set
to read only (this is most common) or to read and write (this option is not
actively used in VyOS).
SNMP can work synchronously or asynchronously. In synchronous communication,
the monitoring system queries the router periodically. In asynchronous, the
router sends notification to the "trap" (the monitoring host).
SNMPv2 does not support any authentication mechanisms, other than client source
address, so you should specify addresses of clients allowed to monitor the
router. Note that SNMPv2 also supports no encryption and always sends data in
plain text.
Example
*******
.. code-block:: sh
# Define a community
set service snmp community routers authorization ro
# Allow monitoring access from the entire network
set service snmp community routers network 192.0.2.0/24
set service snmp community routers network 2001::db8:ffff:eeee::/64
# Allow monitoring access from specific addresses
set service snmp community routers client 203.0.113.10
set service snmp community routers client 203.0.113.20
# Define optional router information
set service snmp location "UK, London"
set service snmp contact "admin@example.com"
# Trap target if you want asynchronous communication
set service snmp trap-target 203.0.113.10
# Listen only on specific IP addresses (port defaults to 161)
set service snmp listen-address 172.16.254.36 port 161
set service snmp listen-address 2001:db8::f00::1
SNMPv3
^^^^^^
SNMPv3 is an updated version that, among other things, supports encryption and
cryptographic authentication of clients.
Example
*******
.. code-block:: sh
set service snmp v3 engineid '0x0aa0d6c6f450'
set service snmp v3 group defaultgroup mode 'ro'
set service snmp v3 group defaultgroup seclevel 'priv'
set service snmp v3 group defaultgroup view 'defaultview'
set service snmp v3 view defaultview oid '1'
set service snmp v3 user testUser1 auth plaintext-key testUserKey1
set service snmp v3 user testUser1 auth type 'md5'
set service snmp v3 user testUser1 engineid '0x0aa0d6c6f450'
set service snmp v3 user testUser1 group 'defaultgroup'
set service snmp v3 user testUser1 mode 'ro'
set service snmp v3 user testUser1 privacy type aes
set service snmp v3 user testUser1 privacy plaintext-key testUserKey1
After commit the resulting configuration will look like:
.. note:: SNMPv3 keys won't we stored in plaintext. On ``commit`` the keys
will be encrypted and the encrypted key is based on the engineid!
.. code-block:: sh
vyos@vyos# show service snmp
v3 {
engineid 0x0aa0d6c6f450
group defaultgroup {
mode ro
seclevel priv
view defaultview
}
user testUser1 {
auth {
encrypted-key 0x3b68d4162c2c817b8e9dfb6f08583e5d
type md5
}
engineid 0x0aa0d6c6f450
group defaultgroup
mode ro
privacy {
encrypted-key 0x3b68d4162c2c817b8e9dfb6f08583e5d
type aes
}
}
view defaultview {
oid 1 {
}
}
}
SSH
---
Secure Shell (SSH_) is a cryptographic network protocol for operating network
services securely over an unsecured network.[1] The standard TCP port for SSH
is 22. The best known example application is for remote login to computer
systems by users.
SSH provides a secure channel over an unsecured network in a client-server
architecture, connecting an SSH client application with an SSH server. Common
applications include remote command-line login and remote command execution,
but any network service can be secured with SSH. The protocol specification
distinguishes between two major versions, referred to as SSH-1 and SSH-2.
The most visible application of the protocol is for access to shell accounts
on Unix-like operating systems, but it sees some limited use on Windows as
well. In 2015, Microsoft announced that they would include native support for
SSH in a future release.
SSH was designed as a replacement for Telnet and for unsecured remote shell
protocols such as the Berkeley rlogin, rsh, and rexec protocols. Those protocols
send information, notably passwords, in plaintext, rendering them susceptible
to interception and disclosure using packet analysis. The encryption used by
SSH is intended to provide confidentiality and integrity of data over an
unsecured network, such as the Internet.
Configuration
^^^^^^^^^^^^^
Enabling SSH only requires you to add ``service ssh port NN``, where 'NN' is
the port you want SSH to listen on. By default, SSH runs on port 22.
.. code-block:: sh
set service ssh port 22
Options
*******
* Listening address - Specify the IPv4/IPv6 listening address for connection
requests. Multiple ``listen-address`` nodes can be defined.
:code:`set service ssh listen-address <address>`
* Allow ``root`` login, this can be set to allow ``root`` logins on SSH
connections, however it is not advisable to use this setting as this bears
serious security risks. The default system user posesses all required
privileges.
:code:`set service ssh allow-root`
* Allowed ciphers - A number of allowed ciphers can be specified, use multiple
occurances to allow multiple ciphers.
:code:`set service ssh ciphers <cipher>`
Available ciphers:
* `3des-cbc`
* `aes128-cbc`
* `aes192-cbc`
* `aes256-cbc`
* `aes128-ctr`
* `aes192-ctr`
* `aes256-ctr`
* `arcfour128`
* `arcfour256`
* `arcfour`
* `blowfish-cbc`
* `cast128-cbc`
* Disable password authentication - If SSH key authentication is set up,
password-based user authetication can be disabled. This hardens security!
:code:`set service ssh disable-password-authentication`
* Disable host validation - Disable the host validation through reverse DNS
lookups.
:code:`set service ssh disable-host-validation`
* MAC algorithms - Specifies the available MAC (message authentication code)
algorithms. The MAC algorithm is used in protocol version 2 for data
integrity protection. Multiple algorithms can be entered.
:code:`set service ssh macs <macs>`
Supported MACs:
* `hmac-md5`
* `hmac-md5-96`
* `hmac-ripemd160`
* `hmac-sha1`
* `hmac-sha1-96`
* `hmac-sha2-256`
* `hmac-sha2-512`
* `umac-64@openssh.com`
* `umac-128@openssh.com`
* `hmac-md5-etm@openssh.com`
* `hmac-md5-96-etm@openssh.com`
* `hmac-ripemd160-etm@openssh.com`
* `hmac-sha1-etm@openssh.com`
* `hmac-sha1-96-etm@openssh.com`
* `hmac-sha2-256-etm@openssh.com`
* `hmac-sha2-512-etm@openssh.com`
* `umac-64-etm@openssh.com`
* `umac-128-etm@openssh.com`
Key Authentication
##################
It is highly recommended to use SSH Key authentication. By default there is
only one user (``vyos``), and you can assign any number of keys to that user.
You can generate a ssh key with the ``ssh-keygen`` command on your local
machine, which will (by default) save it as ``~/.ssh/id_rsa.pub`` which is in
three parts:
``ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...VByBD5lKwEWB username@host.example.com``
Only the type (``ssh-rsa``) and the key (``AAAB3N...``) are used. Note that
the key will usually be several hundred characters long, and you will need to
copy and paste it. Some terminal emulators may accidentally split this over
several lines. Be attentive when you paste it that it only pastes as a single
line. The third part is simply an identifier, and is for your own reference.
**Assign SSH Key to user**
Under the user (in this example, ``vyos``), add the public key and the type.
The `identifier` is simply a string that is relevant to you.
.. code-block:: sh
set system login user vyos authentication public-keys 'identifier' key "AAAAB3Nz...."
set system login user vyos authentication public-keys 'identifier' type ssh-rsa"
You can assign multiple keys to the same user by changing the identifier. In
the following example, both Unicron and xrobau will be able to SSH into VyOS
as the ``vyos`` user using their own keys.
.. code-block:: sh
set system login user vyos authentication public-keys 'Unicron' key "AAAAB3Nz...."
set system login user vyos authentication public-keys 'Unicron' type ssh-rsa
set system login user vyos authentication public-keys 'xrobau' key "AAAAQ39x...."
set system login user vyos authentication public-keys 'xrobau' type ssh-rsa
TFTP
----
Trivial File Transfer Protocol (TFTP_) is a simple lockstep File Transfer
Protocol which allows a client to get a file from or put a file onto a remote
host. One of its primary uses is in the early stages of nodes booting from a
local area network. TFTP has been used for this application because it is very
simple to implement.
Example
^^^^^^^
.. code-block:: sh
# If you want to enable uploads, else TFTP server will act as read-only (optional)
set service tftp-server allow-upload
# Directory for TFTP server content
set service tftp-server directory '/config/tftpboot'
# On which addresses we want to listen for incoming TFTP connections? (mandatory)
set service tftp-server listen-address '2001:db8:ffee::1'
set service tftp-server listen-address '10.10.1.1'
.. note:: Choose your ``directory`` location carefully or you will loose the
content on image upgrades. Any directory under ``/config`` is save at this
will be migrated.
.. note:: Configuring a listen-address is essential for the service to work.
The resulting configuration will look like:
.. code-block:: sh
vyos@vyos# show service
tftp-server {
allow-upload
directory /config/tftpboot
listen-address 2001:db8:ffee::1
listen-address 10.10.1.1
}
Webproxy
--------
The proxy service in VyOS is based on Squid3 and some related modules.
Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses,
including speeding up a web server by caching repeated requests, caching web,
DNS and other computer network lookups for a group of people sharing network
resources, and aiding security by filtering traffic. Although primarily used
for HTTP and FTP, Squid includes limited support for several other protocols
including Internet Gopher, SSL,[6] TLS and HTTPS. Squid does not support the
SOCKS protocol.
All examples here assumes that your inside ip address is ``192.168.0.1``.
Replace with your own where applicable.
URL Filtering is provided by Squidguard_.
Configuration
^^^^^^^^^^^^^^
.. code-block:: sh
# Enable proxy service
set service webproxy listen-address 192.168.0.1
# By default it will listen to port 3128. If you wan't something else you have to define that.
set service webproxy listen-address 192.168.0.1 port 2050
# By default the transparent proxy on that interface is enabled. To disable that you simply
set service webproxy listen-address 192.168.0.1 disable-transparent
# Block specific urls
set service webproxy url-filtering squidguard local-block myspace.com
# If you want to you can log these blocks
set service webproxy url-filtering squidguard log local-block
Options
*******
Filtering by category
^^^^^^^^^^^^^^^^^^^^^
If you wan't to use existing blacklists you have to create/download a database
first. Otherwise you will not be able to commit the config changes.
.. code-block:: sh
vyos@vyos# commit
[ service webproxy ]
Warning: no blacklists installed
Unknown block-category [ads] for policy [default]
[[service webproxy]] failed
Commit failed
* Download/Update complete blacklist
:code:`update webproxy blacklists`
* Download/Update partial blacklist
:code:`update webproxy blacklists category ads`
Use tab completion to get a list of categories.
* To auto update the blacklist files
:code:`set service webproxy url-filtering squidguard auto-update update-hour 23`
* To configure blocking add the following to the configuration
:code:`set service webproxy url-filtering squidguard block-category ads`
:code:`set service webproxy url-filtering squidguard block-category malware`
Authentication
^^^^^^^^^^^^^^
TBD: https://wiki.vyos.net/wiki/Web_proxy_LDAP_authentication
Adjusting cache size
^^^^^^^^^^^^^^^^^^^^
The size of the proxy cache can be adjusted by the user.
.. code-block:: sh
set service webproxy cache-size
Possible completions:
<0-4294967295>
Disk cache size in MB (default 100)
0 Disable disk caching
100
.. _ddclient: http://sourceforge.net/p/ddclient/wiki/Home/
.. _RFC2136: https://www.ietf.org/rfc/rfc2136.txt
.. _`Cisco Discovery Protocol`: https://en.wikipedia.org/wiki/Cisco_Discovery_Protocol
.. _`Foundry Discovery Protocol`: https://en.wikipedia.org/wiki/Foundry_Discovery_Protocol
.. _`Multicast DNS`: https://en.wikipedia.org/wiki/Multicast_DNS
.. _SSH: https://en.wikipedia.org/wiki/Secure_Shell
.. _SNMP: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
.. _SNMPv2: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Version_2
.. _SNMPv3: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Version_3
.. _MIB: https://en.wikipedia.org/wiki/Management_information_base
.. _TFTP: https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol
.. _Squid3: http://www.squid-cache.org/
.. _Squidguard: http://www.squidguard.org/
.. _`accel-ppp`: https://accel-ppp.org/
Bypassing the webproxy
^^^^^^^^^^^^^^^^^^^^^^
Some services don't work correctly when being handled via a web proxy.
So sometimes it is useful to bypass a transparent proxy:
* To bypass the proxy for every request that is directed to a specific destination:
:code:`set service webproxy whitelist destination-address 1.2.3.4`
:code:`set service webproxy whitelist destination-address 4.5.6.0/24`
* To bypass the proxy for every request that is coming from a specific source:
:code:`set service webproxy whitelist source-address 192.168.1.2`
:code:`set service webproxy whitelist source-address 192.168.2.0/24`
(This can be useful when a called service has many and/or often changing destination addresses - e.g. Netflix.)
Reference in New Issue View Git Blame Copy Permalink