author    Christian Poessinger <christian@poessinger.com>  2019-04-21 21:04:21 +0200
committer Christian Poessinger <christian@poessinger.com>  2019-04-21 21:04:21 +0200
commit    c0a077b7456bb6a3d43f4b0e2a748d93607be40e (patch)
tree      00bf67d27aecf2bb00143998223482bf6dcaa76e
parent    b7b94d6a147f64fcad2fda0997629eef734960d6 (diff)
parent    b7059fb3911aa3011d22d5aeb2b2361a63ab9fba (diff)
download  vyos-documentation-c0a077b7456bb6a3d43f4b0e2a748d93607be40e.tar.gz
          vyos-documentation-c0a077b7456bb6a3d43f4b0e2a748d93607be40e.zip
Merge branch 'crux' into 'master'
* crux:
  MSS-Clamping: move from routing to firewall chapter
  Version: set version/release to 1.2.2/Crux
  Login: adjust CLI interface to VyOS 1.2 crux
-rw-r--r--  docs/firewall.rst             37
-rw-r--r--  docs/routing.rst              42
-rw-r--r--  docs/system/system-users.rst  28
3 files changed, 78 insertions, 29 deletions
diff --git a/docs/firewall.rst b/docs/firewall.rst
index 8ab4dacf..e14cb19b 100644
--- a/docs/firewall.rst
+++ b/docs/firewall.rst
@@ -174,5 +174,42 @@ Example Partial Config
}
}
+MSS Clamping
+------------
+
+As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP
+MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option
+to clamp your TCP MSS value for IPv4 and IPv6.
+
+Clamping can be disabled per interface using the `disable` keywork:
+
+.. code-block:: sh
+
+ set firewall options interface pppoe0 disable
+
+IPv4
+----
+
+Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372`
+for your WireGuard `wg02` tunnel.
+
+.. code-block:: sh
+
+ set firewall options interface pppoe0 adjust-mss '1452'
+ set firewall options interface wg02 adjust-mss '1372'
+
+IPv6
+----
+
+Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
+`wg02` interface.
+
+To achieve the same for IPv6 please use:
+
+.. code-block:: sh
+
+ set firewall options interface pppoe0 adjust-mss6 '1280'
+ set firewall options interface wg02 adjust-mss6 '1280'
+
[https://www.xfinity.com/support/internet/list-of-blocked-ports/ XFinity Blocked Port List]
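Review bot: the three new headings `MSS Clamping`, `IPv4` and `IPv6` all use the same `---` underline, so Sphinx renders `IPv4` and `IPv6` as siblings of `MSS Clamping` rather than as its subsections; give the two sub-headings a lower-level underline (e.g. `^^^^`) if they are meant to sit under `MSS Clamping`. Two smaller points in the same text: `keywork` in "using the `disable` keywork" should be `keyword`, and in the IPv6 part the sentence "Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and `wg02` interface." followed by "To achieve the same for IPv6 please use:" states the same thing twice; a single lead-in such as "To clamp the IPv6 MSS to `1280` on both interfaces:" is enough. Since the text itself says the value is rewritten in the TCP SYN, it would also help readers to note that only the MSS option of TCP connection setups is touched, so the change is safe to apply per interface without affecting other traffic.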
diff --git a/docs/routing.rst b/docs/routing.rst
index 43a1d0d9..b4144969 100644
--- a/docs/routing.rst
+++ b/docs/routing.rst
@@ -281,7 +281,7 @@ display arp table entries
.. code-block:: sh
- show protocols static arp
+ show protocols static arp
Address HWtype HWaddress Flags Mask Iface
10.1.1.1 ether 08:00:27:de:23:2e C eth1
@@ -331,15 +331,41 @@ we use:
set interfaces ethernet eth1 policy route FILTER-WEB
-The route policy functionality in VyOS can also be used to rewrite TCP MSS
-using the set policy route <name> rule <rule> `set tcp-mss <value>` directive,
-modify DSCP value using `set dscp <value>`, or mark the traffic with an
-internal ID using `set mark <value>` for further processing (e.g. QOS) on a
-per-rule basis for matching traffic.
+MSS Clamping
+============
-In addition to 5-tuple matching, additional options such as time-based rules,
-are available. See the built-in help for a complete list of options.
+As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP
+MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option
+to clamp your TCP MSS value for IPv4 and IPv6.
+Clamping can be disabled per interface using the `disable` keywork:
+.. code-block:: sh
+
+ set firewall options interface pppoe0 disable
+
+IPv4
+----
+
+Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372`
+for your WireGuard `wg02` tunnel.
+
+.. code-block:: sh
+
+ set firewall options interface pppoe0 adjust-mss '1452'
+ set firewall options interface wg02 adjust-mss '1372'
+
+IPv6
+----
+
+Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
+`wg02` interface.
+
+To achieve the same for IPv6 please use:
+
+.. code-block:: sh
+
+ set firewall options interface pppoe0 adjust-mss6 '1280'
+ set firewall options interface wg02 adjust-mss6 '1280'
.. _ARP: https://en.wikipedia.org/wiki/Address_Resolution_Protocol
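Review bot: the MSS Clamping section being added to routing.rst here is word for word the one added to docs/firewall.rst in this same merge, and the commit message says the section was moved from the routing to the firewall chapter, so this file should lose the section (a one-line cross-reference to the firewall chapter would do) rather than gain a second copy. The two removed paragraphs about the policy route `set tcp-mss <value>`, `set dscp <value>` and `set mark <value>` directives and the time-based matching options get no replacement; that content is about policy routing, not MSS clamping, and should stay. In the added text there is no blank line between "using the `disable` keywork:" and `.. code-block:: sh`, so RST will not recognise the directive and `set firewall options interface pppoe0 disable` will not render as code; also `keywork` should be `keyword`.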
diff --git a/docs/system/system-users.rst b/docs/system/system-users.rst
index a6be5a05..67786f20 100644
--- a/docs/system/system-users.rst
+++ b/docs/system/system-users.rst
@@ -77,35 +77,21 @@ a default timeout and port.
.. code-block:: sh
- set system login radius server 192.168.1.2 secret 's3cr3t0815'
- set system login radius server 192.168.1.2 timeout '5'
- set system login radius server 192.168.1.2 port '1812'
- set system login radius server 192.168.1.3 secret 's3cr3t0816'
+ set system login radius-server 192.168.1.2 secret 's3cr3t0815'
+ set system login radius-server 192.168.1.2 timeout '5'
+ set system login radius-server 192.168.1.2 port '1812'
+ set system login radius-server 192.168.1.3 secret 's3cr3t0816'
This configuration results in:
.. code-block:: sh
- show system login radius
- server 192.168.1.2 {
+ show system login
+ radius-server 192.168.1.2 {
secret s3cr3t0815
timeout 5
port 1812
}
- server 192.168.1.3 {
+ radius-server 192.168.1.3 {
secret s3cr3t0816
}
-
-RADIUS Source Address
-*********************
-
-If you are using e.g. OSPF as IGP always the nearest interface facing the RADIUS
-server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a
-single source IP e.g. the loopback interface.
-
-.. code-block:: sh
-
- set system login radius source-address 3.3.3.3
-
-Above command will use `3.3.3.3` as source IPv4 address for all queries originating
-from this NAS.
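Review bot: the `RADIUS Source Address` section is removed outright without telling readers what happened to `set system login radius source-address`; since this commit adjusts the CLI to VyOS 1.2, add a sentence stating whether binding RADIUS queries to a single source address is no longer available in 1.2 or where the option moved, otherwise users migrating 1.1 configurations that pinned RADIUS traffic to a loopback address are left without guidance. Minor: the example secrets `s3cr3t0815` and `s3cr3t0816` read like real values and tend to get copied; a placeholder such as `<secret>` with a note to use a long random value per server would be clearer.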