Age | Commit message (Collapse) | Author |
|
Initially the option 'rate-limit' was implemented with the
wrong place in the CLI:
set vpn pptp remote-access authentication rate-limit <xxx>
Expected under 'radius' section:
set vpn pptp remote-access authentication radius rate-limit <xxx>
Configuration for 'rate-limit' (Jinja2 template) never worked for
pptp, fix it.
|
|
In cases with multiple named IP pools, it is required the option 'next'
to be sure that if IP addresses ended in one pool, then they would
begin to be allocated from the next named pool.
For accel-ppp it requires specific order as pool must be defined
before we can use it with the 'next-option'
set service ipoe-server client-ip-pool name first-pool subnet '192.0.2.0/25'
set service ipoe-server client-ip-pool name first-pool next-pool 'second-pool'
set service ipoe-server client-ip-pool name second-pool subnet '203.0.113.0/25'
[ip-pool]
203.0.113.0/25,name=second-pool
192.0.2.0/25,name=first-pool,next=second-pool
|
|
Named pools for ipoe-server must not rely on autentication type
It is a separate global option for [ipoe] and [ip-pool] sections
|
|
If the 'client-subnet' is not used we must exclude it
from the ipoe.config.j2 template.
Otherwise we get wrong empty parameter ',range=,'
|
|
Fix incorrect regex '\d+' when used vlan ranges
For example 'ipoe-server interface eth1 vlan 2000-3000'
- replace 'interface=re:eth1\.\d+'
=> 'interface=re:^eth1\.(200\d|20[1-9]\d|2[1-9]\d{2}|3000)$'
|
|
After rewriting IPoE server for config.dict the ipoe.config.j2
template wasn't changed for 'vlan-mon' section
Fix it
|
|
Disabling authentication is useful in emergency situations
(e.g. RADIUS server is down) or testing purposes.
Clients can connect with any login and username.
set service pppoe-server authentication mode 'noauth'
|
|
T1993: PPPoE-server add section shaper and fwmark option
|
|
T4971: PPPoE server add named ip pool and attr Framed-Pool
|
|
Extended PPPoE-server rate-limiter to avoid shaping marked resources
Often this feature needs for ISP, which provides access to some IX
or its resources.
set service pppoe-server shaper fwmark '223'
|
|
Minimum acceptable MTU. If client will try to negotiate less then
specified MTU then it will be NAKed or disconnected if rejects
greater MTU.
Change 'min-mtu' from 1492 to 1280
|
|
Add a new feature to allow to use named pools
Also it can be used with RADIUS attribute 'Framed-Pool'
set service pppoe-server client-ip-pool name POOL1 gateway-address '192.0.2.1'
set service pppoe-server client-ip-pool name POOL1 subnet '192.0.2.0/24'
|
|
Add ppp-options IPv6 interface id for vpn L2TP
- fixed or random interface identifier for IPv6
- peer interface identifier for IPv6
- whether to accept peer’s interface identifier
set vpn l2tp remote-access ppp-options ipv6-accept-peer-intf-id
set vpn l2tp remote-access ppp-options ipv6-intf-id 'random'
set vpn l2tp remote-access ppp-options ipv6-peer-intf-id 'calling-sid'
|
|
L2TP 'ppp-options ipv6 x' can work without declaring IPv6 pool
As we can get addresses via RADIUS attributes:
- Framed-IPv6-Prefix
- Delegated-IPv6-Prefix
|
|
Fix l2tp dae server template and python config dict for correctlly
handling Dynamic Authorization Extension server configuration
|
|
|
|
In addition to the rewrite to make use of get_config_dict() the CLI is
slightly adjusted as specified in T4703.
* Rename vlan-id and vlan-range to simply vlan
* Rename network-mode to simply mode
* Re-use existing common Jinja2 template for Accel-PPP which are shared
with PPPoE and SSTP server.
* Retrieve default values via defaultValue XML node
|
|
The initial Accel-PPP PPPoE implementation used:
set service pppoe-server interface <name> vlan-id <id>
set service pppoe-server interface <name> vlan-range <start-stop>
This is actually a duplicated CLI node.
|
|
Add rate-limit options: attribute, muptiplier and vendor
set service ipoe-server auth radius rate-limit attribute 'Mikrotik-Rate-Limit'
set service ipoe-server auth radius rate-limit enable
set service ipoe-server auth radius rate-limit multiplier '0.001'
set service ipoe-server auth radius rate-limit vendor 'Miktorik'
|
|
|
|
ppppoe-server: T4373: Add option multiplier for correct shaping
|
|
Multiplier option is required by some vendors for correct shaping
For RADIUS based rate-limits
edit service pppoe-server
set authentication radius rate-limit multiplier '0.001'
|
|
|
|
|
|
|
|
Add new feature to allow to use named pools
Can be used also with Radius attribute 'Framed-Pool'
set service ipoe-server client-ip-pool name POOL1 gateway-address '192.0.2.1'
set service ipoe-server client-ip-pool name POOL1 subnet '192.0.2.0/24'
|
|
|
|
(cherry picked from commit 01ed77040ec9493e4ca1cf868ff3c22847da4487)
|
|
To allow IPv6 only for vpn sstp sessions we have to add
'ppp-options' which can disable IPv4 allocation explicity.
Additional IPv6 ppp-options and fix template for it.
(cherry picked from commit dd036c62d1370f655a8d2075577597f24ffff7dc)
|
|
|
|
(cherry picked from commit 23388fe193f04ab05f270098123cbb3e5f0b9f75)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Commit a2ac9fac ("vyos.template: T2720: always enable Jinja2 trim_blocks
feature") globally enabled the trim_blocks feature. Some templates still used
in-line trim_blocks "{%"- or "-%}" which caused miss-placed line endings.
This is fixed by removing all in-line trim_block statememnts of Jinja2 templates.
|
|
|
|
|
|
|
|
Required to get a common CLI for all services provided by Accel-PPP. Once the
CLI for each service is consitent - Jinja2 templates can be reused together
with get_config_dict().
|
|
|
|
|
|
For easier configuration read in (CLI) validation and also template rendering
it makes sense to drop the old, single implementation and move to the new,
generic get_config_dict() approach.
Recurring configuration parts like ip-pool, ipv6-pool and nameservers have
also been split our into individual templates which will be included through
Jinja2 - leading to a single-source of the template sections, too.
|